From ef83a0c67884274be000f3b4fcc8150e8910bcb7 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Fri, 4 Jul 2014 09:32:08 +0200
Subject: Add Modify Realm Domains permission

The permission is required for DNS Administrators as realm domains object is updated when a master zone is added.

https://fedorahosted.org/freeipa/ticket/4423

Reviewed-By: Petr Spacek
---
ACI.txt | 2 ++
ipalib/plugins/realmdomains.py | 8 ++++++++
2 files changed, 10 insertions(+)

diff --git a/ACI.txt b/ACI.txt
index 8e73c5c85..bc82d644e 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -154,6 +154,8 @@ dn: cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=exa
 aci: (targetattr = "krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Modify Group Password Policy";allow (write) groupdn = "ldap:///cn=System: Modify Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "cn || cospriority || krbmaxpwdlife || krbminpwdlife || krbpwdfailurecountinterval || krbpwdhistorylength || krbpwdlockoutduration || krbpwdmaxfailure || krbpwdmindiffchars || krbpwdminlength || objectclass")(targetfilter = "(objectclass=krbpwdpolicy)")(version 3.0;acl "permission:System: Read Group Password Policy";allow (compare,read,search) groupdn = "ldap:///cn=System: Read Group Password Policy,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+dn: cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
+aci: (targetattr = "associateddomain")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Modify Realm Domains";allow (write) groupdn = "ldap:///cn=System: Modify Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=System: Read Realm Domains,cn=permissions,cn=pbac,dc=ipa,dc=example
 aci: (targetattr = "associateddomain || cn || objectclass")(targetfilter = "(objectclass=domainrelatedobject)")(version 3.0;acl "permission:System: Read Realm Domains";allow (compare,read,search) userdn = "ldap:///all";)
 dn: cn=System: Add Roles,cn=permissions,cn=pbac,dc=ipa,dc=example
diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 08d3a6a78..c53340591 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -79,6 +79,14 @@ class realmdomains(LDAPObject):
 'objectclass', 'cn', 'associateddomain',
 },
 },
+'System: Modify Realm Domains': {
+'ipapermbindruletype': 'permission',
+'ipapermright': {'write'},
+'ipapermdefaultattr': {
+'associatedDomain',
+},
+'default_privileges': {'DNS Administrators'},
+},
 }
 
 label = _('Realm Domains')
-- cgit
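Review bot: Granting `write` on associatedDomain to the DNS Administrators privilege is wider than the dnszone-add path that motivates it: the new entry becomes a plain LDAP ACI, so any member of that privilege can set arbitrary realm domains directly (e.g. via ldapmodify), not just the zone being added, and whatever checks `realmdomains_mod` performs before accepting a domain (outside this hunk) do not apply on that route. Because realm domains decide which DNS domains are mapped to this Kerberos realm, that is a real widening of the role and deserves a why-comment at the new entry, e.g. `# dnszone-add must update realmdomains (ticket 4423), so DNS Administrators need write here`. Separately, the attribute is spelled `'associatedDomain'` in the new ipapermdefaultattr set but `'associateddomain'` in the Read Realm Domains entry a few lines above and in the ACI.txt hunk; LDAP attribute names are case-insensitive, so this is style only, but `'associateddomain',` keeps the file to one spelling. The enclosing permissions dict and class realmdomains begin outside the hunk.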