author | Martin Kosek <mkosek@redhat.com> | 2012-03-14 10:38:33 +0100 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-03-25 23:58:24 -0400 |
commit | b944ad44b5ac66a253b28613cf0b722c4d4ad444 (patch) | |
tree | 8b9bc685c7a8491e2be2bc6f3239adafd904de54 /install/updates | |
parent | 0b01751c1bd7c579ab8f7fb64d9182c6f107ab3b (diff) | |
download | freeipa-b944ad44b5ac66a253b28613cf0b722c4d4ad444.tar.gz freeipa-b944ad44b5ac66a253b28613cf0b722c4d4ad444.tar.xz freeipa-b944ad44b5ac66a253b28613cf0b722c4d4ad444.zip |
Amend permissions for new DNS attributes
New features in bind-dyndb-ldap and the IPA DNS plugin pulled in new
attributes and objectclasses. ACIs and permissions need to be
updated to allow users with appropriate permissions to update
these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one
new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
Diffstat (limited to 'install/updates')
-rw-r--r-- | install/updates/40-dns.update | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index ef2627bd7..02af8e467 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -23,3 +23,7 @@ add: ttl: 10
 # add idnsConfigObject if it is not there already
 dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
+
+# update DNS acis with new idnsRecord attributes
+dn: $SUFFIX
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)' |
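Review bot: The widened `targetattr` on the new side of the `replace:aci:` line gives members of "update dns entries" write access to `idnsallowquery`, `idnsallowtransfer`, `idnsforwardpolicy` and `idnsforwarders` (plus `idnsallowsyncptr`) on every entry matching `idnsname=*,cn=dns,$SUFFIX`. Anyone delegated record edits can therefore also change who may query or transfer a zone and where it forwards. If that is intended, the comment above the directive should say so, e.g. `# NOTE: also grants write on zone query/transfer ACLs and forwarders to "update dns entries"`; otherwise these attributes would fit better under a separate permission with its own ACI. Separately, the value before `::` looks like it is matched as an exact string, so a deployment whose ACI was edited locally would presumably keep the old attribute list without a visible error; it is worth confirming that the updater reports that case.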