From b944ad44b5ac66a253b28613cf0b722c4d4ad444 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Wed, 14 Mar 2012 10:38:33 +0100
Subject: Amend permissions for new DNS attributes
New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP.
This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration.
https://fedorahosted.org/freeipa/ticket/2510
---
 install/updates/40-dns.update | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'install/updates/40-dns.update')
diff --git a/install/updates/40-dns.update b/install/updates/40-dns.update
index ef2627bd7..02af8e467 100644
--- a/install/updates/40-dns.update
+++ b/install/updates/40-dns.update
@@ -23,3 +23,7 @@ add: ttl: 10
 # add idnsConfigObject if it is not there already
 dn: cn=dns, $SUFFIX
 addifexist: objectClass: idnsConfigObject
+
+# update DNS acis with new idnsRecord attributes
+dn: $SUFFIX
+replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'
-- cgit
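Review bot: The new targetattr list in the replaced ACI adds zone-level control attributes (idnsallowquery, idnsallowtransfer, idnsallowsyncptr, idnsforwardpolicy, idnsforwarders) to the "update dns entries" permission, so members of that group can now change who may query or transfer a zone and where it forwards, which is a broader grant than the record attributes the comment above it describes. Consider either carving those five into a separate zone-management permission or at least stating the widening in the comment, e.g. `# update DNS acis with new idnsRecord attributes; also grants write on zone ACL/forwarding attrs (idnsallowquery, idnsallowtransfer, idnsallowsyncptr, idnsforwardpolicy, idnsforwarders)`. The old-value side of the `replace:aci:` must presumably match the installed ACI exactly for the update to apply, so a server whose ACI was previously hand-edited would silently keep the old value — worth verifying the updater reports a no-match. Minor: idnsname appears twice in the targetattr list (carried over from the old value), which is harmless but could be dropped.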