freeipa/install/updates/10-bind-schema.update

#
# New schema enhancements from:
#       https://fedorahosted.org/bind-dyndb-ldap/browser/doc/schema
#
dn: cn=schema
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.11
      NAME 'idnsAllowQuery'
      DESC 'BIND9 allow-query ACL element'
      EQUALITY caseIgnoreIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE
      X-ORIGIN 'IPA v2')
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.12
      NAME 'idnsAllowTransfer'
      DESC 'BIND9 allow-transfer ACL element'
      EQUALITY caseIgnoreIA5Match
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE
      X-ORIGIN 'IPA v2')
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.13
      NAME 'idnsAllowSyncPTR'
      DESC 'permit synchronization of PTR records'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE
      X-ORIGIN 'IPA v2' )
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.14
      NAME 'idnsForwardPolicy'
      DESC 'forward policy: only or first'
      EQUALITY caseIgnoreIA5Match
      SUBSTR caseIgnoreIA5SubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      SINGLE-VALUE
      X-ORIGIN 'IPA v2' )
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.15
      NAME 'idnsForwarders'
      DESC 'list of forwarders'
      EQUALITY caseIgnoreIA5Match
      SUBSTR caseIgnoreIA5SubstringsMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
      X-ORIGIN 'IPA v2' )
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.16
      NAME 'idnsZoneRefresh'
      DESC 'zone refresh interval'
      EQUALITY integerMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
      SINGLE-VALUE
      X-ORIGIN 'IPA v2' )
add:attributeTypes:
    ( 2.16.840.1.113730.3.8.5.17
      NAME 'idnsPersistentSearch'
      DESC 'allow persistent searches'
      EQUALITY booleanMatch
      SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
      SINGLE-VALUE
      X-ORIGIN 'IPA v2' )
add:objectClasses:
    ( 2.16.840.1.113730.3.8.6.2
      NAME 'idnsConfigObject'
      DESC 'DNS global config options'
      STRUCTURAL
      MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$
        idnsZoneRefresh $$ idnsPersistentSearch
      ) )
add:objectClasses:
    ( 2.16.840.1.113730.3.8.12.18
      NAME 'ipaDNSZone'
      SUP top AUXILIARY
      MUST idnsName
      MAY managedBy
      X-ORIGIN 'IPA v3' )
replace:objectClasses:( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY idnsUpdatePolicy )::( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord    STRUCTURAL MUST ( idnsName $$ idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY ( idnsUpdatePolicy $$ idnsAllowQuery $$ idnsAllowTransfer $$ idnsAllowSyncPTR $$ idnsForwardPolicy $$ idnsForwarders ) )
Update schema for bind-dyndb-ldap Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072 2012-02-24 02:35:12 -06:00			`#`
			`# New schema enhancements from:`
			`# https://fedorahosted.org/bind-dyndb-ldap/browser/doc/schema`
			`#`
			`dn: cn=schema`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.11`
			`NAME 'idnsAllowQuery'`
			`DESC 'BIND9 allow-query ACL element'`
			`EQUALITY caseIgnoreIA5Match`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2')`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.12`
			`NAME 'idnsAllowTransfer'`
			`DESC 'BIND9 allow-transfer ACL element'`
			`EQUALITY caseIgnoreIA5Match`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2')`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.13`
			`NAME 'idnsAllowSyncPTR'`
			`DESC 'permit synchronization of PTR records'`
			`EQUALITY booleanMatch`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.7`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2' )`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.14`
			`NAME 'idnsForwardPolicy'`
			`DESC 'forward policy: only or first'`
			`EQUALITY caseIgnoreIA5Match`
			`SUBSTR caseIgnoreIA5SubstringsMatch`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2' )`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.15`
			`NAME 'idnsForwarders'`
			`DESC 'list of forwarders'`
			`EQUALITY caseIgnoreIA5Match`
			`SUBSTR caseIgnoreIA5SubstringsMatch`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.26`
			`X-ORIGIN 'IPA v2' )`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.16`
			`NAME 'idnsZoneRefresh'`
			`DESC 'zone refresh interval'`
			`EQUALITY integerMatch`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.27`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2' )`
			`add:attributeTypes:`
			`( 2.16.840.1.113730.3.8.5.17`
			`NAME 'idnsPersistentSearch'`
			`DESC 'allow persistent searches'`
			`EQUALITY booleanMatch`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.7`
			`SINGLE-VALUE`
			`X-ORIGIN 'IPA v2' )`
			`add:objectClasses:`
			`( 2.16.840.1.113730.3.8.6.2`
			`NAME 'idnsConfigObject'`
			`DESC 'DNS global config options'`
			`STRUCTURAL`
			`MAY ( idnsForwardPolicy $$ idnsForwarders $$ idnsAllowSyncPTR $$`
			`idnsZoneRefresh $$ idnsPersistentSearch`
			`) )`
Per-domain DNS record permissions IPA implements read/write permissions for DNS record or zones. Provided set of permissions and privileges can, however, only grant access to the whole DNS tree, which may not be appropriate. Administrators may miss more fine-grained permissions allowing them to delegate access per-zone. Create a new IPA auxiliary objectclass ipaDNSZone allowing a managedBy attribute for a DNS zone. This attribute will hold a group DN (in this case a permission) which allows its members to read or write in a zone. Member permissions in given zone will only have 2 limitations: 1) Members cannot delete the zone 2) Members cannot edit managedBy attribute Current DNS deny ACI used to enforce read access is removed so that DNS privileges are based on allow ACIs only, which is much more flexible approach as deny ACIs have always precedence and limit other extensions. Per-zone access is allowed in 3 generic ACIs placed in cn=dns,$SUFFIX so that no special ACIs has to be added to DNS zones itselves. 2 new commands have been added which allows an administrator to create the system permission allowing the per-zone access and fill a zone's managedBy attribute: * dnszone-add-permission: Add per-zone permission * dnszone-remove-permission: Remove per-zone permission https://fedorahosted.org/freeipa/ticket/2511 2012-06-27 06:10:10 -05:00			`add:objectClasses:`
			`( 2.16.840.1.113730.3.8.12.18`
			`NAME 'ipaDNSZone'`
			`SUP top AUXILIARY`
			`MUST idnsName`
			`MAY managedBy`
			`X-ORIGIN 'IPA v3' )`
Update schema for bind-dyndb-ldap Add new attributes and objectclasses to support new features: - global bind-dyndb-ldap settings in LDAP - conditional per-zone forwarding - per-zone configuration of automatic PTR updates - AllowQuery and AllowTransfer ACIs https://fedorahosted.org/freeipa/ticket/2215 https://fedorahosted.org/freeipa/ticket/2072 2012-02-24 02:35:12 -06:00			replace:objectClasses:( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY idnsUpdatePolicy )::( 2.16.840.1.113730.3.8.6.1 NAME 'idnsZone' DESC 'Zone class' SUP idnsRecord STRUCTURAL MUST ( idnsName $$ idnsZoneActive $$ idnsSOAmName $$ idnsSOArName $$ idnsSOAserial $$ idnsSOArefresh $$ idnsSOAretry $$ idnsSOAexpire $$ idnsSOAminimum ) MAY ( idnsUpdatePolicy $$ idnsAllowQuery $$ idnsAllowTransfer $$ idnsAllowSyncPTR $$ idnsForwardPolicy $$ idnsForwarders ) )