freeipa/install/share
Martin Kosek 52f69aaa8a Per-domain DNS record permissions
IPA implements read/write permissions for DNS records or zones.
The provided set of permissions and privileges can, however, only
grant access to the whole DNS tree, which may not be appropriate.
Administrators may miss more fine-grained permissions allowing
them to delegate access per zone.

Create a new IPA auxiliary objectclass ipaDNSZone allowing
a managedBy attribute for a DNS zone. This attribute will hold
a group DN (in this case a permission) which allows its members
to read or write in a zone. Member permissions in a given zone
will only have 2 limitations:
1) Members cannot delete the zone
2) Members cannot edit managedBy attribute

The current DNS deny ACI used to enforce read access is removed so
that DNS privileges are based on allow ACIs only, which is a much
more flexible approach as deny ACIs always have precedence and limit
other extensions. Per-zone access is allowed in 3 generic ACIs
placed in cn=dns,$SUFFIX so that no special ACIs have to be added
to DNS zones themselves.

2 new commands have been added which allow an administrator to
create the system permission allowing per-zone access and
fill a zone's managedBy attribute:
 * dnszone-add-permission: Add per-zone permission
 * dnszone-remove-permission: Remove per-zone permission

https://fedorahosted.org/freeipa/ticket/2511
2012-06-28 15:21:21 +02:00
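The delegation model described in the commit message above, as an added example that is not part of the original commit or of the FreeIPA code base: an in-memory model of a zone entry carrying the ipaDNSZone auxiliary objectClass and a managedBy attribute that holds a permission (group) DN, record entries as children of the zone, and an allow-only rule set in which any matching rule grants the operation and nothing can override a grant. It encodes the two stated limitations (members cannot delete the zone or edit managedBy) and contrasts the allow-only evaluation with the blanket deny the message removes, to show why a per-zone allow could never win through a deny. The suffix, the permission names (Read/Add/Remove/Update DNS Entries, "Manage DNS zone example.test"), the user DNs and the shape of the old deny rule are assumptions made for the illustration, not FreeIPA's actual ACIs.

```python
from dataclasses import dataclass, field

SUFFIX = "dc=example,dc=test"              # assumed directory suffix
DNS_BASE = f"cn=dns,{SUFFIX}"
PBAC = f"cn=permissions,cn=pbac,{SUFFIX}"  # assumed container for permission entries


@dataclass
class Entry:
    dn: str
    attrs: dict = field(default_factory=dict)  # lowercase attribute -> set of values

    def values(self, attr):
        return self.attrs.get(attr.lower(), set())

    def has(self, attr, value):
        return value.lower() in {v.lower() for v in self.values(attr)}


class Directory:
    """Minimal in-memory DIT: DN lookup, parent DN and group membership."""

    def __init__(self):
        self._entries = {}

    def add(self, dn, **attrs):
        self._entries[dn.lower()] = Entry(dn, {k.lower(): set(v) for k, v in attrs.items()})

    def get(self, dn):
        return self._entries.get(dn.lower())

    @staticmethod
    def parent(dn):
        return dn.split(",", 1)[1] if "," in dn else ""

    def is_member(self, bind_dn, group_dn):
        group = self.get(group_dn)
        return group is not None and group.has("member", bind_dn)


# The pre-existing coarse grants: one permission per operation over the whole
# DNS tree (permission names assumed for the illustration).
TREE_WIDE = {
    "read": f"cn=Read DNS Entries,{PBAC}",
    "add": f"cn=Add DNS Entries,{PBAC}",
    "delete": f"cn=Remove DNS Entries,{PBAC}",
    "write": f"cn=Update DNS Entries,{PBAC}",
}


def in_dns_tree(dn):
    return dn.lower().endswith(DNS_BASE.lower())


def tree_wide_rule(d, bind_dn, op, target_dn, attr):
    return in_dns_tree(target_dn) and d.is_member(bind_dn, TREE_WIDE[op])


def zone_of(d, target_dn, op):
    """Zone governing target_dn: the entry itself if it is a zone, else its
    parent (an entry being added does not exist yet, so only its parent counts)."""
    if op != "add":
        entry = d.get(target_dn)
        if entry is not None and entry.has("objectclass", "idnszone"):
            return entry
    parent = d.get(Directory.parent(target_dn))
    if parent is not None and parent.has("objectclass", "idnszone"):
        return parent
    return None


def per_zone_rule(d, bind_dn, op, target_dn, attr):
    """Members of any group named in the zone's managedBy get read/add/delete/write
    on the zone and its records, minus the two limitations from the message."""
    zone = zone_of(d, target_dn, op)
    if zone is None or not any(d.is_member(bind_dn, g) for g in zone.values("managedby")):
        return False
    if op == "delete" and zone.dn.lower() == target_dn.lower():
        return False  # limitation 1: the zone entry itself may not be deleted
    if op == "write" and attr is not None and attr.lower() == "managedby":
        return False  # limitation 2: the delegation attribute may not be edited
    return True


RULES = [tree_wide_rule, per_zone_rule]


def is_allowed(d, bind_dn, op, target_dn, attr=None):
    """Allow-only evaluation: any matching rule grants the operation and no rule
    can revoke a grant, so adding a rule can only widen access."""
    return any(rule(d, bind_dn, op, target_dn, attr) for rule in RULES)


def legacy_deny_rule(d, bind_dn, op, target_dn, attr):
    """Assumed shape of the blanket deny the message removes: reads under cn=dns
    are denied to anyone outside the whole-tree read permission."""
    return op == "read" and in_dns_tree(target_dn) and not d.is_member(bind_dn, TREE_WIDE["read"])


def is_allowed_under_legacy_deny(d, bind_dn, op, target_dn, attr=None):
    """Deny takes precedence over allow, so the per-zone grant can never win
    through it; this is the reason the design moves to allow-only ACIs."""
    if legacy_deny_rule(d, bind_dn, op, target_dn, attr):
        return False
    return is_allowed(d, bind_dn, op, target_dn, attr)


def build_sample_directory():
    """Constructed sample data (not real): one delegated zone, one undelegated zone."""
    d = Directory()
    users = f"cn=users,cn=accounts,{SUFFIX}"
    zone_perm = f"cn=Manage DNS zone example.test,{PBAC}"  # what dnszone-add-permission would create (name assumed)
    d.add(TREE_WIDE["read"], objectClass=["groupofnames"], member=[f"uid=reader,{users}"])
    d.add(zone_perm, objectClass=["groupofnames"], member=[f"uid=zoneadmin,{users}"])
    d.add(f"idnsname=example.test,{DNS_BASE}", objectClass=["idnszone", "ipadnszone"],
          managedBy=[zone_perm], idnsSOAserial=["2012062801"])
    d.add(f"idnsname=www,idnsname=example.test,{DNS_BASE}", objectClass=["idnsrecord"],
          aRecord=["192.0.2.10"])
    d.add(f"idnsname=other.test,{DNS_BASE}", objectClass=["idnszone"])
    return d
```

With `build_sample_directory()`, `uid=zoneadmin` can add, change and delete records under `example.test` and edit the zone's own attributes, but cannot delete the zone, cannot touch `managedBy`, and has no access to `other.test`; `uid=reader` keeps tree-wide read through the old permission. Running the same read through `is_allowed_under_legacy_deny` shows the zone admin locked out, which is the situation the removed deny ACI would have produced.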
05rfc2247.ldif Incorporate new schema for IPAv2 2009-02-11 17:13:41 -05:00
60basev2.ldif schema: Split ipadns definitions from basev2 ones 2011-08-26 08:26:13 -04:00
60basev3.ldif Add separate attribute to store trusted domain SID 2012-06-07 09:39:09 +02:00
60ipaconfig.ldif Add SELinux user mapping framework. 2011-12-09 16:46:25 +02:00
60ipadns.ldif Per-domain DNS record permissions 2012-06-28 15:21:21 +02:00
60kerberos.ldif Add support for account unlocking 2011-01-28 10:23:02 -05:00
60policyv2.ldif Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
60samba.ldif Update samba LDAP schema 2011-09-20 17:27:40 -04:00
61kerberos-ipav3.ldif Perform case-insensitive searches for principals on TGS requests 2012-06-07 09:39:10 +02:00
65ipasudo.ldif Add support for sudoOrder 2012-03-01 21:02:33 -05:00
anonymous-vlv.ldif Let anonymous users browse the VLV index 2009-07-10 16:45:45 -04:00
automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
bind.named.conf.template Let Bind track data changes 2011-08-31 16:46:12 +02:00
bind.zone.db.template Add new DNS install argument for setting the zone mgr e-mail addr. 2010-09-23 12:00:12 -04:00
bootstrap-template.ldif Add separate attribute to store trusted domain SID 2012-06-07 09:39:09 +02:00
caJarSigningCert.cfg.template Add signing profile to CA installation so we can sign the firefox jar file. 2009-05-04 16:54:42 -04:00
certmap.conf.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
default-aci.ldif Remove ipaNTHash from global allow ACI 2012-06-26 21:28:25 +02:00
default-hbac.ldif UUIDs: remove uuid python plugin and let DS always autogenerate 2010-10-28 07:58:31 -04:00
delegation.ldif Don't allow "Modify Group membership" permission to manage admins 2012-02-23 11:05:52 +01:00
dna.ldif id ranges: change DNA configuration 2010-11-22 12:42:16 -05:00
dns.ldif Per-domain DNS record permissions 2012-06-28 15:21:21 +02:00
ds-nfiles.ldif Autotune directory server to use a greater number of files 2010-11-22 12:42:16 -05:00
encrypted_attribute.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
entryusn.ldif Address entryusn initialization on replica installation 2011-01-28 13:58:43 -05:00
fedora-ds.init.patch Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
host_nis_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
indices.ldif - index the fqdn and macAddress attributes for the sake of the compat plugin 2012-04-26 09:00:11 +02:00
kdc_extensions.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc_req.conf.template Add support for configuring KDC certs for PKINIT 2010-11-18 15:09:36 -05:00
kdc.conf.template ipa-kdb: Change install to use the new ipa-kdb kdc backend 2011-08-26 08:24:50 -04:00
kerberos.ldif install: Remove uid=kdc user 2011-08-26 08:24:50 -04:00
key_escrow_schema.ldif Re-number some attributes to compress our usage to be contiguous 2010-05-27 10:50:49 -04:00
krb5.conf.template Fix installation when server hostname is not in a default domain 2012-04-08 20:35:10 -04:00
krb5.ini.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krb.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krbrealm.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
ldapi.ldif Enable ldapi connections in the management framework. 2009-08-27 13:36:58 -04:00
Makefile.am Perform case-insensitive searches for principals on TGS requests 2012-06-07 09:39:10 +02:00
managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
master-entry.ldif Use FQDN in place of FQHN for consistency in sub_dict. 2012-02-15 20:27:34 -05:00
memberof-conf.ldif Display user and host membership in netgroups. 2010-11-24 08:38:41 -05:00
memberof-task.ldif Wait for memberof task and DS to start before proceeding in installation. 2011-04-22 11:43:50 +02:00
modrdn-krbprinc.ldif The precendence on the modrdn plugin was set in the wrong location. 2011-09-13 17:36:59 +02:00
nis.uldif - add a pair of ethers maps for computers with hardware addresses on file 2012-04-26 09:00:22 +02:00
preferences.html.template Set network.http.sendRefererHeader to 2 on browser config 2012-06-22 10:44:45 +02:00
referint-conf.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
replica-acis.ldif Fix replica setup using replication admin kerberos credentials 2011-03-01 11:02:55 -05:00
replica-automember.ldif 34 Create FreeIPA CLI Plugin for the 389 Auto Membership plugin 2011-08-31 09:49:43 +02:00
replica-s4u2proxy.ldif Defer adding ipa-cifs-delegation-targets until the Updates phase. 2012-06-27 16:50:02 +02:00
repoint-managed-entries.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
root-autobind.ldif Remove root autobind search restriction, fix upgrade logging & error handling. 2011-06-13 09:51:05 +02:00
schema_compat.uldif - create a "cn=computers" compat area populated with ieee802Device entries corresponding to computers with fqdn and macAddress attributes 2012-04-26 09:00:17 +02:00
smb.conf.empty Add trust management for Active Directory trusts 2012-06-07 09:39:09 +02:00
smb.conf.template Add trust-related ACIs 2012-06-07 09:39:10 +02:00
sudobind.ldif Create default disabled sudo bind user 2011-02-23 15:32:24 -05:00
unique-attributes.ldif Fixed cn attribute in ipaUniqueID uniqueness config. 2011-02-16 19:38:18 -05:00
user_private_groups.ldif Move Managed Entries into their own container in the replicated space. 2011-09-12 16:28:27 -04:00
uuid-ipauniqueid.ldif UUIDs: remove uuid python plugin and let DS always autogenerate 2010-10-28 07:58:31 -04:00
wsgi.py Tweak the session auth to reflect developer consensus. 2012-02-27 05:54:29 -05:00