New features in bind-dyndb-ldap and the IPA DNS plugin pulled in new attributes and objectclasses. ACIs and permissions need to be updated to allow users with the appropriate permissions to update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update the global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510
# Add missing member values to attach permissions to their respective
# privileges and run a memberOf task.
dn: cn=add dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=remove dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX
addifexist:member: 'cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX'
addifexist:member: 'cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX'
dn: cn=Update PBAC memberOf $TIME, cn=memberof task, cn=tasks, cn=config
add: objectClass: top
add: objectClass: extensibleObject
add: cn: IPA PBAC memberOf $TIME
add: basedn: 'cn=privileges,cn=pbac,$SUFFIX'
add: filter: (objectclass=*)
add: ttl: 10
# add idnsConfigObject if it is not there already
dn: cn=dns, $SUFFIX
addifexist: objectClass: idnsConfigObject
# update DNS ACIs with the new idnsRecord attributes: the replaced ACI keeps the same target (idnsname=*,cn=dns,$SUFFIX) and the same grantee ("update dns entries" permission), it only widens the list of attributes that permission may write
dn: $SUFFIX
replace:aci:'(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)::(targetattr = "idnsname || cn || idnsallowdynupdate || dnsttl || dnsclass || arecord || aaaarecord || a6record || nsrecord || cnamerecord || ptrrecord || srvrecord || txtrecord || mxrecord || mdrecord || hinforecord || minforecord || afsdbrecord || sigrecord || keyrecord || locrecord || nxtrecord || naptrrecord || kxrecord || certrecord || dnamerecord || dsrecord || sshfprecord || rrsigrecord || nsecrecord || idnsname || idnszoneactive || idnssoamname || idnssoarname || idnssoaserial || idnssoarefresh || idnssoaretry || idnssoaexpire || idnssoaminimum || idnsupdatepolicy || idnsallowquery || idnsallowtransfer || idnsallowsyncptr || idnsforwardpolicy || idnsforwarders")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "permission:update dns entries";allow (write) groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,$SUFFIX";)'