cf8f2f8 Forbid public access to DNS tree

2 files. Authored by mkosek 11 years ago, committed by rcritten 11 years ago.
    Forbid public access to DNS tree
    
    With a publicly accessible DNS tree in LDAP, anyone with access
    to the LDAP server can get all DNS data, as with a zone transfer,
    which is already restricted with an ACL. Making the DNS tree not
    readable to the public is a common security practice and should
    be applied in FreeIPA as well.
    
    This patch adds a new deny rule to forbid access to the DNS tree
    to users or hosts without an appropriate permission or to users
    that are not members of the admins group. The new permission/ACI
    is applied both for new installs and upgraded servers.
    
    The bind-dyndb-ldap plugin is allowed to read the DNS tree without
    any change because its principal is already a member of the "DNS
    Servers" privilege.
    
    https://fedorahosted.org/freeipa/ticket/2569
    
file modified
+12 -0
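For reference, this is what such a deny rule looks like in 389 Directory Server ACI syntax, written here as an added illustration and not as the ACI this commit actually ships (the diff itself is not reproduced on this page). The suffix dc=example,dc=com, the permission name "Read DNS Entries" and the exact group and permission DNs are assumptions chosen for the example.

```ldif
# Added example, not the commit's own ACI. Deny read/search/compare on
# the DNS subtree to every bind identity that is neither a member of the
# admins group nor granted the (assumed) "Read DNS Entries" permission.
# The suffix and all DNs below are placeholders.
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "No access to DNS tree without a permission"; deny (read,search,compare) (groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com") and (groupdn != "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=example,dc=com");)
```

In 389-ds a matching deny ACI wins over any allow ACI, so every identity that legitimately needs the tree, including the bind-dyndb-ldap principal that the commit message says reaches it through the "DNS Servers" privilege, must be covered by one of the excluded groupdn clauses; anything not covered is locked out together with anonymous binds. To verify the effect after applying it, an anonymous simple bind such as `ldapsearch -x -H ldap://ipa.example.com -b cn=dns,dc=example,dc=com` should return no DNS entries (or "No such object"), while the same search run with `-Y GSSAPI` as a member of admins should still list them.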