Ticket #2215 added new attributes (idnsAllowQuery, idnsAllowTransfer, idnsAllowSyncPTR, idnsForwardPolicy, idnsForwardPolicy, idnsZoneRefresh, idnsPersistentSearch) that add new features to the bind-dyndb-ldap plugin.
We need to update DNS ACIs so that non-admin users with appropriate permissions can change these settings.
I would propose to update permission "update dns entries" with the new attributes and create a new permission for global DNS configuration updates.
How to test:
Before the update, a user with the DNS Administrators privilege won't be able to update the new attributes, like DNS zone forwarders or forward policy (the list is in the ticket description):

# ipa user-add --first=Foo --last=Bar fbar
# ipa passwd fbar
# ipa role-add dnsrole --desc=foo
# ipa role-add-privilege dnsrole --privileges="DNS Administrators"
# ipa role-add-member dnsrole --users=fbar
# kinit fbar
# ipa dnszone-add example.com --name-server=`hostname`
Administrator e-mail address [hostmaster.example.com.]:
  Zone name: example.com
  Authoritative nameserver: vm-068.idm.lab.bos.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012140301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@vm-068 ~]# ipa dnszone-mod example.com --dynamic-update=TRUE
  Zone name: example.com
  Authoritative nameserver: vm-068.idm.lab.bos.redhat.com.
  Administrator e-mail address: hostmaster.example.com.
  SOA serial: 2012140301
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: TRUE
  Allow query: any;
  Allow transfer: none;
# ipa dnszone-mod example.com --forwarder=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwarders' attribute of entry 'idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
# ipa dnszone-mod example.com --forward-policy=only
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwardPolicy' attribute of entry 'idnsname=example.com,cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
# ipa dnsconfig-mod --forwarder=10.0.0.1
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'idnsForwarders' attribute of entry 'cn=dns,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.
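The "Insufficient 'write' privilege" errors above are what 389-DS returns when the permission's ACI does not grant write on an attribute. As an added example (not part of the ticket or of FreeIPA's own code), the Python below parses the targetattr and allow(...) clauses of a 389-DS ACI and reports which of the ticket's new attributes a permission still cannot write, which is a quick way to audit a permission before and after a change like the one proposed here. The two ACI strings are constructed samples that only mimic the shape of a FreeIPA permission ACI; the group DN under dc=example,dc=com is a placeholder, and a missing targetattr clause is treated conservatively as granting no attribute write.

```python
import re

# The attributes ticket #2215 introduced (names taken from the ticket text).
NEW_DNS_ATTRS = [
    "idnsAllowQuery", "idnsAllowTransfer", "idnsAllowSyncPTR",
    "idnsForwardPolicy", "idnsZoneRefresh", "idnsPersistentSearch",
]

# Constructed sample ACIs in 389-DS syntax. They illustrate the shape of a
# FreeIPA permission ACI and are NOT the ACIs FreeIPA actually ships.
ACI_BEFORE = (
    '(targetattr = "idnsname || cn || idnssoamname || idnsforwarders || '
    'idnszoneactive || idnsallowdynupdate")'
    '(version 3.0;acl "permission:update dns entries";allow (write) '
    'groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,dc=example,dc=com";)'
)
ACI_AFTER = (
    '(targetattr = "idnsname || cn || idnssoamname || idnsforwarders || '
    'idnszoneactive || idnsallowdynupdate || idnsallowquery || idnsallowtransfer || '
    'idnsallowsyncptr || idnsforwardpolicy || idnszonerefresh || idnspersistentsearch")'
    '(version 3.0;acl "permission:update dns entries";allow (write) '
    'groupdn = "ldap:///cn=update dns entries,cn=permissions,cn=pbac,dc=example,dc=com";)'
)

# targetattr accepts "=" (listed attributes match) or "!=" (all but the listed ones match)
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
_ALLOW = re.compile(r'\ballow\s*\(([^)]*)\)', re.IGNORECASE)


def granted_rights(aci):
    """Lowercase set of rights granted by every allow(...) clause in the ACI."""
    rights = set()
    for clause in _ALLOW.findall(aci):
        rights.update(r.strip().lower() for r in clause.split(",") if r.strip())
    return rights


def attribute_writable(aci, attr):
    """True if the ACI grants 'write' (or 'all') on the named attribute.

    Attribute names are compared case-insensitively, as LDAP does. The three
    targetattr forms are handled: an explicit "a || b" list, the "*" wildcard,
    and the negated targetattr != "..." form. An ACI without a targetattr
    clause is treated as granting no attribute write (conservative choice for
    an audit; it does not model every 389-DS default).
    """
    if not ({"write", "all"} & granted_rights(aci)):
        return False
    m = _TARGETATTR.search(aci)
    if not m:
        return False
    op, raw = m.group(1), m.group(2)
    listed = {a.strip().lower() for a in raw.split("||") if a.strip()}
    if op == "!=":
        return attr.lower() not in listed
    return "*" in listed or attr.lower() in listed


def missing_write_attrs(aci, wanted=NEW_DNS_ATTRS):
    """Attributes in `wanted` (original order) that members of the permission
    cannot write under this ACI; an empty list means the ACI covers them all."""
    return [a for a in wanted if not attribute_writable(aci, a)]


if __name__ == "__main__":
    for label, aci in (("before", ACI_BEFORE), ("after", ACI_AFTER)):
        print(label, "- not writable:", missing_write_attrs(aci) or "none")
```

Run against the real ACIs (for example the aci values read from the permission's entry with ldapsearch), the "before" output is exactly the set of attributes that produce the errors in the test above; the same function also shows why a separate ACI targeting cn=dns is needed for dnsconfig-mod, since an ACI on the zone entries never covers the global configuration entry.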
attachment freeipa-mkosek-236-amend-permissions-for-new-dns-attributes.patch
Patch freeipa-mkosek-236-amend-permissions-for-new-dns-attributes.patch sent for review
master: b944ad4
ipa-2-2: a7a0c34
Metadata Update from @mkosek:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/03