After a new installation, the ACIs defined on cn=dns,$SUFFIX contain the following:
aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=test" or userattr = "parent[0,1].managedby#GROUPDN";)
but this ACI is (intentionally) removed by ipa-server-upgrade and replaced by:
aci: (targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
The installation should define the good ACI right from the start.
The ACIs added during the installation are defined in install/share/dns.ldif, and the update applies install/updates/40-dns.update.
Version: IPA 4.9.9-1, but the issue has been present for a long time; also seen in IPA 4.6.8 on RHEL 7.9.
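To audit which of the two ACIs a server actually carries on cn=dns, here is an added example (not FreeIPA's own code) that parses the 389-ds ACI syntax shown above and flags the install-time rule the upgrade removes. The LDIF sample is constructed to mimic an ldapsearch result with unwrapped lines; only the two aci values come from this report.

```python
import re
from dataclasses import dataclass

# Constructed sample: the shape of an `ldapsearch -b cn=dns,$SUFFIX aci` result
# on a fresh install, with LDIF line folding already undone. Only the aci values
# are taken from the report; the dn suffix dc=ipa,dc=test matches them.
FRESH_INSTALL_LDIF = """\
dn: cn=dns,dc=ipa,dc=test
aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search,compare) groupdn = "ldap:///cn=Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=test" or userattr = "parent[0,1].managedby#GROUPDN";)
aci: (targetattr = "*")(version 3.0; acl "Read DNS entries from a zone"; allow (read,search,compare) userattr = "parent[0,1].managedby#GROUPDN";)
"""

# Matches the ACI layout used on this page: one targetattr clause, then a
# version 3.0 body with a named acl, an allow/deny rights list and a bind rule.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*(?P<bind>.*);\)$'
)

@dataclass
class Aci:
    name: str
    targetattr: str
    effect: str
    rights: list
    groupdns: list    # DNs named by groupdn = "ldap:///..." bind rules
    userattrs: list   # userattr = "..." bind rules (e.g. parent[0,1].managedby#GROUPDN)

def parse_aci(value):
    m = ACI_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised ACI syntax: {value!r}")
    bind = m.group("bind")
    return Aci(
        name=m.group("name"),
        targetattr=m.group("targetattr"),
        effect=m.group("effect"),
        rights=[r.strip() for r in m.group("rights").split(",")],
        groupdns=re.findall(r'groupdn\s*=\s*"ldap:///([^"]*)"', bind),
        userattrs=re.findall(r'userattr\s*=\s*"([^"]*)"', bind),
    )

def acis_from_ldif(ldif):
    return [parse_aci(line[len("aci: "):])
            for line in ldif.splitlines() if line.startswith("aci: ")]

def stale_install_acis(ldif):
    """Names of ACIs matching the install-time rule ipa-server-upgrade removes:
    an allow on every attribute that binds to the 'Read DNS Entries' permission group."""
    return [a.name for a in acis_from_ldif(ldif)
            if a.effect == "allow" and a.targetattr == "*"
            and any(g.startswith("cn=Read DNS Entries,") for g in a.groupdns)]
```

An empty result from stale_install_acis means the entry already carries only the post-upgrade rule.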
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6298
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)