On Tue, 2012-02-14 at 09:10 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Tue, 2012-02-14 at 12:09 +0100, Martin Kosek wrote:
> >> A new version of bind-dyndb-ldap has been released, sending fixed
> >> patches with the following major changes:
> >> - Since bind-dyndb-ldap supports only the idnsForwarders global option at
> >> this time, all other global options were removed from the API. They were
> >> left in the schema though, so that the schema is consistent with the
> >> schema supported by bind-dyndb-ldap and support for these options can be
> >> added more seamlessly in the future
> >> - The idnsAllowQuery and idnsAllowTransfer format has changed to follow the
> >> BIND format (ACI elements separated with semicolons). An example of such
> >> an element:
> >>
> >> ipa dnszone-mod example.com --allow-query="10.0.0.1;!10.0.0.0/8;any;"
> >>
> >> This ACI would forbid machines with any IP from the 10.0.0.0/8 network
> >> besides 10.0.0.1 from querying the name server. All other machines are
> >> allowed to issue queries.
> >
> > Any good reason why this is not a multi-value attribute ?
> > Do these ACIs need to be ordered ? (that would be probably a good
> > reason).
> 
> That's exactly it!
> 
> rob
> 

Yup. The previous release of bind-dyndb-ldap followed the multi-valued LDAP
attribute format, but we found out that we cannot do it this way, as the
ACI list needs to be ordered.

When bind evaluates whether it should allow/reject a query/transfer request, it
simply traverses the ACI list one element at a time and accepts the result of
the first match, i.e. the order is crucial there.

Martin
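The first-match evaluation described above, as an added example that is not part of the original mail, of bind-dyndb-ldap, or of BIND itself. It is a small Python model of how a BIND-style address match list such as "10.0.0.1;!10.0.0.0/8;any;" is evaluated: elements are walked in order, a "!" element that matches denies, a plain element that matches allows, and a list with no match denies. The is_order_sensitive helper and the sample client addresses are constructed for illustration; they show why an unordered multi-valued LDAP attribute cannot carry this list.

```python
import itertools
import ipaddress

# The example ACL from the mail (constructed sample input for this demo).
EXAMPLE_ACL = "10.0.0.1;!10.0.0.0/8;any;"


def parse_acl(spec):
    """Parse 'elem;elem;...' into an ordered list of (negated, target).

    target is the string 'any' or 'none', or an ip_network; a bare address
    becomes a host network (/32 or /128). Order is preserved on purpose.
    """
    elements = []
    for raw in spec.split(";"):
        token = raw.strip()
        if not token:
            continue
        negated = token.startswith("!")
        if negated:
            token = token[1:].strip()
        if token in ("any", "none"):
            elements.append((negated, token))
        else:
            elements.append((negated, ipaddress.ip_network(token, strict=False)))
    return elements


def evaluate_acl(spec, client):
    """Return True if client is allowed by spec, False otherwise.

    Walks the list top to bottom and stops at the first element that matches
    the client address; a negated match denies, a plain match allows. If no
    element matches, the request is denied (BIND's default for allow-query).
    """
    addr = ipaddress.ip_address(client)
    for negated, target in parse_acl(spec):
        if target == "any":
            matched = True
        elif target == "none":
            matched = False
        else:
            # An IPv4 address never matches an IPv6 prefix and vice versa.
            matched = addr.version == target.version and addr in target
        if matched:
            return not negated
    return False


def is_order_sensitive(spec, client):
    """True if shuffling the elements of spec changes the verdict for client.

    Models what would happen if the list were stored as an unordered LDAP
    multi-valued attribute. Tries every permutation, so keep spec short.
    """
    tokens = [t.strip() for t in spec.split(";") if t.strip()]
    verdicts = set()
    for order in itertools.permutations(tokens):
        verdicts.add(evaluate_acl(";".join(order) + ";", client))
    return len(verdicts) > 1


if __name__ == "__main__":
    for client in ("10.0.0.1", "10.1.2.3", "192.168.1.5"):
        print(client, "allowed" if evaluate_acl(EXAMPLE_ACL, client) else "denied")
    print("order matters for 10.0.0.1:", is_order_sensitive(EXAMPLE_ACL, "10.0.0.1"))
```

With the elements reversed to "!10.0.0.0/8;10.0.0.1;any;", the negated /8 is reached first and 10.0.0.1 is denied, which is the behaviour the thread is avoiding by storing the list as one ordered string.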

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel