Hi,

> idnsUpdatePolicy is the attribute in LDAP to store update-policy.

Ah, thanks! Seems to be missing in the documentation.

I see that the setting has an effect because I can use it to grant all updates on the zone - however, I cannot get it to do the following:

I have a host authenticating as host/foo.example....@example.com. I want this host to be able to update *.foo.example.com. Now there exist quite a few different versions of the grant statement, and I tried the following:

    grant EXAMPLE.COM krb5-subdomain . ANY
    grant EXAMPLE.COM krb5-subdomain * ANY
    grant EXAMPLE.COM krb5-subdomain *.example.com. ANY

However, I cannot seem to get it to grant a subdomain update. I can get this to work, though:

    grant EXAMPLE.COM krb5-self * ANY

I am a bit confused, because I found some sources saying krb5-self and krb5-subdomain both append the realm to the host name, which would result in foo.example.com.example.com in the above example. However, this would mean the krb5-self example above would also not have worked for me…

Any hints on how I really get BIND to accept updates on all subdomains of the FQDN that authenticated?

-nik