Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-05 Thread Martin Kosek
On 06/03/2016 12:51 PM, Martin Basti wrote:
> 
> 
> On 03.06.2016 08:53, Petr Spacek wrote:
>> On 2.6.2016 17:53, Martin Basti wrote:
>>> 
 Typo - redundant ' ' at the end.


 Conditional NACK, warnings mentioned in
 http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
 are not there.

 I'm open to changing this to ACK if you open a separate ticket for this
 omission so we do not forget to add them later on.
>>> I forgot to add, this will be in the next batch of patches (you may see that
>>> DNS servers are not marked in the output of location show); I do not see a
>>> reason to open a ticket when the current one is not finished.
>>>
>>> +1
>>>
 Done

>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved to
>>> location_show.post_callback()
>>>
 I had to add it to execute because I modify the result entry, not just
 entry_attrs.

>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
>>> that it is not displayed with --all.
>>>
>>>
 Done

>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I would
>>> like to reserve --force for "ignore NotFound when deleting the entry", which
>>> is not the case here.
>> IMHO the option is unnecessary. Just delete the location (and unset location
>> from all member servers). The design does not contain --force anyway :-)
> OK, that's even better :-)
>
 Done

 Updated patches attached
>> I had to add the top object class to the plugin and tests to make the tests
>> pass. Patch is attached.
>>
>> CondACK: Fix this before pushing somehow.
>>
> 
> Updated and heavily rebased patches attached.

Hi guys,

I saw the patches were merged, great! I just noticed that you added referential
integrity for the dnslocation attribute. In that case, you will also want to add
an EQ and PRES index for it, to keep performance at a reasonable level. Or was
the omission of the index already discussed and justified?

Thanks,
Martin

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
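Martin's point above, that an attribute covered by referential integrity needs an index, can be turned into a check. The block below is an added example, not code from this thread or from FreeIPA: it parses a constructed cn=config export, lists the attributes the 389-DS referential integrity plugin maintains (the `referint-membership-attr` form), reports which of them lack the eq and pres indexes, and renders an update stanza in the `default:` style of the 40-delegation.update hunk quoted later in the thread. The attribute name `dnslocation` comes from the message; the backend name `userRoot`, the sample entries and the stanza layout are assumptions.

```python
# Constructed sample of a 389-DS cn=config export (not from a real server): referint
# manages three attributes; `member` has eq+pres, `manager` lacks pres, `dnslocation`
# has no index entry at all.
SAMPLE_CONFIG_LDIF = """\
dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
referint-membership-attr: member
referint-membership-attr: manager
referint-membership-attr: dnslocation

dn: cn=member,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: member
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres

dn: cn=manager,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: manager
objectClass: top
objectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
"""

REFERINT_DN = "cn=referential integrity postoperation,cn=plugins,cn=config"

def parse_ldif(text):
    """Minimal LDIF reader: [(dn, {attr_lowercased: [values]})]; base64 values rejected."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]            # RFC 2849 line folding
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                    # blank line ends an entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or value.startswith(":") or (name != "dn" and current is None):
            raise ValueError(f"unsupported LDIF line: {line!r}")
        if name == "dn":
            current = (value, {})
        else:
            current[1].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries

def referint_attributes(entries):
    """Attributes referint rewrites on delete/modrdn (`referint-membership-attr`
    form only; the legacy `nsslapd-pluginArgN` form is not handled here)."""
    for dn, attrs in entries:
        if dn.lower() == REFERINT_DN:
            return [v.lower() for v in attrs.get("referint-membership-attr", [])]
    return []

def index_types(entries, attr, backend="userRoot"):
    """nsIndexType values configured for `attr` in `backend` (empty set if none)."""
    wanted = f"cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config"
    for dn, attrs in entries:
        if dn.lower() == wanted.lower():
            return {v.lower() for v in attrs.get("nsindextype", [])}
    return set()

def missing_indexes(config_ldif, backend="userRoot", required=("eq", "pres")):
    """Map each referint-managed attribute to the index types it still lacks; without
    an eq index the plugin's `(attr=<deleted DN>)` search on every delete is unindexed."""
    entries = parse_ldif(config_ldif)
    report = {}
    for attr in referint_attributes(entries):
        have = index_types(entries, attr, backend)
        missing = [t for t in required if t not in have]
        if missing:
            report[attr] = missing
    return report

def render_index_update(attr, backend="userRoot", types=("eq", "pres")):
    """FreeIPA-style `.update` stanza; `default:` sets a value only when absent (as in the
    40-delegation.update hunk in this thread). Assumed layout, not from FreeIPA's files."""
    lines = [f"dn: cn={attr},cn=index,cn={backend},cn=ldbm database,cn=plugins,cn=config",
             f"default:cn: {attr}", "default:ObjectClass: top",
             "default:ObjectClass: nsIndex", "default:nsSystemIndex: false"]
    lines += [f"default:nsIndexType: {t}" for t in types]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for attr, missing in sorted(missing_indexes(SAMPLE_CONFIG_LDIF).items()):
        print(render_index_update(attr, types=missing))
```

Creating the index entry on a live 389-DS does not index values that already exist; a reindex task has to run before searches on the attribute use it, which is the reason to add the index in the same change that enables referential integrity for the attribute.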


Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-03 Thread Petr Spacek
On 3.6.2016 12:51, Martin Basti wrote:
> 
> 
> On 03.06.2016 08:53, Petr Spacek wrote:
>> On 2.6.2016 17:53, Martin Basti wrote:
>>> 
 Typo - redundant ' ' at the end.


 Conditional NACK, warnings mentioned in
 http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
 are not there.

 I'm open to changing this to ACK if you open a separate ticket for this
 omission so we do not forget to add them later on.
>>> I forgot to add, this will be in the next batch of patches (you may see that
>>> DNS servers are not marked in the output of location show); I do not see a
>>> reason to open a ticket when the current one is not finished.
>>>
>>> +1
>>>
 Done

>>> Patch 480:
>>>
>>> 1) The code in location_show.execute() looks like it could be moved to
>>> location_show.post_callback()
>>>
 I had to add it to execute because I modify the result entry, not just
 entry_attrs.

>>> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
>>> that it is not displayed with --all.
>>>
>>>
 Done

>>> Patch 481:
>>>
>>> 1) Could we rename --force to --nonempty (or something better)? I would
>>> like to reserve --force for "ignore NotFound when deleting the entry", which
>>> is not the case here.
>> IMHO the option is unnecessary. Just delete the location (and unset location
>> from all member servers). The design does not contain --force anyway :-)
> OK, that's even better :-)
>
 Done

 Updated patches attached
>> I had to add the top object class to the plugin and tests to make the tests
>> pass. Patch is attached.
>>
>> CondACK: Fix this before pushing somehow.
>>
> 
> Updated and heavily rebased patches attached.

ACK

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-03 Thread Martin Basti



On 03.06.2016 08:53, Petr Spacek wrote:

On 2.6.2016 17:53, Martin Basti wrote:



Typo - redundant ' ' at the end.


Conditional NACK, warnings mentioned in
http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
are not there.

I'm open to changing this to ACK if you open a separate ticket for this
omission so we do not forget to add them later on.

I forgot to add, this will be in the next batch of patches (you may see that
DNS servers are not marked in the output of location show); I do not see a
reason to open a ticket when the current one is not finished.


+1


Done


Patch 480:

1) The code in location_show.execute() looks like it could be moved to
location_show.post_callback()


I had to add it to execute because I modify the result entry, not just entry_attrs.


2) Before calling super().output_for_cli(), pop 'servers' from result, so
that it is not displayed with --all.



Done


Patch 481:

1) Could we rename --force to --nonempty (or something better)? I would like
to reserve --force for "ignore NotFound when deleting the entry", which is not
the case here.

IMHO the option is unnecessary. Just delete the location (and unset location from
all member servers). The design does not contain --force anyway :-)

OK, that's even better :-)


Done

Updated patches attached

I had to add the top object class to the plugin and tests to make the tests
pass. Patch is attached.

CondACK: Fix this before pushing somehow.



Updated and heavily rebased patches attached.
From 0ba65ac9702d04fdccab7809af51c166e82e3379 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges

DNS privileges are important for handling DNS locations, which can be
created without DNS servers in the IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration
 
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
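Review bot: both new privilege entries use a `description` that merely repeats the `cn` (`description: DNS Administrators`, `description: DNS Servers`), while the neighbouring context entry pairs `cn: Delegation Administrator` with a meaningful `description: Role administration`; a one-line statement of what each privilege grants would make privilege listings self-explanatory. Otherwise the move into delegation.ldif does what the commit message asks for: the entries are now created on every install rather than only when the DNS component is set up, and already-installed servers have to be covered by the 40-delegation.update hunk listed in the diffstat.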
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-ob
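Review bot: removing `cn=DNS Administrators` and `cn=DNS Servers` from dns.ldif means anything later in dns.ldif, or in the DNS installer, that adds members to those DNs now depends on delegation.ldif having been loaded first; that ordering assumption belongs in the commit message. The quoted hunk is cut off at `-ob`, so the rest of the removal cannot be checked from this copy; the hunk header's `-12,19 +12,3` accounts for 16 removed lines, which matches the two seven-line entries plus their two leading blank lines.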

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Petr Spacek
On 2.6.2016 17:53, Martin Basti wrote:
> 
>> Typo - redundant ' ' at the end.
>>
>>
>> Conditional NACK, warnings mentioned in
>> http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
>> are not there.
>>
>> I'm open to changing this to ACK if you open a separate ticket for this
>> omission so we do not forget to add them later on.
> I forgot to add, this will be in the next batch of patches (you may see that
> DNS servers are not marked in the output of location show); I do not see a
> reason to open a ticket when the current one is not finished.
> 
>
> +1
>
>> Done
>>
>
> Patch 480:
>
> 1) The code in location_show.execute() looks like it could be moved to
> location_show.post_callback()
>
>> I had to add it to execute because I modify the result entry, not just
>> entry_attrs.
>>
>
> 2) Before calling super().output_for_cli(), pop 'servers' from result, so
> that it is not displayed with --all.
>
>
>> Done
>>
> Patch 481:
>
> 1) Could we rename --force to --nonempty (or something better)? I would
> like to reserve --force for "ignore NotFound when deleting the entry", which
> is not the case here.

 IMHO the option is unnecessary. Just delete the location (and unset location
 from all member servers). The design does not contain --force anyway :-)
>>>
>>> OK, that's even better :-)
>>>
>> Done
>>
>> Updated patches attached

I had to add the top object class to the plugin and tests to make the tests
pass. Patch is attached.

CondACK: Fix this before pushing somehow.

-- 
Petr^2 Spacek
diff --git a/ipalib/plugins/location.py b/ipalib/plugins/location.py
index 3bf97fa..cf61094 100644
--- a/ipalib/plugins/location.py
+++ b/ipalib/plugins/location.py
@@ -58,7 +58,7 @@ class location(LDAPObject):
 container_dn = api.env.container_locations
 object_name = _('location')
 object_name_plural = _('locations')
-object_class = ['ipaLocationObject']
+object_class = ['ipaLocationObject', 'top']
 search_attributes = ['idnsName']
 default_attributes = [
 'idnsname', 'description'
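Review bot: `top` is appended after `ipaLocationObject`, whereas every entry in the LDIF hunks of this thread lists `objectClass: top` first; the directory does not care about the order, but the tracker hunk below hard-codes the same `[u'ipaLocationObject', u'top']` sequence, so the two have to be changed together. This diff is attached without a commit message, so the reason `top` was missing from `object_class` and which test failed without it should be recorded when the change is folded into the patch set.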
diff --git a/ipatests/test_xmlrpc/tracker/location_plugin.py b/ipatests/test_xmlrpc/tracker/location_plugin.py
index 5e9713c..086442d 100644
--- a/ipatests/test_xmlrpc/tracker/location_plugin.py
+++ b/ipatests/test_xmlrpc/tracker/location_plugin.py
@@ -73,7 +73,7 @@ class LocationTracker(Tracker):
 dn=self.dn,
 idnsname=[self.idnsname_obj],
 description=[self.description],
-objectclass=[u'ipaLocationObject'],
+objectclass=[u'ipaLocationObject', u'top'],
 )
 self.exists = True
 
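Review bot: the expected `objectclass` value is written as the ordered list `[u'ipaLocationObject', u'top']`; LDAP attribute values are unordered and the server may return `top` first, so if the harness compares lists positionally this expectation is fragile. Deriving the expected values from the plugin's `object_class`, or comparing them as a set, would avoid touching the tracker every time the object class list changes.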

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Martin Basti



Typo - redundant ' ' at the end.


Conditional NACK, warnings mentioned in
http://www.freeipa.org/page/V4/DNS_Location_Mechanism#CLI
are not there.

I'm open to changing this to ACK if you open a separate ticket for this
omission so we do not forget to add them later on.

I forgot to add, this will be in the next batch of patches (you may see that
DNS servers are not marked in the output of location show); I do not see a
reason to open a ticket when the current one is not finished.




+1


Done



Patch 480:

1) The code in location_show.execute() looks like it could be moved to
location_show.post_callback()

I had to add it to execute because I modify the result entry, not just
entry_attrs.




2) Before calling super().output_for_cli(), pop 'servers' from result, so that
it is not displayed with --all.



Done


Patch 481:

1) Could we rename --force to --nonempty (or something better)? I would like
to reserve --force for "ignore NotFound when deleting the entry", which is not
the case here.


IMHO the option is unnecessary. Just delete the location (and unset location from
all member servers). The design does not contain --force anyway :-)


OK, that's even better :-)


Done

Updated patches attached





Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Martin Basti



On 02.06.2016 15:03, Jan Cholasta wrote:

On 2.6.2016 14:39, Petr Spacek wrote:

On 2.6.2016 14:20, Jan Cholasta wrote:

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch 




From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 
2001

From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related 
privileges


DNS privileges are important for handling DNS locations, which can be
created without DNS servers in the IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif 
b/install/share/delegation.ldif

index
067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 


100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration

+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index
bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 


100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow 
read

access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 
3.0;acl "Add
DNS entries in a zone";allow (add) userattr = 
"parent[1].managedby#GROUPDN";)

 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
"Remove DNS entries from a zone";allow (delete) userattr =
"parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || 
aplrecord ||
arecord || certrecord || cn || cnamerecord || dhcidrecord || 
dlvrecord ||
dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || 
hiprecord

|| idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
idnsallowtransfer || idnsforwarders || idnsforwardpolicy || 
idnsname ||
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || 
idnssoamname ||

idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
kxrecord || locrecord || mdrecord || minforecord || mxrecord || 
naptrrecord
|| nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || 
ptrrecord ||

rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord ||
sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target =
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS 
entries in

a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
diff --git a/install/updates/37-locations.update
b/install/updates/37-locations.update
new file mode 100644
index
..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 



diff --git a/install/updates/40-delegation.update
b/install/updates/40-delegation.update
index
f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 


100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofn

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Martin Basti



On 02.06.2016 14:53, Martin Basti wrote:



On 02.06.2016 14:41, Pavel Vomacka wrote:


On 06/02/2016 02:20 PM, Jan Cholasta wrote:

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch 





Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Jan Cholasta

On 2.6.2016 14:39, Petr Spacek wrote:

On 2.6.2016 14:20, Jan Cholasta wrote:

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch


From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges

DNS privileges are important for handling DNS locations, which can be
created without DNS servers in the IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index
067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8
100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration

+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index
bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e
100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read
access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add
DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
"Remove DNS entries from a zone";allow (delete) userattr =
"parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || aplrecord ||
arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord ||
dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord
|| idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname ||
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname ||
idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord
|| nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord ||
rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord ||
sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target =
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in
a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
diff --git a/install/updates/37-locations.update
b/install/updates/37-locations.update
new file mode 100644
index
..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
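Review bot: `install/updates/37-locations.update` is added as an empty file (the diffstat shows `| 0`, and `e69de29bb2d1d6434b8b29ae775ad8c2e48c5391` is git's empty-blob id), so this commit ships a file that does nothing; either drop it from this commit or put the `# Locations - always create DNS related privileges` entries here instead of in 40-delegation.update, since the file name says that is where location-related updates belong.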

diff --git a/install/updates/40-delegation.update
b/install/updates/40-delegation.update
index
f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66
100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Servers
+default:descripti
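Review bot: every attribute in these two entries carries the `default:` prefix, which is the right choice for an upgrade path because values an administrator has already set are left alone, but the entries duplicate the ones added to delegation.ldif in the first hunk, so a comment pointing at delegation.ldif would help whoever next has to change both. The quoted hunk ends at `+default:descripti`, so the last line of the `DNS Servers` entry cannot be checked in this copy; the header's 16 added lines match two blank lines, the comment, the two six-line entries and the blank line between them.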

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Martin Basti



On 02.06.2016 14:41, Pavel Vomacka wrote:


On 06/02/2016 02:20 PM, Jan Cholasta wrote:

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch 




From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related 
privileges


DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need this
privileges presented for future feature 'External DNS support'

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif 
b/install/share/delegation.ldif
index 
067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 
100644

--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration

+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index 
bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 
100644

--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow 
read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 
3.0;acl "Add DNS entries in a zone";allow (add) userattr = 
"parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 
3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = 
"parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || 
aplrecord || arecord || certrecord || cn || cnamerecord || 
dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || 
dsrecord || hinforecord || hiprecord || idnsallowdynupdate || 
idnsallowquery || idnsallowsyncptr || idnsallowtransfer || 
idnsforwarders || idnsforwardpolicy || idnsname || 
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || 
idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || 
idnssoaserial || idnsupdatepolicy || idnszoneactive || 
ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || 
minforecord || mxrecord || naptrrecord || nsecrecord || 
nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord 
|| rrsigrecord || sigrecord || spfrecord || srvrecord || 
sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = 
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS 
entries in a zone";allow (write) userattr = "parent[0,1].managedby#!

GROUPDN";)

-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
new file mode 100644
index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: n

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Pavel Vomacka


On 06/02/2016 02:20 PM, Jan Cholasta wrote:

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch 




From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related 
privileges


DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration

+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow 
read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl 
"Add DNS entries in a zone";allow (add) userattr = 
"parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl 
"Remove DNS entries from a zone";allow (delete) userattr = 
"parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || 
aplrecord || arecord || certrecord || cn || cnamerecord || 
dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || 
dsrecord || hinforecord || hiprecord || idnsallowdynupdate || 
idnsallowquery || idnsallowsyncptr || idnsallowtransfer || 
idnsforwarders || idnsforwardpolicy || idnsname || 
idnssecinlinesigning || idnssoaexpire || idnssoaminimum || 
idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || 
idnssoaserial || idnsupdatepolicy || idnszoneactive || 
ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || 
minforecord || mxrecord || naptrrecord || nsecrecord || 
nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord 
|| rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord 
|| tlsarecord || txtrecord || unknownrecord ")(target = 
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS 
entries in a zone";allow (write) userattr = "parent[0,1].managedby#!

GROUPDN";)

-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
new file mode 100644
index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Servers
+default:

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Petr Spacek
On 2.6.2016 14:20, Jan Cholasta wrote:
> On 2.6.2016 14:06, Petr Spacek wrote:
>> On 1.6.2016 18:00, Martin Basti wrote:
>>> 
>>>
>>> updated patches attached
>>>
>>> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
>>>
>>>
>>> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
>>> From: Martin Basti 
>>> Date: Wed, 4 May 2016 17:33:52 +0200
>>> Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges
>>>
>>> DNS privileges are important for handling DNS locations which can be
>>> created without DNS servers in IPA topology. We will also need these
>>> privileges present for the future feature 'External DNS support'.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2008
>>> ---
>>>  install/share/delegation.ldif| 16 
>>>  install/share/dns.ldif   | 16 
>>>  install/updates/37-locations.update  |  0
>>>  install/updates/40-delegation.update | 16 
>>>  4 files changed, 32 insertions(+), 16 deletions(-)
>>>  create mode 100644 install/updates/37-locations.update
>>>
>>> diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
>>> index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
>>> --- a/install/share/delegation.ldif
>>> +++ b/install/share/delegation.ldif
>>> @@ -80,6 +80,22 @@ objectClass: nestedgroup
>>>  cn: Delegation Administrator
>>>  description: Role administration
>>>
>>> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
>>> +changetype: add
>>> +objectClass: top
>>> +objectClass: groupofnames
>>> +objectClass: nestedgroup
>>> +cn: DNS Administrators
>>> +description: DNS Administrators
>>> +
>>> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
>>> +changetype: add
>>> +objectClass: top
>>> +objectClass: groupofnames
>>> +objectClass: nestedgroup
>>> +cn: DNS Servers
>>> +description: DNS Servers
>>> +
>>>  dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
>>>  changetype: add
>>>  objectClass: top
>>> diff --git a/install/share/dns.ldif b/install/share/dns.ldif
>>> index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
>>> --- a/install/share/dns.ldif
>>> +++ b/install/share/dns.ldif
>>> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read
>>> access"; allow (read,search
>>>  aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add
>>> DNS entries in a zone";allow (add) userattr = 
>>> "parent[1].managedby#GROUPDN";)
>>>  aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl
>>> "Remove DNS entries from a zone";allow (delete) userattr =
>>> "parent[1].managedby#GROUPDN";)
>>>  aci: (targetattr = "a6record || record || afsdbrecord || aplrecord ||
>>> arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord ||
>>> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord
>>> || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr ||
>>> idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname ||
>>> idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname ||
>>> idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
>>> idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord ||
>>> kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord
>>> || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord ||
>>> rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord ||
>>> sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target =
>>> "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in
>>> a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
>>> -
>>> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
>>> -changetype: add
>>> -objectClass: top
>>> -objectClass: groupofnames
>>> -objectClass: nestedgroup
>>> -cn: DNS Administrators
>>> -description: DNS Administrators
>>> -
>>> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
>>> -changetype: add
>>> -objectClass: top
>>> -objectClass: groupofnames
>>> -objectClass: nestedgroup
>>> -cn: DNS Servers
>>> -description: DNS Servers
>>> diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
>>> new file mode 100644
>>> index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
>>>
>>> diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
>>> index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
>>> --- a/install/updates/40-delegation.update
>>> +++ b/install/updates/40-delegation.update
>>> @@ -274,3 +274,19 @@ default:objectClass: groupofnames
>>>  default:objectClass: top
>>>  default:cn: Vault Administrators
>>>  default:description: Vault Administrators
>>> +
>>> +
>>> +# Locations - always create DNS related 

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Jan Cholasta

On 2.6.2016 14:06, Petr Spacek wrote:

On 1.6.2016 18:00, Martin Basti wrote:



updated patches attached

freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch


From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges

DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration

+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read 
access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a 
zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from 
a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || 
cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || 
hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || 
idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || 
idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || 
ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || 
nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || 
spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = 
"ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow 
(write) userattr = "parent[0,1].managedby#!

GROUPDN";)

-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
new file mode 100644
index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Servers
+default:description: DNS Servers
-- 2.5.5


freeipa-mbasti-0474.6-DNS-Lo

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-02 Thread Petr Spacek
On 1.6.2016 18:00, Martin Basti wrote:
> 
> 
> updated patches attached
> 
> freeipa-mbasti-0473.6-DNS-Locations-Always-create-DNS-related-privileges.patch
> 
> 
> From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
> From: Martin Basti 
> Date: Wed, 4 May 2016 17:33:52 +0200
> Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges
> 
> DNS privileges are important for handling DNS locations which can be
> created without DNS servers in IPA topology. We will also need these
> privileges present for the future feature 'External DNS support'.
> 
> https://fedorahosted.org/freeipa/ticket/2008
> ---
>  install/share/delegation.ldif| 16 
>  install/share/dns.ldif   | 16 
>  install/updates/37-locations.update  |  0
>  install/updates/40-delegation.update | 16 
>  4 files changed, 32 insertions(+), 16 deletions(-)
>  create mode 100644 install/updates/37-locations.update
> 
> diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
> index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
> --- a/install/share/delegation.ldif
> +++ b/install/share/delegation.ldif
> @@ -80,6 +80,22 @@ objectClass: nestedgroup
>  cn: Delegation Administrator
>  description: Role administration
>  
> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: groupofnames
> +objectClass: nestedgroup
> +cn: DNS Administrators
> +description: DNS Administrators
> +
> +dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
> +changetype: add
> +objectClass: top
> +objectClass: groupofnames
> +objectClass: nestedgroup
> +cn: DNS Servers
> +description: DNS Servers
> +
>  dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
>  changetype: add
>  objectClass: top
> diff --git a/install/share/dns.ldif b/install/share/dns.ldif
> index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
> --- a/install/share/dns.ldif
> +++ b/install/share/dns.ldif
> @@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read 
> access"; allow (read,search
>  aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS 
> entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
>  aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove 
> DNS entries from a zone";allow (delete) userattr = 
> "parent[1].managedby#GROUPDN";)
>  aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || 
> arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || 
> dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || 
> idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer 
> || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || 
> idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || 
> idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || 
> idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || 
> mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || 
> nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || 
> rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || 
> tlsarecord || txtrecord || unknownrecord ")(target = 
> "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a 
> zone";allow (write) userattr = "parent[0,1].managedby#G!
 ROUPDN";)
> -
> -dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
> -changetype: add
> -objectClass: top
> -objectClass: groupofnames
> -objectClass: nestedgroup
> -cn: DNS Administrators
> -description: DNS Administrators
> -
> -dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
> -changetype: add
> -objectClass: top
> -objectClass: groupofnames
> -objectClass: nestedgroup
> -cn: DNS Servers
> -description: DNS Servers
> diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
> new file mode 100644
> index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
> diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
> index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
> --- a/install/updates/40-delegation.update
> +++ b/install/updates/40-delegation.update
> @@ -274,3 +274,19 @@ default:objectClass: groupofnames
>  default:objectClass: top
>  default:cn: Vault Administrators
>  default:description: Vault Administrators
> +
> +
> +# Locations - always create DNS related privileges
> +dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
> +default:objectClass: top
> +default:objectClass: groupofnames
> +default:objectClass: nestedgroup
> +default:cn: DNS Administrators
> +default:description: DNS Administrators
> +
> +dn: cn=DNS Servers,cn=privileg

Re: [Freeipa-devel] [PATCH 0473-0476, 0478-0482]DNS Locations: Prologue

2016-06-01 Thread Martin Basti



updated patches attached
From 549379a36281d80818fca4ec929d499efafda044 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 4 May 2016 17:33:52 +0200
Subject: [PATCH 1/4] DNS Locations: Always create DNS related privileges

DNS privileges are important for handling DNS locations which can be
created without DNS servers in IPA topology. We will also need these
privileges present for the future feature 'External DNS support'.

https://fedorahosted.org/freeipa/ticket/2008
---
 install/share/delegation.ldif| 16 
 install/share/dns.ldif   | 16 
 install/updates/37-locations.update  |  0
 install/updates/40-delegation.update | 16 
 4 files changed, 32 insertions(+), 16 deletions(-)
 create mode 100644 install/updates/37-locations.update

diff --git a/install/share/delegation.ldif b/install/share/delegation.ldif
index 067b4d26a8be8f4d1b699c15b027ed7f260ddb5b..064078306560528842fa76176152ac594db077c8 100644
--- a/install/share/delegation.ldif
+++ b/install/share/delegation.ldif
@@ -80,6 +80,22 @@ objectClass: nestedgroup
 cn: Delegation Administrator
 description: Role administration
 
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Administrators
+description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: groupofnames
+objectClass: nestedgroup
+cn: DNS Servers
+description: DNS Servers
+
 dn: cn=Service Administrators,cn=privileges,cn=pbac,$SUFFIX
 changetype: add
 objectClass: top
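Review bot: the two privilege entries added in this delegation.ldif hunk (`cn=DNS Administrators` and `cn=DNS Servers`) carry no `member` values and no comment saying why DNS privileges now exist independently of the DNS component; add a one-line comment above them, like the `# Locations - always create DNS related privileges` comment the 40-delegation.update hunk uses, and state in the commit message where the DNS permissions get bound to these privileges now that the entries no longer sit next to the DNS ACIs in dns.ldif. The move itself looks right: `changetype: add` is correct for the fresh-install LDIF, and the upgrade case is handled by the update file rather than here.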
diff --git a/install/share/dns.ldif b/install/share/dns.ldif
index bd5cc57f90ed66066699af06a74e1426cc8f9a59..6cee478674af191350cf24e0aef74c5e418f392e 100644
--- a/install/share/dns.ldif
+++ b/install/share/dns.ldif
@@ -12,19 +12,3 @@ aci: (targetattr = "*")(version 3.0; acl "Allow read access"; allow (read,search
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
 aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
 aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX";)(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
-
-dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Administrators
-description: DNS Administrators
-
-dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: groupofnames
-objectClass: nestedgroup
-cn: DNS Servers
-description: DNS Servers
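Review bot: this dns.ldif hunk deletes the privilege entries but leaves the three zone ACIs in place, so anything in the DNS install path that previously relied on dns.ldif having created `cn=DNS Servers` or `cn=DNS Administrators` (for example, if the DNS installer adds the server host as a member of `cn=DNS Servers`) now depends on delegation.ldif having been applied earlier; confirm that ordering in the installer before merging, since a membership add against an entry that does not exist yet fails. Minor: the removal also takes the blank separator line after the last `aci:` value, so check that the file still ends with a newline.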
diff --git a/install/updates/37-locations.update b/install/updates/37-locations.update
new file mode 100644
index ..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
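Review bot: `install/updates/37-locations.update` is created as a zero-byte file (e69de29b... is git's hash of the empty blob, and the diffstat lists it with 0 lines), so this patch ships an update file that does nothing. Either drop it from this patch and add it with the patch that first puts something in it, or say in the commit message that it is a placeholder for the following DNS Locations patches so it is not removed by accident during a rebase.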
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index f0431b92d707b17607fe873efbfe2fcccd3efce1..259cbdbdab9eef69e29dba117db36a9e3e0c5f66 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -274,3 +274,19 @@ default:objectClass: groupofnames
 default:objectClass: top
 default:cn: Vault Administrators
 default:description: Vault Administrators
+
+
+# Locations - always create DNS related privileges
+dn: cn=DNS Administrators,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Administrators
+default:description: DNS Administrators
+
+dn: cn=DNS Servers,cn=privileges,cn=pbac,$SUFFIX
+default:objectClass: top
+default:objectClass: groupofnames
+default:objectClass: nestedgroup
+default:cn: DNS Servers
+default:description: DNS Servers
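Review bot: the `default:` prefix in this 40-delegation.update hunk is the right choice, because it only sets attributes that are missing and so leaves the existing entries, including any `member` values, untouched on servers upgraded from a version where dns.ldif created these privileges; it is worth saying so in the commit message, since an `add:` here would have been wrong for exactly that reason. One style point: the hunk opens with two consecutive blank lines (`+`, `+`) while the rest of the file separates entries with a single one.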
-- 
2.5.5

From 4363fd4823efcf173f9cc6b56769771bf7867170 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 12 May 2016 10:53:37 +0200
Subject: [PATCH 2/4] DNS Locations: add new attributes and objectclasses

http://www