On Thu, 16 Aug 2018, Dominik George via FreeIPA-users wrote:
[ Please keep me in Cc, thanks. ]
Hi,
I am using bind9-dyndb-ldap (without FreeIPA).
I want to enable GSS-TSIG updates for a zone. This means I would normally
have to add an update-policy block for this zone - but how do I do this for
a zone coming from dyndb-ldap?
idnsUpdatePolicy is the attribute in LDAP that stores the
update-policy.
When you authenticate using GSS-TSIG to your FreeIPA bind server,
bind-dyndb-ldap will use the update-policy definition to decide whether
the update is allowed, like normal bind does.
The rest is purely at your LDAP server's mercy.
In FreeIPA we set up 389-ds access controls with these rules
(40-dns.update):
dn: cn=dns, $SUFFIX
addifexist: objectClass: idnsConfigObject
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Add DNS entries in a zone";allow (add) userattr = "parent[1].managedby#GROUPDN";)
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Remove DNS entries from a zone";allow (delete) userattr = "parent[1].managedby#GROUPDN";)
addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord || nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord ")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Update DNS entries in a zone";allow (write) userattr = "parent[0,1].managedby#GROUPDN";)
This means that any LDAP bind that is a member of a group pointed to by
the managedby attribute in the idnsname=*,cn=dns,$SUFFIX LDAP entry or in
its parent entry can write to the attributes specified in the targetattr
filter in the access control above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
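The decision the three ACIs above make, as an added worked model that is not part of the original message, of FreeIPA, or of 389-ds: it encodes the target pattern, the targetattr filter and the userattr = "parent[0,1].managedby#GROUPDN" inheritance rule over a small constructed directory, so you can see which bind DN may add, delete or modify which zone and record entries. $SUFFIX, the group and user DNs, the managedby values and the idnsUpdatePolicy string are constructed for the example; real 389-ds evaluation has more rules (deny ACIs, other allow ACIs in the tree) than this toy covers.

```python
# Toy model of the FreeIPA 40-dns.update ACIs quoted in the reply.
# Not 389-ds code: it only answers "would one of those three allow ACIs match?"

SUFFIX = "dc=example,dc=test"          # constructed stand-in for $SUFFIX
DNS_CONTAINER = f"cn=dns,{SUFFIX}"

# Subset of the targetattr list of the "Update DNS entries in a zone" ACI,
# lower-cased because LDAP attribute names compare case-insensitively.
UPDATE_TARGETATTRS = {
    "arecord", "aaaarecord", "ptrrecord", "sshfprecord", "txtrecord",
    "dnsttl", "idnsupdatepolicy", "idnsallowdynupdate", "idnszoneactive",
}

# Constructed directory: DN -> {attribute: [values]}, attribute names lower-case.
ZONE_ADMINS = f"cn=zone-admins,cn=groups,cn=accounts,{SUFFIX}"
WEB_OWNERS = f"cn=web-owners,cn=groups,cn=accounts,{SUFFIX}"
ALICE = f"uid=alice,cn=users,cn=accounts,{SUFFIX}"
BOB = f"uid=bob,cn=users,cn=accounts,{SUFFIX}"
ZONE = f"idnsname=example.test.,{DNS_CONTAINER}"
WEB = f"idnsname=web,{ZONE}"

DIRECTORY = {
    ZONE_ADMINS: {"member": [ALICE]},
    WEB_OWNERS: {"member": [BOB]},
    ZONE: {
        "objectclass": ["idnszone"],
        "managedby": [ZONE_ADMINS],
        # bind-dyndb-ldap reads the zone's update-policy from this attribute;
        # the grant string below is an example value, not a recommendation.
        "idnsupdatepolicy": ["grant EXAMPLE.TEST krb5-self * A; "
                             "grant EXAMPLE.TEST krb5-self * AAAA;"],
    },
    # managedby on a record entry is constructed here only to show parent[0].
    WEB: {"objectclass": ["idnsrecord"], "managedby": [WEB_OWNERS],
          "arecord": ["192.0.2.10"]},
}


def parent_dn(dn):
    """Parent of dn (naive RDN split; assumes no escaped commas)."""
    return dn.split(",", 1)[1] if "," in dn else ""


def matches_target(dn):
    """target = "ldap:///idnsname=*,cn=dns,$SUFFIX": an idnsname= entry
    anywhere below the cn=dns container (zones and the records inside them)."""
    low = dn.lower()
    return low.startswith("idnsname=") and low.endswith("," + DNS_CONTAINER.lower())


def is_member(bind_dn, group_dn):
    return bind_dn in DIRECTORY.get(group_dn, {}).get("member", [])


def managed_by_member(bind_dn, entry_dn):
    """userattr = "...managedby#GROUPDN": the bind DN must be a member of a
    group whose DN is stored in the entry's managedby attribute."""
    groups = DIRECTORY.get(entry_dn, {}).get("managedby", [])
    return any(is_member(bind_dn, g) for g in groups)


def allowed(bind_dn, target_dn, op, attrs=()):
    """True if one of the three quoted ACIs permits op on target_dn.
    op is 'add', 'delete' or 'write'; attrs are the attributes a 'write'
    would modify.  Anything not granted by an allow ACI is denied."""
    if not matches_target(target_dn):
        return False
    if op in ("add", "delete"):
        # parent[1].managedby: only the group on the parent entry counts,
        # so record add/delete is decided by the zone's managedby.
        return managed_by_member(bind_dn, parent_dn(target_dn))
    if op == "write":
        # targetattr filter: every modified attribute must be in the list.
        if not attrs or not all(a.lower() in UPDATE_TARGETATTRS for a in attrs):
            return False
        # parent[0,1].managedby: the entry itself or its parent may grant.
        return (managed_by_member(bind_dn, target_dn)
                or managed_by_member(bind_dn, parent_dn(target_dn)))
    return False


if __name__ == "__main__":
    for who, dn, op, attrs in [
        (ALICE, WEB, "write", ["arecord"]),          # via zone (parent[1])
        (BOB, WEB, "write", ["arecord"]),            # via record (parent[0])
        (BOB, ZONE, "write", ["idnsupdatepolicy"]),  # bob manages no zone
        (ALICE, ZONE, "write", ["idnsupdatepolicy"]),
        (BOB, WEB, "delete", []),                    # delete needs parent[1]
        (ALICE, WEB, "write", ["objectclass"]),      # not in targetattr
    ]:
        print(f"{who.split(',')[0]:10} {op:6} {dn.split(',')[0]:28} "
              f"{attrs or ''} -> {allowed(who, dn, op, attrs)}")
```

The point the reply makes is visible in the last two cases: even though BIND accepted the GSS-TSIG update under idnsUpdatePolicy, whether the change lands in LDAP is decided solely by these ACIs, so a zone's managedby group and the targetattr list are the places to audit when an update is unexpectedly accepted or rejected.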