8:40 a.m.
{ Please keep me in Cc, thanks. ]
Hi,
I am using bind9-dyndb-ldap (without FreeIPA).
I want to enable GSS-TSIG updates for a zone. This means I would normally
have to add an update-policy block for this zone - but how do I do this for
a zone coming from dyndb-ldap?
Cheers,
Nik
11:06 a.m.
New subject: [bind9-dyndb-ldap] How to configure update-policy?
On to, 16 elo 2018, Dominik George via FreeIPA-users wrote:
{ Please keep me in Cc, thanks. ]
Hi,
I am using bind9-dyndb-ldap (without FreeIPA).
I want to enable GSS-TSIG updates for a zone. This means I would normally
have to add an update-policy block for this zone - but how do I do this for
a zone coming from dyndb-ldap?
idnsUpdatePolicy is the attribute in LDAP to store
update-policy.
When you authenticate using GSS-TSIG to your FreeIPA bind server,
bind-dyndb-ldap will use update-policy definition to decide whether
update is allowed, like a normal bind.
The rest is purely at your LDAP server mercy.
In FreeIPA we set up 389-ds access controlls with these rules
(40-dns.update)
dn: cn=dns, $SUFFIX
addifexist: objectClass: idnsConfigObject
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
"Add DNS entries in a zone";allow (add) userattr =
"parent[1].managedby#GROUPDN";)
addifexist: aci:(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
"Remove DNS entries from a zone";allow (delete) userattr =
"parent[1].managedby#GROUPDN";)
addifexist: aci:(targetattr = "a6record || aaaarecord || afsdbrecord || aplrecord ||
arecord || certrecord || cn || cnamerecord || dhcidrecord || dlvrecord || dnamerecord ||
dnsclass || dnsttl || dsrecord || hinforecord || hiprecord || idnsallowdynupdate ||
idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders ||
idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum
|| idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord
|| mdrecord || minforecord || mxrecord || naptrrecord || nsecrecord || nsec3paramrecord ||
nsrecord || nxtrecord || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord ||
srvrecord || sshfprecord || tlsarecord || txtrecord || urirecord || unknownrecord
")(target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
"Update DNS entries in a zone";allow (write) userattr =
"parent[0,1].managedby#GROUPDN";)
this means that any LDAP bind who is member of a group pointed to by
managedby attribute in the idnsname=*, cn=dns,$SUFFIX LDAP entry or in
its parent entry can write to the attributes specified in the targetattr
filter in the access control above.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
4:14 p.m.
New subject: [bind9-dyndb-ldap] How to configure update-policy?
Hi,
idnsUpdatePolicy is the attribute in LDAP to store update-policy.
Ah, thanks! Seems to be missing in the documentation.
I see that the setting has an effect because I can useti to grant all
updates on the zone - however, I cannot get it to do the following:
I have a host authenticating as host/foo.example.com(a)EXAMPLE.COM. I want
this host to be able to update *.foo.example.com. Now there exist quite a
few different versions about the grant statement, and I tried the following;
grant EXAMPLE.COM krb5-subdomain . ANY
grant EXAMPLE.COM krb5-subdomain * ANY
grant EXAMPLE.COM krb5-subdomain *.example.com. ANY
However, I cannot seem to get it to grant a subdomain update.
I can get this t owork, though:
grant EXAMPLE.COM krb5-self * ANY
I am a bit confused, because I found some sources saying krb5-self and
krb5-subdomain both append the realm to the host name, which would result in
foo.example.com.example.com in the above example. However, this would mean
the krb5-self example above would also not have worked for me…
Any hints on how I really get BIND to accept updates on all subdomains of
the FQDN that authenticated?
-nik
9:56 a.m.
New subject: [bind9-dyndb-ldap] How to configure update-policy?
On to, 16 elo 2018, Dominik George via FreeIPA-users wrote:
Hi,
> idnsUpdatePolicy is the attribute in LDAP to store update-policy.
Ah, thanks! Seems to be missing in the documentation.
I see that the setting has an effect because I can useti to grant all
updates on the zone - however, I cannot get it to do the following:
I have a host authenticating as host/foo.example.com(a)EXAMPLE.COM. I want
this host to be able to update *.foo.example.com. Now there exist quite a
few different versions about the grant statement, and I tried the following;
grant EXAMPLE.COM krb5-subdomain . ANY
grant EXAMPLE.COM krb5-subdomain * ANY
grant EXAMPLE.COM krb5-subdomain *.example.com. ANY
However, I cannot seem to get it to grant a subdomain update.
I can get this t owork, though:
grant EXAMPLE.COM krb5-self * ANY
I am a bit confused, because I found some sources saying krb5-self and
krb5-subdomain both append the realm to the host name, which would result in
foo.example.com.example.com in the above example. However, this would mean
the krb5-self example above would also not have worked for me…
Any hints on how I really get BIND to accept updates on all subdomains of
the FQDN that authenticated?
Looking at bind's code, krb5-self and
krb5-subdomain only differ with:
case DNS_SSUMATCHTYPE_SELFKRB5:
if (!dst_gssapi_identitymatchesrealmkrb5(signer, name,
rule->identity))
continue;
break;
case DNS_SSUMATCHTYPE_SUBDOMAINKRB5:
if (!dns_name_issubdomain(name, rule->name))
continue;
if (!dst_gssapi_identitymatchesrealmkrb5(signer, NULL,
rule->identity))
continue;
break;
e.g. as name of the resource is checked to be a subdomain of the name in
the rule and then the requestor's kerberos identity is checked to
against the rule's realm.
Do you see any error in the named's log?
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
2059
days inactive
2073
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Alexander Bokovoy -
Dominik George