Hello all,

In the scope of ticket 2511 I would like to implement the ability to delegate DNS update permissions to a chosen user (or host) without having to give the user full "Update DNS Entries" privileges, i.e. allow him to modify any DNS zone or record.

So far, this is what I would like to do (comments welcome):

1) Create a new objectclass "idnsManagedZone" with the "managedBy" attribute in its MAY list

2) Create new DNS commands:
   a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
   b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
   - these commands would add/remove the chosen user/host DN to/from the managedBy attribute in the chosen DNS zone

3) Add new generic ACIs to cn=dns,$SUFFIX:

   aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl "Users and hosts can add DNS entries";allow (add) userattr = "parent[1].managedby#USERDN";)

   ... add similar ACIs for UPDATE, REMOVE access

With these steps done, all that an administrator would need to do to delegate management of a DNS zone "example.com" is to run this command:

   $ ipa dnszone-add-managedby example.com --users=fbar

The only downside I found so far is that the user would already need to have the "Read DNS Entries" permission assigned, otherwise he would not be able to actually read DNS entries (allow rules can't take precedence over the deny rule we implemented to deny public access to the DNS tree). An admin could of course create a special privilege and role with just the "Read DNS Entries" permission and then assign it to relevant users/groups, but this looks awkward. Any idea to make this simpler? Maybe creating a group "dns readers" by default which would allow such access?

Thanks,
Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
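The following is an added example, not part of the post or of FreeIPA. It models the access rules the proposal describes: the per-zone managedBy attribute, the userattr-based ACIs for add/update/remove, and the caveat that the existing deny rule on the DNS tree still blocks reads unless the principal separately holds "Read DNS Entries". The DNs, zone names, the dns_readers set and the audit helper are constructed assumptions for illustration; a practitioner could point the audit at real zone entries to find delegates who can write records they cannot read.

```python
"""Model of the proposed delegated DNS-zone ACIs (added example, not FreeIPA code).

The zone objects stand in for idnsname=...,cn=dns,$SUFFIX entries carrying the
proposed managedBy attribute. evaluate_access() reproduces the effect of the
proposed ACIs plus the existing deny rule; audit_delegations() lists who can
manage which zone and flags delegates without read access.
"""
from dataclasses import dataclass, field

# Constructed sample suffix and DN shapes (assumptions, not taken from the post).
SUFFIX = "dc=example,dc=com"
DNS_BASE = f"cn=dns,{SUFFIX}"

# Operations the proposed ACIs would grant via parent[1].managedby#USERDN.
WRITE_OPS = ("add", "write", "delete")


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{SUFFIX}"


@dataclass
class Zone:
    name: str
    # DNs stored in the proposed managedBy attribute of the zone entry.
    managed_by: set = field(default_factory=set)

    @property
    def dn(self):
        return f"idnsname={self.name},{DNS_BASE}"


def build_acis():
    """Return the three ACI strings following the template from the post.

    The add ACI is the one quoted in the post; the write and delete ACIs are
    the 'similar ACIs for UPDATE, REMOVE access' spelled out the same way.
    """
    labels = {"add": "add", "write": "update", "delete": "remove"}
    return {
        op: (f'(target = "ldap:///idnsname=*,{DNS_BASE}")'
             f'(version 3.0;acl "Users and hosts can {label} DNS entries";'
             f'allow ({op}) userattr = "parent[1].managedby#USERDN";)')
        for op, label in labels.items()
    }


def evaluate_access(bind_dn, zone, op, dns_readers):
    """Decide whether bind_dn may perform op on a record directly under zone.

    add/write/delete: granted when bind_dn is listed in the parent zone's
    managedBy (the userattr rule). read: NOT granted by managedBy, because the
    existing deny rule on the DNS tree wins over any allow; only principals
    holding "Read DNS Entries" (modelled by the dns_readers set) can read.
    """
    if op == "read":
        return bind_dn in dns_readers
    if op in WRITE_OPS:
        return bind_dn in zone.managed_by
    raise ValueError(f"unknown operation: {op}")


def audit_delegations(zones, dns_readers):
    """Return (delegations, warnings).

    delegations: delegate DN -> sorted list of zone names it may manage.
    warnings: delegate DNs that hold managedBy somewhere but cannot read the
    DNS tree, i.e. the awkward case from the post (write without read).
    """
    delegations = {}
    for zone in zones:
        for dn in zone.managed_by:
            delegations.setdefault(dn, []).append(zone.name)
    for names in delegations.values():
        names.sort()
    warnings = sorted(dn for dn in delegations if dn not in dns_readers)
    return delegations, warnings


def sample_data():
    """Constructed sample zones and readers used for the demonstration below."""
    fbar, ns1 = user_dn("fbar"), host_dn("ns1.example.com")
    zones = [
        Zone("example.com", {fbar, ns1}),
        Zone("internal.example.com", {fbar}),
    ]
    dns_readers = {fbar}  # only fbar was given "Read DNS Entries"
    return zones, dns_readers


if __name__ == "__main__":
    zones, readers = sample_data()
    for dn, names in audit_delegations(zones, readers)[0].items():
        print(f"{dn} manages {', '.join(names)}")
    for dn in audit_delegations(zones, readers)[1]:
        print(f"WARNING: {dn} can modify zones but cannot read the DNS tree")
```

Running the audit against the constructed data reports that the host ns1.example.com may add, update and remove records in example.com but has no read access, which is exactly the situation the post describes as needing a separate "Read DNS Entries" assignment.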