On Fri, 2012-06-15 at 15:22 +0200, Martin Kosek wrote:
> Hello all,
>
> In the scope of ticket 2511 I would like to implement an ability to
> delegate DNS update permissions to a chosen user (or host) without
> having to give the user full "Update DNS Entries" privileges, i.e. allow
> him to modify any DNS zone or record.
>
> So far, this is what I would like to do (comments welcome):
>
> 1) Create new objectclass "idnsManagedZone" with "managedBy" attribute
> in MAY list
> 2) Create new DNS commands:
> a] dnszone-add-managedby [--users=USERS] [--hosts=HOSTS]
> b] dnszone-remove-managedby [--users=USERS] [--hosts=HOSTS]
> - these commands would add/remove the chosen user/host DN to the managedBy
> attribute in the chosen DNS zone
> 3) Add new generic ACIs to cn=dns,$SUFFIX:
> aci: (target = "ldap:///idnsname=*,cn=dns,$SUFFIX")(version 3.0;acl
> "Users and hosts can add DNS entries";allow (add) userattr =
> "parent[1].managedby#USERDN";)
> ... add similar ACIs for UPDATE, REMOVE access
>
> With these steps done, all that an administrator would need to do to
> delegate management of a DNS zone "example.com" is to run this
> command:
> $ ipa dnszone-add-managedby example.com --users=fbar
>
> The only downside I found so far is that the user would already need to
> have the "Read DNS Entries" permission assigned, otherwise he would not be
> able to actually read DNS entries (allow rules can't take precedence
> over the deny rule we implemented to deny public access to the DNS tree).
>
> An admin could of course create a special privilege and role with just
> the "Read DNS Entries" permission and then assign it to relevant
> users/groups, but this looks awkward. Any idea to make this simpler?
> Maybe creating a group "dns readers" by default which would allow such
> access?
Change the deny rule to deny to everyone except the user in
"parent[1].managedby#USERDN" ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
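To see the precedence problem Martin describes next to Simo's proposed change, here is an added example (not code from the thread or from FreeIPA): a toy Python model of 389-ds ACI evaluation, where a matching deny beats any allow and `userattr = "parent[1].managedby#USERDN"` is checked against the target entry's parent. It assumes a read ACI of the same managedBy form exists alongside the add/update/remove ones; the DNs, entries and the "Read DNS Entries" membership set are constructed.

```python
# Toy model of 389-ds ACI evaluation for the managedBy delegation idea.
# Added example, not code from the thread or from FreeIPA. DNs, entries
# and the "Read DNS Entries" membership set are constructed.
# Semantics modelled: an ACI matches when the entry DN lies under its
# target and the right is listed; a matching deny whose bind rule holds
# beats every allow; with no matching allow there is no access.

SUFFIX = "dc=example,dc=com"
DNS = "cn=dns," + SUFFIX
FBAR = "uid=fbar,cn=users,cn=accounts," + SUFFIX
ALICE = "uid=alice,cn=users,cn=accounts," + SUFFIX
ZONE = "idnsname=example.com," + DNS
RECORD = "idnsname=www," + ZONE

ENTRIES = {ZONE: {"managedby": [FBAR]}, RECORD: {"arecord": ["192.0.2.10"]}}
DNS_READERS = {ALICE}  # stand-in for holders of "Read DNS Entries"

def parent(dn):
    """Parent entry DN (drop the first RDN): what parent[1] refers to."""
    return dn.split(",", 1)[1]

def managed_by_parent(bind_dn, target_dn):
    """Bind rule userattr = "parent[1].managedby#USERDN"."""
    return bind_dn in ENTRIES.get(parent(target_dn), {}).get("managedby", [])

def is_reader(bind_dn, target_dn):
    return bind_dn in DNS_READERS

# Each ACI: (allow|deny, rights, target base DN, bind rule).
ALLOW_RULES = [
    ("allow", {"add", "write", "delete", "read"}, DNS, managed_by_parent),
    ("allow", {"read"}, DNS, is_reader),
]
# Current deny rule: deny reads to everyone outside the read permission.
PROPOSED = ALLOW_RULES + [("deny", {"read"}, DNS, lambda b, t: not is_reader(b, t))]
# Simo's variant: also exempt users listed in the parent zone's managedBy.
SIMO = ALLOW_RULES + [("deny", {"read"}, DNS,
                      lambda b, t: not (is_reader(b, t) or managed_by_parent(b, t)))]

def permitted(acis, bind_dn, target_dn, right):
    """Deny takes precedence over allow; nothing matching means no access."""
    hits = [a for a in acis if target_dn.endswith(a[2]) and right in a[1]]
    if any(a[0] == "deny" and a[3](bind_dn, target_dn) for a in hits):
        return False
    return any(a[0] == "allow" and a[3](bind_dn, target_dn) for a in hits)

if __name__ == "__main__":
    for name, acis in (("proposed", PROPOSED), ("simo", SIMO)):
        for right in ("add", "read"):
            print(name, right, permitted(acis, FBAR, RECORD, right))
```

Note that parent[1] is evaluated relative to the target entry, so a rule of this form covers the records under a zone but not the zone entry itself (its parent is cn=dns), which matters if the delegated user should also edit zone attributes.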