The Domain Name System (DNS) is an essential part of systems management. If you need to manage multiple physical hosts, you benefit greatly from some degree of control over a subset of DNS. With virtual machines, the sheer number of hosts created demands a responsive DNS. Kerberos, X509 and other security mechanisms require a proper DNS configuration. Yet, for many organizations, DNS is locked down by IT to a very static set of records. Earlier articles discussed User Groups, Host Groups, and Netgroups. The final installment in this series discusses how to delegate DNS Zone management in FreeIPA.
First, create a Zone for the project, and one DNS record:
[root@f16server ~]# ipa dnszone-add beowulf.younglogic.com
Authoritative nameserver: f16server.ayoung.boston.devel.redhat.com
Administrator e-mail address [hostmaster.beowulf.younglogic.com.]:
  Zone name: beowulf.younglogic.com
  Authoritative nameserver: f16server.ayoung.boston.devel.redhat.com.
  Administrator e-mail address: hostmaster.beowulf.younglogic.com.
  SOA serial: 2012110201
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  Active zone: TRUE
  Dynamic update: FALSE
[root@f16server ~]# ipa dnsrecord-add
Zone name: beowulf.younglogic.com
Record name: www1
[A record]: 10.10.2.1
[AAAA record]: feed:0123::babe
  Record name: www1
  A record: 10.10.2.1
  AAAA record: feed:0123::babe
Here are the LDAP details of what we just created:
[root@f16server ~]# ipa dnszone-show beowulf.younglogic.com --all --raw
  dn: idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  idnsname: beowulf.younglogic.com
  idnssoamname: f16server.ayoung.boston.devel.redhat.com.
  idnssoarname: hostmaster.beowulf.younglogic.com.
  idnssoaserial: 2012110201
  idnssoarefresh: 3600
  idnssoaretry: 900
  idnssoaexpire: 1209600
  idnssoaminimum: 3600
  idnszoneactive: TRUE
  idnsallowdynupdate: FALSE
  nsrecord: f16server.ayoung.boston.devel.redhat.com.
  objectclass: top
  objectclass: idnsrecord
  objectclass: idnszone
Notice that the A and AAAA records are not visible in the DNS Zone object. Since we are not just modifying attribute values on a single object, we can't perform the same type of delegation as we did with User Groups, Host Groups or Netgroups. Let's take a look at the LDAP details of the record.
[root@f16server ~]# ipa dnsrecord-show beowulf.younglogic.com www1 --all --raw
  dn: idnsname=www1,idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
  idnsname: www1
  arecord: 10.10.2.1
  aaaarecord: feed:0123::babe
  objectclass: top
  objectclass: idnsrecord
A and AAAA records that have the same idnsname go into the same LDAP object. PTR and CNAME records would all be put into additional attributes of this object if they, too, had the same idnsname. This LDAP object is a subordinate object to the Zone, beowulf.younglogic.com.
Thus, we can use the Subtree permission type to manage access to this resource. The subtree is the distinguished name (DN) of the DNS Zone.
[root@f16server ~]# ipa permission-add 'beowulf-dns-modify' --permissions=add,delete
[Attributes]:
[Type]:
[Member of group]:
[Filter]:
[Subtree]: idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
[Target group]:
-------------------------------------
Added permission "beowulf-dns-modify"
-------------------------------------
  Permission name: beowulf-dns-modify
  Permissions: add, delete
  Subtree: ldap:///idnsname=beowulf.younglogic.com,cn=dns,dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com
We could use the object name and cn as we did before, but a subtree better documents our intent.
Again, we need to add the permission to the privilege.
[root@f16server ~]# ipa privilege-add-permission beowulf-manage --permission=beowulf-dns-modify
  Privilege name: beowulf-manage
  Description: Manage the Assets of the Beowulf project
  Permissions: beowulf-manage, beowulf-manage-group, beowulf-hostgroup-modify, beowulf-netgroup-modify, beowulf-dns-modify
  Granting privilege to roles: beowulf-managers
-----------------------------
Number of permissions added 1
-----------------------------
Test it out with the admiyo account (which already has the Role beowulf-managers). This time, we'll add both an A and an AAAA record, which are managed by the same object in BIND's LDAP backend.
[root@f16server ~]# kinit admiyo
Password for admiyo@F16SERVER.AYOUNG.BOSTON.DEVEL.REDHAT.COM:
[root@f16server ~]# ipa dnsrecord-add
Zone name: beowulf.younglogic.com
Record name: mail1
[A record]: 10.10.2.3
[AAAA record]: feed:babe:beef::cafe
  Record name: mail1
  A record: 10.10.2.3
  AAAA record: feed:babe:beef::cafe
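As an added example that is not part of the original post (nor FreeIPA's own code), the following Python models why a permission whose Subtree is the zone DN reaches that zone's record entries and no other zone's, and generalises the permission-add and privilege-add-permission steps above to any zone. BASE_DN and the zone and privilege names come from the article; the helper names and the permission-naming scheme are assumptions.

```python
# Added example (not FreeIPA's code): a model of subtree-scoped DNS delegation.
# FreeIPA stores a zone as idnsname=<zone>,cn=dns,<base DN> and every record set
# as a child idnsname=<name>,... entry, so a permission whose Subtree is the zone
# DN reaches that zone's records and nothing else. Helper names are assumed.
from typing import List, Tuple

BASE_DN = "dc=f16server,dc=ayoung,dc=boston,dc=devel,dc=redhat,dc=com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, most specific first.
    Attribute types and DNS names are case-insensitive, so both are lowered.
    Escaped commas inside values are not needed for DNS names and not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def zone_dn(zone: str, base_dn: str = BASE_DN) -> str:
    """DN of the zone entry; this is the Subtree given to ipa permission-add."""
    return f"idnsname={zone},cn=dns,{base_dn}"


def record_dn(name: str, zone: str, base_dn: str = BASE_DN) -> str:
    """DN of the record-set entry holding all A/AAAA/... records for one name."""
    return f"idnsname={name},{zone_dn(zone, base_dn)}"


def in_subtree(entry_dn: str, subtree_dn: str) -> bool:
    """True if entry_dn is subtree_dn itself or lies below it.
    Compared RDN by RDN after normalisation (case, spacing), the way a directory
    server does, rather than by raw string suffix."""
    entry, subtree = parse_dn(entry_dn), parse_dn(subtree_dn)
    if len(entry) < len(subtree):
        return False
    return entry[len(entry) - len(subtree):] == subtree


def delegation_commands(zone: str, privilege: str, base_dn: str = BASE_DN) -> List[str]:
    """The two ipa commands from the article, non-interactively, for any zone."""
    perm = f"{zone.split('.')[0]}-dns-modify"  # assumed naming scheme
    return [
        f"ipa permission-add '{perm}' --permissions=add,delete "
        f"--subtree='{zone_dn(zone, base_dn)}'",
        f"ipa privilege-add-permission {privilege} --permission={perm}",
    ]
```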
These four articles have attempted to show how the access controls of FreeIPA allow a system administrator to delegate specific actions to power users in their organization, from the simplest and most targeted mechanism, Target Groups, through simple and then more complex filter queries, and finally subtree queries. While FreeIPA can abstract you away from having to understand LDAP, it does not prevent you from doing so. Instead, LDAP know-how built on top of the structure provided by FreeIPA can help you craft a secure and flexible delegation policy.
Hi, if the DNS server is integrated with the IPA server, is it possible to do a zone transfer with another DNS server on a different machine? And how can I add another clause to the zone configuration? For example, if I want to add an “allow-update { …; };” clause. Because when I look at named.conf or named.rfc1912.zones, there are no zones there that I created before using the IPA server.
Because I want to create the IPA server integrated with a DNS server and a DHCP server with dynamic updates. Please give me a clue? Thanks. :)
Sorry for my English.
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/zone-transfers.html
Note that since FreeIPA 3.0 an admin can use the dnszone-add-permission command to grant read/write/delete permission for a specific zone. See http://fedoraproject.org/wiki/QA:Testcase_freeipav3_dns_delegation for testing instructions.