#1211 Allow specifying query and transfer policy settings for a zone
Closed: Fixed None Opened 12 years ago by dpal.

Currently we don't provide any way to specify a query or transfer acl. For now,
we should at least allow query by default. We might later add a new idns
attribute that would be used to specify the policy.

https://bugzilla.redhat.com/show_bug.cgi?id=701677


IPA implementation is ready, but there is a problem in the bind-dyndb-ldap plugin, which cannot read the values of the new idnsAllowQuery attribute. So far it looks like a bug in the openldap library. atkac is investigating.

So far atkac reported that this may be caused by an openldap bug. Pushing ticket to July milestone as it won't be resolved in June.

Moving to the next milestone - problem in openldap has not been resolved yet.

There was no response regarding the bug reported to atkac so I created a BZ ticket to improve our tracking of the bug:

https://bugzilla.redhat.com/show_bug.cgi?id=733371

Moving to the proper milestone where the blocking ticket is planned.

How to test:

  1. Create a new zone

    ipa dnszone-add example.com --name-server=hostname

Test query ACL

  1. Set query policy. No machine from network 10.0.0.0/8 is allowed to query for a zone, except a machine with IP address 10.0.0.1. Other machines are allowed to query for the zone.

    # ipa dnszone-mod example.com --allow-query='10.0.0.1;!10.0.0.0/8;any;'
    # service named restart

  2. Check that the zone is queryable from a computer with address != 10.0.0.1

    dig -t soa example.com

  3. Check that the zone is NOT queryable from a computer with address = 10.0.0.1

    dig -t soa example.com

  4. Test other ACL combinations

Test zone transfer ACL

  Tested in the same way as the query ACL, just use the --allow-transfer option for setting the transfer ACL and the

    dig example.com axfr

  command to test if zone transfer works/is allowed.

A relevant fix in bind-dyndb-ldap upstream (ACLs cannot be an LDAP multivalued attribute as it depends on precise value order which may change in LDAP):

https://fedorahosted.org/bind-dyndb-ldap/ticket/50
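The order dependence referred to above can be checked with a small evaluator for BIND-style ACL strings. This is an added example, not code from the ticket, FreeIPA or bind-dyndb-ldap; it applies BIND's first-match rule (the first matching element decides, a `!` element denies, no match denies) to the ACL from the test plan and to the same elements in a different order. Function names and the constructed ACL strings are my own.

```python
import ipaddress


def parse_acl(acl):
    """Split a BIND-style ACL such as '10.0.0.1;!10.0.0.0/8;any;' into an
    ordered list of (negated, matcher) entries. Matchers are 'any', 'none'
    or an ip_network object; order is preserved because it is significant."""
    entries = []
    for raw in acl.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item in ("any", "none"):
            entries.append((negated, item))
        else:
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def acl_allows(acl, client_ip):
    """Return True if client_ip passes the ACL under first-match semantics:
    the first element that matches decides; a negated element denies;
    if nothing matches, the client is denied."""
    addr = ipaddress.ip_address(client_ip)
    for negated, matcher in parse_acl(acl):
        if matcher == "any":
            hit = True
        elif matcher == "none":
            hit = False
        else:
            hit = addr in matcher
        if hit:
            return not negated
    return False


# The ACL from the test plan, and the same elements with the first two swapped
# (constructed here to show what an unordered LDAP multivalued attribute risks).
ORIGINAL = "10.0.0.1;!10.0.0.0/8;any;"
REORDERED = "!10.0.0.0/8;10.0.0.1;any;"


def order_matters(client_ip="10.0.0.1"):
    """True when the two orderings give different answers for client_ip."""
    return acl_allows(ORIGINAL, client_ip) != acl_allows(REORDERED, client_ip)
```

For 10.0.0.1 the original order allows the query and the reordered ACL denies it, which is exactly why the ACL has to be stored as a single ordered string rather than as separate LDAP values.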

Moving to next month iteration.

(In #2394) #1211 (on review) contains a plugin for dnszone modifications, we can reuse that one.

Metadata Update from @dpal:
- Issue assigned to mkosek
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
