OpenLdap attrs=children
Could somebody explain in plain language how attrs=children works in OpenLDAP ACLs? However much I try to understand how it works, I just can't wrap my head around it.
Hi all! If anyone can, please help.
System: ubuntu-server 9.10 (installed on a virtual machine)
In the logs I see this entry (named[1376]: /etc/bind/db.network.jnl: create: permission denied):
DHCPDISCOVER from 00:16:36:94:e8:e9 via eth0
Mar 6 20:23:59 creepers dhcpd: DHCPOFFER on 192.168.0.200 to 00:16:36:94:e8:e9 (jeepcreep) via eth0
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: signer "rndc-key" approved
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': adding an RR at 'jeepcreep.network.athome' A
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': adding an RR at 'jeepcreep.network.athome' TXT
Mar 6 20:23:59 creepers named[1376]: journal file /etc/bind/db.network.jnl does not exist, creating it
Mar 6 20:23:59 creepers named[1376]: /etc/bind/db.network.jnl: create: permission denied
Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': error: journal open failed: unexpected error
Mar 6 20:23:59 creepers dhcpd: Unable to add forward map from jeepcreep.network.athome to 192.168.0.200: timed out
Mar 6 20:23:59 creepers dhcpd: dhcp.c(3997): non-null pointer
Mar 6 20:23:59 creepers dhcpd: DHCPREQUEST for 192.168.0.200 (192.168.0.102) from 00:16:36:94:e8:e9 (jeepcreep) via eth0
Mar 6 20:23:59 creepers dhcpd: DHCPACK on 192.168.0.200 to 00:16:36:94:e8:e9 (jeepcreep) via eth0
I understand that access to the /etc/bind directory is denied, but when I grant full access to all users (as an experiment) it doesn't get any better.
Below I list all the configs:
[named.conf] ------------------------------------------------------
include "/etc/bind/rndc.key";
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
[named.conf.options]-----------------------------------------------
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { none; };
};
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
[named.conf.local] -----------------------------------------------
zone "network.athome" {
type master;
file "/etc/bind/db.network";
allow-update { key rndc-key; };
notify yes;
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.0";
allow-update { key rndc-key; };
notify yes;
};
[named.conf.default-zones] -----------------------------------------
zone "." {
type hint;
file "/etc/bind/db.root";
};
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
Zone files
[db.network]
$TTL 604800
@ IN SOA network.athome. root.network.athome. (
    20100306 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS network.athome.
@ IN A 192.168.0.102
creepers IN A 192.168.0.102
[db.192.168.0]
$TTL 604800
@ IN SOA network.athome. root.network.athome. (
    20100306 ; Serial
    604800 ; Refresh
    86400 ; Retry
    2419200 ; Expire
    604800 ) ; Negative Cache TTL
;
@ IN NS network.athome.
102 IN PTR network.athome.
102 IN PTR creepers.network.athome.
DHCP server config file
[dhcpd.conf]
authoritative;
include "/etc/bind/rndc.key";
server-identifier creepers;
ddns-domainname "network.athome";
ddns-rev-domainname "in-addr.arpa";
ddns-update-style interim;
ddns-updates on;
#ignore client-updates;
allow client-updates;
default-lease-time 21600;
max-lease-time 43200;
option ip-forwarding off;
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.200 192.168.0.205;
    option routers 192.168.0.1; # default gateway
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.0.255;
    option domain-name-servers 192.168.0.102, 192.168.0.1;
    option domain-name "network.athome";
}
zone network.athome { primary 127.0.0.1; key rndc-key; }
zone 0.168.192.in-addr.arpa { primary 127.0.0.1; key rndc-key; }
AppArmor file
[usr.sbin.named]
/usr/sbin/named {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    capability net_bind_service,
    capability setgid,
    capability setuid,
    capability sys_chroot,
    capability sys_resource,

    # /etc/bind should be read-only for bind
    # /var/lib/bind is for dynamically updated zone (and journal) files.
    # /var/cache/bind is for slave/stub data, since we're not the origin of it.
    # See /usr/share/doc/bind9/README.Debian.gz
    /etc/bind/** rw,
    /var/lib/bind/** rw,
    /var/lib/bind/ rw,
    /var/cache/bind/** rw,
    /var/cache/bind/ rw,

    # gssapi
    /etc/krb5.keytab kr,
    /etc/bind/krb5.keytab kr,

    # ssl
    /etc/ssl/openssl.cnf r,

    # dnscvsutil package
    /var/lib/dnscvsutil/compiled/** rw,

    /proc/net/if_inet6 r,
    /proc/*/net/if_inet6 r,
    /usr/sbin/named mr,
    /var/run/named/named.pid w,

    # support for resolvconf
    /var/run/named/named.options r,

    # some people like to put logs in /var/log/named/ instead of having
    # syslog do the heavy lifting.
    /var/log/named/** rw,
    /var/log/named/ rw,
}
Please tell me how to allow access to create and modify the zone journal.
Thanks in advance!
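Added example, not from this thread: the AppArmor profile quoted above says /etc/bind is meant to be read-only for bind and /var/lib/bind is for dynamically updated zones and their journals, so a quick check is to flag every allow-update zone whose file still lives outside /var/lib/bind and to pull the journal-creation denials out of the named log. The config and log lines below are constructed copies of the ones in the post.

```python
import re

# Constructed sample: the zones from the post's named.conf.local, plus a static one.
NAMED_CONF_LOCAL = '''
zone "network.athome" {
type master;
file "/etc/bind/db.network";
allow-update { key rndc-key; };
notify yes;
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168.0";
allow-update { key rndc-key; };
notify yes;
};
zone "localhost" { type master; file "/etc/bind/db.local"; };
'''

# Constructed copies of the named log lines from the post.
NAMED_LOG = [
    "Mar 6 20:23:59 creepers named[1376]: journal file /etc/bind/db.network.jnl does not exist, creating it",
    "Mar 6 20:23:59 creepers named[1376]: /etc/bind/db.network.jnl: create: permission denied",
    "Mar 6 20:23:59 creepers named[1376]: client 127.0.0.1#44134: updating zone 'network.athome/IN': error: journal open failed: unexpected error",
]

# Directory the Debian AppArmor profile comment reserves for dynamic zones and their journals.
DYNAMIC_DIR = "/var/lib/bind/"

def parse_zones(conf):
    """Return (name, body) per zone block, tracking brace depth so nested { } stay inside."""
    zones = []
    for m in re.finditer(r'zone\s+"([^"]+)"\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        zones.append((m.group(1), conf[m.end():i - 1]))
    return zones

def find_misplaced_dynamic_zones(conf):
    """Zones that accept dynamic updates but keep their file (and so their .jnl) outside DYNAMIC_DIR."""
    hits = []
    for name, body in parse_zones(conf):
        path = re.search(r'file\s+"([^"]+)"', body)
        if "allow-update" in body and path and not path.group(1).startswith(DYNAMIC_DIR):
            hits.append((name, path.group(1)))
    return hits

def find_journal_denials(log_lines):
    """Journal paths that named could not create, pulled from syslog-style lines."""
    return re.findall(r"named\[\d+\]: (\S+\.jnl): create: permission denied", "\n".join(log_lines))
```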