[Freeipa-users] Minimal permissions for "joiner" account?

Martin Kosek mkosek at redhat.com
Tue Aug 19 08:14:03 UTC 2014


On 08/18/2014 09:35 PM, Michael Lasevich wrote:
> I wanted to use the python ipalib directly, but like you mentioned, I found
> very little documentation and what I found indicated I was going to just
> pass cli arguments to it, it seemed to be not much better than calling the
> wrapper directly :-(

I disagree. It *is* vastly better than calling "ipa" command tool from a
subprocess. If not only because you receive proper Python exceptions and
results in Python data types instead of having to parse it from the CLI.

AFAIK, the "only" missing piece is the documentation for this API. For now, you
need to read the plugins code (takes_options section) or deduce the call option
names from CLI option names.

...
> As far as Host-Enrollment vs Host-Administrators privileges - it may be
> that I am mixing up 2 ways to enroll hosts. My original attempt was to try
> to have an "enroller" account that would add client directly from the
> client - but I have relented and switched to a more proper method of adding
> a host entry with a generated OTP for the client followed by joining of
> that client from the client itself with the OTP password. This works, but
> when I try to add host entry with OTP password using account with only
> "Host Enrollment" privilege I get:
> 
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
> 'userPassword' attribute

Ah, so this is the error. What FreeIPA version do you use? This bug was fixed
in FreeIPA 4.0: https://fedorahosted.org/freeipa/ticket/4252

Current permissions would still not allow you to add new Hosts with Host
Enrollment privilege, one would also need to add "System: Add hosts"
permission, IIUC.

Martin
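The approach discussed above (call ipalib directly instead of the "ipa" CLI, map CLI option names onto the plugin's takes_options names, and add the host entry with a server-generated OTP), as an added example that is not code from this thread or from the FreeIPA project. It assumes FreeIPA 4.x names (`api.Backend.rpcclient`, `host_add` with `random=True` returning `randompassword`), a CLI flag `--ip-address` as the sample option, and a constructed `FakeIpaApi` so the helper can be exercised without a server.

```python
"""Add a host entry with a one-time password through ipalib (not the CLI)."""


def cli_to_api_kwargs(cli_options):
    """Recover host_add() keyword names from 'ipa host-add' CLI flags.

    ipalib derives each CLI flag from the plugin's takes_options name by
    swapping '_' for '-', so reversing that gives the API keyword, e.g.
    '--ip-address=10.0.0.5' -> ip_address='10.0.0.5', '--random' -> random=True.
    """
    kwargs = {}
    for opt in cli_options:
        name, has_value, value = opt.lstrip("-").partition("=")
        kwargs[name.replace("-", "_")] = value if has_value else True
    return kwargs


def add_host_with_otp(api, fqdn, **options):
    """Create the host entry with a generated OTP and return that OTP.

    'api' is a bootstrapped, connected ipalib api object (or a stand-in).
    random=True is the API form of 'ipa host-add --random'; the password is
    returned as 'randompassword' in a plain dict, so nothing is parsed from
    CLI output. An account without write access to userPassword makes the
    call raise ipalib.errors.ACIError ("Insufficient access: ...") instead.
    """
    options.setdefault("random", True)
    result = api.Command.host_add(fqdn, **options)
    return result["result"]["randompassword"]


class FakeIpaApi(object):
    """Constructed stand-in mimicking the shape of an ipalib host_add reply,
    so add_host_with_otp() can be run and tested without a FreeIPA server."""
    class Command(object):
        @staticmethod
        def host_add(fqdn, **options):
            entry = {"fqdn": [fqdn], "randompassword": "constructed-otp"}
            return {"value": fqdn, "summary": "Added host", "result": entry}


if __name__ == "__main__":
    from ipalib import api, errors  # needs a FreeIPA client install + Kerberos ticket
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()  # 4.x name; older releases used api.Backend.xmlclient
    opts = cli_to_api_kwargs(["--ip-address=10.0.0.5"])  # assumed sample option
    try:
        print(add_host_with_otp(api, "client.example.com", **opts))
    except errors.ACIError as exc:
        # The error from the thread lands here: the account lacks the permission
        # to add the host (and its userPassword); grant it rather than parsing text.
        raise SystemExit("host_add denied: %s" % exc)
```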
