[Freeipa-users] Minimum rights to enrol a client

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 20 08:55:36 UTC 2015


On Fri, 20 Mar 2015, David Kupka wrote:
>On 03/20/2015 09:16 AM, Andrew Holway wrote:
>>Hello,
>>
>>I'd like to find out what the minimum role would be to allow a user to join
>>a new client to freeipa.
>>
>>Currently our enrol command looks like:
>>ipa-client-install --force-join --enable-dns-updates -U -p admin -w
>>xxxxxxxx:
>>
>>Thanks,
>>
>>Andrew
>>
>>
>>
>Hello!
>
>AFAIK there is a 'Host Enrollment' privilege created during IPA server 
>installation. You need to create a new role and add this privilege to 
>the newly created role.
>The role can then be assigned to any user or group. A user with this 
>privilege has enough permissions to enroll a host to the IPA domain.
That is not the full story.

To enroll hosts you have to have 'Host Enrollment' privilege but this
privilege does not give you rights to create a host object. Creating
hosts is a separate permission ('System: Add Hosts') granted to a
separate privilege, 'Host Administrators'.

-- 
/ Alexander Bokovoy
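The role split Alexander describes, written out as `ipa` CLI commands (an added example, not from anyone in the thread): a role carrying only 'Host Enrollment' can enrol a host whose entry an admin has pre-created, while a role that must also create host entries needs 'Host Administrators' as well. Role and user names are assumed; `IPA` and `IPA_CLIENT_INSTALL` are variables added here so the commands can be dry-run.

```shell
#!/bin/sh
# Added example: least-privilege enrolment roles built with the ipa CLI.
# Point IPA at "echo" to dry-run the commands without an IPA server.
IPA="${IPA:-ipa}"
IPA_CLIENT_INSTALL="${IPA_CLIENT_INSTALL:-ipa-client-install}"

# Role that may only enrol hosts whose entries already exist
# ('Host Enrollment' alone does not allow 'System: Add Hosts').
create_enrol_only_role() {
    role="$1"
    "$IPA" role-add "$role" --desc="Enrol pre-created hosts only"
    "$IPA" role-add-privilege "$role" --privileges="Host Enrollment"
}

# Role that may enrol AND create host entries, which is what joining
# a brand-new host without an admin pre-creating it requires.
create_enrol_and_add_role() {
    role="$1"
    "$IPA" role-add "$role" --desc="Enrol and create hosts"
    "$IPA" role-add-privilege "$role" \
        --privileges="Host Enrollment" \
        --privileges="Host Administrators"
}

# Grant a role to a user (role and user names are assumed by the caller).
assign_role() {
    "$IPA" role-add-member "$1" --users="$2"
}

# Least-privilege path: an admin pre-creates the host entry so the
# enrol-only role suffices on the client side.
precreate_host() {
    "$IPA" host-add "$1"
}

# Enrol with the limited principal; -W prompts for the password instead
# of putting it on the command line (where -w leaves it in process lists).
enrol_client() {
    "$IPA_CLIENT_INSTALL" --force-join --enable-dns-updates -U -p "$1" -W
}

# Usage with an assumed user "enroller" and an assumed host name:
#   create_enrol_only_role "Host Enrollers"
#   assign_role "Host Enrollers" enroller
#   precreate_host client1.example.test   # run as an admin
#   enrol_client enroller                 # run on the client
```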