[Freeipa-users] Service account to enroll hosts

Rob Crittenden rcritten at redhat.com
Wed Jan 27 16:03:44 UTC 2016


Marat Vyshegorodtsev wrote:
> Hi!
> 
> I'm trying to build an auto-enrollment script that would leverage a
> service account to enroll hosts.
> 
> Here is the LDIF for this service account:
> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
> 
> This service account is created successfully, but when I try to:
> 1) kinit hostadmin
> 2) ipa host-add foobar.contoso.com
> 
> The following error appears:
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
> the entry 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
> 
> Which privilege am I missing? A normal (posix) user with the same set
> of privileges worked fine; the problem started to happen when I moved
> the user from normal users to cn=sysaccounts,cn=etc.
> 
> Also, is my set of privileges minimal? Which privileges do I need to
> just add host entries?
> 

You should not directly add memberOf values. You should add the user as
a member of the respective roles and the rest should follow naturally.
So you'll need to add this entry then do a modify to add it as a member
of one or more roles.

rob
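The two-step procedure Rob describes (add the sysaccount entry without any memberOf values, then modify the role so the account becomes one of its members; memberOf is maintained by the directory server's MemberOf plugin and is not meant to be written by hand), as an added example that is not part of the thread or of the gist linked above. The suffix dc=contoso,dc=com and the uid hostadmin are taken from the quoted error and commands; the role name "Host Enrollers" is a hypothetical role assumed to exist already, and the password is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or FreeIPA itself.
# Assumptions: suffix dc=contoso,dc=com (from the quoted error), sysaccount
# uid "hostadmin" (from the quoted kinit), role "Host Enrollers" (hypothetical,
# assumed to already exist with the privileges the account needs).

SUFFIX='dc=contoso,dc=com'

# Step 1: the service account entry itself. Note there is NO memberOf line;
# memberOf is computed by the MemberOf plugin once the role points at us.
sysaccount_ldif() {
cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,${SUFFIX}
changetype: add
objectClass: account
objectClass: simplesecurityobject
uid: $1
userPassword: CHANGEME-placeholder
EOF
}

# Step 2: a modify against the ROLE entry, adding the account to its member
# attribute. Usage: role_member_ldif <uid> <role-cn>
role_member_ldif() {
cat <<EOF
dn: cn=$2,cn=roles,cn=accounts,${SUFFIX}
changetype: modify
add: member
member: uid=$1,cn=sysaccounts,cn=etc,${SUFFIX}
EOF
}

# Review check for LDIF read on stdin: succeeds (exit 0) only when the LDIF
# does not try to write memberOf directly, which is the mistake being corrected.
ldif_is_clean() {
  ! grep -qi '^memberOf:'
}

# Apply an LDIF file against the IPA directory with the Directory Manager
# credentials; kept in a function so nothing touches a server when this file
# is merely sourced. Usage: apply_ldif <server> <file.ldif>
apply_ldif() {
  ldapmodify -x -H "ldap://$1" -D 'cn=Directory Manager' -W -f "$2"
}

# Print both LDIF steps when run directly, e.g.: sh enroll-account.sh --print
if [ "${1:-}" = "--print" ]; then
  sysaccount_ldif hostadmin
  echo
  role_member_ldif hostadmin 'Host Enrollers'
fi
```

Apply the first LDIF with ldapadd/ldapmodify, then the second; afterwards `ldapsearch` on the sysaccount entry should show a memberOf value for the role that the plugin filled in, without anyone having written it.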
