[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Matt . yamakasi.014 at gmail.com
Thu Mar 9 21:51:13 UTC 2017


I'm trying to add a host using Foreman to the FreeIPA realm, but this
doesn't work. All things seem to be fine and some other tests from
people are working:

The issue is reported here: http://projects.theforeman.org/issues/18850


My settings are like this:


[root@ipa-01 ~]# ipa role-find
---------------
6 roles matched
---------------
  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management

  Role name: User Administrator
  Description: Responsible for creating Users and Groups
----------------------------
Number of entries returned 6
----------------------------
[root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
  Role name: Smart Proxy Host Manager
  Description: Smart Proxy management
  Member users: foreman-proxy, foreman-realm-proxy
  Privileges: Smart Proxy Host Management
[root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
  Privilege name: Smart Proxy Host Management
  Description: Smart Proxy Host Management
  Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS
               Entries, System: Manage Host Certificates, System: Manage Host Enrollment Password, System: Manage Host Keytab, System: Modify Hosts,
               System: Remove Hosts, System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
  Granting privilege to roles: Smart Proxy Host Manager
[root@ipa-01 ~]#
[root@ipa-01 ~]# ipa permission-find "Add Host"
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------


Can anyone help me out? I'm unsure where this goes wrong.


Thanks so far!

Regards,

Matt



