[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
Rob Crittenden
rcritten at redhat.com
Fri Mar 10 16:21:54 UTC 2017
Matt . wrote:
> I'm trying to add a host using Foreman to the FreeIPA realm but this
> doesn't work, all things seem to be fine and some other tests from
> people are working:
>
> The issue is reported here: http://projects.theforeman.org/issues/18850
>
>
> My settings are like this:
>
>
> [root at ipa-01 ~]# ipa role-find
> ---------------
> 6 roles matched
> ---------------
> Role name: helpdesk
> Description: Helpdesk
>
> Role name: IT Security Specialist
> Description: IT Security Specialist
>
> Role name: IT Specialist
> Description: IT Specialist
>
> Role name: Security Architect
> Description: Security Architect
>
> Role name: Smart Proxy Host Manager
> Description: Smart Proxy management
>
> Role name: User Administrator
> Description: Responsible for creating Users and Groups
> ----------------------------
> Number of entries returned 6
> ----------------------------
> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
> Role name: Smart Proxy Host Manager
> Description: Smart Proxy management
> Member users: foreman-proxy, foreman-realm-proxy
> Privileges: Smart Proxy Host Management
> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
> Privilege name: Smart Proxy Host Management
> Description: Smart Proxy Host Management
> Permissions: Retrieve Certificates from the CA, System: Add DNS
> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
> Update DNS
> Entries, System: Manage Host Certificates, System:
> Manage Host Enrollment Password, System: Manage Host Keytab, System:
> Modify Hosts,
> System: Remove Hosts, System: Manage Service Keytab,
> System: Modify Services, Add Host Enrollment Password
> Granting privilege to roles: Smart Proxy Host Manager
> [root at ipa-01 ~]#
> [root at ipa-01 ~]# ipa permission-find "Add Host"
> ---------------------
> 3 permissions matched
> ---------------------
> Permission name: Add Host Enrollment Password
> Granted rights: add
> Effective attributes: userpassword
> Bind rule type: permission
> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
> Type: host
> Permission flags: V2, SYSTEM
>
> Permission name: System: Add Hostgroups
> Granted rights: add
> Bind rule type: permission
> Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
> Type: hostgroup
> Permission flags: V2, MANAGED, SYSTEM
>
> Permission name: System: Add Hosts
> Granted rights: add
> Bind rule type: permission
> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
> Type: host
> Permission flags: V2, MANAGED, SYSTEM
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
>
> Can anyone help me out as I'm unsure where this goes wrong.
>
For 'Add Host Enrollment Password' the granted rights should be write
not add.
add is for adding entries, not writing attributes.
rob
More information about the Freeipa-users
mailing list