[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Rob Crittenden rcritten at redhat.com
Fri Mar 10 16:21:54 UTC 2017


Matt . wrote:
> I'm trying to add a host using Foreman to the FreeIPA realm but this
> doesn't work, all things seem to be fine and some other tests from
> people are working:
> 
> The issue is reported here: http://projects.theforeman.org/issues/18850
> 
> 
> My settings are like this:
> 
> 
> [root at ipa-01 ~]# ipa role-find
> ---------------
> 6 roles matched
> ---------------
>   Role name: helpdesk
>   Description: Helpdesk
> 
>   Role name: IT Security Specialist
>   Description: IT Security Specialist
> 
>   Role name: IT Specialist
>   Description: IT Specialist
> 
>   Role name: Security Architect
>   Description: Security Architect
> 
>   Role name: Smart Proxy Host Manager
>   Description: Smart Proxy management
> 
>   Role name: User Administrator
>   Description: Responsible for creating Users and Groups
> ----------------------------
> Number of entries returned 6
> ----------------------------
> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>   Role name: Smart Proxy Host Manager
>   Description: Smart Proxy management
>   Member users: foreman-proxy, foreman-realm-proxy
>   Privileges: Smart Proxy Host Management
> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>   Privilege name: Smart Proxy Host Management
>   Description: Smart Proxy Host Management
>   Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
>   Granting privilege to roles: Smart Proxy Host Manager
> [root at ipa-01 ~]#
> [root at ipa-01 ~]# ipa permission-find "Add Host"
> ---------------------
> 3 permissions matched
> ---------------------
>   Permission name: Add Host Enrollment Password
>   Granted rights: add
>   Effective attributes: userpassword
>   Bind rule type: permission
>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: host
>   Permission flags: V2, SYSTEM
> 
>   Permission name: System: Add Hostgroups
>   Granted rights: add
>   Bind rule type: permission
>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: hostgroup
>   Permission flags: V2, MANAGED, SYSTEM
> 
>   Permission name: System: Add Hosts
>   Granted rights: add
>   Bind rule type: permission
>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: host
>   Permission flags: V2, MANAGED, SYSTEM
> ----------------------------
> Number of entries returned 3
> ----------------------------
> 
> 
> Can anyone help me out as I'm unsure where this goes wrong.
>

For 'Add Host Enrollment Password' the granted rights should be write,
not add.

add is for adding entries, not writing attributes.

rob
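As an added example (not part of the thread or of FreeIPA/Foreman), a small POSIX shell check that reads `ipa permission-find` output in the format pasted above and flags permissions that list effective attributes but grant only the entry-level `add` right rather than `write`. The sample output is constructed from the thread; the `ipa permission-mod --right` fix at the end is shown as a comment and assumes the permission is modifiable that way.

```shell
#!/bin/sh
# Constructed sample of `ipa permission-find` output, taken from the thread plus
# one correctly configured "write" permission for contrast.
SAMPLE='  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Modify Hosts
  Granted rights: write
  Effective attributes: description, l, nshostlocation
  Type: host'

# check_attr_rights: read permission-find output on stdin and print the name of
# every permission that targets attributes ("Effective attributes") while its
# rights contain "add" and no "write".  Per Rob: add is for entries, not attributes.
check_attr_rights() {
  awk -F': ' '
    function flush() {
      if (name != "" && attrs != "" && rights ~ /add/ && rights !~ /write/)
        print name
      name = ""; rights = ""; attrs = ""
    }
    # Names may themselves contain ": " (e.g. "System: Add Hosts"), so strip the
    # label with sub() instead of relying on field splitting.
    /^[[:space:]]*Permission name: / { flush(); sub(/^[[:space:]]*Permission name: /, ""); name = $0; next }
    /^[[:space:]]*Granted rights: /  { rights = $2; next }
    /^[[:space:]]*Effective attributes: / { attrs = $2; next }
    END { flush() }
  '
}

# Run the check against the constructed sample (live use: ipa permission-find | check_attr_rights).
printf '%s\n' "$SAMPLE" | check_attr_rights   # prints: Add Host Enrollment Password

# Fix described in the reply (not executed here; assumes the permission accepts permission-mod):
#   ipa permission-mod "Add Host Enrollment Password" --right=write
```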
