[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Matt . yamakasi.014 at gmail.com
Fri Mar 10 18:40:20 UTC 2017


Hi Rob,

Thanks, but what do you mean here ? The Foreman has a script which
should be OK for it:

https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm

Can you check this maybe ?

Thanks,

Matt

2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>> doesn't work, all things seem to be fine and some other tests from
>> people are working:
>>
>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>
>>
>> My settings are like this:
>>
>>
>> [root at ipa-01 ~]# ipa role-find
>> ---------------
>> 6 roles matched
>> ---------------
>>   Role name: helpdesk
>>   Description: Helpdesk
>>
>>   Role name: IT Security Specialist
>>   Description: IT Security Specialist
>>
>>   Role name: IT Specialist
>>   Description: IT Specialist
>>
>>   Role name: Security Architect
>>   Description: Security Architect
>>
>>   Role name: Smart Proxy Host Manager
>>   Description: Smart Proxy management
>>
>>   Role name: User Administrator
>>   Description: Responsible for creating Users and Groups
>> ----------------------------
>> Number of entries returned 6
>> ----------------------------
>> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>   Role name: Smart Proxy Host Manager
>>   Description: Smart Proxy management
>>   Member users: foreman-proxy, foreman-realm-proxy
>>   Privileges: Smart Proxy Host Management
>> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>   Privilege name: Smart Proxy Host Management
>>   Description: Smart Proxy Host Management
>>   Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>>                System: Read DNS Entries, System: Remove DNS Entries,
>>                System: Update DNS Entries, System: Manage Host Certificates,
>>                System: Manage Host Enrollment Password, System: Manage Host Keytab,
>>                System: Modify Hosts, System: Remove Hosts,
>>                System: Manage Service Keytab, System: Modify Services,
>>                Add Host Enrollment Password
>>   Granting privilege to roles: Smart Proxy Host Manager
>> [root at ipa-01 ~]#
>> [root at ipa-01 ~]# ipa permission-find "Add Host"
>> ---------------------
>> 3 permissions matched
>> ---------------------
>>   Permission name: Add Host Enrollment Password
>>   Granted rights: add
>>   Effective attributes: userpassword
>>   Bind rule type: permission
>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: host
>>   Permission flags: V2, SYSTEM
>>
>>   Permission name: System: Add Hostgroups
>>   Granted rights: add
>>   Bind rule type: permission
>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: hostgroup
>>   Permission flags: V2, MANAGED, SYSTEM
>>
>>   Permission name: System: Add Hosts
>>   Granted rights: add
>>   Bind rule type: permission
>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>   Type: host
>>   Permission flags: V2, MANAGED, SYSTEM
>> ----------------------------
>> Number of entries returned 3
>> ----------------------------
>>
>>
>> Can anyone help me out as I'm unsure where this goes wrong.
>>
>
> For 'Add Host Enrollment Password' the granted rights should be write
> not add.
>
> add is for adding entries, not writing attributes.
>
> rob
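The check that Rob's point implies, as an added example that is not part of the post, of Foreman's foreman-prepare-realm script, or of FreeIPA: parse the text output of `ipa permission-find` and flag any permission that lists effective attributes but grants only entry-level rights (`add`/`delete`), since in FreeIPA/389-ds ACIs `add` and `delete` apply to whole entries and setting an attribute of an existing host entry needs `write`. The sample input is constructed from the output quoted above with the base DN shortened; the suggested `ipa permission-mod ... --right=write` fix line is assumed CLI syntax and should be checked against `ipa permission-mod --help` on the server before running.

```python
"""Audit FreeIPA permissions whose attribute-level scope is granted as 'add'.

Parses `ipa permission-find` / `ipa permission-show` text output and flags
permissions that name effective attributes but carry only entry-level
rights. Example code, not FreeIPA's or Foreman's own tooling.
"""
import re

# Constructed sample: the three records quoted in the thread, base DN shortened.
SAMPLE = """\
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=example,dc=test
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=example,dc=test
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=example,dc=test
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------
"""

# Rights that act on whole entries rather than on attributes of an entry.
ENTRY_RIGHTS = {"add", "delete"}

# Fields the CLI prints as comma-separated lists.
LIST_FIELDS = {"granted rights", "effective attributes", "permission flags"}

# "Key: value" lines; the key is letters and spaces only, so a value such as
# "System: Add Hostgroups" stays intact in the value part.
FIELD_RE = re.compile(r"([A-Za-z ]+): (.*)")


def parse_permissions(text):
    """Split permission-find output into one dict per 'Permission name:' record."""
    records, current = [], None
    for raw in text.splitlines():
        m = FIELD_RE.match(raw.strip())
        if not m:
            continue  # separators, counts and blank lines
        key, value = m.group(1).strip().lower(), m.group(2).strip()
        if key == "permission name":
            current = {"name": value}
            records.append(current)
        elif current is not None:
            if key in LIST_FIELDS:
                current[key] = {v.strip().lower() for v in value.split(",") if v.strip()}
            else:
                current[key] = value
    return records


def audit(records):
    """Return (name, reason) for permissions scoped to attributes but granted
    only add/delete. Such a permission cannot set the attribute on an existing
    entry; it needs 'write'."""
    findings = []
    for rec in records:
        rights = rec.get("granted rights", set())
        attrs = rec.get("effective attributes", set())
        if attrs and rights and rights <= ENTRY_RIGHTS:
            reason = "grants only %s on attribute(s) %s; attribute access needs 'write'" % (
                ", ".join(sorted(rights)), ", ".join(sorted(attrs)))
            findings.append((rec["name"], reason))
    return findings


def fix_commands(findings):
    """Suggested repair, one per finding. Assumed `ipa permission-mod` syntax:
    verify with `ipa permission-mod --help` and re-check with permission-show."""
    return ['ipa permission-mod "%s" --right=write' % name for name, _ in findings]


if __name__ == "__main__":
    found = audit(parse_permissions(SAMPLE))
    for name, reason in found:
        print("%s: %s" % (name, reason))
    for cmd in fix_commands(found):
        print("fix: " + cmd)
```

Feed it live data with `ipa permission-find --all | python3 audit.py` style plumbing by replacing `SAMPLE` with `sys.stdin.read()`; only "Add Host Enrollment Password" is flagged in the sample, the two `System: Add ...` permissions are entry creation permissions with no attribute list and are left alone.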