[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
Rob Crittenden
rcritten at redhat.com
Fri Mar 10 20:20:45 UTC 2017
Matt . wrote:
> Hi Rob,
>
> Thanks, but what do you mean here? The Foreman has a script which
> should be OK for it:
>
> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>
> Can you check this maybe?
Like I said, it's wrong.
add grants the ability to add new entries, not updating existing ones.
The right needs to be "write".
rob
>
> Thanks,
>
> Matt
>
> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>> doesn't work, all things seem to be fine and some other tests from
>>> people are working:
>>>
>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>
>>>
>>> My settings are like this:
>>>
>>>
>>> [root at ipa-01 ~]# ipa role-find
>>> ---------------
>>> 6 roles matched
>>> ---------------
>>> Role name: helpdesk
>>> Description: Helpdesk
>>>
>>> Role name: IT Security Specialist
>>> Description: IT Security Specialist
>>>
>>> Role name: IT Specialist
>>> Description: IT Specialist
>>>
>>> Role name: Security Architect
>>> Description: Security Architect
>>>
>>> Role name: Smart Proxy Host Manager
>>> Description: Smart Proxy management
>>>
>>> Role name: User Administrator
>>> Description: Responsible for creating Users and Groups
>>> ----------------------------
>>> Number of entries returned 6
>>> ----------------------------
>>> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>> Role name: Smart Proxy Host Manager
>>> Description: Smart Proxy management
>>> Member users: foreman-proxy, foreman-realm-proxy
>>> Privileges: Smart Proxy Host Management
>>> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>> Privilege name: Smart Proxy Host Management
>>> Description: Smart Proxy Host Management
>>> Permissions: Retrieve Certificates from the CA, System: Add DNS
>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>> Update DNS
>>> Entries, System: Manage Host Certificates, System:
>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>> Modify Hosts,
>>> System: Remove Hosts, System: Manage Service Keytab,
>>> System: Modify Services, Add Host Enrollment Password
>>> Granting privilege to roles: Smart Proxy Host Manager
>>> [root at ipa-01 ~]#
>>> [root at ipa-01 ~]# ipa permission-find "Add Host"
>>> ---------------------
>>> 3 permissions matched
>>> ---------------------
>>> Permission name: Add Host Enrollment Password
>>> Granted rights: add
>>> Effective attributes: userpassword
>>> Bind rule type: permission
>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: host
>>> Permission flags: V2, SYSTEM
>>>
>>> Permission name: System: Add Hostgroups
>>> Granted rights: add
>>> Bind rule type: permission
>>> Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: hostgroup
>>> Permission flags: V2, MANAGED, SYSTEM
>>>
>>> Permission name: System: Add Hosts
>>> Granted rights: add
>>> Bind rule type: permission
>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>> Type: host
>>> Permission flags: V2, MANAGED, SYSTEM
>>> ----------------------------
>>> Number of entries returned 3
>>> ----------------------------
>>>
>>>
>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>
>>
>> For 'Add Host Enrollment Password' the granted rights should be write
>> not add.
>>
>> add is for adding entries, not writing attributes.
>>
>> rob
>
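As an added audit check (my own code, not from this thread, FreeIPA or Foreman's foreman-prepare-realm script), here is a small Python parser for `ipa permission-find` output that flags permissions which carry an attribute list but grant only `add` and not `write`, which is exactly the misconfiguration Rob points out; the sample output is constructed from the listing quoted above.

```python
import re

# Constructed sample modelled on the permission-find output quoted above;
# not captured from a real server.
SAMPLE_OUTPUT = """\
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 2
----------------------------
"""

# "Field: value", non-greedy so "Permission name: System: Add Hosts" splits at
# the first colon; the dashed rules and the count line carry no colon at all.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_permissions(text):
    """Split permission-find output into {field: value} dicts, one per entry."""
    perms = [{}]
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            perms[-1][m.group(1)] = m.group(2).strip()
        elif not line.strip() and perms[-1]:  # a blank line ends an entry
            perms.append({})
    return [p for p in perms if p]

def _split_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def find_add_only_attribute_permissions(perms):
    """Flag attribute-scoped permissions granting 'add' but not 'write':
    'add' only covers creating entries, so such a permission cannot set
    e.g. userPassword on a host entry that already exists."""
    findings = []
    for p in perms:
        rights = set(_split_list(p.get("Granted rights", "")))
        attrs = _split_list(p.get("Effective attributes", ""))
        if attrs and "add" in rights and "write" not in rights:
            findings.append((p["Permission name"], attrs, sorted(rights)))
    return findings

def audit(text):
    """Return (name, attributes, rights) for every misconfigured permission."""
    return find_add_only_attribute_permissions(parse_permissions(text))
```

Feed it the real `ipa permission-find` output; any permission it reports needs its right changed from add to write, as Rob describes.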