[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Matt . yamakasi.014 at gmail.com
Fri Mar 10 22:50:49 UTC 2017


Hi Rob,

Thanks for the update. The same error happens when I add a new host,
so I'm lost, and so are the Foreman devs.

What can I check/test further?

Thanks,

Matt

2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks, but what do you mean here? The Foreman has a script which
>> should be OK for it:
>>
>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>
>> Can you check this maybe?
>
> Like I said, it's wrong.
>
> add grants the ability to add new entries, not updating existing ones.
>
> The right needs to be "write".
>
> rob
>
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>> doesn't work, all things seem to be fine and some other tests from
>>>> people are working:
>>>>
>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>
>>>>
>>>> My settings are like this:
>>>>
>>>>
>>>> [root at ipa-01 ~]# ipa role-find
>>>> ---------------
>>>> 6 roles matched
>>>> ---------------
>>>>   Role name: helpdesk
>>>>   Description: Helpdesk
>>>>
>>>>   Role name: IT Security Specialist
>>>>   Description: IT Security Specialist
>>>>
>>>>   Role name: IT Specialist
>>>>   Description: IT Specialist
>>>>
>>>>   Role name: Security Architect
>>>>   Description: Security Architect
>>>>
>>>>   Role name: Smart Proxy Host Manager
>>>>   Description: Smart Proxy management
>>>>
>>>>   Role name: User Administrator
>>>>   Description: Responsible for creating Users and Groups
>>>> ----------------------------
>>>> Number of entries returned 6
>>>> ----------------------------
>>>> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>   Role name: Smart Proxy Host Manager
>>>>   Description: Smart Proxy management
>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>   Privileges: Smart Proxy Host Management
>>>> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>   Privilege name: Smart Proxy Host Management
>>>>   Description: Smart Proxy Host Management
>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>>>>                System: Read DNS Entries, System: Remove DNS Entries,
>>>>                System: Update DNS Entries, System: Manage Host Certificates,
>>>>                System: Manage Host Enrollment Password, System: Manage Host Keytab,
>>>>                System: Modify Hosts, System: Remove Hosts,
>>>>                System: Manage Service Keytab, System: Modify Services,
>>>>                Add Host Enrollment Password
>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>> [root at ipa-01 ~]#
>>>> [root at ipa-01 ~]# ipa permission-find "Add Host"
>>>> ---------------------
>>>> 3 permissions matched
>>>> ---------------------
>>>>   Permission name: Add Host Enrollment Password
>>>>   Granted rights: add
>>>>   Effective attributes: userpassword
>>>>   Bind rule type: permission
>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: host
>>>>   Permission flags: V2, SYSTEM
>>>>
>>>>   Permission name: System: Add Hostgroups
>>>>   Granted rights: add
>>>>   Bind rule type: permission
>>>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: hostgroup
>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>
>>>>   Permission name: System: Add Hosts
>>>>   Granted rights: add
>>>>   Bind rule type: permission
>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>   Type: host
>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>> ----------------------------
>>>> Number of entries returned 3
>>>> ----------------------------
>>>>
>>>>
>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>
>>>
>>> For 'Add Host Enrollment Password' the granted rights should be write
>>> not add.
>>>
>>> add is for adding entries, not writing attributes.
>>>
>>> rob
>>
>
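An added check, not part of this thread or of Foreman's foreman-prepare-realm script: it reads the "Granted rights:" line of ipa permission-show / permission-find output (here a constructed sample mirroring the output quoted above) and flags a permission that grants only "add" on userpassword, printing the ipa permission-mod command that sets the "write" right Rob describes. The --right option is the ipa CLI's own; the function names and the sample text are mine.

```shell
#!/bin/sh
# Added example; not code from the thread or from foreman-prepare-realm.
# "add" lets a bind DN create new entries; setting userPassword on an
# existing host entry needs "write" on that attribute.

# Constructed sample, copied in shape from the permission-find output above.
SAMPLE_BROKEN='  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM'

# Constructed sample of the same permission after the right was corrected.
SAMPLE_FIXED='  Permission name: Add Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
  Type: host'

# granted_rights OUTPUT -> prints the rights list, e.g. "add" or "write, add"
granted_rights() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Granted rights:[[:space:]]*//p'
}

# has_write OUTPUT -> exit 0 if "write" is one of the granted rights
has_write() {
    granted_rights "$1" | tr ',' '\n' | tr -d ' ' | grep -qx 'write'
}

# check_enrollment_perm NAME OUTPUT -> verdict on stdout; returns 0 when OK,
# 1 when the permission lacks write (and prints the ipa command to fix it).
check_enrollment_perm() {
    name=$1
    out=$2
    if has_write "$out"; then
        echo "OK: '$name' grants write on userpassword"
        return 0
    fi
    echo "PROBLEM: '$name' grants only: $(granted_rights "$out")"
    echo "Fix (as an IPA admin on the server):"
    echo "  ipa permission-mod \"$name\" --right=write"
    return 1
}

# Demo on the constructed samples. For a live check pass the real output:
#   check_enrollment_perm "Add Host Enrollment Password" \
#       "$(ipa permission-show "Add Host Enrollment Password")"
check_enrollment_perm "Add Host Enrollment Password" "$SAMPLE_BROKEN" || true
check_enrollment_perm "Add Host Enrollment Password" "$SAMPLE_FIXED"
```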
