[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
Rob Crittenden
rcritten at redhat.com
Tue Mar 14 18:51:58 UTC 2017
Matt . wrote:
> Hi Rob,
>
> Thanks for the update. The same error happens when I add a new host,
> so I'm lost, and so are the Foreman devs.
>
> What can I check/test further?
See what 389-ds is logging in its access log.
You may need to enable ACI summary debugging. See the 389-ds FAQ for
instructions on how.
I find it curious that there are 2 similarly named foreman users in the
role.
rob
>
> Thanks,
>
> Matt
>
> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>> Matt . wrote:
>>> Hi Rob,
>>>
>>> Thanks, but what do you mean here? The Foreman has a script which
>>> should be OK for it:
>>>
>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>
>>> Can you check this maybe?
>>
>> Like I said, it's wrong.
>>
>> add grants the ability to add new entries, not updating existing ones.
>>
>> The right needs to be "write".
>>
>> rob
>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>> Matt . wrote:
>>>>> I'm trying to add a host using Foreman to the FreeIPA realm, but this
>>>>> doesn't work. All things seem to be fine, and some other tests from
>>>>> people are working:
>>>>>
>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>
>>>>>
>>>>> My settings are like this:
>>>>>
>>>>>
>>>>> [root at ipa-01 ~]# ipa role-find
>>>>> ---------------
>>>>> 6 roles matched
>>>>> ---------------
>>>>> Role name: helpdesk
>>>>> Description: Helpdesk
>>>>>
>>>>> Role name: IT Security Specialist
>>>>> Description: IT Security Specialist
>>>>>
>>>>> Role name: IT Specialist
>>>>> Description: IT Specialist
>>>>>
>>>>> Role name: Security Architect
>>>>> Description: Security Architect
>>>>>
>>>>> Role name: Smart Proxy Host Manager
>>>>> Description: Smart Proxy management
>>>>>
>>>>> Role name: User Administrator
>>>>> Description: Responsible for creating Users and Groups
>>>>> ----------------------------
>>>>> Number of entries returned 6
>>>>> ----------------------------
>>>>> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>> Role name: Smart Proxy Host Manager
>>>>> Description: Smart Proxy management
>>>>> Member users: foreman-proxy, foreman-realm-proxy
>>>>> Privileges: Smart Proxy Host Management
>>>>> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>> Privilege name: Smart Proxy Host Management
>>>>> Description: Smart Proxy Host Management
>>>>> Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>>>>> System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS Entries,
>>>>> System: Manage Host Certificates, System: Manage Host Enrollment Password,
>>>>> System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts,
>>>>> System: Manage Service Keytab, System: Modify Services,
>>>>> Add Host Enrollment Password
>>>>> Granting privilege to roles: Smart Proxy Host Manager
>>>>> [root at ipa-01 ~]#
>>>>> [root at ipa-01 ~]# ipa permission-find "Add Host"
>>>>> ---------------------
>>>>> 3 permissions matched
>>>>> ---------------------
>>>>> Permission name: Add Host Enrollment Password
>>>>> Granted rights: add
>>>>> Effective attributes: userpassword
>>>>> Bind rule type: permission
>>>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>> Type: host
>>>>> Permission flags: V2, SYSTEM
>>>>>
>>>>> Permission name: System: Add Hostgroups
>>>>> Granted rights: add
>>>>> Bind rule type: permission
>>>>> Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>> Type: hostgroup
>>>>> Permission flags: V2, MANAGED, SYSTEM
>>>>>
>>>>> Permission name: System: Add Hosts
>>>>> Granted rights: add
>>>>> Bind rule type: permission
>>>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>> Type: host
>>>>> Permission flags: V2, MANAGED, SYSTEM
>>>>> ----------------------------
>>>>> Number of entries returned 3
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>>
>>>>
>>>> For 'Add Host Enrollment Password' the granted rights should be write
>>>> not add.
>>>>
>>>> add is for adding entries, not writing attributes.
>>>>
>>>> rob
>>>
>>
>
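Rob's point about "add" versus "write" turned into an audit check, as an added example that is not from this thread or from the FreeIPA or Foreman projects. It parses constructed `ipa permission-find` text modelled on the output quoted above (the fourth entry is made up to show a correctly configured permission) and flags attribute-scoped permissions that carry no write right:

```python
# Constructed sample modelled on the `ipa permission-find "Add Host"` output
# quoted in the thread, plus one correctly configured entry for contrast.
SAMPLE_OUTPUT = """\
---------------------
4 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword

  Permission name: System: Add Hostgroups
  Granted rights: add

  Permission name: System: Add Hosts
  Granted rights: add

  Permission name: Example: Write Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
"""

def parse_permissions(text: str) -> list[dict[str, str]]:
    """Turn `ipa permission-find` text into one dict per permission entry."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or ": " not in line:
            if current:  # blank lines, rules and counters end an entry
                entries.append(current)
                current = {}
            continue
        key, value = line.split(": ", 1)  # value may itself contain "System: "
        current[key] = value
    if current:
        entries.append(current)
    return entries

def attribute_rights_without_write(entries: list[dict[str, str]]) -> list[str]:
    """Attribute-scoped permissions whose rights cannot modify the attribute.
    'add' creates whole entries; setting userPassword on an existing host needs
    'write' (or 'all'). Entry-level permissions (no attribute list) are skipped."""
    flagged = []
    for entry in entries:
        if "Effective attributes" not in entry:
            continue
        rights = {r.strip() for r in entry.get("Granted rights", "").split(",")}
        if not rights & {"write", "all"}:
            flagged.append(entry["Permission name"])
    return flagged
```

Running the check on real output (`ipa permission-find | python3 check.py`, with a stdin reader added) would list exactly the permissions that need `write` instead of `add`.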