[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
Matt .
yamakasi.014 at gmail.com
Tue Mar 14 20:11:17 UTC 2017
Hi Rob,
I have this solved; I think it was an issue in the foreman-proxy.
The reason why there are two users in the role was to test other
usernames, as you cannot use foreman-proxy for this, for example.
I need to update the Foreman ticket about it.
Thanks for helping out.
Cheers,
Matt
2017-03-14 19:51 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks for the update. The same error happens when I add a new host,
>> so I'm lost, and so are the Foreman devs.
>>
>> What can I check/test further?
>
> See what 389-ds is logging in its access log.
>
> You may need to enable ACI summary debugging. See the 389-ds FAQ for
> instructions on how.
>
> I find it curious that there are 2 similarly named foreman users in the
> role.
>
> rob
>
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Thanks, but what do you mean here? The Foreman has a script which
>>>> should be OK for it:
>>>>
>>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>>
>>>> Can you check this maybe ?
>>>
>>> Like I said, it's wrong.
>>>
>>> add grants the ability to add new entries, not to update existing ones.
>>>
>>> The right needs to be "write".
>>>
>>> rob
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> I'm trying to add a host to the FreeIPA realm using Foreman, but this
>>>>>> doesn't work; all things seem to be fine, and some other tests from
>>>>>> people are working:
>>>>>>
>>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>>
>>>>>>
>>>>>> My settings are like this:
>>>>>>
>>>>>>
>>>>>> [root@ipa-01 ~]# ipa role-find
>>>>>> ---------------
>>>>>> 6 roles matched
>>>>>> ---------------
>>>>>> Role name: helpdesk
>>>>>> Description: Helpdesk
>>>>>>
>>>>>> Role name: IT Security Specialist
>>>>>> Description: IT Security Specialist
>>>>>>
>>>>>> Role name: IT Specialist
>>>>>> Description: IT Specialist
>>>>>>
>>>>>> Role name: Security Architect
>>>>>> Description: Security Architect
>>>>>>
>>>>>> Role name: Smart Proxy Host Manager
>>>>>> Description: Smart Proxy management
>>>>>>
>>>>>> Role name: User Administrator
>>>>>> Description: Responsible for creating Users and Groups
>>>>>> ----------------------------
>>>>>> Number of entries returned 6
>>>>>> ----------------------------
>>>>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>>> Role name: Smart Proxy Host Manager
>>>>>> Description: Smart Proxy management
>>>>>> Member users: foreman-proxy, foreman-realm-proxy
>>>>>> Privileges: Smart Proxy Host Management
>>>>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>>> Privilege name: Smart Proxy Host Management
>>>>>> Description: Smart Proxy Host Management
>>>>>> Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>>>>>> System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS Entries,
>>>>>> System: Manage Host Certificates, System: Manage Host Enrollment Password,
>>>>>> System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts,
>>>>>> System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
>>>>>> Granting privilege to roles: Smart Proxy Host Manager
>>>>>> [root@ipa-01 ~]#
>>>>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>>>>> ---------------------
>>>>>> 3 permissions matched
>>>>>> ---------------------
>>>>>> Permission name: Add Host Enrollment Password
>>>>>> Granted rights: add
>>>>>> Effective attributes: userpassword
>>>>>> Bind rule type: permission
>>>>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>> Type: host
>>>>>> Permission flags: V2, SYSTEM
>>>>>>
>>>>>> Permission name: System: Add Hostgroups
>>>>>> Granted rights: add
>>>>>> Bind rule type: permission
>>>>>> Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>> Type: hostgroup
>>>>>> Permission flags: V2, MANAGED, SYSTEM
>>>>>>
>>>>>> Permission name: System: Add Hosts
>>>>>> Granted rights: add
>>>>>> Bind rule type: permission
>>>>>> Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>> Type: host
>>>>>> Permission flags: V2, MANAGED, SYSTEM
>>>>>> ----------------------------
>>>>>> Number of entries returned 3
>>>>>> ----------------------------
>>>>>>
>>>>>>
>>>>>> Can anyone help me out, as I'm unsure where this goes wrong?
>>>>>>
>>>>>
>>>>> For 'Add Host Enrollment Password' the granted rights should be write
>>>>> not add.
>>>>>
>>>>> add is for adding entries, not writing attributes.
>>>>>
>>>>> rob
>>>>
>>>
>>
>
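Added here as an example, not part of the thread and not the foreman-prepare-realm script Matt linked: a POSIX shell check for the point Rob makes, that the "add" right only permits creating entries while setting userPassword on an existing host entry needs "write". The script parses `ipa permission-show` output for the permission named in the thread, reports whether the granted rights include `write` (or `all`), and prints the `ipa permission-mod` command that would set them. It assumes the `ipa` CLI with an admin Kerberos ticket when run with `--check`; without that flag it runs against a constructed sample of the output shown in the thread. The `--right` option of `ipa permission-mod` is the FreeIPA CLI's own; the thread does not record it being run, and whether a permission carrying the SYSTEM flag may be modified this way depends on the IPA version, so verify on a test instance.

```shell
#!/bin/sh
# Added example: a check for the permission discussed in this thread.
# It is not part of the thread and not the foreman-prepare-realm script.
# Assumptions: the `ipa` CLI is installed and an admin Kerberos ticket is
# held when run with --check; the permission name is the one in the thread.

PERM_NAME="Add Host Enrollment Password"

# Constructed sample of `ipa permission-show` output, matching the rights
# shown in the thread (used when the script runs without --check).
SAMPLE_OUTPUT='  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Type: host
  Permission flags: V2, SYSTEM'

# granted_rights: read permission-show output on stdin and print the
# comma-separated rights list (for example "add" or "read, write").
granted_rights() {
    sed -n 's/^[[:space:]]*Granted rights:[[:space:]]*//p'
}

# has_right RIGHTS RIGHT: succeed when RIGHT is one of the comma-separated
# RIGHTS (exact match, so "write" does not match "wri").
has_right() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -qx "$2"
}

# password_right_ok RIGHTS: succeed when the rights allow modifying an
# attribute of an existing host entry. In 389-ds ACI terms "add" only
# permits creating new entries; setting userPassword needs "write" (or "all").
password_right_ok() {
    has_right "$1" write || has_right "$1" all
}

# suggest_fix: print the ipa command that sets the rights list to "write".
# The thread does not record this command being run; permission-mod --right
# replaces the whole rights list, and whether a permission carrying the
# SYSTEM flag may be modified depends on the IPA version, so try it on a
# test instance first.
suggest_fix() {
    printf 'ipa permission-mod "%s" --right=write\n' "$PERM_NAME"
}

# report RIGHTS: print a verdict and return non-zero when a fix is needed.
report() {
    if password_right_ok "$1"; then
        echo "OK: '$PERM_NAME' grants: $1"
        return 0
    fi
    echo "PROBLEM: '$PERM_NAME' grants only '$1'; userPassword cannot be set" >&2
    echo "Suggested fix: $(suggest_fix)" >&2
    return 1
}

if [ "${1:-}" = "--check" ]; then
    # Live check against the directory (needs ipa and an admin ticket).
    report "$(ipa permission-show "$PERM_NAME" | granted_rights)"
else
    # Offline demonstration on the constructed sample; expect a PROBLEM verdict.
    report "$(printf '%s\n' "$SAMPLE_OUTPUT" | granted_rights)" || true
fi
```

Run with `--check` on an IPA server to test the real permission; the exit status is non-zero when the rights list lacks `write`, which makes it usable from a provisioning pipeline's pre-flight step.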