[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute

Matt . yamakasi.014 at gmail.com
Tue Mar 14 20:11:17 UTC 2017


Hi Rob,

I have this solved, I think it was an issue in the foreman-proxy.

The reason why there are two users in the role was to test other
usernames, as you cannot use foreman-proxy for this, for example.

I need to update the Foreman ticket about it.

Thanks for helping out.

Cheers,

Matt

2017-03-14 19:51 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks for the update, the same error happens when I add a new host,
>> so I'm lost, the same for the Foreman devs.
>>
>> What can I check/test further ?
>
> See what 389-ds is logging in its access log.
>
> You may need to enable ACI summary debugging. See the 389-ds FAQ for
> instructions on how.
>
> I find it curious that there are 2 similarly named foreman users in the
> role.
>
> rob
>
>>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Thanks, but what do you mean here ? The Foreman has a script which
>>>> should be OK for it:
>>>>
>>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>>
>>>> Can you check this maybe ?
>>>
>>> Like I said, it's wrong.
>>>
>>> add grants the ability to add new entries, not updating existing ones.
>>>
>>> The right needs to be "write".
>>>
>>> rob
>>>
>>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcritten at redhat.com>:
>>>>> Matt . wrote:
>>>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>>>> doesn't work, all things seem to be fine and some other tests from
>>>>>> people are working:
>>>>>>
>>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>>
>>>>>>
>>>>>> My settings are like this:
>>>>>>
>>>>>>
>>>>>> [root at ipa-01 ~]# ipa role-find
>>>>>> ---------------
>>>>>> 6 roles matched
>>>>>> ---------------
>>>>>>   Role name: helpdesk
>>>>>>   Description: Helpdesk
>>>>>>
>>>>>>   Role name: IT Security Specialist
>>>>>>   Description: IT Security Specialist
>>>>>>
>>>>>>   Role name: IT Specialist
>>>>>>   Description: IT Specialist
>>>>>>
>>>>>>   Role name: Security Architect
>>>>>>   Description: Security Architect
>>>>>>
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>
>>>>>>   Role name: User Administrator
>>>>>>   Description: Responsible for creating Users and Groups
>>>>>> ----------------------------
>>>>>> Number of entries returned 6
>>>>>> ----------------------------
>>>>>> [root at ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>>>   Privileges: Smart Proxy Host Management
>>>>>> [root at ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>>>   Privilege name: Smart Proxy Host Management
>>>>>>   Description: Smart Proxy Host Management
>>>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>>>>>>                System: Read DNS Entries, System: Remove DNS Entries,
>>>>>>                System: Update DNS Entries, System: Manage Host Certificates,
>>>>>>                System: Manage Host Enrollment Password, System: Manage Host Keytab,
>>>>>>                System: Modify Hosts, System: Remove Hosts,
>>>>>>                System: Manage Service Keytab, System: Modify Services,
>>>>>>                Add Host Enrollment Password
>>>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>>>> [root at ipa-01 ~]#
>>>>>> [root at ipa-01 ~]# ipa permission-find "Add Host"
>>>>>> ---------------------
>>>>>> 3 permissions matched
>>>>>> ---------------------
>>>>>>   Permission name: Add Host Enrollment Password
>>>>>>   Granted rights: add
>>>>>>   Effective attributes: userpassword
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: host
>>>>>>   Permission flags: V2, SYSTEM
>>>>>>
>>>>>>   Permission name: System: Add Hostgroups
>>>>>>   Granted rights: add
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: hostgroup
>>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>>>
>>>>>>   Permission name: System: Add Hosts
>>>>>>   Granted rights: add
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: host
>>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>>> ----------------------------
>>>>>> Number of entries returned 3
>>>>>> ----------------------------
>>>>>>
>>>>>>
>>>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>>>
>>>>>
>>>>> For 'Add Host Enrollment Password' the granted rights should be write
>>>>> not add.
>>>>>
>>>>> add is for adding entries, not writing attributes.
>>>>>
>>>>> rob
>>>>
>>>
>>
>
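The point Rob makes about the "Add Host Enrollment Password" permission is a 389-ds ACI distinction: the "add" right only lets the bound user create new entries under the target subtree, while setting an attribute (here userPassword, the one-time enrollment password) on an existing host entry is governed by the "write" right. The script below is an added example, not code from this thread, from FreeIPA or from Foreman's foreman-prepare-realm. It audits the text that `ipa permission-show` prints for a permission, flags an attribute-scoped permission whose rights do not include write, and emits the corrective `ipa permission-mod` call. The three permission dumps are constructed samples modelled on the `ipa permission-find "Add Host"` output quoted above, and the `--right=write` option of `ipa permission-mod` is assumed to be the current option name on the deployed FreeIPA version.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Foreman): audit the rights
# of an IPA permission as printed by `ipa permission-show`.
# 389-ds ACI semantics: "add" covers creating entries under the target,
# "write" covers modifying attributes of entries that already exist.

# Constructed sample, modelled on the thread's permission-find output.
SAMPLE_BROKEN='  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM'

# The same permission after the fix (constructed).
SAMPLE_FIXED='  Permission name: Add Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM'

# An entry-level permission (constructed, shaped like "System: Add Hosts"):
# here "add" is the right shape because there is no attribute target.
SAMPLE_ENTRY='  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM'

# field TEXT LABEL: value of the "  LABEL: value" line in a permission dump.
field() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# audit_permission TEXT
# Prints one verdict; returns 1 only when the permission targets attributes
# but does not grant "write" on them (the Foreman case in the thread).
audit_permission() {
    attrs=$(field "$1" 'Effective attributes')
    rights=$(field "$1" 'Granted rights' | tr ',' ' ')
    if [ -z "$attrs" ]; then
        echo "entry-level: rights [$rights] apply to whole entries"
        return 0
    fi
    case " $rights " in
        *" write "*)
            echo "ok: write granted on $attrs"
            return 0 ;;
    esac
    echo "wrong-right: [$rights] on $attrs; modifying an attribute of an existing entry needs write"
    return 1
}

# fix_command TEXT: the ipa CLI call that sets the rights to "write".
# Assumption: --right is the option name; it replaces the permission's
# whole rights set, so list every right you still want.
fix_command() {
    printf 'ipa permission-mod "%s" --right=write\n' "$(field "$1" 'Permission name')"
}

# Demo: the broken permission yields the fix; the other two pass.
audit_permission "$SAMPLE_BROKEN" || fix_command "$SAMPLE_BROKEN"
audit_permission "$SAMPLE_FIXED"
audit_permission "$SAMPLE_ENTRY"
```

In a live deployment feed the script real output, e.g. `audit_permission "$(ipa permission-show 'Add Host Enrollment Password')"`. If the right is already write and enrollment still fails, the ACI summary debugging Rob mentions will show which ACI denied the MOD on userPassword, which is what distinguishes a permission problem from a proxy-side one like the one Matt eventually found.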
