On Fri, 28 Mar 2025, Andrew Nelson wrote:
Cool!

Thanks Alexander and Rob, this was a starting point I needed.  Our
challenge is tying IPA and our inventory system of record together for
audit, when hostnames are not always consistent, so I was hoping to write
something using the IPA libraries to handle the discovery in an automated
way.

It might be interesting for your use case to look at an enrollment
feature we added for Podengo support (integration with Red Hat's Cloud
Console). It uses RHEL's subscription certificate to authenticate as the
host during enrollment and that triggers creation of the host entry and
then this certificate can be used to enroll the machine. So creation of
the entry is done with something like 'curl' to an additional service on the
IPA server and can pass arbitrary additional information that the
service in question can add to the host entry at creation time.

See https://github.com/podengo-project/ipa-hcc and a talk we had at
this year's FOSDEM: 
https://fosdem.org/2025/schedule/event/fosdem-2025-5054-partly-cloudy-ipa-joining-cloud-vms-to-freeipa/
Thanks

-Andrew

On Wed, Mar 26, 2025 at 2:38 PM Rob Crittenden <[email protected]> wrote:

Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 26 Mar 2025, Andrew Nelson via FreeIPA-users wrote:
>> How would one go about scripting the updating of host attributes in IPA
>> such as MAC address from the host itself.  Ideally I would love to use the
>> host kerberos key and never need a user credential, but I'm unsure of how
>> to start this.
>>
>> Can the IPA command line utility use the host kerberos key to perform
>> host-mod activities?  Likewise, can the python libraries leverage the host
>> kerberos key?  If so, how does one start?
>
> # kinit -k
> # ipa host-show `hostname` --rights --all | grep attributelevelrights
> ...
>
> Look at 'attributelevelrights' line, each element in that dictionary
> describes what rights your Kerberos principal (in this case machine
> account) has for each attribute. If you do not see an attribute, you
> don't have write rights for sure.
>
> # ipa host-mod `hostname` --macaddress=....
>
> this will fail because machine's account has no rights to write to
> macaddress attribute:
>
> # kinit -k
> # ipa host-mod `hostname` --macaddress=AA:BB:CC:DD:EE:FF
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'macAddress' attribute of entry
> 'fqdn=m1.ipa1demo.test,cn=computers,cn=accounts,dc=ipa1demo,dc=test'.
>
> There is a system permission 'System: Modify Hosts' that allows write to
> macaddress and other attributes but it is not assigned by default
> because it gives more rights than required. In particular, it gives
> right to write to 'objectClass' attribute which is the core of LDAP
> object system. macAddress attribute is only allowed if LDAP object
> includes an object class that permits the attribute. FreeIPA API knows
> which objectclass needs to be added and attempts to add it automatically
> and it will fail if no permission to write to 'objectclass' attribute is
> granted. However, allowing applications to write to 'objectclass' means
> they can transform that entry into something else. It is not something
> you'd want, at least for hosts.
>
> So you need to create a special permission that handles this case.
> I am unable to create one on the fly, my brain is not working today...

The root of the problem is that the macaddress attribute is not
available by default in a host but if it is set then the ieee802device
is added at the same time.

I strongly agree with Alexander and wouldn't recommend hosts be able to
modify their own set of objectclasses.

A workaround is to add the missing objectclass in advance:

$ kinit admin
$ ipa host-mod --addattr objectclass=ieee802device client.example.test

Then you can add a new permission:

$ ipa permission-add "Hosts can modify their own MAC address" \
    --right write --type host --bindtype self --attrs macaddress

Then you can do as Alexander suggested:

# kinit -k
# ipa host-mod $(hostname) --macaddress 00:11:22:33:44:55

There is no way to change the default objectclasses for hosts in
configuration like there is with users and groups. You'd need to write a
short plugin to inject it into a host as the host is created. For
existing hosts you'd need to do them one at a time.

rob
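The full procedure from Alexander's and Rob's replies, as an added example that is not code from the thread or from the FreeIPA project: a POSIX shell script with an admin-side part (Rob's permission and objectclass preparation, applied to existing hosts one at a time) and a host-side part that authenticates with the host keytab, checks the `attributelevelrights` that `ipa host-show --rights --all` reports for the host principal, confirms `ieee802device` is already present, and only then runs `ipa host-mod --macaddress`. The function names are the example's own, the sample `ipa host-show` output is constructed, and the parsing assumes the tool prints `attributelevelrights` as a Python-style dict and `objectclass` as a comma-separated list.

```sh
#!/bin/sh
# Added example, not code from the thread. Helpers for both sides of the
# procedure described by Alexander and Rob. Function names are the example's
# own; SAMPLE_SHOW below is constructed, not real tool output.

# Constructed `ipa host-show <fqdn> --rights --all` output. Assumes the real
# tool prints 'attributelevelrights' as a Python-style dict (letters r/s/c/w/o:
# read, search, compare, write, obliterate) and 'objectclass' comma-separated.
SAMPLE_SHOW=$(cat <<'EOF'
  Host name: client.example.test
  Principal name: host/client.example.test@EXAMPLE.TEST
  objectclass: ipaobject, nshost, ipahost, ieee802device, top
  attributelevelrights: {'fqdn': 'rscwo', 'macaddress': 'rscwo', 'objectclass': 'rsc', 'krbprincipalname': 'rsc'}
EOF
)

# can_write_attr SHOW_OUTPUT ATTR: succeed only if ATTR carries the 'w' right
# in the attributelevelrights line. An attribute that is absent from the
# dictionary is treated as not writable, as Alexander's reply explains.
can_write_attr() {
    _rights=$(printf '%s\n' "$1" \
        | sed -n "s/.*attributelevelrights: {\(.*\)}.*/\1/p" \
        | tr ',' '\n' \
        | sed -n "s/^[[:space:]]*'$2': '\([a-z]*\)'.*/\1/p")
    case "$_rights" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# has_objectclass SHOW_OUTPUT CLASS: succeed if the entry already carries CLASS
# (case-insensitive, exact match on one list element).
has_objectclass() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*objectclass: //p' \
        | tr ',' '\n' \
        | tr -d ' ' \
        | grep -qix "$2"
}

# valid_mac STRING: six colon-separated hex pairs, the form the thread uses.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Admin side (run once with admin credentials, e.g. after `kinit admin`):
# create the self-bind permission from Rob's reply, then pre-add ieee802device
# to each existing host read from stdin, skipping hosts that already have it.
prepare_hosts() {
    ipa permission-add "Hosts can modify their own MAC address" \
        --right write --type host --bindtype self --attrs macaddress
    while read -r h; do
        [ -n "$h" ] || continue
        _show=$(ipa host-show "$h" --all) || continue
        if has_objectclass "$_show" ieee802device; then
            echo "$h: ieee802device already present"
        else
            ipa host-mod "$h" --addattr objectclass=ieee802device
        fi
    done
}

# Host side (run on the enrolled host): authenticate with the host keytab,
# verify both preconditions against what FreeIPA reports, then update.
update_own_mac() {
    valid_mac "$1" || { echo "not a MAC address: $1" >&2; return 2; }
    _host=$(hostname)
    kinit -k || return 1
    _show=$(ipa host-show "$_host" --rights --all) || return 1
    if ! has_objectclass "$_show" ieee802device; then
        echo "$_host lacks ieee802device; host-mod would try to add it and fail" >&2
        return 3
    fi
    if ! can_write_attr "$_show" macaddress; then
        echo "host/$_host has no write right on macaddress; grant it first" >&2
        return 4
    fi
    ipa host-mod "$_host" --macaddress "$1"
}

# Usage on a host: sh self_mac.sh --live 00:11:22:33:44:55
# Usage as admin: printf 'a.example.test\nb.example.test\n' | sh -c '. ./self_mac.sh; prepare_hosts'
if [ "${1:-}" = "--live" ]; then
    update_own_mac "${2:-}"
fi
```

The host-side function fails closed: it refuses to call `host-mod` unless the effective rights and the objectclass are both already in place, so a host whose permission was never granted gets a clear message instead of the LDAP "Insufficient access" error quoted in the thread.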

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue