Matt . wrote:
> I'm trying to add a host using Foreman to the FreeIPA realm, but this
> doesn't work; everything seems to be fine, and some other tests from
> other people are working:
>
> The issue is reported here: http://projects.theforeman.org/issues/18850
>
> My settings are like this:
>
> [root@ipa-01 ~]# ipa role-find
> ---------------
> 6 roles matched
> ---------------
>   Role name: helpdesk
>   Description: Helpdesk
>
>   Role name: IT Security Specialist
>   Description: IT Security Specialist
>
>   Role name: IT Specialist
>   Description: IT Specialist
>
>   Role name: Security Architect
>   Description: Security Architect
>
>   Role name: Smart Proxy Host Manager
>   Description: Smart Proxy management
>
>   Role name: User Administrator
>   Description: Responsible for creating Users and Groups
> ----------------------------
> Number of entries returned 6
> ----------------------------
> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>   Role name: Smart Proxy Host Manager
>   Description: Smart Proxy management
>   Member users: foreman-proxy, foreman-realm-proxy
>   Privileges: Smart Proxy Host Management
> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>   Privilege name: Smart Proxy Host Management
>   Description: Smart Proxy Host Management
>   Permissions: Retrieve Certificates from the CA, System: Add DNS Entries,
>                System: Read DNS Entries, System: Remove DNS Entries,
>                System: Update DNS Entries, System: Manage Host Certificates,
>                System: Manage Host Enrollment Password,
>                System: Manage Host Keytab, System: Modify Hosts,
>                System: Remove Hosts, System: Manage Service Keytab,
>                System: Modify Services, Add Host Enrollment Password
>   Granting privilege to roles: Smart Proxy Host Manager
> [root@ipa-01 ~]#
> [root@ipa-01 ~]# ipa permission-find "Add Host"
> ---------------------
> 3 permissions matched
> ---------------------
>   Permission name: Add Host Enrollment Password
>   Granted rights: add
>   Effective attributes: userpassword
>   Bind rule type: permission
>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: host
>   Permission flags: V2, SYSTEM
>
>   Permission name: System: Add Hostgroups
>   Granted rights: add
>   Bind rule type: permission
>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: hostgroup
>   Permission flags: V2, MANAGED, SYSTEM
>
>   Permission name: System: Add Hosts
>   Granted rights: add
>   Bind rule type: permission
>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>   Type: host
>   Permission flags: V2, MANAGED, SYSTEM
> ----------------------------
> Number of entries returned 3
> ----------------------------
>
> Can anyone help me out, as I'm unsure where this goes wrong?
For 'Add Host Enrollment Password' the granted rights should be write, not add. add is for adding entries, not for writing attributes.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
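The distinction Rob draws is the 389-ds ACI right model behind FreeIPA permissions: "add" lets the bound identity create new entries under the permission's subtree, while setting a host's one-time enrollment password is an LDAP modify of the userPassword attribute, which needs "write" on that attribute. The script below is an added example for this thread, not code from FreeIPA or Foreman: it parses the `Granted rights` line of `ipa permission-show` output (constructed samples are embedded, copied from the posted permission and from the same permission with "write" instead of "add") and reports whether the right the operation needs is present. The `ipa permission-mod ... --right=write` command it prints is the fix as I would apply it on FreeIPA 4.x; `--right` replaces the whole rights list, so if a permission must keep other rights, pass `--right` once per right. Confirm the option name with `ipa permission-mod --help` on your version.

```shell
#!/bin/sh
# Added example, not code from the thread, FreeIPA or Foreman.
# Checks whether the "Granted rights" of a permission, as printed by
# `ipa permission-show`, include the right a given LDAP operation needs.

# Constructed sample: the permission exactly as posted (rights: add).
POSTED_PERM='  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM'

# Constructed sample: the same permission after the suggested fix (rights: write).
FIXED_PERM='  Permission name: Add Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM'

# granted_rights: read permission-show output on stdin; print one right per line.
granted_rights() {
    sed -n 's/^ *Granted rights: *//p' | tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -v '^$'
}

# has_right RIGHT: exit 0 if RIGHT is among the rights read on stdin, 1 otherwise.
has_right() {
    granted_rights | grep -qx -- "$1"
}

# check_perm PERM_TEXT RIGHT: exit 0 if the permission text grants RIGHT, else 1.
check_perm() {
    printf '%s\n' "$1" | has_right "$2"
}

# rights_of PERM_TEXT: the granted rights as one space-separated string.
rights_of() {
    printf '%s\n' "$1" | granted_rights | tr '\n' ' ' | sed 's/ $//'
}

# Setting a host's userPassword is an LDAP modify, so the ACI must grant
# "write" on that attribute; "add" only allows creating entries in the subtree.
for perm in "$POSTED_PERM" "$FIXED_PERM"; do
    if check_perm "$perm" write; then
        echo "rights '$(rights_of "$perm")': can write userpassword"
    else
        echo "rights '$(rights_of "$perm")': cannot write userpassword"
        # Assumed fix command (FreeIPA 4.x option name; verify with --help).
        echo '  fix: ipa permission-mod "Add Host Enrollment Password" --right=write'
    fi
done
```

Run it as `sh check-rights.sh`; to check a live server instead of the embedded samples, replace a sample with `$(ipa permission-show "Add Host Enrollment Password")`. Because this permission hands the Smart Proxy write access to userPassword on every host under cn=computers, keep it on a dedicated role such as "Smart Proxy Host Manager" and do not widen its rights beyond "write" on that attribute.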
