Hi Rob,

I have this solved, I think it was an issue in the foreman-proxy.

The reason why there are two users in the role was to test other usernames, as you cannot use foreman-proxy for this, for example. I need to update the Foreman ticket about it.

Thanks for helping out.

Cheers,

Matt

2017-03-14 19:51 GMT+01:00 Rob Crittenden <[email protected]>:
> Matt . wrote:
>> Hi Rob,
>>
>> Thanks for the update, the same error happens when I add a new host,
>> so I'm lost, the same for the Foreman devs.
>>
>> What can I check/test further?
>
> See what 389-ds is logging in its access log.
>
> You may need to enable ACI summary debugging. See the 389-ds FAQ for
> instructions on how.
>
> I find it curious that there are 2 similarly named foreman users in the
> role.
>
> rob
>
>> Thanks,
>>
>> Matt
>>
>> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>> Hi Rob,
>>>>
>>>> Thanks, but what do you mean here? The Foreman has a script which
>>>> should be OK for it:
>>>>
>>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>>
>>>> Can you check this maybe?
>>>
>>> Like I said, it's wrong.
>>>
>>> add grants the ability to add new entries, not updating existing ones.
>>>
>>> The right needs to be "write".
>>>
>>> rob
>>>
>>>> Thanks,
>>>>
>>>> Matt
>>>>
>>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <[email protected]>:
>>>>> Matt . wrote:
>>>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>>>> doesn't work, all things seem to be fine and some other tests from
>>>>>> people are working:
>>>>>>
>>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>>
>>>>>> My settings are like this:
>>>>>>
>>>>>> [root@ipa-01 ~]# ipa role-find
>>>>>> ---------------
>>>>>> 6 roles matched
>>>>>> ---------------
>>>>>>   Role name: helpdesk
>>>>>>   Description: Helpdesk
>>>>>>
>>>>>>   Role name: IT Security Specialist
>>>>>>   Description: IT Security Specialist
>>>>>>
>>>>>>   Role name: IT Specialist
>>>>>>   Description: IT Specialist
>>>>>>
>>>>>>   Role name: Security Architect
>>>>>>   Description: Security Architect
>>>>>>
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>
>>>>>>   Role name: User Administrator
>>>>>>   Description: Responsible for creating Users and Groups
>>>>>> ----------------------------
>>>>>> Number of entries returned 6
>>>>>> ----------------------------
>>>>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>>>   Role name: Smart Proxy Host Manager
>>>>>>   Description: Smart Proxy management
>>>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>>>   Privileges: Smart Proxy Host Management
>>>>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>>>   Privilege name: Smart Proxy Host Management
>>>>>>   Description: Smart Proxy Host Management
>>>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS
>>>>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>>>>> Update DNS Entries, System: Manage Host Certificates, System:
>>>>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>>>>> Modify Hosts, System: Remove Hosts, System: Manage Service Keytab,
>>>>>> System: Modify Services, Add Host Enrollment Password
>>>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>>>> [root@ipa-01 ~]#
>>>>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>>>>> ---------------------
>>>>>> 3 permissions matched
>>>>>> ---------------------
>>>>>>   Permission name: Add Host Enrollment Password
>>>>>>   Granted rights: add
>>>>>>   Effective attributes: userpassword
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: host
>>>>>>   Permission flags: V2, SYSTEM
>>>>>>
>>>>>>   Permission name: System: Add Hostgroups
>>>>>>   Granted rights: add
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: hostgroup
>>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>>>
>>>>>>   Permission name: System: Add Hosts
>>>>>>   Granted rights: add
>>>>>>   Bind rule type: permission
>>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>>   Type: host
>>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>>> ----------------------------
>>>>>> Number of entries returned 3
>>>>>> ----------------------------
>>>>>>
>>>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>>>
>>>>>
>>>>> For 'Add Host Enrollment Password' the granted rights should be write
>>>>> not add.
>>>>>
>>>>> add is for adding entries, not writing attributes.
>>>>>
>>>>> rob
>>>>
>>>
>>
>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
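The point Rob makes in the quoted thread (an ACI right of "add" only lets a bind DN create new entries; setting an attribute such as userpassword on an existing host entry needs "write") can be turned into a quick audit over `ipa permission-find` output. The script below is an added example and is not code from the thread, from FreeIPA or from the Foreman smart-proxy project. It assumes the plain-text `label: value` layout the `ipa` CLI prints, as pasted in the thread; the sample output is constructed from the three permission entries Matt posted. It generalizes slightly beyond the thread: it also accepts permissions that list several rights or several attributes, and treats "all" as satisfying the requirement.

```python
"""Audit `ipa permission-find` output for permissions that are scoped to
specific attributes but grant no right that can modify an existing entry."""

# Constructed sample: the three entries from `ipa permission-find "Add Host"`
# in the thread, in the layout the ipa CLI prints.
SAMPLE_OUTPUT = """\
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------
"""

# ACI rights that allow changing attributes of an entry that already exists.
# "add" alone only permits creating new entries (Rob's point in the thread).
ENTRY_MODIFY_RIGHTS = {"write", "all"}


def _split_list(value):
    """'V2, MANAGED, SYSTEM' -> ['V2', 'MANAGED', 'SYSTEM']."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_permissions(text):
    """Parse CLI output into one dict per permission, keyed by the printed
    field labels. Multi-valued fields (rights, attributes, flags) become lists."""
    list_fields = {"Granted rights", "Effective attributes", "Permission flags"}
    perms, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the dashed rules and the summary lines that frame the entries.
        if (not line or set(line) == {"-"} or line.endswith("matched")
                or line.startswith("Number of entries")):
            continue
        # Split on the first ": " only, so values like "System: Add Hosts" survive.
        label, sep, value = line.partition(": ")
        if not sep:
            continue
        if label == "Permission name":
            current = {"Permission name": value}
            perms.append(current)
        elif current is not None:
            current[label] = _split_list(value) if label in list_fields else value
    return perms


def find_right_mismatches(perms):
    """Return (name, rights, attributes) for each permission that names
    effective attributes yet grants no right able to modify an existing entry.
    Such a permission can only set those attributes while creating an entry,
    which is the add-vs-write mismatch called out in the thread."""
    findings = []
    for p in perms:
        rights = set(p.get("Granted rights", []))
        attrs = p.get("Effective attributes")
        if attrs and not rights & ENTRY_MODIFY_RIGHTS:
            findings.append((p["Permission name"], sorted(rights), attrs))
    return findings


if __name__ == "__main__":
    for name, rights, attrs in find_right_mismatches(parse_permissions(SAMPLE_OUTPUT)):
        print(f"{name}: grants {rights} on {attrs}; "
              f"updating existing hosts needs 'write'")
```

Run against the sample, it flags only "Add Host Enrollment Password" (rights `add`, attribute `userpassword`); the two "System: Add ..." permissions have no attribute scope and are left alone. On a live server, feed it the output of `ipa permission-find` for the permissions a service account's privilege bundles, and correct a flagged one with `ipa permission-mod` and its `--right` option (assumed from the FreeIPA permission plugin's CLI; check `ipa permission-mod --help` on your version).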
