Discussion:
[Freeipa-users] Foreman => Insufficient 'add' privilege to the 'userPassword' attribute
Matt .
2017-03-09 21:51:13 UTC
I'm trying to add a host to the FreeIPA realm using Foreman, but this
doesn't work. All things seem to be fine, and some other tests from
people are working:

The issue is reported here: http://projects.theforeman.org/issues/18850


My settings are like this:


[***@ipa-01 ~]# ipa role-find
---------------
6 roles matched
---------------
Role name: helpdesk
Description: Helpdesk

Role name: IT Security Specialist
Description: IT Security Specialist

Role name: IT Specialist
Description: IT Specialist

Role name: Security Architect
Description: Security Architect

Role name: Smart Proxy Host Manager
Description: Smart Proxy management

Role name: User Administrator
Description: Responsible for creating Users and Groups
----------------------------
Number of entries returned 6
----------------------------
[***@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
Role name: Smart Proxy Host Manager
Description: Smart Proxy management
Member users: foreman-proxy, foreman-realm-proxy
Privileges: Smart Proxy Host Management
[***@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
Privilege name: Smart Proxy Host Management
Description: Smart Proxy Host Management
Permissions: Retrieve Certificates from the CA, System: Add DNS Entries, System: Read DNS Entries, System: Remove DNS Entries, System: Update DNS Entries, System: Manage Host Certificates, System: Manage Host Enrollment Password, System: Manage Host Keytab, System: Modify Hosts, System: Remove Hosts, System: Manage Service Keytab, System: Modify Services, Add Host Enrollment Password
Granting privilege to roles: Smart Proxy Host Manager
[***@ipa-01 ~]#
[***@ipa-01 ~]# ipa permission-find "Add Host"
---------------------
3 permissions matched
---------------------
Permission name: Add Host Enrollment Password
Granted rights: add
Effective attributes: userpassword
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
Type: host
Permission flags: V2, SYSTEM

Permission name: System: Add Hostgroups
Granted rights: add
Bind rule type: permission
Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
Type: hostgroup
Permission flags: V2, MANAGED, SYSTEM

Permission name: System: Add Hosts
Granted rights: add
Bind rule type: permission
Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
Type: host
Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------


Can anyone help me out as I'm unsure where this goes wrong.


Thanks so far!

Regards,

Matt
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Rob Crittenden
2017-03-10 16:21:54 UTC
Post by Matt .
Can anyone help me out as I'm unsure where this goes wrong.
For 'Add Host Enrollment Password' the granted rights should be write
not add.

add is for adding entries, not writing attributes.

rob
Matt .
2017-03-10 18:40:20 UTC
Hi Rob,

Thanks, but what do you mean here? Foreman has a script which
should be OK for it:

https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm

Can you check this, maybe?

Thanks,

Matt
Rob Crittenden
2017-03-10 20:20:45 UTC
Post by Matt .
Hi Rob,
Thanks, but what do you mean here ? The Foreman has a script which
https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
Can you check this maybe ?
Like I said, it's wrong.

add grants the ability to add new entries, not updating existing ones.

The right needs to be "write".

rob
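An added example illustrating the add-versus-write point Rob makes in this reply and in his earlier one. It is not code from the thread, from Foreman's foreman-prepare-realm script, or from FreeIPA. It parses the text that `ipa permission-find` prints (the format quoted at the top of the thread; the sample below is constructed to mirror it) and flags any permission that exposes userpassword without the `write` right. The suggested fix string assumes the `--right` option of `ipa permission-mod`, which replaces a permission's granted rights; whether IPA accepts that on a permission flagged SYSTEM is not something the thread settles.

```python
"""Audit FreeIPA permissions that touch userpassword for the write right.

Rob's point: `add` only authorises creating a new LDAP entry. Setting the
enrollment password of a host that already exists is a MODIFY of its
userPassword attribute, which 389-ds authorises with `write`.
"""

# Constructed sample output, mirroring `ipa permission-find "Add Host"`
# as quoted in the thread (placeholder suffix dc=office,dc=ipa,dc=domain,dc=tld).
SAMPLE_OUTPUT = """\
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------
"""

MULTI_VALUED = {"Granted rights", "Effective attributes", "Permission flags"}
PASSWORD_ATTRS = {"userpassword"}


def parse_permissions(text):
    """Turn `ipa permission-find` output into one dict per permission.

    `ipa` prints one "Field: value" line per attribute and a blank line
    between entries; dashed separators and the count lines carry no data.
    Permission names may contain a colon ("System: Add Hosts"), so only the
    first colon on a line separates field from value.
    """
    perms, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Permission name":
            current = {field: value}
            perms.append(current)
        elif current is None:
            continue  # field before any "Permission name": malformed, skip
        elif field in MULTI_VALUED:
            current[field] = {v.strip() for v in value.split(",") if v.strip()}
        else:
            current[field] = value
    return perms


def audit_password_rights(perms):
    """Return a finding for each permission that exposes userpassword but
    grants neither `write` nor `all` (which includes write)."""
    findings = []
    for perm in perms:
        attrs = {a.lower() for a in perm.get("Effective attributes", set())}
        if not attrs & PASSWORD_ATTRS:
            continue
        rights = {r.lower() for r in perm.get("Granted rights", set())}
        if rights & {"write", "all"}:
            continue
        name = perm["Permission name"]
        findings.append({
            "permission": name,
            "type": perm.get("Type", ""),
            "rights": sorted(rights),
            # Assumed fix command; see the note on SYSTEM-flagged permissions.
            "fix": 'ipa permission-mod "%s" --right=write' % name,
        })
    return findings


if __name__ == "__main__":
    for f in audit_password_rights(parse_permissions(SAMPLE_OUTPUT)):
        print("%(permission)s (type %(type)s) grants only %(rights)s on "
              "userpassword; a MODIFY needs write.\n  fix: %(fix)s" % f)
```

Run against real output (`ipa permission-find --attrs=userpassword` piped in), the only permission it should flag is one whose rights are `add` alone, as in Matt's listing; the two "System: Add ..." permissions carry no effective attributes and are correctly left alone, because creating the host entry is what `add` is for.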
Matt .
2017-03-10 22:50:49 UTC
Hi Rob,

Thanks for the update. The same error happens when I add a new host,
so I'm lost, and so are the Foreman devs.

What can I check/test further?

Thanks,

Matt
Rob Crittenden
2017-03-14 18:51:58 UTC
Post by Matt .
Hi Rob,
Thanks for the update, the same error happens when I add a new host,
so I'm lost, the same for the Foreman devs.
What can I check/test further ?
See what 389-ds is logging in its access log.

You may need to enable ACI summary debugging. See the 389-ds FAQ for
instructions on how.

I find it curious that there are 2 similarly named foreman users in the
role.

rob
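An added example of the access-log check Rob suggests here; it is not code from the thread, Foreman or 389-ds. 389-ds writes a request line and a separate RESULT line for every operation, joined by conn and op, so the script correlates each RESULT with err=50 (LDAP insufficientAccessRights, the code behind the "Insufficient ... privilege" message in the subject) back to the request it answers and to the identity the connection bound as. The log lines are constructed for the example: the thread's placeholder suffix, an invented host name and connection number.

```python
"""Correlate 389-ds access-log denials with the refused request and the bound identity."""
import re

LDAP_INSUFFICIENT_ACCESS = 50

# Constructed sample: a GSSAPI bind mapped to foreman-proxy, a host ADD that
# succeeds, then a MOD of the same host entry that is refused with err=50.
SAMPLE_ACCESS_LOG = """\
[10/Mar/2017:22:40:01.000000001 +0000] conn=1042 fd=71 slot=71 connection from 10.0.0.9 to 10.0.0.2
[10/Mar/2017:22:40:01.000000002 +0000] conn=1042 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[10/Mar/2017:22:40:01.000000003 +0000] conn=1042 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foreman-proxy,cn=users,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld"
[10/Mar/2017:22:40:01.000000004 +0000] conn=1042 op=1 ADD dn="fqdn=node01.office.ipa.domain.tld,cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld"
[10/Mar/2017:22:40:01.000000005 +0000] conn=1042 op=1 RESULT err=0 tag=105 nentries=0 etime=0
[10/Mar/2017:22:40:01.000000006 +0000] conn=1042 op=2 MOD dn="fqdn=node01.office.ipa.domain.tld,cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld"
[10/Mar/2017:22:40:01.000000007 +0000] conn=1042 op=2 RESULT err=50 tag=103 nentries=0 etime=0
[10/Mar/2017:22:40:01.000000008 +0000] conn=1042 op=3 UNBIND
[10/Mar/2017:22:40:01.000000009 +0000] conn=1042 op=3 fd=71 closed - U1
"""

# Every operation line carries "conn=N op=M VERB ..."; connection open/close
# lines have no op and are skipped.
LINE_RE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<verb>\S+)(?P<rest>.*)$")
DN_RE = re.compile(r'dn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r"\berr=(?P<err>\d+)")
REQUEST_VERBS = {"BIND", "ADD", "MOD", "DEL", "MODRDN", "SRCH", "CMP", "EXT"}


def find_access_denials(log_text, err=LDAP_INSUFFICIENT_ACCESS):
    """Return one dict per RESULT with the given error code, naming the
    request on the same (conn, op) and the identity that connection bound as.

    For SASL binds (GSSAPI, as the IPA framework uses) the mapped identity
    is printed on the BIND's RESULT line; for simple binds it is on the BIND
    line itself. Intermediate SASL results (err=14) are neither, so they are
    ignored until the final err=0.
    """
    requests = {}   # (conn, op) -> (verb, target dn)
    bound_as = {}   # conn -> identity
    denials = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, verb, rest = m.group("conn", "op", "verb", "rest")
        dn_m = DN_RE.search(rest)
        dn = dn_m.group("dn") if dn_m else ""
        if verb in REQUEST_VERBS:
            requests[(conn, op)] = (verb, dn)
        elif verb == "RESULT":
            code = int(ERR_RE.search(rest).group("err"))
            req_verb, req_dn = requests.get((conn, op), ("?", ""))
            if req_verb == "BIND" and code == 0:
                bound_as[conn] = dn or req_dn or "anonymous"
            elif code == err:
                denials.append({
                    "conn": conn, "op": op, "err": code,
                    "operation": req_verb, "target": req_dn,
                    "bound_as": bound_as.get(conn, "unknown"),
                })
    return denials


if __name__ == "__main__":
    for d in find_access_denials(SAMPLE_ACCESS_LOG):
        print("conn=%(conn)s op=%(op)s: %(operation)s on %(target)s refused "
              "(err=%(err)s) for %(bound_as)s" % d)
```

Run over a real access log (`/var/log/dirsrv/slapd-*/access`), the bound_as field tells you which account (foreman-proxy or foreman-realm-proxy in Matt's setup) actually hit the ACI, and operation/target tells you whether it was the ADD of the host entry or the MOD of its userPassword that was refused, which is exactly the add-versus-write distinction Rob draws. The ACI summary he mentions is written to the errors log, not the access log, once the 389-ds error log level includes the access-control summary level (8192), so it is read separately from this.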
Matt .
2017-03-14 20:11:17 UTC
Hi Rob,

I have this solved; I think it was an issue in the foreman-proxy.

The reason why there are two users in the role was to test other
usernames, as you cannot use foreman-proxy for this, for example.

I need to update the Foreman ticket about it.

Thanks for helping out.

Cheers,

Matt