freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#4252 Modify Hosts Permission Can't Actually Modify Hosts

Created 4 years ago by mkosek
Modified a year ago

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1076865

Description of problem:
The default included "modify hosts" permission can't truly "modify" hosts.

Version-Release number of selected component (if applicable):
3.3.4-3

How reproducible:
Always

Steps to Reproduce:
1. Create a user that has a role with the "modify hosts" permission
2. Attempt to modify a host:

[fedora@ipa01 ~]$ ipa host_mod testbox.example.com --random

Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'userPassword' attribute of entry
'fqdn=testbox.example.com,cn=computers,cn=accounts,dc=example,dc=com'.

Expected results:
Update succeeds and I receive a new OTP

Additional info:
At a minimum, I'd like to be able to specify a userclass and set a new OTP

For the Foreman Smart Proxy, we've created a script to add all the permissions we need. This is a fairly comprehensive role that should support most aspects of managing hosts:

http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser

Maybe it's useful for this issue.

master:

  • 14e2eb9 host permissions: Allow writing attributes needed for automatic enrollment

The 'Host Enrollment' + 'Host Administrators' privileges should now grant all the necessary rights.

a year ago

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 Backlog


defect

Access control

1

https://bugzilla.redhat.com/show_bug.cgi?id=1076865
