#4252 Modify Hosts Permission Can't Actually Modify Hosts
Closed: Fixed None by mkosek. Opened 4 years ago by mkosek.

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1076865

Description of problem:
The default included "modify hosts" permission can't truly "modify" hosts.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a user that has a role with the "modify hosts" permission
2. Attempt to modify a host:

[fedora@ipa01 ~]$ ipa host_mod testbox.example.com --random

Actual results:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'userPassword' attribute of entry

Expected results:
Update succeeds and I receive a new OTP

Additional info:
At a minimum, I'd like to be able to specify a userclass and set a new OTP

For the Foreman Smart Proxy, we've created a script to add all the permissions we need. This is a fairly comprehensive role that should support most aspects of managing hosts:


Maybe it's useful for this issue.


  • 14e2eb9 host permissions: Allow writing attributes needed for automatic enrollment

The 'Host Enrollment' + 'Host Administrators' privileges should now grant all the necessary rights.

Metadata Update from @mkosek:
- Issue assigned to pviktori
- Issue set to the milestone: FreeIPA 4.0 Backlog

2 years ago
