IPA should have simple permission allowing host-join operation but not allowing anything else.
It should be possible to assign this to all users or just a group of users to enable self-service.
Then a random member of appropriate use group then could join own laptop to IPA domain which could lower total cost of IPA configuration (assuming users in particular organization are trusted, e.g. in BYOD model).
I'm not sure where the request came from and what is the original user story behind this so this needs to be filled in by someone who remembers this.
This originally came from a discussion I had with Christian Schaller (I'd CC him, but I don't appear to have permission to do that on this Trac).
Also, while not a strict requirement, it would be useful to also be able to restrict this permission to a certain number of active enrollments per user (i.e. "Users in this group may enroll N devices with FreeIPA").
Look at the privilege Host Enrollment.
There is no way currently to limit this to one host or set of hosts that are allowed to be enrolled, though this does require that the host entry be pre-created in order to do the enrollment.
There is no counting of operations.
Metadata Update from @pspacek: - Issue assigned to someone - Issue set to the milestone: Future Releases
The original RFE is already implemented as the privilege 'Host Enrollment. Marking as fixed.
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.