Yes. The idea behind this split is that whoever is able to create hosts holds 
greater powers over the DNS of your environment. When a host is created, it is 
added to a DNS zone, so this privilege could be used to disrupt your operations. 

Enrolling the host is only setting the data on an existing object in LDAP. 


----- Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
wrote:
> On 2017-06-04 17:41, Striker Leggette wrote:
> > If you meant what privileges on the IPA server a user enrolling new 
> > hosts needs to have, I believe it is Host Enrollment and Host 
> > Administrators.  Enrollment gives access to enroll hosts, but to create 
> > the host object, you need to be in Host Administrators.
> 
> Perfect. Thanks a lot. This was the information I was looking for.
> 
> "Host Enrollment" does only make sense if the host object already exists?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

-- 
/ Alexander Bokovoy