We augmented our Host enrollment role with permissions to create host objects. 
This is because we've encapsulated the function in our configuration management 
to enroll existing systems into IPA.

For more modern orchestration one could use OTP enrollment and teach the 
orchestrator to create a host object with a different account.

The Host administrator role has far more permissions, including deleting hosts.

I can look up the exact permissions for you if you want.



Sent from my Samsung device
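The two-account split suggested in this reply, written out as an added example (it is not from the thread and not FreeIPA's own tooling): an orchestrator account that may only create host objects and set their one-time password, and a client that enrolls with that OTP and never holds an IPA credential of its own. The role name "Host Provisioner", the privilege name "Host Creation" and the account "svc-provision" are hypothetical; "Host Enrollment" and "System: Add Hosts" are stock FreeIPA privilege/permission names, but confirm them on your own server with `ipa privilege-find` and `ipa permission-find` before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): split FreeIPA host onboarding into
# (1) an orchestrator account that may only create host objects and set
#     their one-time enrollment password, and
# (2) the client itself, which enrolls with that OTP and holds no IPA account.
#
# Hypothetical names, change to taste: role "Host Provisioner",
# privilege "Host Creation", service account "svc-provision".
# "Host Enrollment" and "System: Add Hosts" are stock FreeIPA names;
# verify with:  ipa privilege-find ; ipa permission-find
#
# DRY_RUN=1 (the default) prints the ipa commands instead of running them.
set -eu

: "${DRY_RUN:=1}"
ROLE=${ROLE:-"Host Provisioner"}
PRIV=${PRIV:-"Host Creation"}
SVC_ACCT=${SVC_ACCT:-svc-provision}

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# One-off, done by an admin: a role that can create hosts and manage their
# enrollment password, but has no permission to modify or delete hosts.
create_provisioner_role() {
  run ipa privilege-add "$PRIV" --desc="Create host objects only"
  run ipa privilege-add-permission "$PRIV" --permissions="System: Add Hosts"
  run ipa role-add "$ROLE" --desc="Pre-create hosts for OTP enrollment"
  run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
  run ipa role-add-privilege "$ROLE" --privileges="Host Enrollment"
  run ipa role-add-member "$ROLE" --users="$SVC_ACCT"
}

# Orchestrator step, run as $SVC_ACCT (kinit or a keytab): create the host
# object with a random one-time password and print only that password.
precreate_host() {
  fqdn=$1
  if [ "$DRY_RUN" = 1 ]; then
    printf 'ipa host-add %s --random\n' "$fqdn" >&2
    printf '%s\n' dry-run-otp          # stand-in for the generated secret
  else
    # host-add prints "  Random password: <otp>"; keep only the secret.
    ipa host-add "$fqdn" --random | sed -n 's/^ *Random password: //p'
  fi
}

# The command the orchestrator hands to the new machine (cloud-init,
# Ansible, ...). Only the OTP travels to the client, no admin principal.
client_enroll_cmd() {
  fqdn=$1
  otp=$2
  printf 'ipa-client-install --unattended --hostname=%s --password=%s\n' \
    "$fqdn" "$otp"
}

main() {
  fqdn=$1
  create_provisioner_role
  otp=$(precreate_host "$fqdn")
  client_enroll_cmd "$fqdn" "$otp"
}

# Run the whole procedure only when a hostname is given, so the functions
# can also be sourced and used one at a time.
if [ $# -gt 0 ]; then
  main "$1"
fi
```

Run it as `DRY_RUN=1 sh onboard.sh web01.example.test` to see the commands, and with `DRY_RUN=0` under a `kinit` for the provisioning account to execute them. The "Host Enrollment" privilege is added so the same account can reset a host's enrollment password later; drop that line if pure creation is all the orchestrator needs. The OTP is single-use, so the `--password` value in the client's process list is of little value after enrollment, but do not log it. Note also that `ipa host-add --ip-address=...` would additionally write DNS records, which is exactly the extra power the original reply warns about; the example deliberately leaves that to a separate step.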


-------- Original message --------
From: Alexander Bokovoy via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Date: 04-06-17 17:55 (GMT+01:00)
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Ronald Wimmer <rona...@ronzo.at>, Alexander Bokovoy <aboko...@redhat.com>
Subject: [Freeipa-users] Re: Privileges needed for ipa-client-install

Yes. The idea behind this split is that whoever is able to create hosts holds 
greater powers over DNS of your environment. When a host is created it is added 
to a DNS zone, so this privilege could be used to disrupt your operations.

Enrolling the host is only setting the data on an existing object in LDAP.


----- Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
wrote:
> On 2017-06-04 17:41, Striker Leggette wrote:
> > If you meant what privileges on the IPA server a user enrolling new
> > hosts needs to have, I believe it is Host Enrollment and Host
> > Administrators.  Enrollment gives access to enroll hosts, but to create
> > the host object, you need to be in Host Administrators.
>
> Perfect. Thanks a lot. This was the information I was looking for.
>
> "Host Enrollment" does only make sense if the host object already exists?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

--
/ Alexander Bokovoy
