On 08/18/2014 09:35 PM, Michael Lasevich wrote:
> I wanted to use the python ipalib directly, but like you mentioned, I found
> very little documentation and what I found indicated I was going to just
> pass cli arguments to it, it seemed to be not much better than calling the
> wrapper directly :-(

I disagree. It *is* vastly better than calling "ipa" command tool from a subprocess. If not only because you receive proper Python exceptions and results in Python data types instead of having to parse it from the CLI.

AFAIK, the "only" missing piece is the documentation for this API. For now, you need to read the plugins code (takes_options section) or deduce the call option names from CLI option names.

...

> As far as Host-Enrollment vs Host-Administrators privileges - it may be
> that I am mixing up 2 ways to enroll hosts. My original attempt was to try
> to have an "enroller" account that would add client directly from the
> client - but I have relented and switched to a more proper method of adding
> a host entry with a generated OTP for the client followed by joining of
> that client from the client itself with the OTP password. This works, but
> when I try to add host entry with OTP password using account with only
> "Host Enrollment" privilege I get:
>
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
> 'userPassword' attribute

Ah, so this is the error. What FreeIPA version do you use? This bug was fixed in FreeIPA 4.0:

https://fedorahosted.org/freeipa/ticket/4252

Current permissions would still not allow you to add new Hosts with Host Enrollment privilege, one would also need to add "System: Add hosts" permission, IIUC.

Martin
