Marat Vyshegorodtsev wrote:
> Hi!
> I'm trying to build an auto-enrollment script that would leverage a
> service account to enroll hosts.
> Here is the LDIF for this service account:
> This service account is created successfully, but when I try to:
> 1) kinit hostadmin
> 2) ipa host-add
> The following error appears:
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
> the entry 
> ',cn=computers,cn=accounts,dc=contoso,dc=com'.
> Which privilege am I missing? A normal (POSIX) user with the same set
> of privileges worked fine; the problem started to happen when I moved
> the user from normal users to cn=sysaccounts,cn=etc.
> Also, is my set of privileges minimal? Which privileges do I need to
> just add host entries?

You should not directly add memberOf values. You should add the user as
a member of the respective roles and the rest should follow naturally.
So you'll need to add this entry then do a modify to add it as a member
of one or more roles.
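
The second step described in this reply, as an added LDIF example that is not part of the original thread. It assumes the entry uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com already exists and was added without any memberOf lines; the role name "Host Enrollment" is a placeholder for whichever role carries the host privileges you need.

```ldif
# Added example, not from the original thread.
# Assumption: the service account entry already exists and was created
# WITHOUT memberOf attributes.
# Placeholder: "Host Enrollment" stands for the role you create or reuse
# to carry the host-related privileges.

# Instead of writing a value like this on the account entry
# (what the reply advises against):
#   memberOf: cn=Host Enrollment,cn=roles,cn=accounts,dc=contoso,dc=com
# modify the role entry and list the account as one of its members:
dn: cn=Host Enrollment,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
-
```

Once this is applied with ldapmodify, the directory server's memberOf plugin maintains the account's memberOf values from the role's member list, so nothing has to be written to memberOf by hand.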

