Matt . wrote:
> Hi Rob,
> 
> Thanks for the update, the same error happens when I add a new host,
> so I'm lost, the same for the Foreman devs.
> 
> What can I check/test further?

See what 389-ds is logging in its access log.

You may need to enable ACI summary debugging. See the 389-ds FAQ for
instructions on how.

I find it curious that there are 2 similarly named foreman users in the
role.

rob

> 
> Thanks,
> 
> Matt
> 
> 2017-03-10 21:20 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>> Matt . wrote:
>>> Hi Rob,
>>>
>>> Thanks, but what do you mean here? The Foreman has a script which
>>> should be OK for it:
>>>
>>> https://github.com/theforeman/smart-proxy/blob/develop/sbin/foreman-prepare-realm
>>>
>>> Can you check this maybe?
>>
>> Like I said, it's wrong.
>>
>> add grants the ability to add new entries, not updating existing ones.
>>
>> The right needs to be "write".
>>
>> rob
>>
>>>
>>> Thanks,
>>>
>>> Matt
>>>
>>> 2017-03-10 17:21 GMT+01:00 Rob Crittenden <rcrit...@redhat.com>:
>>>> Matt . wrote:
>>>>> I'm trying to add a host using Foreman to the FreeIPA realm but this
>>>>> doesn't work, all things seem to be fine and some other tests from
>>>>> people are working:
>>>>>
>>>>> The issue is reported here: http://projects.theforeman.org/issues/18850
>>>>>
>>>>>
>>>>> My settings are like this:
>>>>>
>>>>>
>>>>> [root@ipa-01 ~]# ipa role-find
>>>>> ---------------
>>>>> 6 roles matched
>>>>> ---------------
>>>>>   Role name: helpdesk
>>>>>   Description: Helpdesk
>>>>>
>>>>>   Role name: IT Security Specialist
>>>>>   Description: IT Security Specialist
>>>>>
>>>>>   Role name: IT Specialist
>>>>>   Description: IT Specialist
>>>>>
>>>>>   Role name: Security Architect
>>>>>   Description: Security Architect
>>>>>
>>>>>   Role name: Smart Proxy Host Manager
>>>>>   Description: Smart Proxy management
>>>>>
>>>>>   Role name: User Administrator
>>>>>   Description: Responsible for creating Users and Groups
>>>>> ----------------------------
>>>>> Number of entries returned 6
>>>>> ----------------------------
>>>>> [root@ipa-01 ~]# ipa role-show "Smart Proxy Host Manager"
>>>>>   Role name: Smart Proxy Host Manager
>>>>>   Description: Smart Proxy management
>>>>>   Member users: foreman-proxy, foreman-realm-proxy
>>>>>   Privileges: Smart Proxy Host Management
>>>>> [root@ipa-01 ~]# ipa privilege-show "Smart Proxy Host Management"
>>>>>   Privilege name: Smart Proxy Host Management
>>>>>   Description: Smart Proxy Host Management
>>>>>   Permissions: Retrieve Certificates from the CA, System: Add DNS
>>>>> Entries, System: Read DNS Entries, System: Remove DNS Entries, System:
>>>>> Update DNS
>>>>>                Entries, System: Manage Host Certificates, System:
>>>>> Manage Host Enrollment Password, System: Manage Host Keytab, System:
>>>>> Modify Hosts,
>>>>>                System: Remove Hosts, System: Manage Service Keytab,
>>>>> System: Modify Services, Add Host Enrollment Password
>>>>>   Granting privilege to roles: Smart Proxy Host Manager
>>>>> [root@ipa-01 ~]#
>>>>> [root@ipa-01 ~]# ipa permission-find "Add Host"
>>>>> ---------------------
>>>>> 3 permissions matched
>>>>> ---------------------
>>>>>   Permission name: Add Host Enrollment Password
>>>>>   Granted rights: add
>>>>>   Effective attributes: userpassword
>>>>>   Bind rule type: permission
>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>   Type: host
>>>>>   Permission flags: V2, SYSTEM
>>>>>
>>>>>   Permission name: System: Add Hostgroups
>>>>>   Granted rights: add
>>>>>   Bind rule type: permission
>>>>>   Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>   Type: hostgroup
>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>>
>>>>>   Permission name: System: Add Hosts
>>>>>   Granted rights: add
>>>>>   Bind rule type: permission
>>>>>   Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
>>>>>   Type: host
>>>>>   Permission flags: V2, MANAGED, SYSTEM
>>>>> ----------------------------
>>>>> Number of entries returned 3
>>>>> ----------------------------
>>>>>
>>>>>
>>>>> Can anyone help me out as I'm unsure where this goes wrong.
>>>>>
>>>>
>>>> For 'Add Host Enrollment Password' the granted rights should be write
>>>> not add.
>>>>
>>>> add is for adding entries, not writing attributes.
>>>>
>>>> rob
>>>
>>
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
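The add-versus-write distinction Rob points out in the thread is easy to audit mechanically: a FreeIPA permission that names effective attributes (here `userpassword`) but grants only `add` can never modify those attributes on an existing host entry, because `add` only allows creating new entries under the subtree. The script below is an added example, not code from the thread, from FreeIPA or from the Foreman project. It parses the `ipa permission-find "Add Host"` output quoted in the thread (embedded here as sample text, plus one constructed "corrected" entry), flags permissions with effective attributes whose rights lack `write` or `all`, and builds the corrective `ipa permission-mod ... --right=write` command. The `--right` option is assumed from `ipa permission-mod --help`; check it against your FreeIPA version before running the suggested command.

```python
"""Audit ipa permission-find output for attribute permissions that grant only 'add'."""
import re

# Sample input: the "ipa permission-find 'Add Host'" output quoted in the thread.
THREAD_OUTPUT = """\
---------------------
3 permissions matched
---------------------
  Permission name: Add Host Enrollment Password
  Granted rights: add
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM

  Permission name: System: Add Hostgroups
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=hostgroups,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: hostgroup
  Permission flags: V2, MANAGED, SYSTEM

  Permission name: System: Add Hosts
  Granted rights: add
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, MANAGED, SYSTEM
----------------------------
Number of entries returned 3
----------------------------
"""

# Constructed sample (not from the thread): the same permission after the fix Rob describes.
CORRECTED_OUTPUT = """\
  Permission name: Add Host Enrollment Password
  Granted rights: write
  Effective attributes: userpassword
  Bind rule type: permission
  Subtree: cn=computers,cn=accounts,dc=office,dc=ipa,dc=domain,dc=tld
  Type: host
  Permission flags: V2, SYSTEM
"""

# Rights that permit changing attributes on an existing entry.
WRITE_RIGHTS = {"write", "all"}


def parse_permissions(text):
    """Split ipa permission-find output into one dict per permission.

    Only indented "Key: value" lines are considered; banner lines (dashes,
    match counts) are skipped. A new "Permission name" line starts a new record.
    """
    perms = []
    current = None
    for line in text.splitlines():
        m = re.match(r"^ {2}([^:]+): (.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Permission name":
            current = {key: value}
            perms.append(current)
        elif current is not None:
            current[key] = value
    return perms


def split_list(value):
    """Turn 'add, write' into ['add', 'write']."""
    return [v.strip() for v in value.split(",") if v.strip()]


def find_add_only_attribute_permissions(perms):
    """Return names of permissions that list effective attributes but cannot write them.

    'add' grants creation of whole new entries; setting userpassword on an
    existing host entry (what enrollment needs) requires 'write'.
    """
    flagged = []
    for p in perms:
        if "Effective attributes" not in p:
            continue  # entry-level permissions (Add Hosts etc.) are fine with 'add'
        rights = set(split_list(p.get("Granted rights", "")))
        if not rights & WRITE_RIGHTS:
            flagged.append(p["Permission name"])
    return flagged


def suggested_fix(name):
    """Command that replaces the permission's rights with 'write' (--right assumed)."""
    return 'ipa permission-mod "%s" --right=write' % name


if __name__ == "__main__":
    for name in find_add_only_attribute_permissions(parse_permissions(THREAD_OUTPUT)):
        print("%s grants no write right over its attributes; fix: %s"
              % (name, suggested_fix(name)))
```

Run against the thread's output the script reports only "Add Host Enrollment Password"; the two `System: Add ...` permissions carry no effective attributes, so `add` is exactly right for them. The constructed corrected entry produces no findings.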
