Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Alexander Bokovoy

On Fri, 20 Mar 2015, David Kupka wrote:

On 03/20/2015 09:16 AM, Andrew Holway wrote:

Hello,

I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.

Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:

Thanks,

Andrew




Hello!

AFAIK there is a 'Host Enrollment' privilege created during IPA server
installation. You need to create a new role and add this privilege to
the newly created role.
The role can then be assigned to any user or group. A user with this
privilege has enough permissions to enroll a host to the IPA domain.

That is not the full story.

To enroll hosts you have to have 'Host Enrollment' privilege but this
privilege does not give you rights to create a host object. Creating
hosts is a separate permission ('System: Add Hosts') granted to a
separate privilege, 'Host Administrators'.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
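
The delegation described in the two replies above, written out as an added example (not part of the thread and not FreeIPA project code): a role that combines the built-in 'Host Enrollment' privilege with the 'System: Add Hosts' permission, so enrolment no longer needs `-p admin`. Assumptions: the role name, the custom privilege name and the `ENROLL_USER` variable are hypothetical, and wrapping 'System: Add Hosts' in its own privilege instead of assigning all of 'Host Administrators' is this example's choice.

```shell
#!/bin/sh
# Added example: delegate host enrolment to a non-admin account.
# Names marked "hypothetical" are placeholders, not FreeIPA defaults.

ROLE="Enrollment Operators"       # hypothetical role name
ADD_PRIV="Host Creation Only"     # hypothetical custom privilege name

# Build the role. $1 = existing IPA user that will run ipa-client-install.
setup_enrollment_role() {
    user="$1"
    if [ -z "$user" ]; then
        echo "usage: setup_enrollment_role <ipa-user>" >&2
        return 2
    fi

    # Custom privilege holding only the 'System: Add Hosts' permission,
    # so the role does not pick up the rest of 'Host Administrators'.
    ipa privilege-add "$ADD_PRIV" --desc="Create host entries only" || return 1
    ipa privilege-add-permission "$ADD_PRIV" \
        --permissions="System: Add Hosts" || return 1

    # Role = built-in 'Host Enrollment' privilege + the custom privilege.
    ipa role-add "$ROLE" --desc="May enrol new clients" || return 1
    ipa role-add-privilege "$ROLE" \
        --privileges="Host Enrollment" \
        --privileges="$ADD_PRIV" || return 1

    # Attach the enrolling account to the role.
    ipa role-add-member "$ROLE" --users="$user" || return 1
}

# Print the resulting role so its privileges and members can be reviewed.
show_enrollment_role() {
    ipa role-show "$ROLE" --all
}

# Runs only when ENROLL_USER (hypothetical variable) is set;
# requires a Kerberos ticket for an account allowed to manage roles.
if [ -n "${ENROLL_USER:-}" ]; then
    setup_enrollment_role "$ENROLL_USER" && show_enrollment_role
fi
```

The enrolling account can then be passed to `ipa-client-install -p` in place of `admin`.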


Re: [Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread David Kupka

On 03/20/2015 09:16 AM, Andrew Holway wrote:

Hello,

I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.

Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:

Thanks,

Andrew




Hello!

AFAIK there is a 'Host Enrollment' privilege created during IPA server
installation. You need to create a new role and add this privilege to the
newly created role.
The role can then be assigned to any user or group. A user with this
privilege has enough permissions to enroll a host to the IPA domain.


--
David Kupka



[Freeipa-users] Minimum rights to enrol a client

2015-03-20 Thread Andrew Holway
Hello,

I'd like to find out what the minimum role would be to allow a user to join
a new client to freeipa.

Currently our enrol command looks like:
ipa-client-install --force-join --enable-dns-updates -U -p admin -w
:

Thanks,

Andrew