Marat Vyshegorodtsev wrote:
> Hi!
>
> I'm trying to build an auto-enrollment script that would leverage a
> service account to enroll hosts.
>
> Here is the LDIF for this service account:
> https://gist.github.com/touzoku/2b03a47d3f0bcfbdf30a
>
> This service account is created successfully, but when I try to:
> 1) kinit hostadmin
> 2) ipa host-add foobar.contoso.com
>
> The following error appears:
> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add
> the entry
> 'fqdn=foobar.contoso.com,cn=computers,cn=accounts,dc=contoso,dc=com'.
>
> Which privilege am I missing? A normal (posix) user with the same set
> of privileges worked fine; the problem started to happen when I moved
> the user from normal users to cn=sysaccounts,cn=etc.
>
> Also, is my set of privileges minimal? Which privileges do I need to
> just add host entries?
You should not directly add memberOf values. You should add the user as a member of the respective roles and the rest should follow naturally. So you'll need to add this entry, then do a modify to add it as a member of one or more roles.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
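Rob's advice above, worked out as an added example (constructed here, not the thread's or the linked gist's LDIF): the system account is added without any memberOf attribute, then a separate modify adds the account's DN to the role's member attribute, and the server-side memberOf plugin fills in memberOf on the account. The suffix dc=contoso,dc=com comes from the error message; "Host Enrollment" is a hypothetical role name standing in for whichever role carries the privileges needed to add host entries, and the password is a placeholder.

```ldif
# Step 1: create the system account under cn=sysaccounts,cn=etc.
# No memberOf attribute is written here: memberOf is maintained by the
# server's memberOf plugin and must not be set directly (constructed example).
dn: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
changetype: add
objectClass: account
objectClass: simpleSecurityObject
uid: hostadmin
userPassword: REPLACE_WITH_STRONG_PASSWORD
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0

# Step 2: separate modify on the role entry, adding the account's DN to
# the role's member attribute. "Host Enrollment" is a hypothetical role
# name; point this at the role that actually holds the host-add privileges.
dn: cn=Host Enrollment,cn=roles,cn=accounts,dc=contoso,dc=com
changetype: modify
add: member
member: uid=hostadmin,cn=sysaccounts,cn=etc,dc=contoso,dc=com
```

Apply both records in one run with `ldapmodify -x -D "cn=Directory Manager" -W -f hostadmin.ldif`, then read the account back with ldapsearch and confirm that its memberOf attribute now lists the role before retrying `ipa host-add`.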