How can a regular user be allowed to run "ipa host-disable"?
Environment
- Red Hat Enterprise Linux 6, 7
- Red Hat Identity Management (IPA)
Issue
- What privileges are required for a regular IPA user to be able to run the ipa host-disable command?
- What is required for a regular IPA user to be able to unenroll and re-enroll hosts?
Resolution
A set of custom permissions has to be created, assigned to new privileges and a role, and the regular user added to that role. After that the regular user is able to run "ipa host-disable" successfully. The steps are listed below.
Please note that the name DUMMY is used as an example prefix only.
1. Add a new permission which permits write access on the userCertificate attribute in host entries
# ipa permission-add \
'DUMMY Write Host Certificate' \
--permissions=write \
--attrs=usercertificate \
--type=host
2. Create a new privilege called 'DUMMY Disable Host'
# ipa privilege-add \
'DUMMY Disable Host' \
--desc='Disable Hosts'
3. Create a new privilege called 'DUMMY Disable Service'
# ipa privilege-add \
'DUMMY Disable Service' \
--desc='Disable Services'
4. Assign permissions to the new 'DUMMY Disable Host' privilege (the three built-in permissions plus the one created in step 1)
# ipa privilege-add-permission \
'DUMMY Disable Host' \
--permissions='retrieve certificates from the ca' \
--permissions='revoke certificate' \
--permissions='manage host keytab' \
--permissions='DUMMY Write Host Certificate'
5. Assign permissions to the new 'DUMMY Disable Service' privilege
# ipa privilege-add-permission \
'DUMMY Disable Service' \
--permissions='modify services' \
--permissions='manage service keytab'
6. Create a new role called 'DUMMY Disable Hosts'
# ipa role-add \
'DUMMY Disable Hosts' \
--desc='Disable Hosts'
7. Assign the created privileges to the new role
# ipa role-add-privilege \
'DUMMY Disable Hosts' \
--privileges='DUMMY Disable Service' \
--privileges='DUMMY Disable Host'
8. In the IdM web interface, add the 'DUMMY Disable Hosts' role to the regular user of your choice.
After these steps, the selected regular user is able to run 'ipa host-disable' successfully.
For further details, refer to the documentation section 24.4, Defining Role-Based Access Controls.
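The eight steps above as one parameterized script, added here as an example and not part of the Red Hat solution. The prefix replaces DUMMY, step 8 uses the ipa role-add-member CLI command in place of the web interface, and DRY_RUN=1 is a convention of this script (not an ipa option) that prints the commands instead of running them; running it for real assumes a Kerberos ticket for an admin user.

```shell
#!/bin/sh
# Added example, not from the Red Hat article: steps 1-8 of the resolution.
# PREFIX replaces 'DUMMY'; USER is the regular user that receives the role.
# DRY_RUN=1 (this script's own convention) prints the ipa commands only.
set -eu

# run: execute one ipa sub-command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "ipa $*"
    else
        ipa "$@"
    fi
}

# setup_host_disable_rbac PREFIX USER: create the permission, privileges
# and role, wire them together and add USER as a member of the role.
setup_host_disable_rbac() {
    prefix=$1; user=$2
    # 1. custom permission: write access to userCertificate on host entries
    run permission-add "$prefix Write Host Certificate" \
        --permissions=write --attrs=usercertificate --type=host
    # 2./3. privileges that will carry the host and service permissions
    run privilege-add "$prefix Disable Host" --desc='Disable Hosts'
    run privilege-add "$prefix Disable Service" --desc='Disable Services'
    # 4. built-in permissions needed to revoke the host certificate and
    #    remove the host keytab, plus the custom permission from step 1
    run privilege-add-permission "$prefix Disable Host" \
        --permissions='retrieve certificates from the ca' \
        --permissions='revoke certificate' \
        --permissions='manage host keytab' \
        --permissions="$prefix Write Host Certificate"
    # 5. built-in permissions for the services of the host
    run privilege-add-permission "$prefix Disable Service" \
        --permissions='modify services' \
        --permissions='manage service keytab'
    # 6./7. role that bundles both privileges
    run role-add "$prefix Disable Hosts" --desc='Disable Hosts'
    run role-add-privilege "$prefix Disable Hosts" \
        --privileges="$prefix Disable Service" \
        --privileges="$prefix Disable Host"
    # 8. CLI equivalent of assigning the role in the web interface
    run role-add-member "$prefix Disable Hosts" --users="$user"
}

# usage: sh ipa-host-disable-rbac.sh PREFIX USER
if [ $# -eq 2 ]; then
    setup_host_disable_rbac "$1" "$2"
    run role-show "$1 Disable Hosts"   # review the role's privileges and members
fi
```

The built-in 'manage host keytab' and 'revoke certificate' permissions are not scoped to particular hosts, so a member of this role can disable any host in the domain, not only hosts it enrolled; the closing ipa role-show lists the role's privileges and members for that review.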
Root Cause
- By default, only admin users can enroll a machine in Red Hat Identity Management (IPA); regular users are not allowed to perform such operations.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
