diff --git a/ACI.txt b/ACI.txt
index 174d33846..cd660a4fc 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -141,7 +141,7 @@ aci: (targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "krbprincipalname")(targetfilter = "(&(!(krbprincipalname=*))(objectclass=ipahost))")(version 3.0;acl "permission:System: Add krbPrincipalName to a Host";allow (write) groupdn = "ldap:///cn=System: Add krbPrincipalName to a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "enrolledby || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "enrolledby || nshardwareplatform || nsosversion || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Enroll a Host";allow (write) groupdn = "ldap:///cn=System: Enroll a Host,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
 aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Certificates";allow (write) groupdn = "ldap:///cn=System: Manage Host Certificates,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 5b2083b08..e6e42b3ea 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -361,7 +361,9 @@ class host(LDAPObject):
 },
 'System: Enroll a Host': {
 'ipapermright': {'write'},
- 'ipapermdefaultattr': {'objectclass', 'enrolledby'},
+ 'ipapermdefaultattr': {
+ 'objectclass', 'enrolledby', 'nshardwareplatform', 'nsosversion'
+ },
 'replaces': [
 '(targetattr = "objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
 '(targetattr = "enrolledby || objectclass")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Enroll a host";allow (write) groupdn = "ldap:///cn=Enroll a host,cn=permissions,cn=pbac,$SUFFIX";)',
diff --git a/ipaserver/plugins/join.py b/ipaserver/plugins/join.py
index a4db7404f..eb0d309ac 100644
--- a/ipaserver/plugins/join.py
+++ b/ipaserver/plugins/join.py
@@ -97,10 +97,13 @@ class join(Command):
 assert 'cn' not in kw
 ldap = self.api.Backend.ldap2
 
+ # realm parameter is not supported by host_{add,mod}
+ kw.pop('realm', None)
+
 try:
 # First see if the host exists
- kw = {'fqdn': hostname, 'all': True}
- attrs_list = api.Command['host_show'](**kw)['result']
+ show_kw = {'fqdn': hostname, 'all': True}
+ attrs_list = api.Command['host_show'](**show_kw)['result']
 dn = attrs_list['dn']
 
 # No error raised so far means that host entry exists
@@ -112,7 +115,8 @@ class join(Command):
 # one.
 if 'krbprincipalname' not in attrs_list:
 service = "host/%s@%s" % (hostname, api.env.realm)
- api.Command['host_mod'](hostname, krbprincipalname=service)
+ api.Command['host_mod'](hostname, **kw,
+ krbprincipalname=service)
 logger.info('No principal set, setting to %s', service)
 
 # It exists, can we write the password attributes?
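Review bot: The widened `ipapermdefaultattr` set of 'System: Enroll a Host' now grants write access to `nshardwareplatform` and `nsosversion`, but nothing in the hunk says why an enrollment permission needs to write hardware and OS metadata; the only hint is join.py in the same commit, which starts forwarding its remaining options to host_mod and host_add. A one-line comment above the set would save the next permission audit from reconstructing that, e.g. `# nshardwareplatform/nsosversion are written on the enrolling principal's behalf by the join command (ipaserver/plugins/join.py)`. The ACI.txt hunk in this commit lists the same four attributes, so the generated ACI dump and the managed permission agree. The host class and its managed permissions mapping extend beyond the hunk.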
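Review bot: `kw.pop('realm', None)` silently discards whatever realm the client asked to join, and from this line on `kw` is forwarded wholesale to host_mod and host_add, so the outcome is decided by `api.env.realm` regardless of the request. If the realm option is informational only, the added comment should say so; otherwise reject a mismatch before going on, `realm = kw.pop('realm', None)` followed by `if realm is not None and realm != api.env.realm: raise errors.ValidationError(name='realm', error='does not match the realm of this server')` — how join declares the option is outside the hunk, so this is offered as a suggestion. The wholesale `**kw` forwarding also means any option added to the join command later reaches host_mod/host_add without review; picking exactly the attributes the enrollment permission grants (`nshardwareplatform`, `nsosversion`, per the host.py hunk) into a separate dict would make that boundary visible. The enclosing method begins above this hunk and continues past it.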
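Review bot: The `**kw` forwarding in the host_mod call runs only inside `if 'krbprincipalname' not in attrs_list:`, so for an existing host that already has a principal — the ordinary re-enrollment case — the nshardwareplatform/nsosversion values carried in `kw` are never written, while a brand-new host receives them through the host_add call in the hunk at -122. As far as the visible hunks show there is no other host_mod, so the new attributes are applied only when the principal happens to be missing. If the intent is to keep these attributes current on every join, issue host_mod whenever `kw` is non-empty and fold the new principal into it, as sketched below; host_mod raises errors.EmptyModlist when nothing actually changes, so that case needs catching. The logger.info line then belongs inside the principal branch only.
```python
            if 'krbprincipalname' not in attrs_list:
                service = "host/%s@%s" % (hostname, api.env.realm)
                kw['krbprincipalname'] = service
                logger.info('No principal set, setting to %s', service)
            if kw:
                try:
                    api.Command['host_mod'](hostname, **kw)
                except errors.EmptyModlist:
                    pass  # entry already carries these values
            # … unchanged: krbLastPwdChange write check …
```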
@@ -122,12 +126,11 @@ class join(Command):
 "to the 'krbLastPwdChange' attribute of entry '%s'.") % dn)
 
 # Reload the attrs_list and dn so that we return update values
- kw = {'fqdn': hostname, 'all': True}
- attrs_list = api.Command['host_show'](**kw)['result']
+ attrs_list = api.Command['host_show'](**show_kw)['result']
 dn = attrs_list['dn']
 
 except errors.NotFound:
- attrs_list = api.Command['host_add'](hostname,
+ attrs_list = api.Command['host_add'](hostname, **kw,
 force=True)['result']
 dn = attrs_list['dn']
 
@@ -135,4 +138,4 @@ class join(Command):
 attrs_list['ipacertificatesubjectbase'] =\
 config['ipacertificatesubjectbase']
 
- return (dn, attrs_list)
+ return dn, attrs_list