Typically Linux nodes are joined to FreeIPA using admin credentials. While this works, it exposes fully privileged credentials unnecessarily, for example when used within a configuration management system (see for example puppet-ipa).
Fortunately joining nodes to FreeIPA is possible with more limited privileges. The first step is to create a new FreeIPA role, e.g. "Enrollment administrator" with three privileges:
- DNS Administrators
- Host Administrators
- Host Enrollment
Then you create a new user, e.g. "enrollment", and join it to the "Enrollment administrator" role. After that you should be able to join nodes using that "enrollment" user.
While this is not perfect security-vise, it is still better than having to expose the admin credentials just to join nodes to FreeIPA.