Joining nodes to FreeIPA using a non-admin user

August 9, 2022 

Typically Linux nodes are joined to FreeIPA using admin credentials. While this works, it exposes fully privileged credentials unnecessarily, for example when they are stored in a configuration management system (see for example puppet-ipa).

Fortunately joining nodes to FreeIPA is possible with more limited privileges. The first step is to create a new FreeIPA role, e.g. "Enrollment administrator" with three privileges:

  • DNS Administrators
  • Host Administrators
  • Host Enrollment

Then you create a new user, e.g. "enrollment", and join it to the "Enrollment administrator" role. After that you should be able to join nodes using that "enrollment" user.
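The procedure above, written out as an added shell script (not code from the original post or from puppet-ipa) using the `ipa` CLI. It assumes the CLI is run with a Kerberos ticket of a user allowed to manage roles (e.g. after `kinit admin`), that the role and user are named as in the post, and that `ipa-client-install` is run on the node being joined. Besides the three steps it adds a check that the role carries exactly the three intended privileges and nothing more, which is worth re-running after any later change to the role, since "DNS Administrators" in particular already covers every DNS zone the server manages.

```shell
#!/bin/sh
# Added example, not code from the original post or from puppet-ipa.
# Creates the "Enrollment administrator" role with the three privileges
# listed in the post, creates the "enrollment" user, checks the role, and
# joins a node with that user. Assumes the ipa CLI is available with a
# valid Kerberos ticket of a user allowed to manage roles (e.g. "kinit admin").
# Names follow the post; all of them can be overridden via the environment.
IPA="${IPA:-ipa}"                                  # ipa CLI (or a stub)
IPA_CLIENT_INSTALL="${IPA_CLIENT_INSTALL:-ipa-client-install}"
ROLE="${ROLE:-Enrollment administrator}"
ENROLL_USER="${ENROLL_USER:-enrollment}"
EXPECTED_PRIVS="DNS Administrators, Host Administrators, Host Enrollment"

# Step 1: the role, with exactly the three privileges the post names.
create_enrollment_role() {
  $IPA role-add "$ROLE" --desc="Join hosts to FreeIPA without admin rights"
  $IPA role-add-privilege "$ROLE" \
    --privileges="DNS Administrators" \
    --privileges="Host Administrators" \
    --privileges="Host Enrollment"
}

# Step 2: the dedicated user, made a member of the role. "--password"
# makes the ipa CLI prompt for the new password instead of taking it as
# an argument, so it stays out of shell history and process listings.
create_enrollment_user() {
  $IPA user-add "$ENROLL_USER" --first=Enrollment --last=Account --password
  $IPA role-add-member "$ROLE" --users="$ENROLL_USER"
}

# Check: parse "ipa role-show" and confirm the role carries only the three
# intended privileges. Returns 0 on match, 1 (printing both lists) otherwise.
verify_role_privileges() {
  actual=$($IPA role-show "$ROLE" | sed -n 's/^ *Privileges: *//p')
  if [ "$actual" = "$EXPECTED_PRIVS" ]; then
    return 0
  fi
  printf 'unexpected privileges on "%s":\n  got:  %s\n  want: %s\n' \
    "$ROLE" "$actual" "$EXPECTED_PRIVS" >&2
  return 1
}

# Step 3 (run on the node): join using the enrollment user instead of admin.
# ipa-client-install prompts for the password when --password is omitted;
# ENROLL_PASSWORD is only used for unattended runs, such as from a
# configuration management tool.
join_node() {
  if [ -n "${ENROLL_PASSWORD:-}" ]; then
    $IPA_CLIENT_INSTALL --unattended --principal="$ENROLL_USER" --password="$ENROLL_PASSWORD"
  else
    $IPA_CLIENT_INSTALL --principal="$ENROLL_USER"
  fi
}

case "${1:-}" in
  setup)  create_enrollment_role && create_enrollment_user && verify_role_privileges ;;
  verify) verify_role_privileges ;;
  join)   join_node ;;
  "")     ;;   # no argument: only define the functions (e.g. when sourced)
  *)      echo "usage: $0 {setup|verify|join}" >&2; exit 2 ;;
esac
```

Run `./enroll-role.sh setup` once on a server with an admin ticket, then `./enroll-role.sh join` on each node; `IPA=echo ./enroll-role.sh setup` prints the `ipa` commands without executing them, which is a convenient way to review them before touching the directory.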

While this is not perfect security-wise, it is still better than having to expose the admin credentials just to join nodes to FreeIPA.

Samuli Seppänen