Hey All,
1) When moving an IPA Cluster member to another VLAN, is it only necessary to change the member's DNS entries in the primary IPA's DNS config, then change the IP on the secondary's network config? Or are there more steps that would need to be done?
2) Can I join an IPA client to an IPA server using an alternate non-privileged account that has minimal permissions, instead of the admin-type account?
ipa-client-install --force-join -p admin -w "$TMPP" --fixed-primary --server=$IPA01.$NDOMAIN --server=$IPA02.$NDOMAIN --domain=$NDOMAIN --realm=$UNDOMAIN -U
I've created a user with a role that has Host Enrollment and Host Administrators. However, perhaps Host Administrators will give too many permissions, including removal of existing hosts. Wondering if there isn't a more restrictive set of permissions I could give.
TomK via FreeIPA-users wrote:
Hey All,
- When moving an IPA Cluster member to another VLAN, is it only necessary to change the member's DNS entries in the primary IPA's DNS config, then change the IP on the secondary's network config? Or are there more steps that would need to be done?
- Can I join an IPA client to an IPA server using an alternate non-privileged account that has minimal permissions, instead of the admin-type account?
ipa-client-install --force-join -p admin -w "$TMPP" --fixed-primary --server=$IPA01.$NDOMAIN --server=$IPA02.$NDOMAIN --domain=$NDOMAIN --realm=$UNDOMAIN -U
I've created a user with a role that has Host Enrollment and Host Administrators. However, perhaps Host Administrators will give too many permissions, including removal of existing hosts. Wondering if there isn't a more restrictive set of permissions I could give.
If memory serves, only host add is required. There are a couple of ways you can achieve this. You can create a new "Add hosts" privilege, add the "System: Add Hosts" permission to it, then add that privilege to the "Host Enrollment" role, or you can add "System: Add Hosts" to the "Host Enrollment" privilege.
rob
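The first option from the reply above, written out as ipa commands. This is an added example, not part of the original thread: the role name "Host Enroller" and the user "enroll-svc" are hypothetical, and the user is assumed to exist already. It prints the commands by default and runs them only with APPLY=1 under an admin Kerberos ticket.

```sh
#!/bin/sh
# Added example: enrollment role without the Host Administrators privilege.
# ROLE and ENROLL_USER are hypothetical names chosen for this example.
ROLE="${ROLE:-Host Enroller}"
ENROLL_USER="${ENROLL_USER:-enroll-svc}"   # assumed to exist already
PRIV="Add hosts"                           # new privilege named in the reply
PERM="System: Add Hosts"                   # permission named in the reply

# Print a command with space-containing arguments quoted; execute it only
# when APPLY=1 (needs an admin ticket, e.g. from "kinit admin").
run() {
    line=""
    for a in "$@"; do
        case $a in
            *" "*) line="$line '$a'" ;;
            *)     line="$line $a" ;;
        esac
    done
    printf '%s\n' "${line# }"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

setup_enroll_role() {
    # 1. New privilege that carries only the host-add permission.
    run ipa privilege-add "$PRIV" --desc="Create host entries only"
    run ipa privilege-add-permission "$PRIV" --permissions="$PERM"
    # 2. Dedicated role: the stock "Host Enrollment" privilege plus the new
    #    one. The broader privilege from the question is left out, so
    #    members cannot delete existing hosts.
    run ipa role-add "$ROLE" --desc="Join clients with minimal rights"
    run ipa role-add-privilege "$ROLE" --privileges="Host Enrollment"
    run ipa role-add-privilege "$ROLE" --privileges="$PRIV"
    # 3. Attach the enrollment account to the role.
    run ipa role-add-member "$ROLE" --users="$ENROLL_USER"
}

setup_enroll_role
```

With the role in place, the join command from the question would pass the enrollment account to -p in place of admin.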