I also had to extend the schema.  I'm not in front of my instructions right now.

On Mon, Nov 12, 2018 at 12:27, Rob Crittenden via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Joyce Babu via FreeIPA-users wrote:
> I am trying to setup PWM for allowing users to reset their password. I found the following guide on setting up PWM with FreeIPA
> https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303.
>
> The above guide creates the pwmproxy and pwmtest users under cn=users,cn=accounts,dc=example,dc=com.
>
> uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
> uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
>
> But FreeIPA documentation does not recommend creating such accounts as normal user accounts.
> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
> Is it better to create the above accounts under cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo?
> Or does PWM require that the pwm users also be created under the same base dn?

"Better" is a subjective thing.

The advantage of a sysaccount user is they cannot log into systems. They
can only bind to LDAP.

The disadvantage of a sysaccount user is there is no way currently to
assign permissions, causing the write issue you report. The kludgy
workaround is to manually add a memberof=<dn of permission you need> to
the sysaccount user.

If you want to use a real IPA user you can always set the shell to
/bin/false or something to disallow logging in.

It's more a preference thing than anything else, particularly for those
with a background in LDAP and being used to having bind-only users.

rob
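The following is an added example, not code from the thread, PWM or the FreeIPA project. It generates the LDIF for a bind-only sysaccount under cn=sysaccounts,cn=etc (the entry shape from the FreeIPA HowTo/LDAP page) and the memberOf workaround Rob describes, and only talks to a server when invoked with "apply". The account name pwmproxy, the base DN dc=example,dc=com, the permission name and the choice of userpassword as the attribute PWM needs to write are all assumptions; adjust them for your deployment.

```shell
#!/bin/sh
# Added example (not from the thread). Generates LDIF for a FreeIPA
# sysaccount plus the memberOf permission workaround; applies it only
# when run as: PASSWORD=... ./pwm-sysaccount.sh apply
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=com}"                 # assumption
ACCOUNT="${ACCOUNT:-pwmproxy}"                         # assumption
PERM="${PERM:-PWM proxy: write user passwords}"        # assumed permission name

# A sysaccount has no posixAccount objectclass, so it cannot log in to
# enrolled hosts; it can only bind to LDAP. Objectclasses and attributes
# follow the FreeIPA HowTo/LDAP "System Accounts" entry.
sysaccount_ldif() {
  name="$1"; password="$2"
  cat <<EOF
dn: uid=${name},cn=sysaccounts,cn=etc,${BASE_DN}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${name}
userPassword: ${password}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# Workaround from the thread: a sysaccount cannot be made a member of an
# IPA role, so point memberOf straight at the permission entry, which
# lives under cn=permissions,cn=pbac,<base>.
memberof_ldif() {
  name="$1"; permission="$2"
  cat <<EOF
dn: uid=${name},cn=sysaccounts,cn=etc,${BASE_DN}
changetype: modify
add: memberOf
memberOf: cn=${permission},cn=permissions,cn=pbac,${BASE_DN}
EOF
}

# Sanity check for config review: 0 if the DN is in the sysaccounts
# container, 1 if it is a normal user under cn=users,cn=accounts.
is_sysaccount_dn() {
  case "$1" in
    *,cn=sysaccounts,cn=etc,*) return 0 ;;
    *) return 1 ;;
  esac
}

if [ "${1:-}" = "apply" ]; then
  # Needs an admin Kerberos ticket for "ipa" and the Directory Manager
  # password for ldapmodify. PASSWORD is the new sysaccount's password.
  pw="${PASSWORD:?set PASSWORD in the environment}"
  ipa permission-add "$PERM" --type=user --right=write --attrs=userpassword
  sysaccount_ldif "$ACCOUNT" "$pw" | ldapmodify -x -D "cn=Directory Manager" -W
  memberof_ldif "$ACCOUNT" "$PERM" | ldapmodify -x -D "cn=Directory Manager" -W
  # Verify the account can bind with a simple bind, which is all it should do.
  ldapwhoami -x -D "uid=${ACCOUNT},cn=sysaccounts,cn=etc,${BASE_DN}" -w "$pw"
fi
```

Without "apply" the script only defines the functions, so you can inspect the LDIF first with `sysaccount_ldif pwmproxy 'Secret1'` before feeding it to ldapmodify. If you instead keep pwmproxy as a regular IPA user, as Rob also allows, the memberOf step is unnecessary: put the permission in a privilege and role and add the user to the role with the ipa CLI.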