I am trying to set up PWM to allow users to reset their password. I found the following guide on setting up PWM with FreeIPA: https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .
The above guide creates the pwmproxy and pwmtest users under cn=users,cn=accounts,dc=example,dc=com.
uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
But FreeIPA documentation does not recommend creating such accounts as normal user accounts. https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
Is it better to create the above accounts under cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo? Or does PWM require that the pwm users also be created under the same base dn?
I just did this. I set up the pwm users under the normal account setup.
Sent from Yahoo Mail on Android
On Sat, Nov 10, 2018 at 10:57, Joyce Babu via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Thank you for your reply, Andrew.
I went ahead and created the proxy user as a sysaccount and the test user as a normal account.
I am seeing the following error, when PWM starts.
Insufficient 'write' privilege to the 'ipaUniqueID' attribute of entry
Is it necessary to give the proxy user write permission to ipaUniqueID for PWM to work properly?
On Sun, Nov 11, 2018 at 7:20 AM Andrew Meyer <andrewm659@yahoo.com> wrote:
Joyce Babu via FreeIPA-users wrote:
"Better" is a subjective thing.
The advantage of a sysaccount user is they cannot log into systems. They can only bind to LDAP.
The disadvantage of a sysaccount user is there is no way currently to assign permissions, causing the write issue you report. The kludgy workaround is to manually add a memberof=<dn of permission you need> to the sysaccount user.
If you want to use a real IPA user you can always set the shell to /bin/false or something to disallow logging in.
It's more a preference thing than anything else, particularly for those with a background in LDAP and being used to having bind-only users.
rob
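The two steps Rob describes, as an added example that is not part of the thread: a bind-only sysaccount entry in the shape given by the FreeIPA LDAP HowTo, plus the hand-added memberOf pointing at a permission entry. The suffix, the account name, the initial password and the permission name are placeholders; the nsMemberOf objectclass is assumed to be the 389-ds auxiliary class that permits memberOf on an entry that otherwise lacks it.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: emit the LDIF for a
# PWM proxy bind account as a FreeIPA sysaccount, then the memberOf workaround.

# LDIF that adds a bind-only system account under cn=sysaccounts,cn=etc.
# $1 = uid, $2 = base suffix, $3 = initial password (placeholder; rotate after first bind)
sysaccount_ldif() {
  cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$2
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: $1
userPassword: $3
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# LDIF for the workaround: hand-add a memberOf naming the permission entry whose
# ACI grants the write the proxy needs (the ipaUniqueID write from the thread).
# $1 = uid, $2 = base suffix, $3 = permission cn (hypothetical name, create it
# first with "ipa permission-add" and scope it to the ipaUniqueID attribute only).
# nsMemberOf is assumed to be the auxiliary objectclass that allows memberOf here.
grant_permission_ldif() {
  cat <<EOF
dn: uid=$1,cn=sysaccounts,cn=etc,$2
changetype: modify
add: objectclass
objectclass: nsMemberOf
-
add: memberOf
memberOf: cn=$3,cn=permissions,cn=pbac,$2
EOF
}

# Apply LDIF from stdin as Directory Manager. $1 = LDAP URL of an IPA server.
apply_ldif() {
  ldapmodify -x -D "cn=Directory Manager" -W -H "$1"
}

# Usage (the apply step needs a reachable IPA server, so it is not run here):
#   sysaccount_ldif pwmproxy dc=example,dc=com 'CHANGE-ME' | apply_ldif ldaps://ipa.example.com
#   grant_permission_ldif pwmproxy dc=example,dc=com 'PWM write ipaUniqueID' | apply_ldif ldaps://ipa.example.com
```

Keep the permission narrow: a write grant on ipaUniqueID only, so the bind-only account cannot touch anything else on user entries.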
I also had to extend the schema. I'm not in front of my instructions right now.
Sent from Yahoo Mail on Android
On Mon, Nov 12, 2018 at 12:27, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: