I also had to extend the schema. I'm not in front of my instructions right now.
Sent from Yahoo Mail on Android

On Mon, Nov 12, 2018 at 12:27, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

Joyce Babu via FreeIPA-users wrote:
> I am trying to set up PWM for allowing users to reset their password. I found
> the following guide on setting up PWM with FreeIPA
> https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .
>
> The above guide creates the pwmproxy and pwmtest users under
> cn=users,cn=accounts,dc=example,dc=com.
>
> uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
> uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
>
> But FreeIPA documentation does not recommend creating such accounts as normal
> user accounts.
> https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
>
> Is it better to create the above accounts under
> cn=sysaccounts,cn=etc,dc=example,dc=com as recommended in the HowTo?
> Or does PWM require that the pwm users also be created under the same base dn?

"Better" is a subjective thing. The advantage of a sysaccount user is they cannot log into systems. They can only bind to LDAP.

The disadvantage of a sysaccount user is there is no way currently to assign permissions, causing the write issue you report. The kludgy workaround is to manually add a memberof=<dn of permission you need> to the sysaccount user.

If you want to use a real IPA user you can always set the shell to /bin/false or something to disallow logging in.

It's more a preference thing than anything else, particularly for those with a background in LDAP and being used to having bind-only users.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
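As an added example (not code from the thread or from FreeIPA), the following POSIX shell helper writes the LDIF for a bind-only account under cn=sysaccounts,cn=etc, the location the linked HowTo recommends, and can include the manual memberOf line Rob describes as the workaround for sysaccounts that cannot be assigned permissions. The account names, the permission DN, the nsMemberOf objectClass used to allow the memberOf attribute, the Directory Manager bind and the IPA_SERVER host are all assumptions.

```shell
#!/bin/sh
# Added example: LDIF for a bind-only system account plus the optional
# hand-added memberOf workaround from the thread. All names are assumptions.

# sysaccount_ldif BASEDN UID [PERMISSION_DN]
# The password is taken from $SYSACCOUNT_PASSWORD so it stays out of argv
# and shell history; a placeholder is emitted if it is unset.
sysaccount_ldif() {
    basedn=$1; uid=$2; permdn=${3:-}
    [ -n "$basedn" ] && [ -n "$uid" ] || {
        echo "usage: sysaccount_ldif BASEDN UID [PERMISSION_DN]" >&2; return 2; }
    pw=${SYSACCOUNT_PASSWORD:-CHANGE-ME-PLACEHOLDER}
    printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$uid" "$basedn"
    printf 'changetype: add\n'
    printf 'objectClass: account\n'
    printf 'objectClass: simpleSecurityObject\n'
    if [ -n "$permdn" ]; then
        # Assumed: 389-ds auxiliary class that allows the memberOf attribute.
        printf 'objectClass: nsMemberOf\n'
    fi
    printf 'uid: %s\n' "$uid"
    printf 'userPassword: %s\n' "$pw"
    printf 'passwordExpirationTime: 20380119031407Z\n'   # effectively never expires
    printf 'nsIdleTimeout: 0\n'
    if [ -n "$permdn" ]; then
        # Kludge from the thread: sysaccounts cannot get permissions through
        # roles/privileges, so the permission DN is added to memberOf by hand.
        printf 'memberOf: %s\n' "$permdn"
    fi
}

# sysaccount_dn BASEDN UID -> the bind DN the application (PWM) should use
sysaccount_dn() {
    printf 'uid=%s,cn=sysaccounts,cn=etc,%s\n' "$2" "$1"
}

# Apply against a server (assumed host in $IPA_SERVER):
#   SYSACCOUNT_PASSWORD=... ./sysaccount.sh apply dc=example,dc=com pwmproxy \
#       'cn=<permission you need>,cn=permissions,cn=pbac,dc=example,dc=com'
case "${1:-}" in
    apply)
        shift
        sysaccount_ldif "$@" | ldapmodify -x -D 'cn=Directory Manager' -W \
            -H "ldaps://${IPA_SERVER:-ipa.example.com}"
        ;;
esac
```

Without the third argument the entry is a plain bind-only account, which is enough for reads; add the permission DN only when the application must write.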