I was able to get an older version of PWM (v1.6.4 b1185) and an older FreeIPA (v3.0.0) working together. It's been a few years since I initially set it up, but I recall it was not easy getting PWM to cooperate with IPA. I do recall that I had to grant some extra privileges to the "proxy" user. We created a user called "svc_pwmproxy" and a new role called "PWM Proxy" with a privilege called "Modify PWM and passwords". Then, for that privilege, we granted the permission "change a user password", which has "write" permissions on the following attributes (krbprincipalkey, userpassword, sambalmpassword, sambantpassword, passwordhistory), with Type: User and Filter: (!(memberOf=cn=admins,cn=groups,cn=accounts,dc=ipadomain,dc=local)). We probably didn't need write access to all those attributes, but it worked, so I left it alone once I got it working.

-Mike

-----Original Message-----
From: Tiemen Ruiten
Sent: Apr 20, 2016 11:23 AM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] FreeIPA and PWM

Hello,

I'm trying to set up a self-service page for a new IPA domain and I'm trying to use PWM for that.

When I try to bind to FreeIPA from within PWM, with the configured "LDAP Proxy User", I get the following error:

error connecting to ldap server 'ldaps://polonium.ipa.rdmedia.com:636': unable to create connection: unable to bind to ldaps://polonium.ipa.rdmedia.com:636 as cn=svcpwmproxy,cn=groups,cn=accounts,dc=ipa,dc=rdmedia,dc=com reason: [LDAP: error code 48 - Inappropriate Authentication]

In /var/log/krb5kdc.log I see:

Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: NEEDED_PREAUTH: host/protactinium.ipa.rdmedia....@ipa.rdmedia.com for krbtgt/ipa.rdmedia....@ipa.rdmedia.com, Additional pre-authentication required
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): AS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia....@ipa.rdmedia.com for krbtgt/ipa.rdmedia....@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.168.50.33: ISSUE: authtime 1461165149, etypes {rep=18 tkt=18 ses=18}, host/protactinium.ipa.rdmedia....@ipa.rdmedia.com for ldap/polonium.ipa.rdmedia....@ipa.rdmedia.com
Apr 20 17:12:29 polonium.ipa.rdmedia.com krb5kdc[25760](info): closing down fd 12

What is going on? What can I do to debug this more?


--
Tiemen Ruiten
Systems Engineer
R&D Media
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
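The role / privilege / permission chain Mike describes at the top of the thread, reproduced with the FreeIPA CLI as an added example (this is not code from the thread or from the PWM or FreeIPA projects). It assumes the FreeIPA 4.x flag names (--right, --attrs, --type, --filter; FreeIPA 3.0 spelled --right as --permissions), an admin Kerberos ticket from kinit, and a made-up base DN dc=ipa,dc=example,dc=com. The proxy_dn_ok helper encodes one check worth running against the bind DN PWM is configured with: in FreeIPA's directory layout a user's entry sits at uid=NAME,cn=users,cn=accounts,BASEDN, while cn=NAME,cn=groups,cn=accounts,BASEDN is a group entry, which carries no userPassword and so cannot be used to bind.

```shell
#!/bin/sh
# Added example: recreate the "PWM Proxy" role that Mike describes, using the
# FreeIPA CLI. Assumes FreeIPA 4.x option names and an admin ticket (kinit admin).
# Set IPA=echo to dry-run: the commands are printed instead of executed.
IPA="${IPA:-ipa}"
BASEDN="${BASEDN:-dc=ipa,dc=example,dc=com}"   # assumed base DN, adjust to yours
PROXY_USER="${PROXY_USER:-svc_pwmproxy}"       # the account PWM binds as

pwm_proxy_setup() {
    # 1. A plain user for PWM to bind as. Set its password afterwards with
    #    "ipa passwd $PROXY_USER" (omitted here so the dry-run stays non-interactive).
    "$IPA" user-add "$PROXY_USER" --first=PWM --last=Proxy

    # 2. The permission: write access to the password-related attributes of any
    #    user entry that is NOT a member of the admins group. Mike granted all five
    #    attributes; the samba* ones only matter if Samba hashes are in use.
    "$IPA" permission-add "change a user password" \
        --right=write --type=user \
        --attrs=krbprincipalkey --attrs=userpassword --attrs=passwordhistory \
        --attrs=sambalmpassword --attrs=sambantpassword \
        --filter="(!(memberOf=cn=admins,cn=groups,cn=accounts,$BASEDN))"

    # 3. Wire it up: permission -> privilege -> role -> proxy user.
    "$IPA" privilege-add "Modify PWM and passwords" --desc="PWM self-service password resets"
    "$IPA" privilege-add-permission "Modify PWM and passwords" --permissions="change a user password"
    "$IPA" role-add "PWM Proxy" --desc="Service account role for PWM"
    "$IPA" role-add-privilege "PWM Proxy" --privileges="Modify PWM and passwords"
    "$IPA" role-add-member "PWM Proxy" --users="$PROXY_USER"
}

# The DN to configure as PWM's "LDAP Proxy User" for the account created above.
pwm_proxy_dn() {
    printf 'uid=%s,cn=users,cn=accounts,%s\n' "$PROXY_USER" "$BASEDN"
}

# Sanity check for a configured bind DN: FreeIPA users live under
# cn=users,cn=accounts. A DN under cn=groups,cn=accounts names a group, which has
# no userPassword and cannot perform a simple bind. Returns 0 when the DN is a
# user entry, 1 otherwise.
proxy_dn_ok() {
    case "$1" in
        uid=*,cn=users,cn=accounts,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (dry run, prints the ipa commands):
#   IPA=echo sh pwm_proxy_setup.sh
# Real run, after kinit admin:
#   sh pwm_proxy_setup.sh && ipa passwd svc_pwmproxy
if [ "${PWM_PROXY_RUN:-1}" = 1 ] && [ "$(basename "$0")" = "pwm_proxy_setup.sh" ]; then
    pwm_proxy_setup
    printf 'Configure PWM with proxy DN: %s\n' "$(pwm_proxy_dn)"
fi
```

The filter excludes members of admins so that a compromise of the PWM proxy account cannot be turned into an admin password reset; keep that exclusion even if you trim the attribute list down to what your deployment actually needs.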