On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
> I posted this on the PWM boards, and figured I'd send this along here,
> too. I'm looking for feedback on this. Let me know if you find this
> accurate and/or valuable. Thanks!
>
> PWM setup for FreeIPA
> https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
>
> PwmConfiguration-template.xml
> https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc
Jason,

It seems to me your ACIs are too lax. You should also make the PWM user a password synchronization agent, and not just give it blanket access to read everything from the directory and write every password. You should limit it to users, for example, and not allow it to change services' or hosts' "passwords".

Simo.

--
Simo Sorce * Red Hat, Inc * New York

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
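The two changes Simo is asking for, written out as LDIF you would feed to ldapmodify against a FreeIPA directory server. This is an added example, not part of Jason's gists or the thread, and the bind DN `uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com`, the suffix `dc=example,dc=com` and the ACI name are assumptions; substitute the system account and suffix you actually created. The first entry registers the PWM bind DN as a password synchronization manager with FreeIPA's `ipa_pwd_extop` plugin; the second grants that DN write access to password attributes only on entries under `cn=users,cn=accounts` that are `posixAccount`, so host and service principals (which live under `cn=computers` and `cn=services`) are never in scope.

```ldif
# Added example: register the PWM system account as a password sync agent.
# Assumed DN: uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com

# Added example: scope the password-write ACI to user entries only.
# Target is the users container, filtered to posixAccount, so hosts and
# services under cn=computers / cn=services are not writable by PWM.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || krbPrincipalKey || krbPasswordExpiration || passwordHistory")(targetfilter = "(objectClass=posixAccount)")(version 3.0; acl "PWM: reset user passwords only (example)"; allow (write) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

Apply with `ldapmodify -x -D "cn=Directory Manager" -W -f pwm-acis.ldif` (the plugin entry under `cn=config` can only be changed by Directory Manager) and then verify from PWM's own credentials that a bind as the PWM DN can modify `userPassword` on a test user but gets an insufficient-access error when it tries the same against a host or service entry. Listing the DN in `passSyncManagersDNs` is what makes `ipa_pwd_extop` treat PWM's writes as synchronization rather than an administrative reset, so passwords set through PWM are not immediately expired and the user is not forced to change them again at next login; it does not by itself grant any write access, which is why the scoped ACI is still needed. The attribute list in the ACI is the set FreeIPA's password plugin touches on a reset; if your deployment also maintains Samba hashes, add those attributes deliberately rather than widening the target to `*`.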