On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
> I posted this on the PWM boards, and figured I'd send this along here,
> too.  I'm looking for feedback on this.  Let me know if you find this
> accurate and/or valuable.  Thanks!
> PWM setup for FreeIPA
> https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
> PwmConfiguration-template.xml
> https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc

It seems to me your ACIs are too lax, you should also make the PWM user
a password synchronization agent and not just give it blanket access to
read everything from the directory and write every password, you should
limit it to users for example and not allow it to change service's or
host's "passwords".


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to