Re: [Freeipa-users] PWM password self-service integration with FreeIPA

2016-10-30 Thread Elwell, Jason
I have updated the gist using the PWM documentation I found to do just
that.  Let me know if that is more acceptable.  I'm feeling my way through
this, please pardon my lack of savoir-faire.

See latest at
https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a

Jason Elwell

Office: 205-298-3731

Cell: 205-603-4195

elwe...@vmcmail.com

On Tue, Oct 25, 2016 at 9:01 AM, Simo Sorce  wrote:

> On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
> > I posted this on the PWM boards, and figured I'd send this along here,
> > too.  I'm looking for feedback on this.  Let me know if you find this
> > accurate and/or valuable.  Thanks!
> >
> >
> > PWM setup for FreeIPA
> > https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
> >
> > PwmConfiguration-template.xml
> > https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc
>
> Jason,
> It seems to me your ACIs are too lax. You should also make the PWM user
> a password synchronization agent, and not just give it blanket access to
> read everything from the directory and write every password; you should
> limit it to users, for example, and not allow it to change services' or
> hosts' "passwords".
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] PWM password self-service integration with FreeIPA

2016-10-25 Thread Simo Sorce
On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
> I posted this on the PWM boards, and figured I'd send this along here,
> too.  I'm looking for feedback on this.  Let me know if you find this
> accurate and/or valuable.  Thanks!
> 
> 
> PWM setup for FreeIPA
> https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
> 
> PwmConfiguration-template.xml
> https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc

Jason,
It seems to me your ACIs are too lax. You should also make the PWM user
a password synchronization agent, and not just give it blanket access to
read everything from the directory and write every password; you should
limit it to users, for example, and not allow it to change services' or
hosts' "passwords".

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
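
The two changes the reply asks for, written out as an added example (this is not from the thread, the gist, or the PWM project; the base DN `dc=example,dc=com`, the PWM bind account `uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com`, and the list of readable attributes are assumptions to be replaced with your own values). The first modify registers the PWM bind DN in `passSyncManagersDNs` on the `ipa_pwd_extop` plugin, which is how FreeIPA marks a password synchronization agent: a password it sets is not expired immediately, as it would be after an ordinary administrative reset. The second adds ACIs whose `target` matches only entries under `cn=users,cn=accounts`, so host entries (`cn=computers`) and service entries (`cn=services`) are outside their scope, and whose `targetattr` lists only what the self-service workflow needs instead of `*`:

```ldif
# Added example, not taken from the gist. Assumed values:
#   base DN          dc=example,dc=com
#   PWM bind account uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com
# Apply with:  ldapmodify -x -D "cn=Directory Manager" -W -f pwm-scoped.ldif

# 1. Make the PWM bind DN a password synchronization agent so that
#    passwords it sets are not expired on first use.
dn: cn=ipa_pwd_extop,cn=plugins,cn=config
changetype: modify
add: passSyncManagersDNs
passSyncManagersDNs: uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com

# 2. Scoped ACIs. The "target" clause restricts both to user entries;
#    hosts and services live in sibling subtrees and are not matched.
#    The attribute list in the read ACI is an assumption: trim it to the
#    attributes your PWM configuration actually searches or displays.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword")
 (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (version 3.0; acl "PWM: write user passwords";
 allow (write) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
aci: (targetattr = "uid || cn || givenName || sn || mail || memberOf")
 (target = "ldap:///uid=*,cn=users,cn=accounts,dc=example,dc=com")
 (version 3.0; acl "PWM: read user attributes";
 allow (read, search, compare) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)

# For contrast only (illustrative, not copied from the gist): the "blanket"
# shape the reply warns against. With no target and targetattr "*" it
# also reaches host and service entries and every attribute on them.
#   aci: (targetattr = "*")(version 3.0; acl "PWM: everything";
#        allow (read, write) userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com";)
```

A quick check after applying: bind as the PWM account with `ldapsearch -x -D "uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com" -W -b "cn=computers,cn=accounts,dc=example,dc=com"` and confirm no host entries come back, then repeat against `cn=users,cn=accounts,...` and confirm only the listed attributes are returned. The LDIF continuation lines begin with a single space, which the parser strips when joining, so each `aci:` value is one string.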
