[Freeipa-users] PWM password self-service integration with FreeIPA
Simo Sorce
simo at redhat.com
Tue Oct 25 14:01:17 UTC 2016
On Sun, 2016-10-23 at 12:22 -0500, Elwell, Jason wrote:
> I posted this on the PWM boards, and figured I'd send this along here,
> too. I'm looking for feedback on this. Let me know if you find this
> accurate and/or valuable. Thanks!
>
>
> PWM setup for FreeIPA
> https://gist.github.com/PowerWagon/d794a1233d7943f1614d2ae5223e678a
>
> PwmConfiguration-template.xml
> https://gist.github.com/PowerWagon/0e83a0c5b67316a6987944b76eb103bc

Jason,

It seems to me your ACIs are too lax. You should also make the PWM user
a password synchronization agent and not just give it blanket access to
read everything from the directory and write every password. You should
limit it to users, for example, and not allow it to change service's or
host's "passwords".

Simo.
--
Simo Sorce * Red Hat, Inc * New York
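
An added example, not part of the original message or of the gists it links: a small Python check that flags a 389-DS ACI granting the two things the reply objects to, blanket read access and password writes reaching beyond user entries. The `example.com` suffix, the `uid=pwm` system account DN, the finding names, and the treatment of `krbPrincipalKey` as a password-equivalent attribute are assumptions; DNs are assumed to be written without extra spaces.

```python
import re

# Assumptions: example.com suffix (placeholder) and FreeIPA's default user container.
USERS = "cn=users,cn=accounts,dc=example,dc=com"
PASSWORD_ATTRS = ("userpassword", "krbprincipalkey")

def parse_aci(aci):
    """Pull out the parts of a 389-DS ACI that decide what it covers."""
    def keyword(name):
        m = re.search(r'\(\s*%s\s*(!?=)\s*"([^"]*)"\s*\)' % name, aci, re.I)
        return (m.group(1), m.group(2)) if m else ("=", "")
    op, attrs = keyword("targetattr")
    _, target = keyword("target")
    rights = re.search(r"allow\s*\(([^)]*)\)", aci, re.I)
    return {
        "attrs": {a.strip().lower() for a in attrs.split("||") if a.strip()},
        "negated": op == "!=",
        "target": re.sub(r"^ldap:///", "", target, flags=re.I).lower(),
        "rights": {r.strip().lower() for r in rights.group(1).split(",")} if rights else set(),
    }

def audit(entry_dn, aci):
    """Return the findings for one ACI stored on entry_dn."""
    p = parse_aci(aci)
    # Without a target keyword the ACI covers entry_dn and everything below it.
    scope = p["target"] or entry_dn.lower()
    if scope == USERS or scope.endswith("," + USERS):
        return []  # confined to user entries
    def covers(attr):
        return attr not in p["attrs"] if p["negated"] else bool(p["attrs"] & {"*", attr})
    findings = []
    if (p["negated"] or "*" in p["attrs"]) and p["rights"] & {"read", "search", "compare", "all"}:
        findings.append("blanket-read")
    if p["rights"] & {"write", "all"} and any(covers(a) for a in PASSWORD_ATTRS):
        findings.append("password-write-outside-users")
    return findings

PWM = 'userdn = "ldap:///uid=pwm,cn=sysaccounts,cn=etc,dc=example,dc=com"'
SUFFIX = "dc=example,dc=com"
# Constructed ACIs, not taken from the gists linked in the thread.
LAX = '(targetattr = "*")(version 3.0; acl "pwm all"; allow (read, search, compare, write) %s;)' % PWM
SCOPED = ('(targetattr = "userPassword")(target = "ldap:///uid=*,%s")'
          '(version 3.0; acl "pwm user passwords"; allow (write) %s;)' % (USERS, PWM))

if __name__ == "__main__":
    for name, aci in (("lax", LAX), ("scoped", SCOPED)):
        print(name, audit(SUFFIX, aci))
```

The check covers only ACI scope; registering the account as a password synchronization agent is a separate server-side setting that it does not inspect.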