I am trying to setup PWM for allowing users to reset their password.
I found the following guide on setting up PWM with FreeIPA
https://gist.github.com/OneLoveAmaru/2ac93400a30466cdecc7a60e30ae1303 .
The above guide creates the pwmproxy and pwmtest users under
cn=users,cn=accounts,dc=example,dc=com.
uid=pwmproxy,cn=users,cn=accounts,dc=example,dc=com
uid=pwmtest,cn=users,cn=accounts,dc=example,dc=com
But FreeIPA documentation does not recommend creating such accounts as normal user
accounts.
https://www.freeipa.org/page/HowTo/LDAP#System_Accounts
Is it better to create the above accounts under cn=sysaccounts,cn=etc,dc=example,dc=com
as recommended in the HowTo?
Or does PWM require that the pwm users also be created under the same base dn?
"Better" is a subjective thing.
The advantage of a sysaccount user is they cannot log into systems. They
can only bind to LDAP.
The disadvantage of a sysaccount user is there is no way currently to
assign permissions causing the write iss you report. The kludgy
workaround is to manually add a memberof=<dn of permission you need> to
the sysaccount user.
If you want to use a real IPA user you can always set the shell to
/bin/false or something to disallow logging in.
It's more a preference thing than anything else, particularly for those
with a background in LDAP and being used to having bind-only users.
rob