PWM setup for FreeIPA (with LDAP and MySQL userdata store)

1. PWM-FreeIPA.txt

If you are trying to decide between this and the MySQL version, this is better.
I've tried to document what I learned setting up pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from https://github.com/pwm-project/pwm, an LDAP self-service java webapp on Oracle Linux 6.  RHEL or CentOS should work exactly the same.
My lastest attempt as of 2/22/17, worked on Oracle Linux 7 (should work exatly the same on CentOS 7 or RHEL 7) _updating to_ the file pwm-1.8.0-SNAPSHOT-2017-02-19T20:34:49Z-pwm-bundle.zip from https://github.com/pwm-project/pwm

For the impatient:
DONT RUN TOMCAT UNMODIFIED on your FreeIPA server.  FreeIPA uses its own Tomcat.
Install java 7, tomcat 7 from binaries at the Apache website (don't use distro's packages), and deploy the pwm.war file.
Adjust your firewall to open TCP 8080, if using default Tomcat settings.
The guided configuration wizard doesn't work because you have to adjust the unique ID attribute name, use manual configuration.
Choose OpenLDAP for the configuration type.
The user LDAP base is cn=users,cn=accounts,dc=<domain>,dc=<com>
Your built in Admin user should be uid=admin,cn=users,cn=accounts,dc=<domain>,dc=<com>
The group LDAP base is cn=groups,cn=accounts,dc=<domain>,dc=<com>
The built in admins group should be cn=admins,cn=groups,cn=accounts,dc=<domain>,dc=<com>
Anything that says cn referencing a user should be changed to uid
Password policy doesn't seem to pull from FreeIPA, but maybe that's me.
Security question reset doesn't seem to work.  Once they're set you have to manually delete, but maybe that's me, too.

For the non-impatient:

Prerequisites: 
A working FreeIPA implementation
Your LDAP DN info.  (e.g. if your domain were domain.com, your DN would be dc=domain,dc=com, use this to replace <dc=YOUR,dc=DN>)
Create FreeIPA users "pwmproxy" and "pwmtest". 
- pwmproxy DN would be uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>
- pwmtest DN would be uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN>
Latest tomcat 7 "Core" tar.gz package from https://tomcat.apache.org/download-70.cgi
(packaged versions of tomcat 7 from your distro's repos are not fully recommended)
File pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from http://www.pwm-project.org/artifacts/pwm/ .
Selinux may need to be disabled.

0. Log into the server you are going to use for PWM as root.
1. Disable SELinux (setenforce 0; sed -i 's/SELINUX=.*/SELINUX=disabled/g' /etc/sysconfig/selinux)
1a. Modify or disable your firewall.  (service iptables stop;service ip6tables stop; chkconfig iptables off OR systemctl stop firewalld; systemctl disable firewalld)
2. Unzip the Tomcat package into /opt (tar xf apache-tomcat-*.tar.gz -C /opt)
3. Step left intentionally blank.
4. Unzip the file pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip file you downloaded and find the pwm.war file. Copy it to /opt/apache-tomcat*/webapps directory. (cp pwm.war /opt/apache-tomcat*/webapps)
5. Create a PWM data directory (mkdir /pwm)
6. Copy the contents of the file in this gist called 99pwm.ldif to your configuration directory /etc/dirsrv/slapd-<YOUR-DOMAIN>/schema
7. Restart FreeIPA. (ipactl restart)
8. Copy the contents of the file in this gist called PWMacis.ldif, modify, and pull it into FreeIPA (ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif)
9. EITHER start, pause a couple minutes, and stop the tomcat server and edit the correct line in web.xml OR set a shell variable to tell the app where to save it's configuration data.  I've chosen to show the second.  (echo 'export PWM_APPLICATIONPATH="/pwm"' >> ~/.bashrc; . ~/.bashrc)
10. Start the tomcat server. It takes a minute to start so be patient. (cd /opt/apache-tomcat*; bin/startup.sh)
11. Open a browser and open http://localhost:8080/pwm or http://<tomcat server name or IP>:8080/pwm.  
12. Step left intentionally blank.
13 In your browser, choose "Manual Configuration".
14. Set a password as requested.
15. Don't log in, but click the blinking triangle, choose "Configuration Editor", enter the password you set at step 14, and start required configuration (use the search function to find these settings):
LDAP Vendor Default Settings = OpenLDAP

LDAP URLs = ldaps://<FreeIPA server name or IP>:636 OR ldap://<FreeIPA server name or IP>:389 
LDAP Certificates (just click Import from Server button)
LDAP Proxy User = uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>
LDAP Proxy Password = <The password you set>
LDAP Contextless Login Roots = cn=users,cn=accounts,<dc=YOUR,dc=DN>
LDAP Test User = uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN>
Username Search Filter = (&(objectClass=posixAccount)(uid=%USERNAME%))
Attribute to use for Username = uid
LDAP GUID Attribute = ipauniqueid
LDAP Naming Attribute = uid
User Object Class = posixAccount

Administrator Permission: <Click 'Add Group'>
      LDAP Profile = default
      LDAP Group DN = cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN>

Password Policy Source = Local
Password is Case Sensitive = True

(OPTIONALLY CHANGE)
Site URL = <the URL from step 11>
Enable Anonymous Statistics Publishing = False
Enable Version Checking = False


16. (optional) Finish configuring to taste.
17. Lock the configuration by logging in with your FreeIPA admin user, click the user name menu item and choose "Configuration Manager".  Click the "Restrict Configuration" button in red, and OK.

What I did not address:
1. Email setup
2. FreeIPA setup
3. Sane passwords
4. Starting Tomcat on boot

2. 99pwm.ldif

# save this file to /etc/dirsrv/slapd-<YOUR-DOMAIN>/schema then restart FreeIPA
# Putting this file into /etc/dirsrv/schema will have no effect.
# Extra blank lines in this file are bad.  You've been warned. 
# Gleaned from Google Doc https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gGZyAapc/edit#
# You must search and replace <dc=YOUR,dc=DN> with your values
# Fix line 15 with your server's name, replacing: <HOSTNAME>.<YOURDOMAIN>
dn: cn=schema                                                                                           
objectclass: top                                                                                        
objectclass: ldapSubentry                                                                               
objectclass: subschema                                                                                  
cn: schema                                                                                              
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)                                                           
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN>";)                                                    
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,cn=users,cn=accounts,<dc=YOUR,dc=DN>";)                                                             
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///fqdn=<HOSTNAME>.<YOURDOMAIN>,cn=computers,cn=accounts,<dc=YOUR,dc=DN>";)                                                            
attributetypes: ( 1.3.6.1.4.1.35015.1.2.1 NAME 'pwmEventLog'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )                                                                                    
attributetypes: ( 1.3.6.1.4.1.35015.1.2.2 NAME 'pwmResponseSet'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )                                                                                 
attributetypes: ( 1.3.6.1.4.1.35015.1.2.3 NAME 'pwmLastPwdUpdate'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE X-ORIGIN 'user defined' )                                                                  
attributetypes: ( 1.3.6.1.4.1.35015.1.2.4 NAME 'pwmGUID'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'user defined' )                                                                            
attributetypes: ( 1.3.6.1.4.1.35015.1.2.6 NAME 'pwmOtpSecret'  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 X-ORIGIN 'user defined' )
objectclasses: ( 1.3.6.1.4.1.35015.1.1.1 NAME 'pwmUser' DESC '' SUP top AUXILIARY MAY ( pwmEventLog $ pwmGUID $ pwmLastPwdUpdate $ pwmResponseSet $ pwmOtpSecret ) X-ORIGIN 'user defined' )

3. PWMacis.ldif

# You must search and replace <dc=YOUR,dc=DN> with your values 
# Incorportate this into your FreeIPA instance with the command on the line below:
# ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif 
# Extra blank lines in this file are bad.  You've been warned.
#
#
dn: cn=users,cn=accounts,<dc=YOUR,dc=DN>
changetype: modify
replace: aci
aci: (targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci: (targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci: (targetattr = "pwmGUID || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || krbPrincipalKey") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci: (targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmOtpSecret")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

4. PWM-FreeIPA-MySQL.txt

If you are trying to decide between this and the MySQL version, the other is better.

I've tried to document what I learned setting up Ppwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip from https://github.com/pwm-project/pwm, an LDAP self-service java webapp on Oracle Linux 6.  RHEL or CentOS should work exactly the same.

For the impatient:
DONT RUN TOMCAT UNMODIFIED on your FreeIPA server.  FreeIPA uses its own Tomcat.
Install java 7, tomcat 7 from binaries at the Apache website (don't use distro's packages), and deploy the pwm.war file.
Adjust your firewall to open TCP 8080, if using default Tomcat settings.
The guided configuration wizard doesn't work because you have to adjust the unique ID attribute name, use manual configuration.
Choose OpenLDAP for the configuration type.
The user LDAP base is cn=users,cn=accounts,dc=<domain>,dc=<com>
Your built in Admin user should be uid=admin,cn=users,cn=accounts,dc=<domain>,dc=<com>
The group LDAP base is cn=groups,cn=accounts,dc=<domain>,dc=<com>
The built in admins group should be cn=admins,cn=groups,cn=accounts,dc=<domain>,dc=<com>
Anything that says cn referencing a user should be changed to uid
Password policy doesn't seem to pull from FreeIPA, but maybe that's me.
I didn't figure out how to extend the FreeIPA schema, so I used MySQL to store PWM user data instead.


For the non-impatient:
(NOTE: I have supplied passwords not because they are any good, but to make things easier)

Prerequisites: (FYI: RPM-distro centric names)
A working FreeIPA implementation
Your LDAP DN info.  (e.g. if your domain were domain.com, your DN would be dc=domain,dc=com)
FreeIPA users "pwmproxy" and "pwmtest".  pwmproxy should be added to the admins built in group.
- pwmproxy DN would be uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>
- pwmtest DN would be uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN>
mysql-server OR mariadb-server
java-1.7.0-openjdk
mysql-connector-java
Latest tomcat 7 "Core" tar.gz package from https://tomcat.apache.org/download-70.cgi
(packaged versions of tomcat 7 from your distro's repos are not fully recommended)
Latest PWM version from http://www.pwm-project.org/artifacts/pwm/ and the version from April 28, 2016.

0. Log into the server you are going to use for PWM as root.
1. Install the packages above
1a. Disable your firewall.  (service iptables stop;service ip6tables stop; chkconfig iptables off OR systemctl stop firewalld; systemctl disable firewalld)
2. Unzip the Tomcat package into /opt (tar xf apache-tomcat-*.tar.gz -C /opt)
3. Copy the mysql-connector-java jar file to the Tomcat lib folder. (cp /usr/share/java/mysql-connector-java-*.jar /opt/apache-tomcat-*/lib)
4. Unzip the file pwm-1.8.0-SNAPSHOT-2016-10-26T09:44:11Z-pwm-bundle.zip you downloaded and find the pwm.war file. Copy it to /opt/apache-tomcat*/webapps directory. (cp pwm.war /opt/apache-tomcat*/webapps)
5. Create a PWM data directory (mkdir /pwm)
6. Start MySQL if you haven't already.  (service mysqld start; chkconfig mysqld on OR systemctl start mariadb; systemctl enable mariadb)
7. Create a MySQL database and a user.  (mysql -uroot -e 'create database PWM;'; mysql -uroot -e 'create user pwm;')
8. Grant user access to the user to the database.  (mysql -uroot -e "grant all on PWM.* to 'pwm'@'localhost' identified by 'Pass@word1';")
9. EITHER start, pause a couple minutes, and stop the tomcat server and edit the correct line in web.xml OR set a shell variable to tell the app where to save it's configuration data.  I've chosen to show the second.  (echo 'export PWM_APPLICATIONPATH="/pwm"' >> ~/.bashrc; . ~/.bashrc)
10. Start the tomcat server. It takes a minute to start so be patient. (cd /opt/apache-tomcat*; bin/startup.sh)
11. Open a browser and open http://localhost:8080/pwm or http://<tomcat server name or IP>:8080/pwm.  
12. Skip this step.
13 In your browser, choose "Manual Configuration".
14. Set a password as requested.
15. Don't log in, but click the blinking triangle, choose "Configuration Editor", enter the password you set at step 14, and start required configuration (use the search function to find these settings):
LDAP Vendor Default Settings = OpenLDAP
Storage Default Settings = Remote Database
LDAP URLs = ldaps://<FreeIPA server name or IP>:636 OR ldap://<FreeIPA server name or IP>:389
LDAP Certificates (just click Import from Server button)
LDAP Proxy User =
uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>
LDAP Proxy Password = Pass@word2
LDAP Contextless Login Roots = cn=users,cn=accounts,<dc=YOUR,dc=DN>
LDAP Test User = uid=pwmtest,cn=users,cn=accounts,<dc=YOUR,dc=DN>
Auto Add Object Classes = click red X to make blank
Username Search Filter = (uid=%USERNAME%)
Attribute to use for Username = uid
LDAP GUID Attribute = ipauniqueid
LDAP Naming Attribute = uid

Administrator Permission: LDAP Profile = default
Administrator Permission: LDAP Group DN = cn=admins,cn=groups,cn=accounts,<dc=YOUR,dc=DN>

Password Policy Source = Local
Password is Case Sensitive = True

Database Class = com.mysql.jdbc.Driver
Database Connection String = jdbc:mysql://localhost:3306/PWM
Database Username = pwm
Database Password = Pass@word1
Database Vendor =  Other
(OPTIONALLY CHANGE)
Site URL = <the URL from step 11>
Enable Anonymous Statistics Publishing = False
Enable Version Checking = False


16. (optional) Finish configuring to taste.
17. Lock the configuration by logging in with your FreeIPA admin user, click the user name menu item and choose "Configuration Manager".  Click the "Restrict Configuration" button in red, and OK.

What I did not address:
1. Email setup
2. FreeIPA setup
3. Sane passwords
4. Starting Tomcat on boot

This all seems to work, except using the PWMacis.ldif stops login on the FreeIPA host itself, but seems to allow other hosts to continue to authenticate. This change, as suggested by @mueslo, resolves the issue. Also, remove trailing whitespaces, and the spaces after colons...

# You must search and replace <dc=YOUR,dc=DN> with your values 
# Incorportate this into your FreeIPA instance with the command on the line below:
# ldapmodify -D "cn=Directory Manager" -W -f PWMacis.ldif 
# Extra blank lines in this file are bad.  You've been warned.
#
#
dn:cn=users,cn=accounts,<dc=YOUR,dc=DN>
changetype: modify
add:aci
aci:(targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Search"; allow (read,search)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr = "*") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Add Users"; allow (add)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr = "pwmGUID || pwmLastPwdUpdate || userPassword || objectClass || pwmEventLog || krbPrincipalKey") (target = "ldap:///cn=users,cn=accounts,<dc=YOUR,dc=DN>") (version 3.0; acl "PWM Proxy Reset Password"; allow (write)(userdn = "ldap:///uid=pwmproxy,cn=users,cn=accounts,<dc=YOUR,dc=DN>");)
aci:(targetattr ="userpassword || telephonenumber || facsimiletelephonenumber || pwmResponseSet || pwmOtpSecret")(version 3.0;acl "Allow self entry modification";allow (write)(userdn = "ldap:///self");)

I have configured pwm according to the above procedure. but it throws below error while performing health check.
2024-09-25T11:55:35Z, ERROR, node.NodeMachine, 5093 ERROR_NODE_SERVICE_ERROR (error writing node service heartbeat: 5079 ERROR_LDAP_DATA_ERROR (error writing node service data user 'uid=pwm-test,cn=users,cn=accounts,dc=example,dc=com (default)' attribute 'pwmData', error: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient 'write' privilege to the 'pwmdata' attribute of entry 'uid=pwm-test,cn=users,cn=accounts,dc=example,dc=com'.
]))
can you please tell, how can i resolve this? do i need to change in PWMacis file?