This setting controls this behavior:
LDAP ⇨ LDAP Settings ⇨ Microsoft Active Directory ⇨ Use Proxy When Password Forgotten
1) This violates the security model of LDAP, and you're asking a lot more trust out of PWM itself.
2) This is somewhat normalized in AD as it doesn't really seem to care about the LDAP security model, among other LDAP concepts.
3) If you do this you should at least make sure PWM's audit messages are going somewhere useful and being preserved.
Is there a way to route all attribute updates through pwm-proxy rather than using an individual user's account?
For example, in a profile update flow we can see in the ldap logs that after a pwm-proxy bind there's a rebind for the individual user under which a search and then a modify is done.
Thanks,
Peter