Hi John

You could add a particular ACI to allow any groupdn or userdn to read/search 
userPassword under the required tree. Something like:

aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)

Regards,

German.


----- Original Message -----
> From: "John Duino" <jdu...@oblong.com>
> To: "freeipa-users" <freeipa-users@redhat.com>
> Sent: Monday, October 26, 2015 5:41:47 PM
> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
> 
> I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA.
> But it appears that it wants to read-in the userPassword rather than just
> auth against the ldap.
> I know Directory Manager is the only account that has the ability to read
> userPassword, but is there a way to grant that to a System Account
> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
> path/process I'm overlooking short of using the Directory Manager account?
> 
> Thanks!
> 
> John
> 
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
> 
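
One way to audit which ACIs expose userPassword after a change like the one suggested in this thread, as an added example that is not part of the original messages. It parses only the ACI keywords used here; the function names, the sample LDIF (dc=example,dc=test, the voip-readers group) are constructed, and ACIs without a targetattr clause are assumed not to target attributes.

```python
import re

# Constructed sample LDIF (not from a real server). Continuation lines start
# with one space, as LDIF line folding requires.
SAMPLE_LDIF = """\
dn: cn=users,cn=accounts,dc=example,dc=test
aci: (targetattr = "userPassword")(version 3.0; acl "Allow password read";
  allow (read,compare,search)(groupdn = "ldap:///cn=voip-readers,cn=groups,
 cn=accounts,dc=example,dc=test");)
aci: (targetattr = "cn || mail")(version 3.0; acl "Read names"; allow (read,
 search) userdn = "ldap:///anyone";)
aci: (targetattr != "mail")(version 3.0; acl "Read all but mail"; allow (read)
  userdn = "ldap:///all";)
"""

READ_RIGHTS = {"read", "search", "compare", "all"}

def covers_password(aci):
    """True if the ACI's targetattr clause includes userPassword."""
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"', aci, re.I)
    if not m:
        return False  # assumption: no targetattr means no attribute is targeted
    names = {n.strip().lower() for n in m.group(2).split("||")}
    listed = "*" in names or "userpassword" in names
    # With "!=" the list is an exclusion list: everything not named is covered.
    return listed if m.group(1) == "=" else not listed

def password_read_grants(ldif_text):
    """Return (entry dn, acl name, read-type rights, bind subjects) per hit."""
    findings, dn = [], None
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    for line in unfolded.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("aci:") and covers_password(line):
            allow = re.search(r'\ballow\s*\(([^)]*)\)', line, re.I)
            rights = {r.strip().lower() for r in allow.group(1).split(",")} if allow else set()
            if rights & READ_RIGHTS:
                name = re.search(r'\bacl\s+"([^"]*)"', line, re.I)
                who = re.findall(r'\b(userdn|groupdn|roledn)\s*!?=\s*"([^"]*)"', line, re.I)
                findings.append((dn, name.group(1) if name else "",
                                 sorted(rights & READ_RIGHTS), who))
    return findings

if __name__ == "__main__":
    for dn, name, rights, who in password_read_grants(SAMPLE_LDIF):
        print(f"{dn}: '{name}' grants {rights} on userPassword to {who}")
```

Run it over the LDIF returned by a search that requests the aci attribute; the third sample ACI shows how an exclusion list (targetattr !=) exposes userPassword without naming it.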
