you could add a particular ACI to allow any groupdn or userdn to read/search
userPassword under the required tree. Something like:
aci: (targetattr = "userPassword") (target =
"ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow
password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts
----- Original Message -----
> From: "John Duino" <jdu...@oblong.com>
> To: "freeipa-users" <email@example.com>
> Sent: Monday, October 26, 2015 5:41:47 PM
> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
> I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA.
> But it appears that it wants to read in the userPassword rather than just
> auth against the ldap.
> I know Directory Manager is the only account that has the ability to read
> userPassword, but is there a way to grant that to a System Account
> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
> path/process I'm overlooking short of using the Directory Manager account?
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
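The reply above sketches the ACI but the text is cut off before the bind DN. Below is an added, complete version of that change as a small POSIX shell script; it is not code from the thread or from FreeIPA itself. It assumes the suffix dc=example,dc=com, the system account uid=voip,cn=sysaccounts,cn=etc,dc=example,dc=com and the variable IPA_SERVER for the 389 Directory Server host; swap in your own values. It uses userdn (a single bind DN) rather than the groupdn form the reply started with, because the question is about one system account.

```shell
#!/bin/sh
# Added example, not from the original thread or from the FreeIPA project.
# Builds and (optionally) applies an ACI that lets one FreeIPA system account
# read, search and compare userPassword under the users subtree, then checks
# the result by binding as that account. Assumed values: BASE_DN, SYSACCT_DN,
# IPA_SERVER. Override them in the environment.

BASE_DN="${BASE_DN:-dc=example,dc=com}"
SYSACCT_DN="${SYSACCT_DN:-uid=voip,cn=sysaccounts,cn=etc,$BASE_DN}"
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"

# make_aci prints the ACI value. Scope is narrowed three ways: target (only
# the users subtree), targetattr (only userPassword) and userdn (only the one
# bind DN). The rights are read/compare/search; no write.
make_aci() {
    printf '%s' "(targetattr = \"userPassword\")(target = \"ldap:///cn=users,cn=accounts,$BASE_DN\")(version 3.0; acl \"Allow password read for $SYSACCT_DN\"; allow (read,compare,search) userdn = \"ldap:///$SYSACCT_DN\";)"
}

# make_ldif prints an ldapmodify input that adds the ACI to the suffix entry,
# which is where FreeIPA keeps its own aci values.
make_ldif() {
    printf 'dn: %s\nchangetype: modify\nadd: aci\naci: %s\n' "$BASE_DN" "$(make_aci)"
}

# apply_aci writes the change as Directory Manager over STARTTLS (-ZZ fails
# rather than falling back to cleartext). Only Directory Manager is expected
# to be able to add an ACI at the suffix, so this is the one step that still
# needs that account.
apply_aci() {
    make_ldif | ldapmodify -ZZ -H "ldap://$IPA_SERVER" -D "cn=Directory Manager" -W
}

# verify_as_sysaccount binds as the system account (not as Directory Manager)
# and asks for one user's userPassword. Before the ACI is in place the
# attribute is simply absent from the result; afterwards the stored hash is
# returned. Usage: verify_as_sysaccount <uid>
verify_as_sysaccount() {
    ldapsearch -ZZ -H "ldap://$IPA_SERVER" -D "$SYSACCT_DN" -W \
        -b "cn=users,cn=accounts,$BASE_DN" "(uid=$1)" userPassword
}

# Stand-alone run only prints the LDIF; nothing is sent to a server.
make_ldif
```

Run `apply_aci` and then `verify_as_sysaccount someuser` rather than trusting the modify alone: 389 Directory Server evaluates deny ACIs ahead of allow ACIs, so if an existing ACI in scope denies userPassword to this bind DN the add changes nothing, and the search as the system account is what shows the real effect. Once this is in place the VoIP account's credential is worth as much as the password hashes it can now read, so it belongs in the same protection class as Directory Manager's, and the service must bind over TLS only.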