Hi John,

let me add that the preferred way is to convince your 'solution' to do it in a
safe way. Also, FreeIPA does not store passwords in clear text, so the
userPassword attribute should show only hashes and not clear text. It depends
on the 'solution' whether it can deal with hashes or not.

Have a nice day.
Petr^2 Spacek

On 26.10.2015 18:05, German Parente wrote:
> 
> Hi John
> 
> You could add a particular ACI to allow any groupdn or userdn to read/search
> userPassword under the required tree. Something like:
> 
> aci: (targetattr = "userPassword")(target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>")
>      (version 3.0; acl "Allow password read"; allow (read,compare,search)
>      (groupdn = "ldap:///<system accounts group dn>");)
> 
> Regards,
> 
> German.
> 
> 
> ----- Original Message -----
>> From: "John Duino" <jdu...@oblong.com>
>> To: "freeipa-users" <freeipa-users@redhat.com>
>> Sent: Monday, October 26, 2015 5:41:47 PM
>> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
>>
>> I am trying to hook our VoIP solution (sipxecs-based openUC) up to our FreeIPA.
>> But it appears that it wants to read in the userPassword rather than just
>> authenticate against the LDAP.
>> I know Directory Manager is the only account that has the ability to read
>> userPassword, but is there a way to grant that to a System Account
>> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
>> path/process I'm overlooking, short of using the Directory Manager account?
>>
>> Thanks!
>>
>> John
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
> 


-- 
Petr^2 Spacek

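A worked version of German's ACI together with Petr's point about hashes, as an added example that is not part of the original thread or of FreeIPA itself. It builds the ACI for a single system account (a userdn rule rather than the groupdn rule in German's template, since John named one account), checks that the ACI grants nothing beyond read/compare/search on userPassword to a named subject, writes the LDIF that adds it to the users container, and shows how to tell a hashed userPassword value from a clear-text one, which is what the VoIP side has to cope with. The suffix dc=example,dc=com, the DNs and the sample hash value are placeholders I made up (assumption); substitute your own.

```python
"""Build and sanity-check a 389-ds/FreeIPA ACI that grants one system
account read access to userPassword, and show what that account will
actually get back (hashes, not clear text).

Added example for this thread; not FreeIPA project code.  The DNs below
are placeholders (assumption): substitute your own suffix and accounts.
"""
import re

# Constructed placeholders: adjust to the real deployment.
SUFFIX = "dc=example,dc=com"
SYSACCOUNT_DN = f"uid=voip,cn=sysaccounts,cn=etc,{SUFFIX}"
USERS_CONTAINER = f"cn=users,cn=accounts,{SUFFIX}"

SAFE_RIGHTS = {"read", "compare", "search"}              # never write/all
OPEN_BIND_SUBJECTS = {"ldap:///anyone", "ldap:///all"}   # anonymous / any bound user


def build_password_read_aci(target_container, bind_dn, bind_kind="userdn",
                            name="Allow password read"):
    """Return an ACI value scoped to one attribute, one subtree, one subject."""
    if bind_kind not in ("userdn", "groupdn"):
        raise ValueError("bind_kind must be 'userdn' or 'groupdn'")
    return (
        '(targetattr = "userPassword")'
        f'(target = "ldap:///{target_container}")'
        f'(version 3.0; acl "{name}"; allow (read,compare,search)'
        f'({bind_kind} = "ldap:///{bind_dn}");)'
    )


def build_ldif(container, aci):
    """LDIF that adds the ACI to the container entry (feed it to ldapmodify)."""
    return f"dn: {container}\nchangetype: modify\nadd: aci\naci: {aci}\n"


def check_aci(aci):
    """Return a list of least-privilege problems; an empty list means OK."""
    problems = []
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    if m is None:
        problems.append("no targetattr clause: every attribute is in scope")
    else:
        op = m.group(1)
        attrs = {a.strip().lower() for a in m.group(2).split("||")}
        if op == "!=" or attrs != {"userpassword"}:
            problems.append(f"targetattr {op} {sorted(attrs)}: expected exactly userPassword")
    # Every allow clause may grant only read/compare/search.
    for rights in re.findall(r'\ballow\s*\(([^)]*)\)', aci):
        extra = {r.strip().lower() for r in rights.split(",")} - SAFE_RIGHTS
        if extra:
            problems.append(f"allow grants more than read/compare/search: {sorted(extra)}")
    # The bind rule must name a specific user or group, not everyone.
    subjects = re.findall(r'\b(?:userdn|groupdn)\s*=\s*"([^"]*)"', aci)
    if not subjects:
        problems.append("no userdn/groupdn bind rule")
    for s in subjects:
        if s.lower() in OPEN_BIND_SUBJECTS:
            problems.append(f"bind rule {s} applies to everyone")
    return problems


def password_scheme(stored_value):
    """Scheme tag of a stored userPassword value (e.g. 'PBKDF2_SHA256'), or
    None when the value has no {SCHEME} prefix, i.e. it is clear text."""
    m = re.match(r"^\{([A-Za-z0-9_-]+)\}", stored_value)
    return m.group(1).upper() if m else None


if __name__ == "__main__":
    aci = build_password_read_aci(USERS_CONTAINER, SYSACCOUNT_DN)
    assert check_aci(aci) == [], check_aci(aci)
    print(build_ldif(USERS_CONTAINER, aci), end="")
```

Redirect the script's output to a file and apply it as Directory Manager, for example `ldapmodify -x -H ldaps://ipa.example.com -D 'cn=Directory Manager' -W -f aci.ldif` (host name assumed). Then bind as the system account and ask for the attribute, `ldapsearch -x -H ldaps://ipa.example.com -D 'uid=voip,cn=sysaccounts,cn=etc,dc=example,dc=com' -W -b 'cn=users,cn=accounts,dc=example,dc=com' userPassword`: the values that come back start with a {SCHEME} tag, which is exactly what Petr means by "only hashes", and the VoIP side has to be able to consume that form or the ACI buys it nothing.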