Hmmm seems I have been misinformed, then. And then why does it have a field for 'mapping' the password? Well, I think that's off-topic for the list. I'll dig more later today.
--
John Duino

----- Original Message -----
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "John Duino" <jdu...@oblong.com>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Sent: Tuesday, October 27, 2015 1:42:29 AM
Subject: Re: [Freeipa-users] How grant access to userPassword for System Accounts

On Mon, 26 Oct 2015, John Duino wrote:
>I am trying to hook our VoIP solution (sipxecs-based openUC) to our
>FreeIPA. But it appears that it wants to read-in the userPassword
>rather than just auth against the ldap. I know Directory Manager is
>the only account that has the ability to read userPassword, but is
>there a way to grant that to a System Account
>(uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some
>other path/process I'm overlooking short of using the Directory Manager
>account?

sipxecs internally uses LDAP bind authentication, it does not need
access to userPassword. See, for example, the actual code that does it
via Spring framework's LDAP Bind Authentication provider:
https://github.com/SIPfoundry/sipxecs/blob/master/sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/security/ConfigurableLdapAuthenticationProvider.java#L167

I wonder what is your configuration compared to what is listed in
https://sipfoundry.atlassian.net/wiki/display/sipXecs/LDAP+Integration
-- you can send me screenshots off-list.

--
/ Alexander Bokovoy
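
The search-then-bind flow referred to in the reply above, as an added example using plain JNDI; it is not part of the original thread and is not sipxecs or Spring code. The server URL, the user container and the VOIP_BIND_PW environment variable are assumptions, the system account DN is the one quoted in the thread, and a reachable directory server is required to run it.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class BindAuthExample {
    // Assumed values: URL and USER_BASE are placeholders for a FreeIPA-style tree.
    static final String URL = "ldaps://ipa.example.com:636";
    static final String USER_BASE = "cn=users,cn=accounts,dc=oblong,dc=com";
    static final String SERVICE_DN = "uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com";

    // Open a connection and perform an LDAP simple bind as the given DN.
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    static boolean authenticate(String servicePw, String uid, String password) throws NamingException {
        // A simple bind with an empty password is an unauthenticated bind and may succeed.
        if (password == null || password.isEmpty()) return false;
        String userDn;
        DirContext svc = bind(SERVICE_DN, servicePw);   // service account only searches
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.ONELEVEL_SCOPE);
            sc.setReturningAttributes(new String[] {"uid"});   // userPassword is never requested
            // The {0} form lets JNDI escape filter metacharacters in uid.
            NamingEnumeration<SearchResult> r = svc.search(USER_BASE, "(uid={0})", new Object[] {uid}, sc);
            if (!r.hasMore()) return false;              // unknown user
            userDn = r.next().getNameInNamespace();
            if (r.hasMore()) return false;               // ambiguous match: refuse
        } finally { svc.close(); }
        try {
            bind(userDn, password).close();              // the server verifies the password
            return true;
        } catch (AuthenticationException e) { return false; }
    }

    public static void main(String[] args) throws NamingException {
        char[] pw = System.console().readPassword("Password for %s: ", args[0]);
        System.out.println(authenticate(System.getenv("VOIP_BIND_PW"), args[0], new String(pw)) ? "OK" : "DENIED");
    }
}
```

The system account needs only search access to locate the user entry; the password comparison happens on the directory server during the second bind.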