[Freeipa-users] How grant access to userPassword for System Accounts
German Parente
gparente at redhat.com
Mon Oct 26 17:05:21 UTC 2015
Hi John
you could add a particular ACI to allow any groupdn or userdn to read/search userPassword under the required tree. Something like:
aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)
Regards,
German.
----- Original Message -----
> From: "John Duino" <jduino at oblong.com>
> To: "freeipa-users" <freeipa-users at redhat.com>
> Sent: Monday, October 26, 2015 5:41:47 PM
> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
>
> I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA.
> But it appears that it wants to read-in the userPassword rather than just
> auth against the ldap.
> I know Directory Manager is the only account that has the ability to read
> userPassword, but is there a way to grant that to a System Account
> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
> path/process I'm overlooking short of using the Directory Manager account?
>
> Thanks!
>
> John
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
More information about the Freeipa-users
mailing list