[Freeipa-users] How grant access to userPassword for System Accounts

Petr Spacek pspacek at redhat.com
Tue Oct 27 07:50:52 UTC 2015


Hi John,

let me add that the preferred way is to convince your 'solution' to do it in a
safe way. Also, FreeIPA does not store passwords in clear text, so the
userPassword attribute should show only hashes and not clear text. It depends
on the 'solution' whether it can deal with hashes or not.

Have a nice day.
Petr^2 Spacek

On 26.10.2015 18:05, German Parente wrote:
> 
> Hi John
> 
> you could add a particular ACI to allow any groupdn or userdn to read/search userPassword under the required tree. Something like:
> 
> aci: (targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>") (version 3.0;acl "Allow password read";allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)
> 
> Regards,
> 
> German.
> 
> 
> ----- Original Message -----
>> From: "John Duino" <jduino at oblong.com>
>> To: "freeipa-users" <freeipa-users at redhat.com>
>> Sent: Monday, October 26, 2015 5:41:47 PM
>> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
>>
>> I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA.
>> But it appears that it wants to read-in the userPassword rather than just
>> auth against the ldap.
>> I know Directory Manager is the only account that has the ability to read
>> userPassword, but is there a way to grant that to a System Account
>> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
>> path/process I'm overlooking short of using the Directory Manager account?
>>
>> Thanks!
>>
>> John
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
> 


-- 
Petr^2 Spacek
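
The ACI suggested above grants read/search/compare on userPassword to a group of system accounts. As an added example (not part of the thread, and not FreeIPA's own tooling), the following script parses 389-DS style ACI strings and flags the ones that expose userPassword to any bind identity, so an administrator can audit what such an ACI opens up; the sample ACIs and DNs are constructed placeholders.

```python
"""Audit 389-DS/FreeIPA ACI strings for rules that expose userPassword to readers."""
import re

READ_RIGHTS = {"read", "search", "compare", "all"}

# Constructed sample ACIs: the first follows the one suggested in the thread
# (placeholder DNs); the other two are typical rules that do NOT expose hashes.
SAMPLE_ACIS = [
    '(targetattr = "userPassword") (target = "ldap:///cn=users,cn=accounts,dc=example,dc=test") '
    '(version 3.0;acl "Allow password read";allow (read,compare,search)'
    '(groupdn = "ldap:///cn=voip-readers,cn=sysaccounts,cn=etc,dc=example,dc=test");)',
    '(targetattr != "userPassword || krbPrincipalKey")(version 3.0;acl "Anonymous read";'
    'allow (read,search,compare)(userdn = "ldap:///anyone");)',
    '(targetattr = "userPassword")(version 3.0;acl "Self password change";'
    'allow (write)(userdn = "ldap:///self");)',
]

def parse_aci(aci: str) -> dict:
    """Pull the clauses an audit cares about out of one ACI string."""
    attr = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\s*\)', aci)
    target = re.search(r'\(target\s*=\s*"([^"]*)"\s*\)', aci)
    name = re.search(r'acl\s*"([^"]*)"', aci)
    rule = re.search(r'\b(allow|deny)\s*\(([^)]*)\)\s*\((.*)\)\s*;\s*\)\s*$', aci, re.S)
    if not (attr and name and rule):
        raise ValueError("unrecognised ACI: " + aci)
    return {
        "name": name.group(1),
        "negated": attr.group(1) == "!=",          # targetattr != "..." lists exclusions
        "attrs": {a.strip().lower() for a in attr.group(2).split("||")},
        "target": target.group(1) if target else None,
        "effect": rule.group(1),
        "rights": {r.strip().lower() for r in rule.group(2).split(",")},
        "bind": rule.group(3).strip(),               # e.g. groupdn = "ldap:///..."
    }

def exposes_userpassword(parsed: dict) -> bool:
    """True when the ACI lets some bind identity read/search/compare userPassword."""
    if parsed["effect"] != "allow" or not (parsed["rights"] & READ_RIGHTS):
        return False
    if parsed["negated"]:
        # An exclusion list exposes userPassword only if it forgets to list it.
        return "userpassword" not in parsed["attrs"]
    return "userpassword" in parsed["attrs"] or "*" in parsed["attrs"]

def audit(acis):
    """Return (acl name, bind rule) for every ACI that exposes userPassword."""
    return [(p["name"], p["bind"]) for p in map(parse_aci, acis) if exposes_userpassword(p)]

if __name__ == "__main__":
    for name, bind in audit(SAMPLE_ACIS):
        print(f"userPassword readable via ACL '{name}' for {bind}")
```

In a real deployment, feed it the `aci` attribute values returned by an ldapsearch as Directory Manager over the suffix; the reported bind rule is the set of identities that can pull the hashes.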
