[Freeipa-users] How grant access to userPassword for System Accounts

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 27 15:38:59 UTC 2015


On Tue, 27 Oct 2015, John Duino wrote:
>Hmmm seems I have been misinformed, then. And then why does it have a
>field for 'mapping' the password? Well, I think that's off-topic for
>the list. I'll dig more later today.
My understanding is that sipxecs has several modes for verifying
passwords when users come from LDAP:
 - password is stored locally in sipxecs database and checked directly
 - password is stored in LDAP and checked by LDAP bind
 - password is complemented by PIN

The methods can be combined, but there is also LDAP migration which
means a local database is populated with data from LDAP, thus setting
initial values in the database based on LDAP values. I guess this is
where userPassword is coming into play and perhaps some option can be
used to say 'use default password if no password is available in LDAP'.

I haven't configured sipxecs myself, but I saw that in the documentation,
IIRC.

>
>--
>John Duino
>
>----- Original Message -----
>From: "Alexander Bokovoy" <abokovoy at redhat.com>
>To: "John Duino" <jduino at oblong.com>
>Cc: "freeipa-users" <freeipa-users at redhat.com>
>Sent: Tuesday, October 27, 2015 1:42:29 AM
>Subject: Re: [Freeipa-users] How grant access to userPassword for System Accounts
>
>On Mon, 26 Oct 2015, John Duino wrote:
>>I am trying to hook our VoIP solution (sipxecs-based openUC) to our
>>FreeIPA. But it appears that it wants to read-in the userPassword
>>rather than just auth against the ldap.  I know Directory Manager is
>>the only account that has the ability to read userPassword, but is
>>there a way to grant that to a System Account
>>(uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some
>>other path/process I'm overlooking short of using the Directory Manager
>>account?
>sipxecs internally uses LDAP bind authentication, it does not need
>access to userPassword.
>
>See, for example, the actual code that does it via Spring framework's
>LDAP Bind Authentication provider:
>https://github.com/SIPfoundry/sipxecs/blob/master/sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/security/ConfigurableLdapAuthenticationProvider.java#L167
>
>I wonder what is your configuration compared to what is listed in
>https://sipfoundry.atlassian.net/wiki/display/sipXecs/LDAP+Integration
>-- you can send me screenshots off-list.
>-- 
>/ Alexander Bokovoy
>

-- 
/ Alexander Bokovoy



