Hi John, you could add a particular ACI to allow any groupdn or userdn to read/search userPassword under the required tree. Something like:

aci: (targetattr = "userPassword")(target = "ldap:///cn=users,cn=accounts,dc=<my>,dc=<domain>")(version 3.0; acl "Allow password read"; allow (read,compare,search)(groupdn = "ldap:///<system accounts group dn>");)

Regards,
German.

----- Original Message -----
> From: "John Duino" <[email protected]>
> To: "freeipa-users" <[email protected]>
> Sent: Monday, October 26, 2015 5:41:47 PM
> Subject: [Freeipa-users] How grant access to userPassword for System Accounts
>
> I am trying to hook our VoIP solution (sipxecs-based openUC) to our FreeIPA.
> But it appears that it wants to read-in the userPassword rather than just
> auth against the ldap.
> I know Directory Manager is the only account that has the ability to read
> userPassword, but is there a way to grant that to a System Account
> (uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some other
> path/process I'm overlooking short of using the Directory Manager account?
>
> Thanks!
>
> John
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
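As an added example (not code from the thread or from FreeIPA itself), the ACI above written out as the LDIF change that attaches it to the users container, plus a small audit that checks the ACI stays least-privilege: only userPassword, only read/compare/search, only a specific group. The DNs are constructed placeholders and the group is hypothetical.

```python
import re

# Constructed placeholders, not values from the thread; substitute your own DNs.
USERS_DN = "cn=users,cn=accounts,dc=example,dc=test"
GROUP_DN = "cn=password-readers,cn=groups,cn=accounts,dc=example,dc=test"  # hypothetical group

SAFE_RIGHTS = {"read", "compare", "search"}
WIDE_BIND = {"ldap:///anyone", "ldap:///all", "ldap:///self"}

def build_aci(users_dn: str, group_dn: str, name: str = "Allow password read") -> str:
    """Build a 389-ds ACI granting group members read/compare/search on userPassword only."""
    return (f'(targetattr = "userPassword")(target = "ldap:///{users_dn}")'
            f'(version 3.0; acl "{name}"; allow (read,compare,search) '
            f'groupdn = "ldap:///{group_dn}";)')

def build_ldif(users_dn: str, aci: str) -> str:
    """LDIF attaching the ACI to the users container (apply with: ldapmodify -x -D "cn=Directory Manager" -W -f aci.ldif).
    Note: what a member reads back is the stored hash (e.g. {SSHA}...), not a cleartext password."""
    return f"dn: {users_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"

_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)')
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*\(?\s*(\w+)\s*(!?=)\s*"([^"]*)"')

def audit_aci(aci: str) -> list[str]:
    """Least-privilege checks for a password-reading ACI; returns findings (empty list = ok)."""
    findings = []
    m = _TARGETATTR.search(aci)
    if not m:
        findings.append("no targetattr: ACI applies to every attribute")
    else:
        op, attrs = m.group(1), {a.strip().lower() for a in m.group(2).split("||")}
        if op == "!=":
            findings.append("targetattr uses '!=': grants everything except the listed attribute")
        elif attrs != {"userpassword"}:
            findings.append(f"targetattr wider than userPassword: {sorted(attrs)}")
    for kind, rights, key, op, subj in _RULE.findall(aci):
        if kind != "allow":
            continue  # deny rules only narrow access
        extra = {r.strip().lower() for r in rights.split(",")} - SAFE_RIGHTS
        if extra:
            findings.append(f"rights beyond read/compare/search: {sorted(extra)}")
        if key.lower() != "groupdn" or op == "!=" or subj.lower() in WIDE_BIND:
            findings.append(f"bind rule not a specific group: {key} {op} {subj}")
    return findings

if __name__ == "__main__":
    aci = build_aci(USERS_DN, GROUP_DN)
    print(build_ldif(USERS_DN, aci))
    print("findings:", audit_aci(aci))
```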
