On Tue, 27 Oct 2015, John Duino wrote:
Hmmm seems I have been misinformed, then. And then why does it have a
field for 'mapping' the password? Well, I think that's off-topic for
the list. I'll dig more later today.
My understanding is that sipxecs has several modes for verifying
passwords when users come from LDAP:
- password is stored locally in sipxecs database and checked directly
- password is stored in LDAP and checked by LDAP bind
- password is complemented by PIN

The methods can be combined, but there is also LDAP migration which
means a local database is populated with data from LDAP, thus setting
initial values in the database based on LDAP values. I guess this is
where userPassword is coming into play and perhaps some option can be
used to say 'use default password if no password is available in LDAP'.

I haven't configured sipxecs myself but I saw that in documentation,
IIRC.


--
John Duino

----- Original Message -----
From: "Alexander Bokovoy" <aboko...@redhat.com>
To: "John Duino" <jdu...@oblong.com>
Cc: "freeipa-users" <freeipa-users@redhat.com>
Sent: Tuesday, October 27, 2015 1:42:29 AM
Subject: Re: [Freeipa-users] How grant access to userPassword for System Accounts

On Mon, 26 Oct 2015, John Duino wrote:
I am trying to hook our VoIP solution (sipxecs-based openUC) to our
FreeIPA. But it appears that it wants to read-in the userPassword
rather than just auth against the ldap. I know Directory Manager is
the only account that has the ability to read userPassword, but is
there a way to grant that to a System Account
(uid=voip,cn=sysaccounts,cn=etc,dc=oblong,dc=com)? Or perhaps some
other path/process I'm overlooking short of using the Directory Manager
account?
sipxecs internally uses LDAP bind authentication, it does not need
access to userPassword.

See, for example, the actual code that does it via Spring framework's
LDAP Bind Authentication provider:
https://github.com/SIPfoundry/sipxecs/blob/master/sipXconfig/neoconf/src/org/sipfoundry/sipxconfig/security/ConfigurableLdapAuthenticationProvider.java#L167

I wonder what is your configuration compared to what is listed in
https://sipfoundry.atlassian.net/wiki/display/sipXecs/LDAP+Integration
-- you can send me screenshots off-list.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy
