Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
Creating a service account for working with the user catalog and system data storage
For Indeed Certificate Manager For Axidian CertiFlow system to operate properly, you must have certain access rights to access Active Directory objects and certification authorities are required. You . Depending on your company's security policy, you can distribute the privileges between several accounts, or create one service account with maximum rights for system management, depending on the requirements of the company security policy.
Create a service account (say, servicecm) to perform data saving and reading operations in the Active Directory storage.
Configuring the user catalog in Active Directory
Grant the created service account (servicecm) the e.g. cfServiceAD) and grant it the necessary permissions to work with the an object (domainsdomain, containerscontainer, organizational unit) where the Indeed Certificate Manager users will be locatedthat contains Axidian CertiFlow users. This account will be used to read and write user attributes.
To do this, do the followingGo through these steps:
- Open Security property property of the object (domain, container or organizational unit) that contains the Indeed CM system Axidian CertiFlow users.
- Click Advanced. Click →Add. Click →Select a principal.
- In the Enter the object name to select text text box, type service enter the name of the service account (servicecmcfServiceAD) . Click and click OK.
- In the Applies to list box, select Descendant User objects.
- In the Permissions list, activate:
- Reset password
- List contents
Read all properties permission.
Info By default, permission to read all user properties is granted to all accounts in the domain.
- Reset password - required to be able to Reset user's password via the system interface.
- In the Properties list, set the following permissions:
- Write pwdLastSet - Also required to be able to reset the user's password.
- Write thumbnailPhoto or Write jpegPhoto - Required required to be able to upload Upload a photo to a user in Active Directory via the system interface.
- Write userAccountControl - Required for the required to enable option Enforce smart card logon option.
- Click ОК and then and Apply.
| Warning |
|---|
Set Assign the same set of privileges for to each object (domain, container or organizational unit) where Indeed CM users are located. |
The permission to read all user properties is set for all domain accounts by default. If security policies prohibit reading of all user properties, then set the rights for the service account to read only required properties, according to the Table 3.
If all user properties are not allowed to be read in the domain by security policies, then set the rights for the service account access only to the required user attributes according to the Table 3 and attributes of the object (domain, container or organizational unit) in which the Indeed CM users.
that contains Axidian CertiFlow users. |
In case the domain security policies forbid reading all user properties, you can specify that the service account has permissions to only read the necessary user attributes (Table 3) and object attributes (domain, container, When configuring the permissions to read user properties different from default ones, it is also necessary to permit the service account (servicecm) to read the values of object attributes (i.e. Domain, container or organizational unit) that contains Indeed CM Axidian CertiFlow users. These attributes are: cn, objectGUID, name and showInAdvancedViewOnly.
Go through these steps:
- In On the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains the Indeed CM Axidian CertiFlow users.
- For Set the following in This object and all descendant objects .field:
- In the Permissions click check the List contents check box.
- In the Properties click check the check following boxes next to:
- Read сanonicalName
- Read Distinguished Name
- Read objectClass
- Read objectGuid
- Read showInAdvancedViewOnly
- For Set the following in Descendant user objects: User objects .field:
- In the Permissions check the List contents box.
- In the Properties select read/write the following sets of properties and attributes corresponding to (Table 3):
- Read personal Information
- Read general Information
- Read account restrictions
- Read public Information
- Write pwdLastSet
- Write thumbnailPhoto or Write jpegPhoto
- Write userAccountControlWrite userCertificate
| Info |
|---|
LDAP Display Names are listed below. Granting access to the properties set significantly increases the system performance significantly and also simplifies the security management (see Property Sets). |
Table 3
–. Attributes used by
Indeed CMAxidian CertiFlow to work with
user directory.users catalog
| Table auto |
|---|
Attribute (LDAP Display Name) | Common Name | Commentary |
|---|---|---|
| c | Country/Region Abbreviation or Country/Region Name |
Part of "Personal information" properties set. | |
| сanonicalName | Canonical Name |
| Part of |
| "Public Information" properties set. | |
| cn | Common Name |
Part of |
"Public Information" properties set. | |
| company | Company |
Part of |
"Public Information" properties set. | |
| department | Department |
Part of |
"Public Information" properties set. | |
| distinguishedName | Distinguished Name |
| Part of |
| "Public Information" properties set. | |
| givenName | Given Name |
Part of |
"Public Information" properties set. | |
| l | Locality Name |
Part of |
"Personal Information" properties set. | |
| E-mail Addresses |
Part of |
"Public Information" properties set. | |
| manager | Manager |
Part of |
"Public Information" properties set. | |
| objectClass | Object Class |
| Part of |
| "Public Information" properties set. | |
| objectGUID | ОbjectGUID |
Part of |
"Public Information" properties set. | |
| objectSid | Object Sid |
| Part of |
| "General Information" properties set. | |
| otherMailbox | Other Mailbox |
| Part of |
| "Public Information" properties set. | |
| proxyAddresses | Proxy Addresses |
| Part of |
| "Public Information" properties set. | |
| pwdLastSet | Pwd Last Set |
| Part of "User Account Restrictions" properties set. | |
| sAMAccountName | SAM Account Name |
Part of |
"General Information" properties set. | |
| sn | Surname |
Part of |
"Public Information" properties set. | |
| st | State or Province Name |
Part of |
"Personal Information" properties set. | |
| streetAddress | Address ( |
| or Street) |
Part of |
"Personal Information" properties set. | |
| telephoneNumber | Telephone Number |
Part of |
"Personal Information" properties set. | |
thumbnailPhoto or jpegPhoto | Picture |
Part of |
"Personal Information" properties set. | |
| userAccountControl | User Account Control |
Part of "User Account Restrictions" properties set. | |
| userPrincipalName | User Principal Name |
Part of |
"Public Information" properties set. |