Versions Compared
Key
- This line was added.
- This line was removed.
- Formatting was changed.
For Indeed Certificate Manager Axidian CertiFlow system to operate properly, you must have certain access rights to access Active Directory objects and certification authorities are required. You . Depending on your company's security policy, you can distribute the privileges between several accounts, or create one service account with maximum rights for system management, depending on the requirements of the company security policy.
Create a user service account (say, servicecm) to use with Indeed Identity container. The said account is used to perform data saving operations in Active Directory. The following permissions must be set for the said account:
- Full Control for the container that stores the system data (default name is “Indeed Identity”) and all of its descendant objects. To do so:
1. Open the Security property of the Indeed Identity container.
2. Click Add and specify the service account (servicecm).
3. Click Advanced, select the service account and click Edit.
4. Select the scope of This object and all descendant objects.
5. Set the Full control permission in the Permissions list.
6. Click ОК and then Apply.
- Permission to Read all Properties:
e.g. cfServiceAD) and grant it the necessary permissions to work with an object (domain, container, organizational unit) that contains Axidian CertiFlow users. This account will be used to read and write user attributes.
Go through these steps:
- Open Security property of the object (domain, container or organizational unit) that contains
- Axidian CertiFlow users.
- Click Advanced→Add→Select a principal.
- In the Enter the object name to select text box, enter the name of the service account (
- cfServiceAD) and
- click
- OK.
- In the Applies to list box, select Descendant User objects
4. Set the
- .
- In the Permissions list, activate:
- List contents
Read all properties
Info By default, permission to read all user properties is granted to all accounts in the
7. Click ОК and then
domain.
- Write: userAccountControl
- Write: thumbnailPhoto or Write: jpegPhoto
- Write: pwdLastSet
- Reset password - required to be able to Reset user's password via the system interface.
- In the Properties list, set the following permissions:
- Write pwdLastSet - required to be able to reset user's password.
- Write thumbnailPhoto or Write jpegPhoto - required to be able to Upload a photo to a user in Active Directory via the system interface.
- Write userAccountControl - required to enable Enforce smart card logon option.
- Click ОК and
- Apply.
| Warning |
|---|
Set Assign the same set of privileges for to each object (domain, container or organizational unit) where Indeed CM users are located.that contains Axidian CertiFlow users. |
In case the domain security policies forbid reading The permission to read all user properties is set for all domain accounts by default. If security policies prohibit reading of all user properties, then set the rights for the you can specify that the service account has permissions to only read only required properties, according to the Table 3.When configuring the permissions to read user properties different from default ones, it is also necessary to permit the service account (servicecm) to read the values of object attributes (i.e. Domain, container the necessary user attributes (Table 3) and object attributes (domain, container, or organizational unit) that contains Indeed CM Axidian CertiFlow users. These attributes are: cn, objectGUID, name and showInAdvancedViewOnly.
Go through these steps:
- In the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains Axidian CertiFlow users.
- Set the following in This object and all descendant objects field:
- In Permissions check the List contents box.
- In Properties check the following boxes:
- Read сanonicalName
- Read Distinguished Name
- Read objectClass
- Read objectGuid
- Read showInAdvancedViewOnly
- Set the following in Descendant user objects: User objects field:
- In Permissions check the List contents box.
- In Properties select read/write the following sets of properties and attributes (Table 3):
- Read personal Information
- Read general Information
- Read account restrictions
- Read public Information
- Write pwdLastSet
- Write thumbnailPhoto or Write jpegPhoto
- Write userAccountControl
| Info |
|---|
LDAP Display Names are listed below. Granting access to the properties set significantly increases the system performance significantly and also simplifies the security management (see Property Sets). |
Table 3
–. Attributes used by
Indeed CMAxidian CertiFlow to work with
user directory.users catalog
| Table auto |
|---|
Attribute (LDAP Display |
|---|
Name) | Common Name | Commentary |
|---|---|---|
| c | Country/Region Abbreviation or Country/Region Name |
Part of "Personal information" properties set. | ||
| сanonicalName | Canonical Name | Part of "Public Information" properties set. |
| cn | Common Name |
Part of |
"Public Information" properties set. | |
| company | Company |
Part of |
"Public Information" properties set. | |
| department | Department |
Part of |
"Public Information" properties set. |
| distinguishedName |
| Distinguished Name | Part of |
| "Public Information" properties set. | |
| givenName | Given Name |
Part of |
"Public Information" properties set. | |
| l | Locality Name |
Part of |
"Personal Information" properties set. | |
| E-mail Addresses |
Part of |
"Public Information" properties set. | |
| manager | Manager |
Part of "Public Information" properties set. | ||
| objectClass | Object Class | Part of "Public Information" properties set. |
| objectGUID | ОbjectGUID | Part of "Public Information" properties set. |
| objectSid | Object Sid | Part of "General Information" properties set. |
| otherMailbox | Other Mailbox | Part of "Public Information" properties set. |
| proxyAddresses | Proxy Addresses | Part of |
| "Public Information" properties set. | ||
| pwdLastSet | Pwd Last Set | Part of "User Account Restrictions" properties set. |
| sAMAccountName | SAM Account Name |
Part of |
"General Information" properties set. | |
| sn | Surname |
Part of |
"Public Information" properties set. | |
| st | State or Province Name |
Part of |
"Personal Information" properties set. | |
| streetAddress | Address ( |
| or Street) |
Part of |
"Personal Information" properties set. | |
| telephoneNumber | Telephone Number |
Part of |
"Personal Information" properties set. | |
thumbnailPhoto or jpegPhoto | Picture |
Part of |
"Personal Information" properties set. | |
| userAccountControl | User Account Control |
Part of "User Account Restrictions" properties set. | |
| userPrincipalName | User Principal Name |
Part of |
"Public Information" properties set. |