Creating a service account for working with a data storage

For Indeed Certificate Manager to operate fully, it needs certain access rights to Active Directory objects. Depending on your company's security policy, you can either distribute the privileges among several service accounts or create a single service account with the maximum set of rights for managing the system.

Create a service account (for example, servicecm) under which data is written to and read from the Active Directory storage.

Creating a data storage

The data storage of Indeed Certificate Manager can be created in Active Directory using the IndeedCM.Persistence.AD.Cfg.exe utility (see the Misc folder of the server installation package).

Warning

In general, you need Domain Admin rights to create a storage in the domain root folder using IndeedCM.Persistence.AD.Cfg.exe utility. Alternatively, the domain administrator can manually create an Organizational Unit with an arbitrary name and grant full access to the unit and its child objects to the selected user account. The latter, in turn, is used to run the IndeedCM.Persistence.AD.Cfg.exe utility.

To create a data storage, run IndeedCM.Persistence.AD.Cfg.exe with the /create <LDAP Path> <container name> <subcontainer name> parameter, where:

  • LDAP Path – the path to the container or domain unit where the storage is to be created
  • container name – the name of the container that stores all the system data
  • subcontainer name – the name of the subcontainer

Example:

IndeedCM.Persistence.AD.Cfg.exe /create LDAP://"OU=CMS Storage,DC=demo,DC=local" "Indeed Identity" "Indeed CM"

Figure 1 shows an example of a command that creates a data storage in the CMS Storage unit of the demo.local domain, with the container name Indeed Identity and the subcontainer name Indeed CM.

Figure 1 – Creating the Indeed CM data storage in Active Directory

Give the service account (servicecm) Full Control, applied to This object and all descendant objects, on the created Indeed Identity storage.

To do this:

  1. Open the Security property of the Indeed Identity container.
  2. Click Add and specify the service account (servicecm).
  3. Click Advanced, select the service account and click Edit.
  4. In Applies to, select This object and all descendant objects.
  5. Select Full control in the Permissions list.
  6. Click OK and then Apply.
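
The same grant can be scripted and then verified from PowerShell. This is an added example, not part of the original page or the vendor's tooling; it assumes the ActiveDirectory module is installed, that the storage container created by the example command above is a CN object directly under the CMS Storage unit, and that servicecm is in the current domain.

```powershell
# Added example: scripted equivalent of steps 1-6, followed by a check of the result.
Import-Module ActiveDirectory

# Assumption: DN of the container created by the /create example on this page.
$containerDn = 'CN=Indeed Identity,OU=CMS Storage,DC=demo,DC=local'
$adPath      = "AD:\$containerDn"

# Resolve the service account to its SID so the ACE does not depend on name lookup.
$account = Get-ADUser -Identity 'servicecm'

# GenericAll corresponds to "Full control" in the GUI;
# inheritance "All" corresponds to "This object and all descendant objects".
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $account.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)

$acl = Get-Acl -Path $adPath
$acl.AddAccessRule($rule)
Set-Acl -Path $adPath -AclObject $acl

# Verification: list the explicit (non-inherited) ACEs held by the service account
# on the container, with identities returned as SIDs for an exact comparison.
$sidType = [System.Security.Principal.SecurityIdentifier]
$granted = (Get-Acl -Path $adPath).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $account.SID }

$granted | Format-Table ActiveDirectoryRights, AccessControlType, InheritanceType -AutoSize

# Fail loudly if the expected ACE is missing, so the script can be used in a build-out check.
$ok = $granted | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritanceType   -eq 'All'   -and
    ($_.ActiveDirectoryRights -band
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
}
if (-not $ok) { throw "servicecm does not have Full Control on $containerDn" }
```

Running only the verification half against the parent unit or the domain root shows whether the account holds rights outside the storage container, which the procedure above does not require.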