- Created by Mikhail Yakovlev, last modified on Feb 03, 2021
Creating a service account for working with the user catalog and system data storage
For the Indeed Certificate Manager system to operate properly, certain rights to access Active Directory objects and certification authorities are required. Depending on the requirements of your company security policy, you can distribute these privileges between several accounts or create one account with maximum rights for system management.
Create a service account (say, servicecm) that will perform data saving and reading operations in the Active Directory storage.
Configuring the user catalog in Active Directory
Grant the created service account (servicecm) the necessary permissions to work with the objects (domains, containers, organizational units) where the Indeed Certificate Manager users will be located. This account will be used to read and write user attributes.
To do this:
- Open the Security properties of the object (domain, container or organizational unit) that contains the Indeed CM system users.
- Click Advanced. Click Add. Click Select a principal.
- In the Enter the object name to select text box, type the service account name (servicecm). Click OK.
- In the Applies to list box, select Descendant User objects.
- In the Permissions list, activate:
  - List contents
  - Read all properties
By default, permission to read all user properties is granted to all accounts in the domain.
  - Reset password - Required to reset a user's password via the system interface.
- In the Properties list, set the following permissions:
  - Write pwdLastSet - Also required to reset a user's password.
  - Write thumbnailPhoto or Write jpegPhoto - Required to upload a photo to a user in Active Directory via the system interface.
  - Write userAccountControl - Required to enable the Enforce smart card logon option.
- Click OK and then Apply.
Set the same set of privileges for each object (domain, container or organizational unit) where Indeed CM users are located.
If reading all user properties is forbidden by the domain security policies, grant the service account access only to the required user attributes listed in Table 3 and to the attributes of the object (domain, container or organizational unit) in which the Indeed CM users are located.
- In the ADSI Edit snap-in, open the Security properties of the object (domain, container or organizational unit) that contains the Indeed CM users.
- For This object and all descendant objects:
  - In the Permissions list, select the List contents check box.
  - In the Properties list, select the check boxes next to:
    - Read canonicalName
    - Read distinguishedName
    - Read objectClass
    - Read objectGUID
    - Read showInAdvancedViewOnly
- For Descendant User objects:
  - In the Permissions list, select the List contents check box.
  - In the Properties list, select read/write access to the following property sets and attributes corresponding to Table 3:
    - Read Personal Information
    - Read General Information
    - Read Account Restrictions
    - Read Public Information
    - Write pwdLastSet
    - Write thumbnailPhoto or Write jpegPhoto
    - Write userAccountControl
Attribute names are given as LDAP Display Names.
Granting access to property sets rather than to individual attributes increases system performance significantly and also simplifies security management (see Property Sets).
Table 3 – Attributes used by Indeed CM to work with the user directory.
Attribute (LDAP Display Name) | Common Name | Commentary |
---|---|---|
c | Country/Region Abbreviation or Country/Region Name | Is a part of the "Personal Information" property set. |
canonicalName | Canonical Name | Is a part of the "Public Information" property set. |
cn | Common Name | Is a part of the "Public Information" property set. |
company | Company | Is a part of the "Public Information" property set. |
department | Department | Is a part of the "Public Information" property set. |
distinguishedName | Distinguished Name | Is a part of the "Public Information" property set. |
givenName | Given Name | Is a part of the "Public Information" property set. |
l | Locality Name | Is a part of the "Personal Information" property set. |
 | E-mail Addresses | Is a part of the "Public Information" property set. |
manager | Manager | Is a part of the "Public Information" property set. |
objectClass | Object Class | Is a part of the "Public Information" property set. |
objectGUID | Object GUID | Is a part of the "Public Information" property set. |
objectSid | Object Sid | Is a part of the "General Information" property set. |
otherMailbox | Other Mailbox | Is a part of the "Public Information" property set. |
proxyAddresses | Proxy Addresses | Is a part of the "Public Information" property set. |
pwdLastSet | Pwd Last Set | Is a part of the "User Account Restrictions" property set. |
sAMAccountName | SAM Account Name | Is a part of the "General Information" property set. |
sn | Surname | Is a part of the "Public Information" property set. |
st | State or Province Name | Is a part of the "Personal Information" property set. |
streetAddress | Address (or Street) | Is a part of the "Personal Information" property set. |
telephoneNumber | Telephone Number | Is a part of the "Personal Information" property set. |
thumbnailPhoto or jpegPhoto | Picture | Is a part of the "Personal Information" property set. |
userAccountControl | User Account Control | Is a part of the "User Account Restrictions" property set. |
userPrincipalName | User Principal Name | Is a part of the "Public Information" property set. |
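As an added example that is not part of the Indeed CM documentation, the following PowerShell script applies both procedures above to a single organizational unit with the ActiveDirectory module: List contents and the five read-only attributes on the object and all descendants, then, on descendant user objects only, either Read all properties (first procedure) or the four property sets from Table 3 (second procedure), the Write rights on pwdLastSet, thumbnailPhoto and userAccountControl, and the Reset Password control access right. It finishes by reading the ACL back so you can confirm that the service account holds nothing broader than these entries. The domain, OU path and account name are placeholders, and the Get-SchemaGuid, Get-RightsGuid and New-UserScopedAce helpers are this example's own; attribute and right GUIDs are resolved from the schema and Extended-Rights containers at run time rather than hardcoded.

```powershell
# Added example, not part of the Indeed CM documentation. Grants the service
# account the rights from the two procedures above on a single OU.
# Placeholders: $ServiceAccount, $TargetOU. Run as an account allowed to
# modify the OU's security descriptor (for example, a domain administrator).
Import-Module ActiveDirectory

$ServiceAccount    = 'EXAMPLE\servicecm'                 # placeholder domain\account
$TargetOU          = 'OU=CM Users,DC=example,DC=local'   # placeholder OU holding Indeed CM users
$ReadAllProperties = $false   # $true = first procedure (Read all properties); $false = property sets only

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# schemaIDGUID of an attribute or class, looked up by LDAP display name (example helper).
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

# rightsGuid of a control access right or property set, looked up by display name (example helper).
function Get-RightsGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase $rightsNC -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

$sid       = (Get-ADUser -Identity ($ServiceAccount.Split('\')[-1])).SID
$userClass = Get-SchemaGuid 'user'
$acl       = Get-Acl -Path "AD:\$TargetOU"

# ACE that applies to "Descendant User objects" only (example helper).
function New-UserScopedAce([System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, 'Allow', $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClass)
}

# "This object and all descendant objects": List contents plus the five read-only attributes.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ListChildren', 'Allow', [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
foreach ($attr in 'canonicalName', 'distinguishedName', 'objectClass', 'objectGUID', 'showInAdvancedViewOnly') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ReadProperty', 'Allow', (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
}

# "Descendant User objects": read rights, either all properties or the four property sets from Table 3.
if ($ReadAllProperties) {
    $acl.AddAccessRule((New-UserScopedAce 'ReadProperty' ([guid]::Empty)))   # empty GUID = all properties
} else {
    foreach ($set in 'Personal Information', 'General Information', 'Account Restrictions', 'Public Information') {
        $acl.AddAccessRule((New-UserScopedAce 'ReadProperty' (Get-RightsGuid $set)))
    }
}

# Write rights the system interface needs (use 'jpegPhoto' instead of 'thumbnailPhoto' if that is your photo attribute).
foreach ($attr in 'pwdLastSet', 'thumbnailPhoto', 'userAccountControl') {
    $acl.AddAccessRule((New-UserScopedAce 'WriteProperty' (Get-SchemaGuid $attr)))
}

# Reset Password control access right, required together with Write pwdLastSet.
$acl.AddAccessRule((New-UserScopedAce 'ExtendedRight' (Get-RightsGuid 'Reset Password')))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Read the ACL back and show only what the service account holds on this OU,
# so you can confirm nothing broader than the entries above was granted.
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

Run the script once per object (domain, container or organizational unit) that holds Indeed CM users, as the procedure above requires. The final listing is the check worth keeping: every entry should show InheritanceType Descendents with the user class as InheritedObjectType, except the List contents and five read-only attribute entries that apply to all descendants; an entry with an empty ObjectType and GenericAll or WriteDacl rights would mean the account was given far more than the system needs.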