For Axidian CertiFlow system to operate properly, you must have certain access rights to Active Directory objects and certification authorities. Depending on your company's security policy, you can distribute privileges between several accounts, or create one service account with maximum rights for system management.
Create a service account (e.g. cfServiceAD) and grant it the necessary permissions to work with an object (domain, container, organizational unit) that contains Axidian CertiFlow users. This account will be used to read and write user attributes.
Go through these steps:
- Open Security property of the object (domain, container or organizational unit) that contains Axidian CertiFlow users.
- Click Advanced→Add→Select a principal.
- In the Enter the object name to select text box, enter the name of the service account (cfServiceAD) and click OK.
- In the Applies to list box, select Descendant User objects.
- In the Permissions list, activate:
- List contents
Read all properties
By default, permission to read all user properties is granted to all accounts in the domain.
- Reset password - required to be able to Reset user's password via the system interface.
- In the Properties list, set the following permissions:
- Write pwdLastSet - required to be able to reset user's password.
- Write thumbnailPhoto or Write jpegPhoto - required to be able to Upload a photo to a user in Active Directory via the system interface.
- Write userAccountControl - required to enable Enforce smart card logon option.
- Click ОК and Apply.
Assign the same set of privileges to each object (domain, container or organizational unit) that contains Axidian CertiFlow users. |
In case the domain security policies forbid reading all user properties, you can specify that the service account has permissions to only read the necessary user attributes (Table 3) and object attributes (domain, container, or organizational unit) that contains Axidian CertiFlow users.
Go through these steps:
- In the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains Axidian CertiFlow users.
- Set the following in This object and all descendant objects field:
- In Permissions check the List contents box.
- In Properties check the following boxes:
- Read сanonicalName
- Read Distinguished Name
- Read objectClass
- Read objectGuid
- Read showInAdvancedViewOnly
- Set the following in Descendant user objects: User objects field:
- In Permissions check the List contents box.
- In Properties select read/write the following sets of properties and attributes (Table 3):
- Read personal Information
- Read general Information
- Read account restrictions
- Read public Information
- Write pwdLastSet
- Write thumbnailPhoto or Write jpegPhoto
- Write userAccountControl
LDAP Display Names are listed below. Granting access to the properties set significantly increases the system performance and simplifies the security management (see Property Sets). |
Table 3. Attributes used by Axidian CertiFlow to work with users catalog
Attribute (LDAP Display Name) | Common Name | Commentary |
|---|---|---|
| c | Country/Region Abbreviation or Country/Region Name | Part of "Personal information" properties set. |
| сanonicalName | Canonical Name | Part of "Public Information" properties set. |
| cn | Common Name | Part of "Public Information" properties set. |
| company | Company | Part of "Public Information" properties set. |
| department | Department | Part of "Public Information" properties set. |
| distinguishedName | Distinguished Name | Part of "Public Information" properties set. |
| givenName | Given Name | Part of "Public Information" properties set. |
| l | Locality Name | Part of "Personal Information" properties set. |
| E-mail Addresses | Part of "Public Information" properties set. | |
| manager | Manager | Part of "Public Information" properties set. |
| objectClass | Object Class | Part of "Public Information" properties set. |
| objectGUID | ОbjectGUID | Part of "Public Information" properties set. |
| objectSid | Object Sid | Part of "General Information" properties set. |
| otherMailbox | Other Mailbox | Part of "Public Information" properties set. |
| proxyAddresses | Proxy Addresses | Part of "Public Information" properties set. |
| pwdLastSet | Pwd Last Set | Part of "User Account Restrictions" properties set. |
| sAMAccountName | SAM Account Name | Part of "General Information" properties set. |
| sn | Surname | Part of "Public Information" properties set. |
| st | State or Province Name | Part of "Personal Information" properties set. |
| streetAddress | Address (or Street) | Part of "Personal Information" properties set. |
| telephoneNumber | Telephone Number | Part of "Personal Information" properties set. |
thumbnailPhoto or jpegPhoto | Picture | Part of "Personal Information" properties set. |
| userAccountControl | User Account Control | Part of "User Account Restrictions" properties set. |
| userPrincipalName | User Principal Name | Part of "Public Information" properties set. |