Creating a service account for working with the user catalog and system data storage
For Indeed Certificate Manager system to operate properly, certain rights to access Active Directory objects and certification authorities are required. You can distribute the privileges between several accounts, or create one with maximum rights for system management, depending on the requirements of the company security policy.
Create a service account (say, servicecm) to perform data saving and reading operations in the Active Directory storage.
Configuring the user catalog in Active Directory
Grant the created service account (servicecm) the necessary permissions to work with the object (domains, containers, organizational unit) where the Indeed Certificate Manager users will be located. This account will be used to read and write user attributes.
To do this, do the following:
- Open Security property of the object (domain, container or unit) that contains the Indeed CM system users.
- Click Advanced. Click Add. Click Select a principal.
- In the Enter the object name to select text box, type service account (servicecm). Click OK.
- In the Applies to list box, select Descendant User objects.
- In the Permissions list, activate:
- Reset password
- List contents
In the Properties list, set the Read all properties permission.
By default, permission to read all user properties is granted to all accounts in the domain.
- In the Properties list, set the following permissions:
- Write pwdLastSet - Also required to be able to reset the user's password.
- Write thumbnailPhoto or Write jpegPhoto - Required to be able to upload a photo to a user in Active Directory via the system interface.
- Write userAccountControl - Required for the enable option Enforce smart card logon.
- Click ОК and then Apply.
Set the same set of privileges for each object (domain, container or organizational unit) where Indeed CM users are located. |
The permission to read all user properties is set for all domain accounts by default. If security policies prohibit reading of all user properties, then set the rights for the service account to read only required properties, according to the Table 3.
If all user properties are not allowed to be read in the domain by security policies, then set the rights for the service account access only to the required user attributes according to the Table 3 and attributes of the object (domain, container or division) in which the Indeed CM users.
When configuring the permissions to read user properties different from default ones, it is also necessary to permit the service account (servicecm) to read the values of object attributes (i.e. Domain, container or organizational unit) that contains Indeed CM users. These attributes are: cn, objectGUID, name and showInAdvancedViewOnly.
- On the ADSI edit snap-in, open the Security property of the object (domain, container or division) that contains the Indeed CM users.
- For the This object and all descendant objects.
- In the Permissions click the List contents check box.
- In the Properties click the check boxes next to:
- Read сanonicalName
- Read Distinguished Name
- Read objectClass
- Read objectGuid
- Read showInAdvancedViewOnly
- For the Descendant user objects: User objects.
- In the Permissions check the List contents.
- In the Properties select read/write the following sets of properties and attributes corresponding to Table 3:
- Read personal Information
- Read General Information
- Read Account restrictions
- Read Public Information
- Write pwdLastSet
- Write thumbnailPhoto or Write jpegPhoto
- Write userAccountControl
- Write userCertificate
LDAP Display Names are listed. Granting access to the properties set increases the system performance significantly and also simplifies the security management (see Property Sets). |
Table 3 – Attributes used by Indeed CM to work with user directory.
Attribute (LDAP Display Name) | Common Name | Commentary |
|---|---|---|
| c | Country/Region Abbreviation or Country/Region Name | Is a part of "Personal information" properties set. |
| cn | Common Name | Is a part of the "Public Information" properties set. |
| company | Company | Is a part of the "Public Information" properties set. |
| department | Department | Is a part of the "Public Information" properties set. |
| objectGUID | ОbjectGUID | Is a part of the "Public Information" properties set. |
| givenName | Given Name | Is a part of the "Public Information" properties set. |
| l | Locality Name | Is a part of the "Personal Information" properties set. |
| E-mail Addresses | Is a part of the "Public Information" properties set. | |
| manager | Manager | Is a part of the "Public Information" properties set. |
| sAMAccountName | SAM Account Name | Is a part of the "General Information" properties set. |
| sn | Surname | Is a part of the "Public Information" properties set. |
| st | State or Province Name | Is a part of the "Personal Information" properties set. |
| streetAddress | Address (или Street) | Is a part of the "Personal Information" properties set. |
| telephoneNumber | Telephone Number | Is a part of the "Personal Information" properties set. |
thumbnailPhoto or jpegPhoto | Picture | Is a part of the "Personal Information" properties set. |
| userAccountControl | User Account Control | Is a part of "User Account Restrictions" properties set. |
| userPrincipalName | User Principal Name | Is a part of the "Public Information" properties set. |