Creating a service account for working with the user catalog and system data storage

For the Indeed Certificate Manager system to operate properly, certain rights to access Active Directory objects and certification authorities are required. Depending on the requirements of the company security policy, you can distribute these privileges between several accounts or create one account with the maximum rights for system management.

Create a service account (say, servicecm) to use with the Indeed Identity container. This account performs the data saving and reading operations in the Active Directory storage. The following permissions must be set for it:

  • Full Control for the container that stores the system data (default name is "Indeed Identity") and all of its descendant objects. To do so:

1. Open the Security property of the Indeed Identity container.
2. Click Add and specify the service account (servicecm).
3. Click Advanced, select the service account and click Edit.
4. In the Applies to list box, select This object and all descendant objects.
5. In the Permissions list, set the Full control permission.
6. Click OK and then Apply.

Configuring the user catalog in Active Directory

Grant the created service account (servicecm) the necessary permissions on the objects (domains, containers, organizational units) that contain the Indeed Certificate Manager users. This account will be used to read and write user attributes. Note that the Reset password right granted below lets the account set the password of any user within that scope, so treat its credentials as highly privileged.

To do this, do the following:

  1. Open the Security property of the object (domain, container or organizational unit) that contains the Indeed CM system users.
  2. Click Advanced, then Add, then Select a principal.
  3. In the Enter the object name to select text box, type the service account name (servicecm) and click OK.
  4. In the Applies to list box, select Descendant User objects.
  5. In the Permissions list, activate the Reset password checkbox.
  6. In the Properties list, set the Read all properties permission.
  7. In the Properties list, also set the following permissions:
    • Write: userAccountControl
    • Write: pwdLastSet
    • Write: thumbnailPhoto or Write: jpegPhoto
  8. Click OK and then Apply.
Warning

Set the same set of privileges for each object (domain, container or organizational unit) where Indeed CM users are located.

The permission to read all user properties is granted to all domain accounts by default. If security policies prohibit reading all user properties, grant the service account the right to read only the required properties, according to Table 3.

When configuring read permissions that differ from the defaults, you must also permit the service account (servicecm) to read the following attributes of the object (domain, container or organizational unit) that contains the Indeed CM users: cn, objectGUID, name and showInAdvancedViewOnly.

Info

LDAP Display Names are listed.

Granting access to a whole property set rather than to individual attributes improves system performance significantly and also simplifies security management (see Property Sets).

Table 3 – Attributes used by Indeed CM to work with the user directory.

Attribute (LDAP Display Name) | Common Name | Commentary
c | Country/Region Abbreviation or Country/Region Name | Part of the "Personal Information" property set.
cn | Common Name | Part of the "Public Information" property set.
company | Company | Part of the "Public Information" property set.
department | Department | Part of the "Public Information" property set.
objectGUID | ObjectGUID | Part of the "Public Information" property set.
givenName | Given Name | Part of the "Public Information" property set.
l | Locality Name | Part of the "Personal Information" property set.
mail | E-mail Addresses | Part of the "Public Information" property set.
manager | Manager | Part of the "Public Information" property set.
sAMAccountName | SAM Account Name | Part of the "General Information" property set.
sn | Surname | Part of the "Public Information" property set.
st | State or Province Name | Part of the "Personal Information" property set.
streetAddress | Address (or Street) | Part of the "Personal Information" property set.
telephoneNumber | Telephone Number | Part of the "Personal Information" property set.
thumbnailPhoto or jpegPhoto | Picture | Part of the "Personal Information" property set.
userAccountControl | User Account Control | Part of the "User Account Restrictions" property set.
userPrincipalName | User Principal Name | Part of the "Public Information" property set.