User catalog
Axidian Access takes end-user data from Active Directory: these are the users who go through the authentication procedure using Axidian Access.
For user data to appear in Axidian Access, you must prepare an object with end users in Active Directory and create a service account that can read data.
You can configure a separate user organizational unit or use the entire user domain.
If you plan to use a separate organizational unit, all necessary objects (groups, administrators, end users) must be located within this organizational unit.
Axidian Access only reads data from Active Directory, no new data is written.
Create a service account
To create a service account, perform the following steps:
- Open Active Directory Users and Computers.
- Select the catalog where you plan to create the service account.
- Click the new user icon on the toolbar.
- In the window that appears (New Object → User), enter the user name and click Next.
- Enter the password.
- Clear User must change password at next logon.
- Select Password never expires and click Finish.
Grant data read permissions
If your company security policy allows all users in the domain to read data of all objects in the domain, skip the following steps.
If a data read restriction is configured, perform the following steps:
- Open Active Directory Users and Computers.
- On the View tab, select the Advanced Features check box.
- Right-click the object with users and select Properties.
- In the Properties window, perform the following steps:
  - Open the Security tab.
  - In the Group or user names section, add the previously created service account.
  - In the Permissions for section, select the Read option and click Advanced.
  - In the Advanced Security Settings window, select the service account and click Edit.
  - In the Permission Entry window, from the Applies to list, select This object and all descendant objects and click OK.
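The two procedures above (create the service account, then grant it Read on the user container) can also be done from PowerShell. The script below is an added example, not part of the Axidian Access documentation; the account name and the two OU distinguished names are placeholders to replace with your own. It uses the ActiveDirectory module and its AD: drive; the GUI choice "Read" maps to the GenericRead right, and "This object and all descendant objects" maps to the inheritance value All.

```powershell
# Added example (not Axidian Access code). Run as an account that may create
# users in $ServiceAccountOu and edit the security descriptor of $UserOu.
Import-Module ActiveDirectory

$ServiceAccountName = 'svc-axidian'                          # placeholder
$ServiceAccountOu   = 'OU=Service Accounts,DC=example,DC=com' # placeholder
$UserOu             = 'OU=Users,DC=example,DC=com'           # placeholder: the container Axidian Access reads

# --- Create the service account ---------------------------------------------
# Matches the GUI steps: password set, "User must change password at next
# logon" cleared, "Password never expires" selected.
$password = Read-Host -Prompt 'Service account password' -AsSecureString
$svc = New-ADUser -Name $ServiceAccountName `
    -SamAccountName $ServiceAccountName `
    -Path $ServiceAccountOu `
    -AccountPassword $password `
    -ChangePasswordAtLogon $false `
    -PasswordNeverExpires $true `
    -Enabled $true `
    -PassThru

# --- Grant data read permissions --------------------------------------------
# Read only: the account gets GenericRead on the container, inherited by every
# descendant object, and nothing else (Axidian Access never writes to AD).
$acl = Get-Acl -Path "AD:\$UserOu"
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    [System.Security.Principal.SecurityIdentifier]$svc.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$UserOu" -AclObject $acl

# Show the resulting entry so the change can be checked against the GUI.
(Get-Acl -Path "AD:\$UserOu").Access |
    Where-Object { $_.IdentityReference -like "*\$ServiceAccountName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType
```

Because the account only needs to read, do not add it to Domain Admins or any other privileged group; if it is ever compromised, the Read-only ACE on one container limits what the attacker gains. If you use the whole domain instead of a separate OU, point `$UserOu` at the domain root DN.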
Active Directory user attributes
| User attribute | Settings |
|---|---|
| objectGUID | Globally unique object identifier |
| objectSid | A unique security identifier assigned to each object in Active Directory. Used for managing access to resources and authentication of users and objects |
| distinguishedName | A unique name of an object in the Active Directory hierarchy consisting of the full path to the object. For example: CN=testuser,OU=Users,DC=domain,DC=com |
| tokenGroups | A computed attribute containing a list of SIDs of all groups, including nested ones, which the user belongs to when logging in to the system |
| memberOf | Attribute containing the distinguishedName of groups of which the user or computer is a direct member |
| sAMAccountName | Account name of the user, group, or computer used to support compatibility with previous versions of Windows. For example: ivanov |
| msDS-PrincipalName | Canonical name of the user. For example: DOMAIN\username |
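A practical check after the permissions are in place is to bind to the directory as the service account itself and read exactly the attributes in the table for one test user. The script below is an added example, not part of the Axidian Access documentation; the service account name and the test user DN are placeholders. It binds with the service account's credentials rather than the administrator's so that the result reflects the Read permission actually granted, and it requests tokenGroups and msDS-PrincipalName explicitly because both are constructed attributes that the directory returns only on request.

```powershell
# Added example (not Axidian Access code): read the attributes listed above
# as the service account and report any that are not returned.
$ServiceAccount = 'EXAMPLE\svc-axidian'                        # placeholder
$TestUserDn     = 'CN=testuser,OU=Users,DC=example,DC=com'     # placeholder
$Attributes     = @('objectGUID', 'objectSid', 'distinguishedName', 'tokenGroups',
                    'memberOf', 'sAMAccountName', 'msDS-PrincipalName')

$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

# Bind as the service account; the admin running the script plays no part.
$entry = [System.DirectoryServices.DirectoryEntry]::new(
    "LDAP://$TestUserDn", $cred.UserName, $cred.GetNetworkCredential().Password)
# Constructed attributes (tokenGroups, msDS-PrincipalName) are populated only
# when named in RefreshCache.
$entry.RefreshCache($Attributes)

function Convert-SidBytes([byte[]] $bytes) {
    # objectSid and tokenGroups are raw SID byte arrays.
    ([System.Security.Principal.SecurityIdentifier]::new($bytes, 0)).Value
}

$missing = @()
foreach ($attr in $Attributes) {
    $values = $entry.Properties[$attr]
    if ($values.Count -eq 0) { $missing += $attr; continue }
    $text = switch ($attr) {
        'objectGUID'  { ([guid]::new([byte[]]$values[0])).ToString() }
        'objectSid'   { Convert-SidBytes ([byte[]]$values[0]) }
        'tokenGroups' { ($values | ForEach-Object { Convert-SidBytes ([byte[]]$_) }) -join ', ' }
        default       { ($values | ForEach-Object { "$_" }) -join '; ' }
    }
    '{0,-20} {1}' -f $attr, $text
}

if ($missing.Count -gt 0) {
    Write-Warning ("Not readable as {0}: {1}. Check the Read ACE and its inheritance." -f `
        $ServiceAccount, ($missing -join ', '))
}
```

An attribute that comes back empty while the same query as an administrator returns it usually means the ACE was added on the container without "This object and all descendant objects", or the test user lives outside the organizational unit that was granted. The tokenGroups value is what Axidian Access relies on for group membership, so it is the one most worth confirming: memberOf alone omits nested and primary-group membership.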