User catalog
Configure a user catalog in Active Directory to manage users in Axidian CertiFlow.
Create a service account
Create a service account for reading and writing user attributes.
- Launch the Active Directory Users and Computers (ADUC) snap-in.
- Expand the domain tree and select the container or organizational unit that you want to host the user account.
- On the Action menu, select Create → User.
- Enter the name of the service account.
- Fill in the required fields and click Finish to create the account.
Configure permissions
- Launch the Active Directory Users and Computers snap-in.
- Go to the Security tab of the object which contains the Axidian CertiFlow users.
- Click Advanced → Add → Select a principal.
- In the Enter the object names to select text box, type the service account name and click OK.
- In the Apply to dropdown list, select Descendant User objects.
- In the Permissions list, select:
  - List contents
  - Read all properties. By default, all domain service accounts have permission to read all user properties.
  - Reset password
- In the Properties list, select:
  - Write pwdLastSet
  - Write thumbnailPhoto or Write jpegPhoto
  - Write userAccountControl
  - Write userCertificate
- Click OK and Apply.
Info: Grant the service account the same set of permissions for each object which contains the Axidian CertiFlow users.
Grant read permissions
If domain security policies prohibit reading all user properties, grant the service account permissions to read user attributes and attributes of the object which contains the Axidian CertiFlow users:
- In the ADSI Edit snap-in, right-click the relevant object and go to Properties → Security.
- In the Apply onto list, select This object and all descendant objects and configure the following settings:
  - In the Permissions list, check the List contents box.
  - In the Properties list, check the following boxes:
    - Read canonicalName
    - Read Distinguished Name
    - Read objectClass
    - Read objectGuid
    - Read showInAdvancedViewOnly
- In the Apply onto list, select Descendant user objects and configure the following settings:
  - In the Permissions list, check List contents.
  - In the Properties list, select read/write for the following properties and attributes:
    - Read Personal Information
    - Read General Information
    - Read Account Restrictions
    - Read Public Information
    - Write pwdLastSet
    - Write thumbnailPhoto or Write jpegPhoto
    - Write userAccountControl
    - Write userCertificate
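The two permission procedures above (the default "Configure permissions" flow and the restricted "Grant read permissions" variant) can be applied from a PowerShell session on a domain-joined machine instead of clicking through ADUC and ADSI Edit. The script below is an added example and is not part of the Axidian CertiFlow documentation or product; the account name `svc-certiflow`, the two OU paths, the `$ReadAllProperties` switch and the helper functions `Get-SchemaGuid`, `Get-RightsGuid` and `New-Ace` are assumptions made for this example. It uses the ActiveDirectory module and the .NET `ActiveDirectoryAccessRule` type; attribute, class and property-set GUIDs are looked up in the schema and the Extended-Rights container at run time rather than hard-coded.

```powershell
# Added example, not from the Axidian CertiFlow documentation. Account name, OU paths and
# the $ReadAllProperties switch are assumptions for this script.
Import-Module ActiveDirectory

$svcName = 'svc-certiflow'                              # assumed service account name
$svcPath = 'OU=Service Accounts,DC=example,DC=com'      # assumed container for the account
$usersOU = 'OU=CertiFlow Users,DC=example,DC=com'       # assumed container holding CertiFlow users
$ReadAllProperties = $true   # $false = the "Grant read permissions" variant with property sets

# --- Create the service account; the password is typed in, never stored in the script ---
$svcPassword = Read-Host -AsSecureString "Password for $svcName"
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcPath `
    -AccountPassword $svcPassword -Enabled $true -PasswordNeverExpires $true
$sid = (Get-ADUser -Identity $svcName).SID

# --- Resolve GUIDs from the schema / Extended-Rights container instead of hard-coding them ---
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$rightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

function Get-SchemaGuid([string]$LdapDisplayName) {
    # schemaIDGUID of an attribute or class, e.g. 'user' or 'pwdLastSet'
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightsGuid([string]$DisplayName) {
    # rightsGuid of an extended right or property set, e.g. 'Reset Password' or 'Public Information'
    $o = Get-ADObject -SearchBase $rightsDN -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'user'
$nullGuid  = [guid]::Empty
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$onUsers   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents  # "Descendant User objects"
$onAll     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All          # "This object and all descendant objects"

function New-Ace($Rights, [guid]$ObjectType, $Inheritance, [guid]$InheritedType) {
    # ObjectType = attribute / property set / extended right; InheritedType = object class the ACE applies to
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, $allow, $ObjectType, $Inheritance, $InheritedType)
}

$acl = Get-Acl -Path "AD:$usersOU"

# List contents on descendant user objects
$acl.AddAccessRule((New-Ace 'ListChildren' $nullGuid $onUsers $userClass))

if ($ReadAllProperties) {
    # "Read all properties" on descendant user objects (the default flow)
    $acl.AddAccessRule((New-Ace 'ReadProperty' $nullGuid $onUsers $userClass))
} else {
    # Restricted variant: List contents plus the listed attributes on this object and all descendants ...
    $acl.AddAccessRule((New-Ace 'ListChildren' $nullGuid $onAll $nullGuid))
    foreach ($attr in 'canonicalName', 'distinguishedName', 'objectClass', 'objectGUID', 'showInAdvancedViewOnly') {
        $acl.AddAccessRule((New-Ace 'ReadProperty' (Get-SchemaGuid $attr) $onAll $nullGuid))
    }
    # ... and the four property sets on descendant user objects
    foreach ($set in 'Personal Information', 'General Information', 'Account Restrictions', 'Public Information') {
        $acl.AddAccessRule((New-Ace 'ReadProperty' (Get-RightsGuid $set) $onUsers $userClass))
    }
}

# Reset password (extended right) and the individual write permissions; use jpegPhoto instead of
# thumbnailPhoto if that is the attribute your deployment stores pictures in
$acl.AddAccessRule((New-Ace 'ExtendedRight' (Get-RightsGuid 'Reset Password') $onUsers $userClass))
foreach ($attr in 'pwdLastSet', 'thumbnailPhoto', 'userAccountControl', 'userCertificate') {
    $acl.AddAccessRule((New-Ace 'WriteProperty' (Get-SchemaGuid $attr) $onUsers $userClass))
}
Set-Acl -Path "AD:$usersOU" -AclObject $acl

# Read back exactly what the service account was granted on the container
(Get-Acl -Path "AD:$usersOU").Access |
    Where-Object { $_.IdentityReference -like "*\$svcName" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

Run the script once per object that contains Axidian CertiFlow users (change `$usersOU` each time), matching the note in the documentation. The final read-back lists only the ACEs granted to the service account, which is the quickest way to confirm that the writes are scoped to the listed attributes and inherited only by user objects rather than by every object under the container.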
Supported user attributes
Info: The following table lists the LDAP Display Names of the catalog attributes. It is recommended to grant access to property sets. For more information about property sets, see Microsoft's documentation.
| Attribute (LDAP Display Name) | Common Name | Info |
|---|---|---|
| c | Country/Region or Country/Region Abbreviation | Personal Information property set |
| canonicalName | Canonical Name | Public Information property set |
| cn | Common Name | Public Information property set |
| company | Company | Public Information property set |
| department | Department | Public Information property set |
| distinguishedName | Distinguished Name | Public Information property set |
| givenName | Given Name | Public Information property set |
| l | Locality Name | Personal Information property set |
| | E-mail Addresses | Public Information property set |
| manager | Manager | Public Information property set |
| objectClass | Object Class | Public Information property set |
| objectGUID | Object GUID | Public Information property set |
| objectSid | Object Sid | General Information property set |
| otherMailbox | Other Mailbox | Public Information property set |
| proxyAddresses | Proxy Addresses | Public Information property set |
| pwdLastSet | Pwd Last Set | Account Restrictions property set |
| sAMAccountName | SAM Account Name | General Information property set |
| sn | Surname | Public Information property set |
| st | State or Province Name | Personal Information property set |
| streetAddress | Address (or Street) | Personal Information property set |
| telephoneNumber | Telephone Number | Personal Information property set |
| thumbnailPhoto or jpegPhoto | Picture | Personal Information property set |
| userAccountControl | User Account Control | Account Restrictions property set |
| userCertificate | User Certificate | Personal Information property set |
| userPrincipalName | User Principal Name | Public Information property set |