LDAP
Axidian CertiFlow supports the following LDAP catalogs: Active Directory and FreeIPA.
An LDAP catalog can be compound: it can pull user information from different containers within a single domain or from multiple domains.
Configure a catalog
- Active Directory
- FreeIPA
Create a service account
Create a service account for reading and writing user attributes.
Active Directory
- Launch the Active Directory Users and Computers (ADUC) snap-in.
- Expand the domain tree and select the container or organizational unit that you want to host the user account.
- On the Action menu, select Create → User.
- Enter the name of the service account.
- Fill in the required fields and click Finish to create the account.
Configure permissions
- Launch the Active Directory Users and Computers snap-in.
- Go to the Security tab of the object that contains the Axidian CertiFlow users.
- Click Advanced → Add → Select a principal.
- In the Enter the object names to select text box, type the service account name and click OK.
- In the Apply to dropdown list, select Descendant User objects.
- In the Permissions list, select:
  - List contents
  - Read all properties. By default, all domain service accounts have permission to read all user properties.
  - Reset password
- In the Properties list, select:
  - Write pwdLastSet
  - Write thumbnailPhoto or Write jpegPhoto
  - Write userAccountControl
  - Write userCertificate
- Click OK and Apply.
Grant the service account the same set of permissions for each object which contains the Axidian CertiFlow users.
Grant read permissions
If domain security policies prohibit reading all user properties, grant the service account permissions to read user attributes and attributes of the object which contains the Axidian CertiFlow users:
- In the ADSI Edit snap-in, right-click the relevant object and go to Properties → Security.
- In the Apply onto list, select This object and all descendant objects and configure the following settings:
  - In the Permissions list, check the List contents box.
  - In the Properties list, check the following boxes:
    - Read canonicalName
    - Read Distinguished Name
    - Read objectClass
    - Read objectGuid
    - Read showInAdvancedViewOnly
- In the Apply onto list, select Descendant User objects and configure the following settings:
  - In the Permissions list, check the List contents box.
  - In the Properties list, check the following read and write boxes:
    - Read Personal Information
    - Read General Information
    - Read Account Restrictions
    - Read Public Information
    - Write pwdLastSet
    - Write thumbnailPhoto or Write jpegPhoto
    - Write userAccountControl
    - Write userCertificate
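Added example, not code from the Axidian CertiFlow documentation: a PowerShell script (RSAT ActiveDirectory module) that grants the service account the ACEs described in the two sections above on one container, reading the four property sets instead of "Read all properties" and resolving attribute, class and property-set GUIDs from the directory rather than hard-coding them. The container DN and the account name are placeholders.

```powershell
# Added example (not from the Axidian CertiFlow documentation): grants the service account the
# container-level and descendant-user ACEs listed above. Placeholders: container DN, account name.
Import-Module ActiveDirectory
$Container      = "OU=CertiFlow Users,DC=example,DC=com"   # placeholder: object holding the users
$ServiceAccount = "svc-certiflow"                           # placeholder: service account name
$rootDse = Get-ADRootDSE
$sid     = [System.Security.Principal.SecurityIdentifier](Get-ADUser $ServiceAccount).SID
$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow
# schemaIDGUID of a class or attribute, resolved by LDAP display name (no hard-coded GUIDs)
function Get-SchemaGuid([string]$Name) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
# rightsGuid of a property set or extended right, resolved by display name
function Get-RightsGuid([string]$Name) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter "(displayName=$Name)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}
# Build one allow ACE; $ObjectGuid limits it to a property, property set or extended right
function New-Ace($Right, $ObjectGuid, $Scope, $TargetClass) {
    if ($ObjectGuid) { New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Right, $Allow, $ObjectGuid, $Scope, $TargetClass) }
    else             { New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $Right, $Allow, $Scope, $TargetClass) }
}
$userClass = Get-SchemaGuid 'user'
$acl   = Get-Acl -Path "AD:\$Container"
$rules = @()
# "This object and all descendant objects": List contents plus the five read-only attributes
$rules += New-Ace $Rights::ListChildren $null $Inherit::All ([guid]::Empty)
foreach ($a in 'canonicalName','distinguishedName','objectClass','objectGUID','showInAdvancedViewOnly') {
    $rules += New-Ace $Rights::ReadProperty (Get-SchemaGuid $a) $Inherit::All ([guid]::Empty)
}
# "Descendant User objects": List contents, the four property sets, Reset password, writable attributes
$rules += New-Ace $Rights::ListChildren $null $Inherit::Descendents $userClass
foreach ($s in 'Personal Information','General Information','Account Restrictions','Public Information') {
    $rules += New-Ace $Rights::ReadProperty (Get-RightsGuid $s) $Inherit::Descendents $userClass
}
$rules += New-Ace $Rights::ExtendedRight (Get-RightsGuid 'Reset Password') $Inherit::Descendents $userClass
foreach ($a in 'pwdLastSet','thumbnailPhoto','userAccountControl','userCertificate') {   # or jpegPhoto
    $rules += New-Ace $Rights::WriteProperty (Get-SchemaGuid $a) $Inherit::Descendents $userClass
}
foreach ($r in $rules) { $acl.AddAccessRule($r) }
Set-Acl -Path "AD:\$Container" -AclObject $acl
# Check: show the ACEs the service account now holds on the container
(Get-Acl -Path "AD:\$Container").Access |
    Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType | Format-Table -AutoSize
```

Run it once per container that holds Axidian CertiFlow users; the final listing is the check that no broader rights than those above were granted.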
Supported user attributes
The following table lists LDAP Display Names of the catalog attributes.
It is recommended to grant access to property sets. For more information about property sets, see Microsoft's documentation.
| Attribute (LDAP Display Name) | Common Name | Info |
|---|---|---|
| c | Country/Region or Country/Region Abbreviation | Personal Information property set |
| canonicalName | Canonical Name | Public Information property set |
| cn | Common Name | Public Information property set |
| company | Company | Public Information property set |
| department | Department | Public Information property set |
| distinguishedName | Distinguished Name | Public Information property set |
| givenName | Given Name | Public Information property set |
| l | Locality Name | Personal Information property set |
| mail | E-mail Addresses | Public Information property set |
| manager | Manager | Public Information property set |
| objectClass | Object Class | Public Information property set |
| objectGUID | Object GUID | Public Information property set |
| objectSid | Object Sid | General Information property set |
| otherMailbox | Other Mailbox | Public Information property set |
| proxyAddresses | Proxy Addresses | Public Information property set |
| pwdLastSet | Pwd Last Set | Account Restrictions property set |
| sAMAccountName | SAM Account Name | General Information property set |
| sn | Surname | Public Information property set |
| st | State or Province Name | Personal Information property set |
| streetAddress | Address (or Street) | Personal Information property set |
| telephoneNumber | Telephone Number | Personal Information property set |
| thumbnailPhoto or jpegPhoto | Picture | Personal Information property set |
| userAccountControl | User Account Control | Account Restrictions property set |
| userCertificate | User Certificate | Personal Information property set |
| userPrincipalName | User Principal Name | Public Information property set |
To configure a user catalog in FreeIPA:
- Sign in to the FreeIPA Web UI as an administrator.
- On the Identity tab, go to Users, click Add and create a user. By default, the created user is a member of the ipausers domain group.
- Create a permission to read and search data in the catalog:
  - On the IPA Server tab, in the Role-Based Access Control list, select Permissions and click Add.
  - Enter the permission name.
  - In the Bind rule type field, select permission.
  - In the Granted Rights field, select read and search.
  - In the Subtree field, enter the distinguished name of the domain.
  - Select the effective attribute: entryUUID.
- Create a permission to write data to the catalog:
  - On the IPA Server tab, in the Role-Based Access Control list, select Permissions and click Add.
  - Enter the permission name.
  - In the Bind rule type field, select permission.
  - In the Granted Rights field, select write.
  - In the Type list, select User.
  - Select the effective attributes:
    - userPassword
    - krbPasswordExpiration
    - userCertificate
    - jpegPhoto
- In the Role-Based Access Control list, select Privileges and click Add.
- Create a privilege and add the created permissions to it.
- In the Role-Based Access Control list, select Roles, click Add and create a role.
- In the Roles section, go to the Privileges tab and add the created privilege to the role.
- Assign the role to the service account:
  - In the Roles section, select the created role.
  - In the user list, click Add and select the created user.
Supported FreeIPA user attributes
| User attribute | Description |
|---|---|
| entryUUID | Universally unique identifier assigned to the entry |
| entryDN | Entry's distinguished name |
| uid | User identifier |
| mail | Email address |
| telephoneNumber | Phone number |
| givenName | First name |
| sn | Last name |
| cn | Common name |
| krbPrincipalName | Kerberos user principal name (UPN) |
| jpegPhoto | Photo |
| userPassword | Password |
| krbPasswordExpiration | A given user's password expiration date |
| userCertificate | Certificate |