LDAP

Axidian CertiFlow supports the following LDAP catalogs: Active Directory, Samba AD DC, FreeIPA.

A LDAP catalog can be compound. It can pull user information from different containers within a single domain or from multiple domains.

About Samba AD DC

Samba AD DC is able to serve as an Active Directory domain controller or as a primary domain controller.

If Axidian CertiFlow was previously configured to work with a user catalog in Active Directory, and the domain controller is reconfigured to Samba AD DC, do not change the existing user catalog configuration parameters.

When you configure the connection to Samba AD DC user catalog for the first time, select this catalog type when you configure a connection to the catalog in the Axidian CertiFlow Installation Wizard.

Configure a catalog

Active Directory and Samba AD DC

Create a service account

Create a service account for reading and writing user attributes.

Active Directory

1. Launch the Active Directory Users and Computers (ADUC) snap-in.
2. Expand the domain tree and select the container or organizational unit that you want to host the user account.
3. On the Action menu, select Create → User.
4. Enter the name of the service account.
5. Fill in the required fields and click Finish to create the account.

Samba AD DC

Create a service account in Active Directory Users and Computers (ADUC) snap-in or using the samba-tool command line:

1. Create a user:

   samba-tool user add <user name>

   samba-tool user add servicecertiflow

2. If you plan to use the service account as role administrator in Axidian CertiFlow management console, add the UPN (User Principal Name) attribute:

   sudo samba-tool user rename <user name> --upn=<UPN>

   sudo samba-tool user rename servicecertiflow --upn=servicecertiflow@domain.name

Configure permissions

1. Launch the Active Directory Users and Computers snap-in.
2. Go to the Security tab of the object which contains the Axidian CertiFlow users.
3. Click Advanced→Add→Select a principal.
4. In the Enter the object names to select text box, type the service account name and click OK.
5. In the Apply to dropdown list, select Descendant User objects.
6. In the Permissions list, select:
   • List contents.
   • Read all properties. By default, all domain service accounts have a permission to read all user properties.
   • Reset password
7. In the Properties list, select:
   • Write pwdLastSet
   • Write thumbnailPhoto or Write jpegPhoto
   • Write userAccountControl
   • Write userCertificate
8. Click OK and Apply.

info

Grant the service account the same set of permissions for each object which contains the Axidian CertiFlow users.

Grant read permissions

If domain security policies prohibit reading all user properties, grant the service account permissions to read user attributes and attributes of the object which contains the Axidian CertiFlow users:

1. In the ADSI edit snap-in, right-click the relevant object and go to Properties Security.
2. In the Apply onto list, select This object and all descendant objects and configure the following settings:
   1. In the Permissions list, check List contents box.
   2. In the Properties list, check the following boxes:
      • Read сanonicalName
      • Read Distinguished Name
      • Read objectClass
      • Read objectGuid
      • Read showInAdvancedViewOnly
3. In the Apply onto list, select Descendant user objects:
   1. In the Permissions list, check List contents.
   2. In the Properties list, select read/write for the following properties and attributes:
      • Read personal Information
      • Read general Information
      • Read account restrictions
      • Read public Information
      • Write pwdLastSet
      • Write thumbnailPhoto or Write jpegPhoto
      • Write userAccountControl
      • Write userCertificate

Supported user attributes

info

The following table lists LDAP Display Names of the catalog attributes.

It is recommended to grant access to property sets. For more information about property sets, see Microsoft's documentation.

Attribute (LDAP Display Name)	Common Name	Info
c	Country/Region or Country/Region Abbreviation	Personal Information property set
сanonicalName	Canonical Name	Public Information property set
cn	Common Name	Public Information property set
company	Company	Public Information property set
**department	Department	Public Information property set
distinguishedName	Distinguished Name	Public Information property set
givenName	Given Name	Public Information property set
l	Locality Name	Personal Information property set
mail	E-mail Addresses	Public Information property set
manager	Manager	Public Information property set
objectClass	Object Class	Public Information property set
objectGUID	Оbject GUID	Public Information property set
objectSid	Object Sid	General Information property set
otherMailbox	Other Mailbox	Public Information property set
proxyAddresses	Proxy Addresses	Public Information property set
pwdLastSet	Pwd Last Set	Account Restrictions property set
sAMAccountName	SAM Account Name	General Information property set
sn	Surname	Public Information property set
st	State or Province Name	Personal Information property set
streetAddress	Address (or Street)	Personal Information property set
telephoneNumber	Telephone Number	Personal Information property set
thumbnailPhoto or jpegPhoto	Picture	Personal Information property set
userAccountControl	User Account Control	Account Restrictions property set.
userCertificate	User Certificate	Personal Information property set
userPrincipalName	User Principal Name	Public Information property set

FreeIPA

To configure a user catalog in FreeIPA:

1. Sign in to the FreeIPA Web UI as an administrator.
2. On the Identity tab go to Users, click Add and create a user. By default, the created user is a member of the ipausers service domain group.
3. Create a permission to read and search data in the catalog:
   1. On the IPA Server tab, in the Role-Based Access Control list, select Permissions and click Add.
   2. Enter the permission name.
   3. In the Bind rule type string, select permission.
   4. In the Granted Rights string, select read, search.
   5. In the Subtree string, enter the Distinguished name of domain.
   6. Select Effective attributes: entryUUID.
4. Create a permission to write data to the catalog:
   1. On the IPA Server tab, in the Role-Based Access Control list, select Permissions and click Add.
   2. Enter the permission name.
   3. In the Bind rule type string, select permission.
   4. In the Granted Rights string, select write.
   5. In the Type list, select User.
   6. Select Effective attributes:
   • userPassword
   • krbPasswordExpiration
   • userCertificate
   • jpegPhoto
5. In the Role-Based Access Control list, select Privileges and click Add.
6. Create a privilege and add the created permissions to it.
7. In the Role-Based Access Control list, select Roles, click Add and create a role.
8. In the Roles section, go to the Privileges tab and add the created privilege to the role.
9. Assign the role to the service account:
   1. In the Roles section, select the created role.
   2. In the user list, click Add and select the created user.

Supported FreeIPA user attributes

User attribute	Description
entryUUID	Universally unique identifier assigned to the entry
entryDN	Entry's distinguished name
uid	User identifier
mail	Email address
telephoneNumber	Phone number
givenName	First name
sn	Last name
cn	Common name
krbPrincipalName	Kerberos user principal name (UPN)
jpegPhoto	Photo
userPassword	Password
krbPasswordExpiration	A given user's password expiration date
userCertificate	Certificate