User Directory Accounts
Axidian Privilege interacts with end users through a service account that reads directory users and their attributes.
Account to Use with User Directory
Active Directory
- Run the Active Directory Users and Computers snap-in.
- Open the context menu of the organizational unit or container.
- Select Create → User from the menu.
- Specify the user name, e.g. IPAMADReadOps.
- Fill in the required fields and complete the account creation.
FreeIPA
- Run the FreeIPA snap-in as a user with administrator privileges.
- Create a user, for example, IPAMADReadOps.
- Open the IPA Server tab.
- From the Role-Based Access Control drop-down menu, select Permissions.
- Create a permission with the following values:
  - Permission name: pam_attr_read.
  - Granted Rights: read, search.
  - Effective attributes: entryDn, entryUUID, ipaUniqueID, ipaNTSecurityIdentifier, memberOf, uid, givenName, krbPrincipalName, cn, sn, photo (or jpegPhoto), member, nsOsVersion, fqdn, initials, krbPasswordExpiration.
- From the Role-Based Access Control drop-down menu, select Privileges.
- Create a new privilege (e.g. pam_privilege_read) and add the created pam_attr_read permission to it.
- From the Role-Based Access Control drop-down menu, select Roles.
- Create a new role (for example, IPAMADReadOps_role) and add the created pam_privilege privilege to it.
- Assign the created role to the IPAMADServiceOps user in one of the following ways:
  - assign the role to the user directly;
  - assign the role to a user group and add the user to that group.
OpenLDAP
- Create a user, for example, IPAMADReadOps.
- Grant the user read permissions to the following attributes: entryUUID, entryDn, uid, cn, osVersion, groupOfUniqueNames, uniqueMember.
Account for Service Operations in Active Directory
Active Directory
- Run the Active Directory Users and Computers snap-in.
- Open the context menu of the organizational unit or container.
- Select Create → User from the menu.
- Specify the user name, e.g. IPAMADServiceOps.
- Fill in the required fields and complete the account creation.
- Open the context menu of the organizational unit, container, or domain root.
- Select Properties.
- Open the Security tab.
- Click Add.
- Select the IPAMADServiceOps account and click OK.
- Click Advanced.
- Select the IPAMADServiceOps account and click Edit.
- In the Applies to field, select Descendant User objects.
- In the Permissions section, check the Reset password checkbox.
- Save.
FreeIPA
- Run the FreeIPA snap-in as a user with administrator privileges.
- Create a user, for example, IPAMADServiceOps.
- Open the IPA Server tab.
- From the Role-Based Access Control drop-down menu, select Permissions.
- Create a permission with the following values:
  - Permission name: pam_attr_read.
  - Granted Rights: read, search.
  - Effective attributes: entryDn, entryUUID, ipaUniqueID, ipaNTSecurityIdentifier, memberOf, uid, givenName, krbPrincipalName, cn, sn, photo (or jpegPhoto), member, nsOsVersion, fqdn, initials, krbPasswordExpiration.
- Create another permission with the following values:
  - Permission name: pam_attr_write.
  - Granted Rights: write.
  - Effective attributes: userPassword, krbPasswordExpiration.
- From the Role-Based Access Control drop-down menu, select Privileges.
- Create a new privilege (e.g. pam_privilege_change_pswd) and add the two permissions you just created, pam_attr_read and pam_attr_write, to it.
- From the Role-Based Access Control drop-down menu, select Roles.
- Create a new role (for example, IPAMADServiceOps_role) and add the created pam_privilege_change_pswd privilege to it.
- Assign the created role to the IPAMADServiceOps user in one of the following ways:
  - assign the role to the user directly;
  - assign the role to a user group and add the user to that group.
OpenLDAP
- Create a user, for example, IPAMADServiceOps.
- Grant the user read permissions to the following attributes: entryUUID, entryDn, uid, cn, osVersion, groupOfUniqueNames, uniqueMember.
- Grant the user write permissions for the userPassword attribute.
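As an added example that is not part of the Axidian documentation, the two OpenLDAP procedures above (the read-only account and the service-operations account) expressed as a single cn=config ACL. The database entry olcDatabase={1}mdb, the suffix dc=example,dc=com and the account DNs under ou=People are assumptions; osVersion must already be defined in the loaded schema or slapd will reject the rule.

```ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule 0: userPassword. The service-operations account gets "=w" (write only,
# no read), so it can reset passwords but cannot read the stored hashes. The
# read-only account matches no "by" clause here and falls through to "* none".
olcAccess: {0}to attrs=userPassword
  by dn.exact="uid=IPAMADServiceOps,ou=People,dc=example,dc=com" =w
  by self write
  by anonymous auth
  by * none
# Rule 1: the attributes listed in the procedure, plus "entry" (required to
# return an entry at all) and objectClass (groupOfUniqueNames is an object
# class, not an attribute, so group entries are selected via objectClass).
olcAccess: {1}to attrs=entry,entryUUID,entryDN,uid,cn,osVersion,objectClass,uniqueMember
  by dn.exact="uid=IPAMADReadOps,ou=People,dc=example,dc=com" read
  by dn.exact="uid=IPAMADServiceOps,ou=People,dc=example,dc=com" read
  by self read
  by users read
  by * none
# Rule 2: everything else stays closed to both service accounts. The first
# matching "by" clause wins, so their explicit "none" must precede "users read".
olcAccess: {2}to *
  by dn.exact="uid=IPAMADReadOps,ou=People,dc=example,dc=com" none
  by dn.exact="uid=IPAMADServiceOps,ou=People,dc=example,dc=com" none
  by self write
  by users read
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then confirm the result with slapacl (for example `slapacl -D "uid=IPAMADReadOps,ou=People,dc=example,dc=com" -b "uid=someuser,ou=People,dc=example,dc=com" userPassword`), which should report no read and no write for the read-only account.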