Overview

This documentation provides information regarding Active Directory ACLs for the service account used by the WebADM framework (proxy_user).

The LDAP service account is used by WebADM to read and write the LDAP resources it needs without an administrator logging in. Examples include incrementing the authentication counter, registering token metadata on user accounts, acting on behalf of end users in web applications like SelfDesk, Helpdesk and PWReset, and writing during authentication processes.

The service account is specified in /opt/webadm/conf/webadm.conf using the proxy_user setting.

This documentation is fully dedicated to the proxy_user rights.

The necessary permissions for that service account depend on the WebADM schema setup chosen during installation. As a reminder, there are two options:

  • Extended Schema setup
  • Not Extended Schema setup

In this documentation, we focus on the domain rcdevsdocs.com.

The User Search Base configured in WebADM Domain is pointing to CN=Users,DC=rcdevsdocs,DC=com.

The Group Search Base configured in WebADM Domain is pointing to CN=Groups,DC=rcdevsdocs,DC=com.

Domain information needed to set up the ACLs:

PS C:\Users\administrator> (Get-ADRootDSE).rootDomainNamingContext
DC=rcdevsdocs,DC=com
PS C:\Users\administrator> (Get-WmiObject Win32_NTDomain).DomainName
RCDEVSDOCS

The service account SamAccountName value is proxy_user.

When WebADM writes to AD administrators or any other protected (adminCount=1) account, the ACLs granted on the user search base are not enough: the SDProp process re-stamps the DACL of the AdminSDHolder object onto these accounts (every 60 minutes by default), and they do not inherit permissions from their parent container. Refer to the Privileged Accounts sections of this documentation.

AD ACLs for Extended Schema

  • webadmData: is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).
  • webadmSettings: is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

Domain Users

Found below, the different ACLs needed. The commands are written for a PowerShell prompt, where the single quotes are stripped before dsacls sees the argument; from cmd.exe, use double quotes around the grant instead:

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;webadmData'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;webadmSettings'

If you are using the VOICE biometric feature of OpenOTP, then you also need the following ACL:

  • webadmVoice: is the attribute used to store the voice fingerprint. There is no need to set this ACL unless you use that licensed OpenOTP feature.

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;webadmVoice'

Privileged accounts

For writing to AD administrators, the rights set above are not enough because SDProp re-stamps the AdminSDHolder DACL onto protected accounts every 60 minutes (by default), discarding inherited ACEs. So the same rights must also be applied to the AdminSDHolder object itself, without /I:S, since SDProp copies that DACL as-is onto protected accounts and an inherit-only ACE would never apply to them; then wait for the next SDProp run for the change to reach all admin users and groups of the domain. These rights are needed only if you want to perform OpenOTP logins, Spankey logins or use the self-service applications with your Domain Admins accounts:

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;webadmData'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;webadmSettings'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;webadmVoice'

AD ACLs for Not Extended Schema

  • bootFile: is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).
  • bootParameter: is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

Domain Users

Found below, the different ACLs needed:

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;bootfile'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;bootparameter'

If you are using the VOICE biometric feature of OpenOTP, then you also need the following ACL:

  • audio: is the attribute used to store the voice fingerprint. There is no need to set this ACL unless you use that licensed OpenOTP feature.

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;audio'

Privileged Users

For writing to AD administrators, the rights set above are not enough because SDProp re-stamps the AdminSDHolder DACL onto protected accounts every 60 minutes (by default), discarding inherited ACEs. So the same rights must also be applied to the AdminSDHolder object itself, without /I:S, since SDProp copies that DACL as-is onto protected accounts and an inherit-only ACE would never apply to them; then wait for the next SDProp run for the change to reach all admin users and groups of the domain. These rights are needed only if you want to perform OpenOTP logins, Spankey logins or use the self-service applications with your Domain Admins accounts:

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;bootFile'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;bootParameter'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;audio'

Common Permissions

The ACLs below do not depend on your schema setup.

Users Activation (licensing)

Activating accounts modifies the objectClass attribute of the users you intend to activate.
In some circumstances the proxy_user account is the one doing the activation, for example if you use the command-line tool /opt/webadm/bin/extend or activate accounts through the Helpdesk application; it then needs write access to objectClass.

Domain Users

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;objectClass'

Privileged Users

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;objectClass'

Mobile badging operations

User added/removed from groups after badge-in / badge-out or check-in operations

With the RCDevs badging feature, you can group users based on badged-in/check-in operations. The proxy_user is involved in these operations, which is why you need to grant the following permissions to enable these operations.

Domain Users groups

dsacls "CN=Groups,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;member'

If the group is POSIX extended, WebADM will also attempt to modify the memberUid attribute of the group. This ensures that members are populated for UNIX integrations. In that case, you need to grant the following additional permission:

dsacls "CN=groups,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;memberUid'
Privileged Users groups
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;member'

If the group is POSIX extended, WebADM will also attempt to modify the memberUid attribute of the group. This ensures that members are populated for UNIX integrations. In that case, you need to grant the following additional permission:

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;memberUid'

Account Lockout after badge-out operation

After a badge-out operation, or when the user is outside the check-in window configured in the WebADM OptionSet, the account can be locked at the AD level by writing the logonHours attribute, which makes the domain controllers reject new logons.

To use this feature, you need to provide the following ACLs to your proxy_user on your user search base:

Domain Users

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;logonHours'

Privileged Users

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;logonHours'

Attributes used by Web Applications

If you use the WebADM Self-Services, then depending on what you allow users to do within them, the WebADM proxy_user may need additional permissions:

For example, if you want users to reset their LDAP password or set their mobile numbers or email addresses, the proxy user needs write permission on the corresponding LDAP attributes.
The following ones can be configured:

  • mail: only if the Self-Services are used to set email addresses.
  • mobile: only if the Self-Services are used to set mobile numbers.
  • preferredLanguage: only if the Self-Services are used to set the user language.
  • userPassword or unicodePwd: only if the Self-Services are used to set the user password. AD accepts password writes only over an encrypted connection (LDAPS or StartTLS), so the LDAP server configured in WebADM must use one.
  • lockoutTime: written to unlock an AD account at the AD level through the WebADM admin GUI or the PWReset application.
  • userAccountControl: written to change the AD account flags (disabled account, normal account, user cannot change password, ...).
  • userCertificate: written when a user creates and registers a new certificate on their account from the web applications.
  • Reset Password: a control access right rather than an attribute; it allows resetting user passwords and forcing a password change at next logon.

For the following attributes, it makes sense to set the corresponding permissions only if you have created a WebADM Administrator Role, are utilizing proxy_user permissions within the configured role and if through that role you allow POSIX extensions for users.

  • uidNumber: POSIX attribute used for Spankey users.
  • gidNumber: POSIX attribute used for Spankey users.
  • unixHomeDirectory: POSIX attribute used for Spankey users.
  • loginShell: POSIX attribute used for Spankey users.

For the following attribute, it makes sense to set the corresponding permissions only if you have created a WebADM Administrator Role, are utilizing proxy_user permissions within the configured role and if through that role you allow POSIX extensions for groups.

  • gidNumber: also used for Spankey groups.

Domain Users

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;mail'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;mobile'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;preferredLanguage'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;userPassword'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;unicodepwd'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;lockouttime'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;useraccountcontrol'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:CA;Reset Password'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;userCertificate'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;member'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:WPRP;memberuid'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;uidnumber'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;gidnumber'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;unixhomedirectory'
dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;loginshell'

Domain Groups

dsacls "CN=Groups,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RPWP;gidnumber'

Privileged Users

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;mail'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;mobile'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;preferredLanguage'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;userPassword'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;unicodepwd'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;lockouttime'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;useraccountcontrol'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:CA;Reset Password'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;userCertificate'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;member'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:WPRP;memberuid'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;uidnumber'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;gidnumber'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;unixhomedirectory'
dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;loginshell'

Privileged Groups

dsacls "CN=AdminSDHolder,CN=System,DC=rcdevsdocs,DC=com" /G 'RCDEVSDOCS\proxy_user:RPWP;gidnumber'

ACL on the user search base

The proxy_user needs to read user objects and user attributes. This is granted through the following ACL:

dsacls "CN=Users,DC=rcdevsdocs,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RP'

ACL on the WebADM Configuration Container

In this example CN=webadm,DC=RCDEVSDOCS,DC=com is our config_container defined in /opt/webadm/conf/webadm.conf:

dsacls "CN=webadm,DC=RCDEVSDOCS,DC=com" /I:S /G 'RCDEVSDOCS\proxy_user:RP'

Viewing effective access

If you are not sure the permissions are effective on a specific user account, you can view the effective access that proxy_user has on that account.

First open Active Directory Users and Computers and find the user who has a problem logging in.

Open the "Properties > Security > Advanced" page for the user.

First check permission inheritance. If an "Enable inheritance" button is shown, the AD object is NOT inheriting permissions from its parent, so the ACLs set on the user search base do not apply to it. This is typically because the user is, or once was, a member of a protected group such as Domain Admins: SDProp disables inheritance on such objects and does not re-enable it (nor clear adminCount) when the user is removed from the group. For such accounts only the ACEs placed on the AdminSDHolder object count.

Next, open the "Effective Access" tab and select the proxy_user account you have configured in webadm.conf.

Then click the "View Effective Access" button. This lists, per right and attribute, what the proxy user can do on this user.
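The same check scripted, as an added example (not RCDevs tooling): it reads the user's security descriptor, reports whether inheritance is blocked and adminCount is set, and lists every ACE held by proxy_user with the attribute or control access right spelled out instead of a GUID. It assumes the page's domain and proxy_user account; "administrator" is only the sample account queried at the end.

```powershell
# Added example (not RCDevs tooling): scripted version of the ADUC "Effective Access" check, plus the two
# AdminSDHolder symptoms (adminCount=1, inheritance blocked) that explain most "proxy_user cannot write" cases.
# Assumptions: domain rcdevsdocs.com and samAccountName proxy_user from this page; RSAT-AD-PowerShell.
Import-Module ActiveDirectory

$RootDse  = Get-ADRootDSE
$SchemaNC = $RootDse.schemaNamingContext
$ConfigNC = $RootDse.configurationNamingContext
$ProxySid = (Get-ADUser -Identity 'proxy_user').SID

# Map an ACE's ObjectType GUID back to a name: an attribute or class from the schema (schemaIDGUID is stored
# as bytes, hence the \xx escaping), or a control access right such as "Reset Password" from CN=Extended-Rights.
function Resolve-AceObjectType([guid]$Id) {
    if ($Id -eq [guid]::Empty) { return '<all properties>' }
    $escaped = ($Id.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $s = Get-ADObject -SearchBase $SchemaNC -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName
    if ($s) { return $s.lDAPDisplayName }
    $r = Get-ADObject -SearchBase "CN=Extended-Rights,$ConfigNC" -LDAPFilter "(rightsGUID=$Id)" -Properties displayName
    if ($r) { return "$($r.displayName) [control access right]" }
    return $Id.ToString()
}

function Get-ProxyAccessReport([string]$SamAccountName) {
    $u  = Get-ADUser -Identity $SamAccountName -Properties adminCount, nTSecurityDescriptor
    $sd = $u.nTSecurityDescriptor                      # System.DirectoryServices.ActiveDirectorySecurity
    $aces = $sd.Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $ProxySid } |
        ForEach-Object {
            '{0} {1} on {2}{3}' -f $_.AccessControlType, $_.ActiveDirectoryRights,
                (Resolve-AceObjectType $_.ObjectType), $(if ($_.IsInherited) { ' (inherited)' } else { '' })
        }
    [pscustomobject]@{
        User               = $u.DistinguishedName
        AdminCount         = $u.adminCount                 # 1: SDProp has stamped the AdminSDHolder DACL on this object
        InheritanceBlocked = $sd.AreAccessRulesProtected   # $true is what the "Enable inheritance" button in ADUC means
        ProxyUserAces      = @($aces)
        Hint               = $(if ($sd.AreAccessRulesProtected) {
            'Inheritance is off: only ACEs set directly on CN=AdminSDHolder,CN=System reach this account. ' +
            'A user removed from a privileged group keeps adminCount=1 and blocked inheritance until fixed by hand.'
        } else { 'ACEs inherited from the user search base apply to this account.' })
    }
}

Get-ProxyAccessReport -SamAccountName 'administrator' | Format-List
```

An empty ProxyUserAces list on an account with InheritanceBlocked = $true means the AdminSDHolder grants were either never applied or were applied with /I:S, which SDProp copies as inherit-only ACEs that never match the account itself.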