000022130 - Minimum requirements for RSA ClearTrust bind to Microsoft Active Directory

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022130
Applies To: RSA ClearTrust 5.5.3 Entitlements Server (EServer)
Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Active Directory 2000
Microsoft Active Directory 2003
RSA ClearTrust 5.5.3 Data Adapter Active Directory
Issue: Minimum requirements for RSA ClearTrust bind to Microsoft Active Directory
Cause: A default RSA ClearTrust installation uses a Microsoft Active Directory domain administrator account to perform the LDAP bind from ClearTrust to Active Directory. In a production environment, use of this account is not usually permitted for security reasons, so a ClearTrust system may need to be configured to conform with the company's security policy.
Resolution: When configuring the LDAP.CONF file for a Microsoft Active Directory bind, you must supply the user name that ClearTrust uses to connect to Active Directory and read and write the RSA ClearTrust data during operation and administration of the system. The user specified must hold the appropriate object permissions in Active Directory to perform all of these tasks. On a freshly installed Windows 2000 or Windows 2003 system, the "Administrator" user is the only user that already has the required permissions, and it can be used directly as the binddn user value in LDAP.CONF. If a different user is selected, the installer must ensure that the following permissions are granted to that user on every location referenced by a binddn entry in LDAP.CONF. The basic permissions required are:

    Read
    Write
    Create All Child Objects
    Delete All Child Objects

One additional permission, found in the Advanced section of the Security tab, is also required:

    List Contents

In RSA ClearTrust 5.5.3, there are various binddn user locations referenced in LDAP.CONF - these are identified with the following keys:

    cleartrust.data.ldap.user.basedn               * See note 1
    cleartrust.data.ldap.group.basedn             * See note 1
    cleartrust.data.ldap.admin.group.basedn
    cleartrust.data.ldap.admin.basedn
    cleartrust.data.ldap.applicationdata.basedn
    cleartrust.data.ldap.policy.basedn
    cleartrust.data.ldap.libertystore.basedn
    cleartrust.data.ldap.identity_mapping_store.basedn

NOTE 1: The permissions on these two locations can be further restricted (e.g. to read-only) where the User or Group datastore is designated as read-only elsewhere in LDAP.CONF.

NOTE 2: The creation of the initial datastore and the schema installation are a separate task, described under "Installing the Active Directory" on page 32 of the RSA ClearTrust 5.5.3 Servers Installation and Configuration Guide. The account used for that task may be a different user from the bind user configured in LDAP.CONF.

RSA Security advises that changing the bind user, or the privileges of that user, on a running system has not been tested, and that the decision about the user's permissions should be made at installation time. Changing LDAP permissions on an existing (running) system may have unforeseen and undesirable effects.
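The following script is an added example and is not part of the RSA article or of the ClearTrust product. It grants exactly the permissions listed above (Read, Write, Create All Child Objects, Delete All Child Objects, List Contents) to a dedicated bind account on each basedn container named in LDAP.CONF, applying only the read-side permissions where a store is designated read-only (NOTE 1), and then reads the resulting ACL back for verification. The account name, domain and container DNs are hypothetical placeholders; take the real DNs from your LDAP.CONF. The ActiveDirectory PowerShell module it uses ships with later Windows versions than the 2000/2003 systems this article lists; on Windows 2003 the same access control entries can be set with dsacls.exe from the Support Tools (shown in a comment) or through the ADUC Security tab as described in the Microsoft resources referenced below. In keeping with the advice above, run it once at installation time, not on a running system.

```powershell
# Added example, not RSA's code. Grants the minimum ClearTrust bind permissions
# from the article to a dedicated service account on each basedn container.
# All names below are hypothetical: replace EXAMPLE\svc-cleartrust and the DNs
# with the values from your own LDAP.CONF.
Import-Module ActiveDirectory

$BindAccount = 'svc-cleartrust'   # sAMAccountName of the LDAP.CONF binddn user

# One entry per basedn key in LDAP.CONF. ReadOnly = $true where that store is
# configured read-only elsewhere in LDAP.CONF (NOTE 1); DNs are hypothetical.
$Stores = @(
    @{ Key = 'cleartrust.data.ldap.user.basedn';                   DN = 'OU=People,DC=example,DC=com';                     ReadOnly = $true  }
    @{ Key = 'cleartrust.data.ldap.group.basedn';                  DN = 'OU=Groups,DC=example,DC=com';                     ReadOnly = $true  }
    @{ Key = 'cleartrust.data.ldap.admin.group.basedn';            DN = 'OU=AdminGroups,OU=ClearTrust,DC=example,DC=com';  ReadOnly = $false }
    @{ Key = 'cleartrust.data.ldap.admin.basedn';                  DN = 'OU=Admins,OU=ClearTrust,DC=example,DC=com';       ReadOnly = $false }
    @{ Key = 'cleartrust.data.ldap.applicationdata.basedn';        DN = 'OU=AppData,OU=ClearTrust,DC=example,DC=com';      ReadOnly = $false }
    @{ Key = 'cleartrust.data.ldap.policy.basedn';                 DN = 'OU=Policy,OU=ClearTrust,DC=example,DC=com';       ReadOnly = $false }
    @{ Key = 'cleartrust.data.ldap.libertystore.basedn';           DN = 'OU=Liberty,OU=ClearTrust,DC=example,DC=com';      ReadOnly = $false }
    @{ Key = 'cleartrust.data.ldap.identity_mapping_store.basedn'; DN = 'OU=IdMapping,OU=ClearTrust,DC=example,DC=com';    ReadOnly = $false }
)

function Grant-ClearTrustBindRights {
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$ReadOnly
    )
    # ADUC basic permissions from the article mapped to ActiveDirectoryRights:
    #   "Read" -> GenericRead, "List Contents" (Advanced) -> ListChildren
    $rights = [System.DirectoryServices.ActiveDirectoryRights]'GenericRead, ListChildren'
    if (-not $ReadOnly) {
        #   "Write" -> GenericWrite, "Create All Child Objects" -> CreateChild,
        #   "Delete All Child Objects" -> DeleteChild
        $rights = $rights -bor [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, CreateChild, DeleteChild'
    }

    $sid = (Get-ADUser -Identity $AccountName).SID

    # Inheritance "All" is a choice made in this example (the article does not
    # specify it): the ACE covers the container and every object beneath it,
    # so entries ClearTrust creates later are governed by the same rule.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    $container = [ADSI]("LDAP://" + $DistinguishedName)
    $container.ObjectSecurity.AddAccessRule($ace)
    $container.CommitChanges()
}

function Get-ClearTrustBindRights {
    # Read back the ACEs for the bind account so the grant can be verified,
    # and re-checked later if another product has altered the ACL.
    param(
        [Parameter(Mandatory)][string]$AccountName,
        [Parameter(Mandatory)][string]$DistinguishedName
    )
    (Get-Acl -Path ("AD:\" + $DistinguishedName)).Access |
        Where-Object { $_.IdentityReference -like "*\$AccountName" } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
}

foreach ($store in $Stores) {
    Grant-ClearTrustBindRights -AccountName $BindAccount -DistinguishedName $store.DN -ReadOnly:$store.ReadOnly
    $mode = if ($store.ReadOnly) { 'read-only' } else { 'read/write' }
    Write-Host ("{0}: granted {1} rights on {2}" -f $store.Key, $mode, $store.DN)
    Get-ClearTrustBindRights -AccountName $BindAccount -DistinguishedName $store.DN | Format-Table -AutoSize
}

# Windows 2003 Support Tools equivalent for one read/write container (dsacls
# permission codes: GR generic read, GW generic write, CC create child,
# DC delete child, LC list children; /I:T = this object and all children):
#   dsacls "OU=Policy,OU=ClearTrust,DC=example,DC=com" /I:T /G "EXAMPLE\svc-cleartrust:GRGWCCDCLC"
```

The verification output is the same data the ADUC Security tab shows, so it is also the quickest way to confirm, after the troubleshooting step below, that the granular entries are still in place and have not been overwritten by another product.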

For advice on how to configure these granular permissions on an Active Directory account, refer to the Microsoft documentation. Useful Microsoft resources can be found at the following locations:

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/2044d125-cfb2-428c-aa8c-c4e5ac007ba4.mspx

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/373a4e2b-89a6-4ccc-9e20-be07c741f47b.mspx

Whenever the granular permissions have been applied and problems are encountered, retest the system with the domain administrator account by putting the "Administrator" name back into the following keys:

    cleartrust.data.ldap.directory.activedirectory.binddn
    cleartrust.data.ldap.directory.activedirectory-bind.binddn

If this change stops the problem occurring, re-examine your granular permissions carefully to ensure they have not been subsequently altered or updated by another product interacting with Active Directory. If problems persist while the "Administrator" account is in use, contact RSA Security Customer Support, or your designated ClearTrust support channel where an intermediate support organization is involved.
Legacy Article ID: a27103
