LDAP Directories

ActivID CMS leverages your corporate directory by extracting the necessary user information for smart card management. For example, this user information can take the form of email addresses and user names to be inserted on the certificates that are placed on the smart cards. The security of your corporate directory depends upon the information being stored and on the requirements within your organization.

Securing the Windows Server

This section provides links to general recommendations from Microsoft regarding the security of Active Directory and Windows Server. Refer to the following URL for details on securing the directories and information on your Windows Server:

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory

  • Read and review the section “Securing Domain Controllers Against Attacks”.

Schema Extension

If it is a requirement for your network environment or organization to know which user is linked to a specific card, then ActivID CMS can be configured to store the card serial number in a dedicated directory user attribute. In this case, this new attribute should have the following characteristics:

  • Be a multi-valued attribute

  • Be in the form of an octet string

  • Must be applied to all user objects

  • Use a name relevant to your organization (for example, Org-SmartCardSerialNumber).

You can set this dedicated attribute using the Operator Portal. The User Attribute to Store Card Serial Number field is available when you select “Directories” from the Select a Topic menu on the Customization sub-tab of the Configuration tab.

ActivID CMS-Related Security Considerations

ActivID CMS stores and updates information in the corporate LDAP (Lightweight Directory Access Protocol) directory and requests certificates on the user’s behalf. To perform such tasks, ActivID CMS requires access to the LDAP directory and to the Certificate Authority (CA). This access must be carefully restricted so that the account ActivID CMS uses cannot be abused to compromise the ActivID CMS environment.

The following recommendations apply to the LDAP configuration in ActivID CMS:

  • Create a dedicated LDAP account that can be used by ActivID CMS to access the LDAP directory. This account should only be used to read the LDAP directory and write to the smart card serial number attribute (if this is required).

  • Use different accounts for the IIS service and the LDAP access.

  • Use LDAPS with a client certificate to authenticate the ActivID CMS LDAP account to LDAP. If a client certificate to authenticate ActivID CMS to LDAP is not a feasible option, implement a password change procedure for this LDAP account. The procedure should be executed regularly in accordance with your internal policies.

This password change is recommended because the user ID and password of the account that connects to the LDAP directory are configured in the ActivID CMS Operator Portal. The password is encrypted and stored in the ActivID CMS database.

Note: If the password expires and is not changed, ActivID CMS will not function correctly.

  • Create the dedicated account with only the access it needs. This account typically requires only write access to the smart card serial number attribute, and read access to the branches from which it queries the user attributes.

  • Use the ActivID CMS Operator Portal to configure ActivID CMS to use LDAPS for any communication with the LDAP server.

Note: This recommendation requires that the LDAP server be configured with a server certificate that is trusted by the ActivID CMS system.
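As an added example (not part of the ActivID CMS documentation), the following PowerShell creates the card serial number attribute with the characteristics listed under Schema Extension and grants the dedicated LDAP account only the read and write-property access described above. It assumes an Active Directory domain; the OID, the user branch OU, the domain name and the service account name are placeholders that you must replace.

```powershell
# Added example, not from the ActivID CMS documentation. Run on the schema master
# as a member of Schema Admins and Domain Admins. Placeholders (assumptions):
#   1.2.3.4.5.6.7.8.9          -> replace with an OID from your organisation's registered arc
#   OU=Staff,DC=example,DC=com -> the branch from which ActivID CMS queries user attributes
#   EXAMPLE\svc-activid-cms    -> the dedicated LDAP account used by ActivID CMS
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaPath   = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$attrName     = 'Org-SmartCardSerialNumber'     # name used in the documentation's example
$attrLdapName = 'org-SmartCardSerialNumber'

# 1. Create the attribute: multi-valued, octet string (attributeSyntax 2.5.5.10 / oMSyntax 4),
#    indexed (searchFlags 1) so a card serial number can be resolved to its user efficiently.
New-ADObject -Server $schemaMaster -Path $schemaPath -Type 'attributeSchema' -Name $attrName `
    -OtherAttributes @{
        lDAPDisplayName  = $attrLdapName
        adminDisplayName = $attrName
        adminDescription = 'Serial number(s) of smart cards issued to this user by ActivID CMS'
        attributeID      = '1.2.3.4.5.6.7.8.9'   # PLACEHOLDER OID
        attributeSyntax  = '2.5.5.10'
        oMSyntax         = 4
        isSingleValued   = $false
        searchFlags      = 1
    }

# 2. Apply it to all user objects by adding it to the optional attributes of the user class.
$userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaPath `
    -Filter "lDAPDisplayName -eq 'user'"
Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $attrLdapName }

# 3. Reload the schema cache so the new attribute is usable without waiting for the next refresh.
$rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
$rootDse.Put('schemaUpdateNow', 1)
$rootDse.SetInfo()

# 4. Least privilege for the dedicated account: generic read on the user branch, and write
#    property (WP) on the new attribute only, for user objects below it (/I:S = child objects).
$userBranch = 'OU=Staff,DC=example,DC=com'
$svcAccount = 'EXAMPLE\svc-activid-cms'
dsacls $userBranch /I:T /G "${svcAccount}:GR"
dsacls $userBranch /I:S /G "${svcAccount}:WP;${attrLdapName};user"

# 5. Confirm that the LDAPS port (636) is reachable before switching ActivID CMS to LDAPS.
Test-NetConnection -ComputerName $schemaMaster -Port 636 | Select-Object ComputerName, TcpTestSucceeded
```

The dsacls grants cover only the branch and attribute ActivID CMS needs; review the resulting ACL with `dsacls $userBranch` before pointing the Operator Portal at the account.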