proxy_user & super_admin rights on MS Active Directory

How To Set WebADM Access Rights for Active Directory

There are two things to be considered in order to implement fine-grained LDAP permissions for WebADM and its applications:

  1. WebADM Proxy user permissions: This system user is used by WebADM to access and manipulate the required LDAP resources without an administrator login, for example, to increment a user's failed-authentication counter.

  2. Administrator users permissions: These accounts log in to the Admin Portal in order to manage LDAP resources and registered applications.

These users are defined in /opt/webadm/conf/webadm.conf with the proxy_user and super_admins settings.

1. Proxy User

The proxy user needs to perform wide LDAP searches and reads. It also requires read-only permissions on the WebADM LDAP configurations (i.e. the configured containers) and on the user Domain subtrees. The proxy user also needs write access to a few LDAP attributes, because it stores dynamic application user data on the user objects.

In some circumstances, the Proxy user will also need to write an application setting on the users and groups. The following attributes are part of the WebADM LDAP schema and need Proxy user read/write permissions:

1.1 Mandatory Attributes used for Extended Schema

  • webadmData: is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).

  • webadmSettings: is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

1.2 Mandatory Attributes used for Not Extended Schema

  • bootFiles: is the attribute where the applications store the user data (ex. OpenOTP enrolled Token states).

  • bootParameters: is the attribute where WebADM stores user-specific settings (ex. per-user OTP policy).

1.3 Optional Attributes

If you use WebADM Self-Services, then depending on what you allow the users to do within the Self-Service applications, the WebADM proxy user may need some additional permissions.

For example, if you want users to reset their LDAP password, set their mobile numbers or email addresses, then the Proxy user will need to have write permissions to the corresponding LDAP attributes. The following ones can be configured:

  • mail (only if Self-Services are used to set email addresses)

  • mobile (only if Self-Services are used to set mobile numbers)

  • preferredLanguage (only if Self-Services are used to set user language)

  • userPassword, or unicodePwd and pwdlastset for Windows AD (only if Self-Services are used to set the user password)

1.4 Set the proxy_user Rights for Extended Schema

In this example, we work with the domain test.local and the User Search Base configured in WebADM Domain is CN=Users,DC=test,DC=local:

PS C:\Users\administrator> (Get-ADRootDSE).rootDomainNamingContext
DC=test,DC=local
PS C:\Users\administrator> (Get-WmiObject Win32_NTDomain).DomainName
TEST

We set the minimal rights with PowerShell for all groups and users in the Users container for the proxy_user account:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmData'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;webadmSettings'

1.5 Set the proxy_user Rights for Not Extended Schema

In this example, we work with the domain test.local and the User Search Base configured in WebADM Domain is CN=Users,DC=test,DC=local:

PS C:\Users\administrator> (Get-ADRootDSE).rootDomainNamingContext
DC=test,DC=local
PS C:\Users\administrator> (Get-WmiObject Win32_NTDomain).DomainName
TEST

We set the minimal rights with PowerShell for all groups and users in the Users container for the proxy_user account:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootFiles'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;bootParameters'

1.6 Set the proxy_user Optional Rights

We can also add access rights to other attributes in the same way:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;mail'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;mobile'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;preferredLanguage'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;userPassword'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\proxy_user:WPRP;pwdlastset'
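The following PowerShell script is an added example and is not part of the RCDevs documentation or the WebADM product. It wraps the dsacls calls above so that the mandatory and the chosen optional attributes are granted in one step, skips attributes that are not present in the schema (for example webadmData when the schema has not been extended), and then reads the ACL back through the AD: drive to list exactly which attributes the proxy user can read and write. It assumes the RSAT ActiveDirectory module is installed and that the caller is allowed to modify the ACL of the search base; the domain, DN and account names are the ones used in this article. The read-back function works for any DN, so it can also be pointed at the WebADM configuration container from section 4.

```powershell
# Added example (not from the RCDevs documentation): grant the WebADM proxy
# user per-attribute rights with dsacls, then read the resulting ACL back and
# show, in attribute terms, what the account can do.
# Assumes the RSAT ActiveDirectory module (AD: drive) and the right to modify
# the ACL of the search base. Names are those used in this article.
Import-Module ActiveDirectory

# Map schemaIDGUID -> lDAPDisplayName so ACE ObjectType GUIDs become readable.
function Get-SchemaGuidMap {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $map = @{}
    Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    return $map
}

# Grant read/write property (WPRP) on each attribute, inherited to the whole
# subtree (/I:T), exactly as the dsacls lines in this article do. Attributes
# missing from the schema are skipped instead of producing a dsacls error.
function Grant-WebAdmAttributeRights {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. CN=Users,DC=test,DC=local
        [Parameter(Mandatory)][string]$Principal,    # e.g. TEST\proxy_user
        [Parameter(Mandatory)][string[]]$Attributes
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($attr in $Attributes) {
        $exists = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)"
        if (-not $exists) {
            Write-Warning "$attr is not in the schema; skipping (schema not extended?)"
            continue
        }
        # Braces keep PowerShell from parsing "$Principal:" as a scoped variable.
        & dsacls $SearchBase /I:T /G "${Principal}:WPRP;$attr" | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $attr (exit $LASTEXITCODE)" }
    }
}

# Read back the explicit (non-inherited) ACEs granted to the principal on a DN.
# An ACE whose ObjectType is the empty GUID applies to all properties, and any
# right beyond ReadProperty/WriteProperty is broader than this article intends;
# both cases are flagged in the Broad column.
function Show-PrincipalAces {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$Principal
    )
    $map = Get-SchemaGuidMap
    $allowed = [int]([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty')
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -ieq $Principal -and -not $_.IsInherited } |
        ForEach-Object {
            $target = if ($_.ObjectType -eq [guid]::Empty) { '<ALL PROPERTIES>' }
                      elseif ($map.ContainsKey($_.ObjectType)) { $map[$_.ObjectType] }
                      else { $_.ObjectType.ToString() }
            $extra = ([int]$_.ActiveDirectoryRights) -band (-bnot $allowed)
            [pscustomobject]@{
                Principal   = $_.IdentityReference.Value
                Attribute   = $target
                Rights      = $_.ActiveDirectoryRights
                Inheritance = $_.InheritanceType
                Type        = $_.AccessControlType
                Broad       = ($_.ObjectType -eq [guid]::Empty) -or ($extra -ne 0)
            }
        } | Format-Table -AutoSize
}

# Usage: the mandatory attributes of the extended schema plus the optional
# ones the Self-Services are allowed to change (here: mail and mobile only).
$base  = 'CN=Users,DC=test,DC=local'
$proxy = 'TEST\proxy_user'
Grant-WebAdmAttributeRights -SearchBase $base -Principal $proxy `
    -Attributes @('webadmData', 'webadmSettings', 'mail', 'mobile')
Show-PrincipalAces -Dn $base -Principal $proxy
```

Run Show-PrincipalAces again after any later change to the container's ACL: a row with Attribute set to <ALL PROPERTIES>, or with Broad set to True, means the proxy account has been given more than the per-attribute WPRP rights this procedure calls for.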

2. super_admins

When a WebADM administrator logs in to the WebADM Admin Portal, they always access and manage the LDAP resources under their own LDAP permissions. This means the user/group/configuration management permissions are enforced at the LDAP level. For example, a Windows AD Domain Administrator will be able to manage users and groups.

If the WebADM administrator is not an Active Directory administrator, we need to add permissions, depending on which user attributes the administrator is allowed to change.

2.1 Rights for an Extended Schema

In this example, we work with the domain test.local, webadm_admins is the super_admin and the User Search Base configured in WebADM Domain is CN=Users,DC=test,DC=local:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;objectClass'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;webadmData'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;webadmSettings'

2.2 Rights for Not Extended Schema

In this example, we work with the domain test.local, webadm_admins is the super_admin and the User Search Base configured in WebADM Domain is CN=Users,DC=test,DC=local:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;objectClass'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;bootFiles'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;bootParameters'

2.3 Optional Attributes for super_admins

In this example, we work with the domain test.local, webadm_admins is the super_admin and the User Search Base configured in WebADM Domain is CN=Users,DC=test,DC=local:

dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;mail'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;mobile'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;preferredLanguage'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;userPassword'
dsacls "CN=Users,DC=test,DC=local" /I:T /G 'TEST\webadm_admins:WPRP;pwdlastset'

3. Domain Administrators Permissions (AdminSDHolder)

To write on AD administrator accounts, the rights set above are not enough, because the AdminSDHolder mechanism overwrites the permissions of protected administrator users and groups every hour. So we also need to apply the same rules on the AdminSDHolder object and wait up to one hour until they are applied to all admin users and groups of the domain:

3.1 Rights for Extended Schema

In this example, we work with the domain test.local and webadm_admins is the super_admin:

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;objectClass'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;webadmData'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;webadmSettings'

3.2 Rights for Not Extended Schema

In this example, we work with the domain test.local and webadm_admins is the super_admin:

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;objectClass'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;bootFiles'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;bootParameters'

3.3 Optional Attributes

In this example, we work with the domain test.local and webadm_admins is the super_admin:

dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;mail'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;mobile'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;preferredLanguage'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;userPassword'
dsacls "CN=AdminSDHolder,CN=System,DC=test,DC=local" /G 'TEST\webadm_admins:WPRP;pwdlastset'
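The following PowerShell script is an added example and is not part of the RCDevs documentation. Since the AdminSDHolder rights only take effect once SDProp has copied them onto the protected accounts, it compares the ACEs granted to webadm_admins on CN=AdminSDHolder with the ACL of every object carrying adminCount=1 and reports which accounts have not received them yet; it also shows how to ask the PDC emulator to run SDProp immediately through the rootDSE runProtectAdminGroupsTask operation instead of waiting for the hourly run. It assumes the RSAT ActiveDirectory module, and the domain and group names are the ones used in this article.

```powershell
# Added example (not from the RCDevs documentation): verify that the ACEs set
# on CN=AdminSDHolder have been propagated by SDProp to the protected accounts
# (adminCount=1), and optionally trigger SDProp now instead of waiting an hour.
# Assumes the RSAT ActiveDirectory module; names are those used in this article.
Import-Module ActiveDirectory

# Allow ACEs for the principal on a DN, reduced to "ObjectType|Rights" keys so
# the AdminSDHolder ACL can be compared with a protected account's ACL.
function Get-AceKeys {
    param(
        [Parameter(Mandatory)][string]$Dn,
        [Parameter(Mandatory)][string]$Principal
    )
    (Get-Acl -Path "AD:\$Dn").Access |
        Where-Object { $_.IdentityReference.Value -ieq $Principal -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { '{0}|{1}' -f $_.ObjectType, $_.ActiveDirectoryRights }
}

# For every protected object in the domain, report whether all AdminSDHolder
# ACEs for the principal are present on the object itself.
function Test-AdminSDHolderPropagation {
    param([Parameter(Mandatory)][string]$Principal)
    $domainNC = (Get-ADRootDSE).defaultNamingContext
    $expected = @(Get-AceKeys -Dn "CN=AdminSDHolder,CN=System,$domainNC" -Principal $Principal)
    if ($expected.Count -eq 0) { throw "No ACE for $Principal on AdminSDHolder; nothing to propagate" }
    Get-ADObject -LDAPFilter '(adminCount=1)' -SearchBase $domainNC | ForEach-Object {
        $have    = @(Get-AceKeys -Dn $_.DistinguishedName -Principal $Principal)
        $missing = @($expected | Where-Object { $have -notcontains $_ })
        [pscustomobject]@{
            Object      = $_.DistinguishedName
            Class       = $_.ObjectClass
            Propagated  = ($missing.Count -eq 0)
            MissingAces = $missing.Count
        }
    }
}

# SDProp runs on the PDC emulator every hour by default; writing
# runProtectAdminGroupsTask=1 to its rootDSE asks it to run now.
function Invoke-SDPropNow {
    $pdc = (Get-ADDomain).PDCEmulator
    $rootDse = [ADSI]"LDAP://$pdc/RootDSE"
    $rootDse.Put('runProtectAdminGroupsTask', '1')
    $rootDse.SetInfo()
}

# Usage: trigger SDProp, give it a moment, then check every protected account.
Invoke-SDPropNow
Start-Sleep -Seconds 30
Test-AdminSDHolderPropagation -Principal 'TEST\webadm_admins' | Format-Table -AutoSize
```

The comparison is done on explicit ACEs only, which is what SDProp stamps on protected objects (it disables inheritance on them), so an account that shows Propagated = False right after the trigger simply has not been processed yet; if it stays False after the next hourly run, the ACE on AdminSDHolder itself should be re-checked.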

4. Rights on the WebADM Container

In this example, we work with the domain test.local, webadm_admins is the super_admin and proxy_user is our proxy user. All WebADM configuration containers are under CN=webadm,DC=test,DC=local, and we set the rights on all descendants of this container:

For WebADM administrators:

dsacls "CN=webadm,DC=test,DC=local" /I:S /G 'TEST\webadm_admins:GA'

For proxy_user user:

dsacls "CN=webadm,DC=test,DC=local" /I:S /G 'TEST\proxy_user:RP'