External user accounts

This topic describes how to manage external user accounts and groups.

Modify external user accounts

After External User Accounts and Groups have been created in the Vault, you can view their properties and modify some of them in the External User Account in the Vault.

  1. Log on to the PrivateArk Administrative Client as a Vault administrator.

  2. From the Tools menu, select Administrative Tools and then Users and Groups; the Users and Groups window appears.

    The Users list displays all the users and groups that have been created in the Vault. LDAP users and groups are marked with special icons.

     

  3. Select the External User Account to modify, then click Update; the Update Users window appears.

    In the Update Users window, you can change the following user properties:

    The method that the user will use to authenticate to the Vault, including the following:

    • Password properties

    • The user certificate DN

    • Whether a user is disabled or not.

  4. Update the user account properties as required, then click OK; the modifications are applied to the selected External User Account.

Set up PKI authentication when the certificate subject names are different from the Active Directory DNs

If a user's Distinguished Name (DN) in the Active Directory does not match the Subject in their PKI certificate, their user will not be identified and they will not be able to log onto the Vault. However, if at least one element of the DN matches the certificate subject, you can configure the Vault to identify LDAP users according to that specific element.

In the LDAP Profile file for the relevant directory, specify the following parameters:

Parameter

Description

UserNameDNElement

The DN element of the Certificate Subject that will be used to match the user who is attempting to log on with the given PKI certificate.

ObjectCommonName

Specifies the field in the Active Directory that will be matched with the value of the certificate DN element that is specified in the UserNameDNElement parameter.

The following example shows the DN listed in the Active Directory and the corresponding DN listed in the PKI certificate:

DN in Active Directory:

CN=User;OU=mycompany;DC=com

Subject in PKI certificate:

CN=User;OU=mycompany;DC=eu

As the values of CN and OU are the same in both DNs, in the Profile set, you could specify either of them in the UserNameDNElement parameter. If you decide to specify CN, you would also specify CN in the ObjectCommonName parameter to enable the system to search in the Active Directory according to this DN element.

Change the external user’s certificate

If the certificates that can be used to enable PKI authentication to the Vault are in the external directory, you can change the certificate that is specified in the External User’s Account.

  1. Log on to the PrivateArk Administrative Client as a Vault administrator.

  2. From the Tools menu, select Administrative Tools and then Users and Groups; the Users and Groups window appears.

  3. From the Users list, select the LDAP User Account to modify, then click Update; the Update Users window appears.

  4. Select the Authentication tab; the User’s authentication settings appear.

    changing cert

  5. Click Select; the Choose Certificate window appears.

  6. Select a certificate from a local certificate store:

    1. Select From Local Store, then click Browse, and select the certificate from the certificate list; the certificates Distinguished Name appears in the Choose Certificate window.

    2. Click OK; the specified certificate’s Distinguished Name appears in the authentication tab of the Update User window and can now be used to authenticate the LDAP user to the Vault.

      or,

      Select a certificate from an LDAP directory:

    3. Select From Directory, then click Browse to display the Choose Directory and Branch window.

    4. Select a directory. If you are not logged on to the LDAP directory, the Connect to Directory window appears,

      or,

      To log on as a different user and choose a group from a different LDAP directory, click LDAP Connection and specify the User credentials that will give you access to those directories.

    5. Select the branch that contains the required certificate, then click Select; the directory name and branch appear in the Choose Certificate window.

    6. Specify the Query Filter, then click Search; all the certificates that meet the query filter criteria are displayed in the Search Results.

      changing cert 3

    7. Select the required certificate, then click OK; the specified certificate’s Distinguished Name appears in the authentication tab of the Update User window and will now be used to authenticate the LDAP User to the Vault.

  7. Click OK; the LDAP User Account’s authentication properties will be updated.

Modify LDAP groups’ properties

After LDAP groups have been created in the Vault, their Safe Ownership properties can be altered.

  1. Log on to the PrivateArk Administrative Client as a Vault administrator.

  2. From the Tools menu, select Administrative Tools and then Users and Groups; the Users and Groups window appears.

  3. Select the LDAP group to modify; only the Delete and Safe Ownership buttons are active, indicating that these are the only activities that can be carried out on these groups.

  4. Modify the Safe Ownership properties as required, then click OK; the modifications are applied to the selected Group.