# Active Directory Plugin

{% hint style="warning" %}
Keeper has also launched a zero-trust Password Rotation feature with KeeperPAM. This new capability is recommended for most password rotation use cases. The documentation is linked below:

* [Password Rotation with KeeperPAM](https://docs.keeper.io/en/keeperpam/secrets-manager/password-rotation)
* Commander [KeeperPAM commands](https://docs.keeper.io/en/keeperpam/commander-cli/command-reference/keeperpam-commands)
{% endhint %}

This plugin provides IT Admins with the ability to rotate the password of an Active Directory user account. This plugin can be run on any system that has network access to the AD server.

## Prerequisites

#### Install the ldap3 module

```
pip3 install ldap3
```

## Prepare Record for Rotation

### Create a Record for Rotation

Rotation supports legacy and typed records. If using a typed record, a 'Password' type field is required. Additional fields may be needed depending on the rotation type as well. See the instructions below.

{% hint style="info" %}
See the [Troubleshooting](https://docs.keeper.io/en/keeperpam/troubleshooting-commander-cli#typed-vs-untyped-records-v3-vs-v2) section for more information on legacy vs. typed records.
{% endhint %}

### Set the Password Field

#### In the Keeper record, put the user's current password in the "Password" field

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2FhvLF8beyM5y2szJUXhWN%2Fimage.png?alt=media\&token=70598eb8-dbb7-4320-bc69-d87d20d29c1b)

### Set the Hostname and Port

![](https://762006384-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MJXOXEifAmpyvNVL1to%2Fuploads%2Fe5jiWMkFQPzwi5UDLvp1%2Fimage.png?alt=media\&token=90c83a72-367e-4398-9cb6-bcc916432de0)

If using an untyped record, the host and port can be set as custom fields (see below).

{% hint style="info" %}
TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 389 will select AD rotation.
{% endhint %}

### Add the following required fields

The following fields are required for AD rotation. Create each field with the label indicated and supply the required information.

| Label         | Value         | Comment                                                                                                                                         |
| ------------- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- |
| cmdr:use\_ssl | True or False | Whether or not to use an SSL connection to the AD server                                                                                        |
| cmdr:userdn   |               | [Distinguished name](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366101.aspx) of the AD user you want to rotate the password on. |

### Additional Rotation Settings

The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.

| Label       | Value    | Comment                                                                                                                                  |
| ----------- | -------- | ---------------------------------------------------------------------------------------------------------------------------------------- |
| cmdr:plugin | adpasswd |                                                                                                                                          |
| cmdr:host   |          | Host name or IP address of your AD Server                                                                                                |
| cmdr:port   |          | Optional: Port number of your AD Server. Default value: 389                                                                              |
| cmdr:rules  |          | Optional [password complexity rules](https://github.com/Keeper-Security/Commander/tree/master/keepercommander/plugins/password_rules.md) |

## Rotate Record

To rotate Active Directory passwords, use the `rotate` command in Commander. Pass the command a record title or UID (or use `--match` with a regular expression to rotate several records at once).

```
rotate "AD Password Rotator" --plugin adpasswd
```

{% hint style="info" %}
The plugin can be supplied to the command as shown here, or added to a record field (see options above).\
Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
{% endhint %}

## Notes and Troubleshooting

{% hint style="info" %}
The Keeper "Login" field is not used for this plugin. The user is identified with the **cmdr:userdn** custom field.
{% endhint %}

If you get the error "Error during connection to AD server" try the following:

* Ensure your AD supports secure bind via TLS. The certificate can be self-signed if needed.
* Disable the 'Minimum password age' group policy. It is set to one day by default.
* Verify connectivity to the host server and make sure it is accessible. Download a tool such as the [Softerra LDAP Browser](http://www.ldapadministrator.com/download.htm) to test whether you're able to connect to Active Directory.
* Check that your Distinguished Name **cmdr:userdn** is set correctly. It needs to be exactly right or the connection will fail. You can check this value from within the Softerra LDAP Browser software, or you can run the following command prompt utility on the **AD Server:**

```
C:\Users\craig>dsquery user -name Craig*
"CN=Craig Lurey,CN=Users,DC=keeper,DC=test,DC=keepersecurity,DC=com"
```

For connecting as Craig in this scenario, make sure the **cmdr:userdn** custom field contains this exact string (without the quotes).

### Connecting to Active Directory

Microsoft Active Directory requires an SSL/TLS connection in order to change a password. The following link explains how to set up a secure connection to Active Directory:

<https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/>
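The following is an added example, not Keeper Commander's own plugin code. It maps the cmdr:* custom fields from the tables above to ldap3 connection settings, rejects the misconfigurations the troubleshooting list warns about (missing host, a DN copied with its quotes, a value that is not a DN), and performs the change over LDAPS or StartTLS as the previous paragraph requires. The record dictionary shape and the host `dc01.keeper.test` are assumptions; `ldap3` is the module installed under Prerequisites.

```python
"""Added example, not Keeper Commander's own plugin code: build AD rotation
parameters from a record's cmdr:* custom fields and change the password with
ldap3 (the module installed under Prerequisites)."""
import re
from dataclasses import dataclass

DEFAULT_PORT = 389                      # cmdr:port default from the table above
_RDN = re.compile(r"^(CN|OU|DC)=[^,]+$", re.IGNORECASE)   # one DN component


@dataclass
class AdRotationParams:
    host: str
    port: int
    use_ssl: bool
    user_dn: str


def parse_ad_params(custom_fields: dict) -> AdRotationParams:
    """Map the cmdr:* labels to connection settings; raises on the mistakes the
    troubleshooting list above warns about (bad DN, missing host).
    The dict shape {label: value} is an assumption of this example."""
    host = (custom_fields.get("cmdr:host") or "").strip()
    if not host:
        raise ValueError("cmdr:host is required")
    port = int(custom_fields.get("cmdr:port") or DEFAULT_PORT)
    use_ssl = str(custom_fields.get("cmdr:use_ssl", "")).strip().lower() == "true"
    # dsquery prints the DN in double quotes; they must not end up in the field
    user_dn = (custom_fields.get("cmdr:userdn") or "").strip().strip('"')
    if not user_dn or not all(_RDN.match(p.strip()) for p in user_dn.split(",")):
        raise ValueError(f"cmdr:userdn is not a distinguished name: {user_dn!r}")
    return AdRotationParams(host, port, use_ssl, user_dn)


def rotate_ad_password(params: AdRotationParams, current: str, new: str) -> None:
    """Bind as the user and replace the password. AD refuses the change over
    clear text, so use LDAPS (cmdr:use_ssl True) or StartTLS on port 389."""
    import ldap3  # imported here so parse_ad_params works without the module
    server = ldap3.Server(params.host, port=params.port, use_ssl=params.use_ssl,
                          get_info=ldap3.NONE)
    auto_bind = ldap3.AUTO_BIND_NO_TLS if params.use_ssl else ldap3.AUTO_BIND_TLS_BEFORE_BIND
    conn = ldap3.Connection(server, user=params.user_dn, password=current,
                            auto_bind=auto_bind)
    try:
        # ldap3's Microsoft extension issues the unicodePwd delete/add modify
        if not conn.extend.microsoft.modify_password(params.user_dn, new, current):
            raise RuntimeError(f"password change rejected: {conn.result}")
    finally:
        conn.unbind()
```

A bind failure surfaces as ldap3's `LDAPBindError`, which is the condition behind Commander's "Error during connection to AD server" message; check the DN and TLS setup listed above before anything else.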
