# PAM Directory

## Overview A PAM Directory record is a type of KeeperPAM resource that represents an Active Directory or OpenLDAP service, either on-prem or hosted in the cloud.

PAM Record Type	Supported Assets
PAM Directory	Active Directory, OpenLDAP

## Features Available The PAM Machine resource supports the following features: * Password rotation using either LDAP, LDAPS or WinRM * Connections using RDP * TCP Tunnels over any protocol * Session recording and playback * Sharing access without sharing credentials {% hint style="info" %} Connecting to the PAM Directory requires only that the Keeper Gateway has access to the target directory service. The Keeper Vault operates independently and does not require direct connectivity to the service, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the [network architecture diagram](https://docs.keeper.io/en/keeperpam/privileged-access-manager/getting-started/architecture/system-architecture) for more details. {% endhint %} ## Creating a PAM Directory Prior to creating a PAM Directory Record type, make sure you have already created a PAM Configuration. The PAM Configuration contains information of your target infrastructure while the PAM Directory contains information of an asset, such as a Active Directory server, within that target infrastructure. To create a PAM Directory: * Click on **Create New** * Depending on your use case, click on "Rotation", "Tunnel", or "Connection" * On the prompted window: * Select "**New Record**" * Select the Shared Folder you want the record to be created in * Specify the Title * Select "**Directory**" for the Target * Click "**Next**" and complete all of the required information.

## PAM **Directory** Record Type Fields The following table lists all the configurable fields on the PAM Directory Record Type:

Field	Description	Notes
Hostname or IP Address	Address of the directory resource	Required
Port	Port to connect on	Required Typically 389 or 636 (LDAP/LDAPS) Active Directory only supports 636
Use SSL	Use SSL when connecting	Required for Active Directory
Alternative IPs	List of failover IPs for the directory, used for Discovery	Newline separated
Directory ID	Instance ID for AD resource in Azure and AWS hosted environments	Required if Azure Active Directory or AWS Directory Service AWS Example: "d-9a423d0d3b'
Directory Type	Directory type, used for formatting of messaging	Required Must be Active Directory or OpenLDAP
User Match	Match on OU to filter found users during Discovery	Optional Either match the right side of the DN or surround with slashes for a regular expression. Example: `OU=Users,DC=company,DC=com` Example: `/OU=Users/`
Domain Name	domain managed by the directory	Required Example: `some.company.com`
Provider Group	Provider Group for directories hosted in Azure	Required for directories hosted in Azure
Provider Region	AWS region of hosted directory	Required for directories hosted in AWS Example: `us-east-2`

## PAM Settings and Administrative Credentials On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

### PAM Settings

Field	Description	Required
PAM Configuration	Associated PAM Configuration record which defines the environment	Required
Administrative Credential Record	Linked PAM User credential used for connection and administrative operations	Required
Protocol	Native protocol used for connecting the session from the Gateway to the target	Required
Session Recording	Options for recording sessions and typescripts	See session recording
Connection Parameters (multiple)	Connection-specific protocol settings which can vary based on the protocol type	Depends on protocol. We recommend specifying the Connection Port at a minimum.

Note: PAM User is only required to successfully configure connections and rotation, and not required for Tunnels. **Configuration Steps:** 1. On the PAM Database record, navigate to the PAM Settings section 2. Select the PAM Configuration and Administrative Credential Record 3. To configure Keeper Connections and Keeper Tunnels settings, visit the following page: 1. [Keeper Connections](https://docs.keeper.io/en/keeperpam/privileged-access-manager/connections) 2. [Keeper Tunnels](https://docs.keeper.io/en/keeperpam/privileged-access-manager/tunnels) The following screenshot is a PAM Directory Record with LDAPS rotation, RDP connections and LDAPS tunnels enabled: