Active Directory or OpenLDAP User

Rotating Active Directory or OpenLDAP user accounts remotely using KeeperPAM

Overview

In this guide, you'll learn how to remotely rotate Active Directory or OpenLDAP user accounts using KeeperPAM.

Prerequisites

This guide assumes the following tasks have already taken place:

The Keeper Gateway is able to communicate via LDAPS (port 636) or LDAP (port 389) to your directory.

1. Set up a PAM Directory credential

Keeper Rotation will use the linked admin credential to rotate other accounts in your directory. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

The linked admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.

PAM Directory Record Fields

Field

Description

Record Type

PAM Directory

Title

Keeper record title

Hostname or IP Address

IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10, dc01.mydomain.local

Port

636 - LDAPS is required for rotation on Active Directory. LDAP over port 389 is insecure and should be avoided.

Use SSL

Must be enabled for use with Active Directory

Administrative Credentials

Linked PAM User credential used for performing the LDAP rotation. Example: rotationadmin

Domain Name

Domain name of the Active Directory. Example: mydomain.local

Directory Type

Set to Active Directory or OpenLDAP

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM Configuration set up for this environment.

Field

Description

Title

Configuration name, example: My Active Directory

Environment

Select: Local Network

Gateway

Select the Gateway that has access to your directory server

Application Folder

Select the Shared folder that contains the PAM Directory record

Other fields

3. Set up PAM User records

KeeperPAM will use the credentials linked from the "PAM Directory" record to rotate other "PAM User" records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the secrets manager application. In the example below, the AD user demouser can be rotated.

PAM User Record Fields

Field

Description

Record Type

PAM User

Title

Keeper record title, e.g. AD User - demouser

Login

Username of the account being rotated. The format of the username depends on the target system and type of service. Examples: demouser demouser@domain.local

Password

Account password is optional. In most cases, a password rotation will not require the existing password to be present. However there are some scenarios and protocols which may require it.

Distinguished Name

Required for Active Directory and OpenLDAP directories. The LDAP DN for the user, e.g. CN=Demo User,CN=Users,DC=lureydemo,DC=local

If you don't know the user's DN, the following PowerShell command can be used to find it:

Get-ADUser -Identity <username> -Properties DistinguishedName

4. Configure Rotation on the Record

Select the PAM User record, edit the record and open the "Password Rotation Settings".

The "Rotation" should be of type "General".
The "PAM Resource" field should select the "PAM Directory" credential setup previously.
Select the desired schedule and password complexity.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Troubleshooting

An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

Testing with a Self-Signed Cert

For the purpose of testing an Active Directory user account rotation with Keeper, it is necessary to ensure that the LDAPS connection is active and using a valid certificate. If you are just testing and don't have a production certificate, the instructions below provide you with a self-signed cert.

Using a self-signed certificate with AD is only for testing purposes, do not use in production

Create a cert

From PowerShell running as an administrator, create a self-signed cert. Note that the subject name and alternate names of the certificate must match with the server hostname. In this example, the primary name is XYZ123.company.local with alternate names company.local and company.

New-SelfSignedCertificate -DnsName XYZ123.company.local,company.local,company, -CertStoreLocation cert:\LocalMachine\My

Install the cert

This script will locate the cert in the personal section of the certificate manager and copy it into the trusted domains. Replace the company parameter in the first line of this script with the domain in step 1.

# Get the cert we just created
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*company*"}
$thumbprint = ($cert.Thumbprint | Out-String).Trim()

# Copy to NTDS through registry
$certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
if (!(Test-Path $certStoreLoc)) {
    New-Item $certStoreLoc -Force
}
Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc

# Copy to Trusted Root store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()

Restart NTDS

After restarting the NTDS service, the certificate should be installed.

Restart-Service NTDS -force

Check the connectivity

Run 'LDP.exe' and make sure that you're able to connect to the local domain over port 636 with SSL enabled.

PreviousLocal Network NextWindows User

Last updated 2 months ago

Was this helpful?