PAM Directory

KeeperPAM resource for managing directory services, either on-prem or in the cloud

Overview

A PAM Directory record is a type of KeeperPAM resource that represents an Active Directory or OpenLDAP service, either on-prem or hosted in the cloud.

| PAM Record Type | Supported Assets |
| --- | --- |
| PAM Directory | Active Directory, OpenLDAP |

Features Available

The PAM Directory resource supports the following features:

  • Password rotation using either LDAP, LDAPS or WinRM

  • Connections using RDP

  • TCP Tunnels over any protocol

  • Session recording and playback

Note: Connecting to the PAM Directory requires only that the Keeper Gateway has access to the target directory service. The Keeper Vault operates independently and does not require direct connectivity to the service, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.

Creating a PAM Directory

Prior to creating a PAM Directory Record type, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Directory contains information about an asset, such as an Active Directory server, within that target infrastructure.

To create a PAM Directory:

  • Click on Create New

  • Depending on your use case, click on "Rotation", "Tunnel", or "Connection"

  • On the prompted window:

    • Select "New Record"

    • Select the Shared Folder you want the record to be created in

    • Specify the Title

    • Select "Directory" for the Target

    • Click "Next" and complete all of the required information.

[Screenshot: Creating a PAM Directory]

PAM Directory Record Type Fields

The following table lists all the configurable fields on the PAM Directory Record Type:

| Field | Description | Notes |
| --- | --- | --- |
| Hostname or IP Address | Address of the directory resource | Required |
| Port | Port to connect on | Required. Typically 389 or 636 (LDAP/LDAPS). Active Directory only supports 636 |
| Use SSL | Use SSL when connecting | Required for Active Directory |
| Alternative IPs | List of failover IPs for the directory, used for Discovery | Newline separated |
| Directory ID | Instance ID for the AD resource in Azure and AWS hosted environments | Required if Azure Active Directory or AWS Directory Service. AWS example: "d-9a423d0d3b" |
| Directory Type | Directory type, used for formatting of messaging | Required. Must be Active Directory or OpenLDAP |
| User Match | Match on OU to filter found users during Discovery | Optional. Either match the right side of the DN or surround with slashes for a regular expression. Example: OU=Users,DC=company,DC=com or /OU=Users/ |
| Domain Name | Domain managed by the directory | Required. Example: some.company.com |
| Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
| Provider Region | AWS region of the hosted directory | Required for directories hosted in AWS. Example: us-east-2 |
| Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol. We recommend specifying the Connection Port at a minimum. |

PAM Settings and Administrative Credentials

On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.

PAM Settings

| Field | Description | Required |
| --- | --- | --- |
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required |
| Protocol | Native protocol used for connecting the session from the Gateway to the target | Required |
| Session Recording | Options for recording sessions and typescripts | See session recording |

Note: PAM User is only required to successfully configure connections and rotation, and not required for Tunnels.

Configuration Steps:

  1. On the PAM Directory record, navigate to the PAM Settings section

  2. Select the PAM Configuration and Administrative Credential Record

  3. To configure Keeper Connections and Keeper Tunnels settings, visit the following pages:

    • Keeper Connections

    • Keeper Tunnels

[Screenshot: PAM Settings]

The following screenshot is a PAM Directory Record with LDAPS rotation, RDP connections and LDAPS tunnels enabled:

[Screenshot: PAM Directory with Connection, Rotation and Tunnel Enabled]
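The User Match rule and the Port / Use SSL notes from the fields table, as an added example that is not Keeper's own code: a filter that applies a User Match value (right-side DN match, or a slash-wrapped regular expression) to constructed sample DNs, plus a check of the documented Active Directory port and SSL requirements. It assumes the right-side compare is case-insensitive and that a slash-wrapped value is used as a regular expression exactly as written.

```python
import re
from typing import Iterable

# Constructed sample DNs, as Discovery might return them (not real data).
SAMPLE_DNS = [
    "CN=alice,OU=Users,DC=company,DC=com",
    "CN=svc-backup,OU=Service Accounts,OU=Users,DC=company,DC=com",
    "CN=bob,ou=users,dc=company,dc=com",
    "CN=krbtgt,CN=Users,DC=company,DC=com",
    "CN=eve,OU=Users,DC=other,DC=com",
]


def user_match_filter(user_match: str, dns: Iterable[str]) -> list[str]:
    """Apply a User Match value to discovered DNs (empty value = no filtering).

    A value wrapped in slashes is used as a regular expression as written.
    Any other value must match the right side of the DN; that compare is
    case-insensitive here (assumption: DN attribute types and AD values are
    matched case-insensitively).
    """
    if not user_match:
        return list(dns)
    if len(user_match) > 2 and user_match[0] == "/" and user_match[-1] == "/":
        pattern = re.compile(user_match[1:-1])
        return [dn for dn in dns if pattern.search(dn)]
    # Give whole trailing components (OU=...,DC=...) so that a partial value
    # such as "Users,DC=company,DC=com" cannot also match OU=PowerUsers.
    suffix = user_match.lower()
    return [dn for dn in dns if dn.lower().endswith(suffix)]


def check_port_and_ssl(directory_type: str, port: int, use_ssl: bool) -> list[str]:
    """Return the documented Port / Use SSL problems for a record, empty if none."""
    problems = []
    if directory_type not in ("Active Directory", "OpenLDAP"):
        problems.append("Directory Type must be Active Directory or OpenLDAP")
    if directory_type == "Active Directory":
        if port != 636:
            problems.append("Active Directory only supports port 636")
        if not use_ssl:
            problems.append("Use SSL is required for Active Directory")
    return problems


if __name__ == "__main__":
    print(user_match_filter("OU=Users,DC=company,DC=com", SAMPLE_DNS))
    print(user_match_filter("/OU=Users/", SAMPLE_DNS))
    print(check_port_and_ssl("Active Directory", 389, False))
```

The regex form matches anywhere in the DN (so it also picks up OU=Users under a different domain), while the plain form only matches the trailing components, which is the difference the two documented examples illustrate.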