PAM Directory
KeeperPAM resource for managing directory services, either on-prem or in the cloud
A PAM Directory record is a type of KeeperPAM resource that represents an Active Directory or OpenLDAP service, either on-prem or hosted in the cloud.
| Record type | Supported directory services |
|---|---|
| PAM Directory | Active Directory, OpenLDAP |
The PAM Directory resource supports the following features:

- Password rotation using either LDAP, LDAPS or WinRM
- Connections using RDP
- TCP Tunnels over any protocol
- Session recording and playback
- Sharing access without sharing credentials
Connecting to the PAM Directory requires only that the Keeper Gateway has access to the target directory service. The Keeper Vault operates independently and does not require direct connectivity to the service, leveraging Keeper's zero-trust network access model to securely manage access through the Gateway. See the network architecture diagram for more details.
Prior to creating a PAM Directory record, make sure you have already created a PAM Configuration. The PAM Configuration contains information about your target infrastructure, while the PAM Directory contains information about an asset, such as an Active Directory server, within that target infrastructure.
To create a PAM Directory:
Click on Create New
Depending on your use case, click on "Rotation", "Tunnel", or "Connection"
On the prompted window:
Select "New Record"
Select the Shared Folder you want the record to be created in
Specify the Title
Select "Directory" for the Target
Click "Next" and complete all of the required information.
The following table lists all the configurable fields on the PAM Directory Record Type:
| Field | Description | Notes |
|---|---|---|
| Hostname or IP Address | Address of the directory resource | Required |
| Port | Port to connect on | Required. Typically 389 or 636 (LDAP/LDAPS). Active Directory only supports 636 |
| Use SSL | Use SSL when connecting | Required for Active Directory |
| Alternative IPs | List of failover IPs for the directory, used for Discovery | Newline separated |
| Directory ID | Instance ID for AD resource in Azure and AWS hosted environments | Required if Azure Active Directory or AWS Directory Service. AWS example: "d-9a423d0d3b" |
| Directory Type | Directory type, used for formatting of messaging | Required. Must be Active Directory or OpenLDAP |
| User Match | Match on OU to filter found users during Discovery | |
| Domain Name | Domain managed by the directory | Required. Example: some.company.com |
| Provider Group | Provider Group for directories hosted in Azure | Required for directories hosted in Azure |
| Provider Region | AWS region of hosted directory | Required for directories hosted in AWS. Example: us-east-2 |
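The requirements in the table above interact (Active Directory needs SSL and port 636, cloud-hosted directories need a Directory ID plus the provider-specific field, Alternative IPs must be one address per line), and a mismatch usually surfaces only when the first rotation or Discovery run fails. The following is an added pre-flight check that encodes those rules so a record can be validated before it is saved; it is example code, not part of KeeperPAM or the Keeper Gateway. The `PamDirectoryRecord` shape, the `hosting` key ("on-prem", "aws" or "azure", used to decide which cloud fields apply) and `check_ldaps_endpoint` are assumptions made for illustration; the sample records are constructed.

```python
"""Pre-flight checks for a PAM Directory record, mirroring the field rules in the
table above. Added example, not Keeper's code. The record shape and the `hosting`
key ("on-prem", "aws", "azure") are assumptions made for illustration."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass

DIRECTORY_TYPES = ("Active Directory", "OpenLDAP")
LDAP_PORTS = {389: "LDAP", 636: "LDAPS"}


@dataclass
class PamDirectoryRecord:
    hostname: str
    port: int
    use_ssl: bool
    directory_type: str
    domain_name: str
    directory_id: str = ""        # Azure AD / AWS Directory Service instance ID
    alternative_ips: str = ""     # newline separated, as in the vault field
    user_match: str = ""
    provider_group: str = ""      # Azure only
    provider_region: str = ""     # AWS only
    hosting: str = "on-prem"      # assumed key: "on-prem", "aws" or "azure"


def validate(rec: PamDirectoryRecord) -> list[str]:
    """Return a list of problems; an empty list means the record is consistent
    with the requirements in the field table."""
    problems = []
    if not rec.hostname.strip():
        problems.append("Hostname or IP Address is required")
    if not (1 <= rec.port <= 65535):
        problems.append(f"Port {rec.port} is out of range")
    elif rec.port not in LDAP_PORTS:
        problems.append(f"Port {rec.port} is unusual; LDAP/LDAPS normally use 389 or 636")
    if rec.directory_type not in DIRECTORY_TYPES:
        problems.append(f"Directory Type must be one of {DIRECTORY_TYPES}")
    if rec.directory_type == "Active Directory":
        # AD rotation is LDAPS-only: SSL must be on and the port must be 636.
        if not rec.use_ssl:
            problems.append("Use SSL is required for Active Directory")
        if rec.port != 636:
            problems.append("Active Directory only supports port 636")
    if rec.use_ssl and rec.port == 389:
        problems.append("Use SSL is set but port 389 is plaintext LDAP; use 636")
    if not rec.domain_name.strip() or "." not in rec.domain_name:
        problems.append("Domain Name is required (e.g. some.company.com)")
    if rec.hosting == "azure" and not rec.provider_group:
        problems.append("Provider Group is required for directories hosted in Azure")
    if rec.hosting == "aws" and not rec.provider_region:
        problems.append("Provider Region is required for directories hosted in AWS")
    if rec.hosting in ("azure", "aws") and not rec.directory_id:
        problems.append("Directory ID is required for Azure AD / AWS Directory Service")
    # Alternative IPs: one failover address per line, each must parse as an IP.
    for line in rec.alternative_ips.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ipaddress.ip_address(line)
        except ValueError:
            problems.append(f"Alternative IP {line!r} is not a valid IP address")
    return problems


def check_ldaps_endpoint(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Open a TLS connection the way the Gateway host would and return the
    server certificate's notAfter. Raises ssl.SSLError if the chain does not
    verify against the host's trust store, the most common LDAPS setup failure.
    (Network check; run it from the Gateway host, not from the vault.)"""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample records for illustration.
GOOD_AD = PamDirectoryRecord("dc01.some.company.com", 636, True, "Active Directory",
                             "some.company.com", alternative_ips="10.0.0.11\n10.0.0.12")
BAD_AD = PamDirectoryRecord("dc01.some.company.com", 389, False, "Active Directory",
                            "some.company.com", alternative_ips="10.0.0.11\nnot-an-ip")
AWS_AD = PamDirectoryRecord("10.0.0.5", 636, True, "Active Directory", "corp.example",
                            hosting="aws", provider_region="us-east-2")

if __name__ == "__main__":
    for name, rec in (("GOOD_AD", GOOD_AD), ("BAD_AD", BAD_AD), ("AWS_AD", AWS_AD)):
        print(name, validate(rec) or "OK")
```

`validate` is deliberately a pure function over the record so it can be run from a CI job or a pre-commit hook on exported record data; `check_ldaps_endpoint` is the one network-touching step and belongs on the Gateway host, since that is the only component that needs reachability to the directory.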
On the "PAM Settings" section of the vault record, you can configure the KeeperPAM Connection and Tunnel settings and link a PAM User credential for performing rotations and connections. Tunnels do not require a linked credential.
| Setting | Description | Notes |
|---|---|---|
| PAM Configuration | Associated PAM Configuration record which defines the environment | Required |
| Administrative Credential Record | Linked PAM User credential used for connection and administrative operations | Required |
| Protocol | Native protocol used for connecting the session from the Gateway to the target | Required |
| Connection Parameters (multiple) | Connection-specific protocol settings which can vary based on the protocol type | Depends on protocol. We recommend specifying the Connection Port at a minimum. |
Note: PAM User is only required to successfully configure connections and rotation, and not required for Tunnels.
Configuration Steps:
1. On the PAM Directory record, navigate to the PAM Settings section
2. Select the PAM Configuration and Administrative Credential Record
To configure Keeper Connections and Keeper Tunnels settings, visit the following page:
The following screenshot is a PAM Directory Record with LDAPS rotation, RDP connections and LDAPS tunnels enabled: