Active Directory or OpenLDAP User

Overview

In this guide, you'll learn how to remotely rotate Active Directory or OpenLDAP user accounts using KeeperPAM.

Prerequisites

This guide assumes the following tasks have already taken place:

• Rotation enforcements are configured for your role

• A Keeper Secrets Manager application has been created

• Your Keeper Gateway is online

• The Keeper Gateway is able to communicate via LDAPS (port 636) or LDAP (port 389) to your directory.

1. Set up a PAM Directory credential

Keeper Rotation will use the linked admin credential to rotate other accounts in your directory. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

PAM Directory Record Fields

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM configuration setup.

A PAM Configuration associates an environment with a Keeper Gateway and credentials. If you don't have a PAM Configuration set up yet for this use case, create one.

3. Set up PAM User records

KeeperPAM will use the credentials linked from the "PAM Directory" record to rotate other "PAM User" records in your environment. The PAM User credential needs to be saved in a shared folder that is assigned to the secrets manager application. In the example below, the AD user demouser can be rotated.

PAM User Record Fields

If you don't know the user's DN, the following PowerShell command can be used to find it:

Get-ADUser -Identity <username> -Properties DistinguishedName

4. Configure Rotation on the Record

Select the PAM User record, edit the record and open the "Password Rotation Settings".

Any user with edit rights to a PAM User record and enforcement policies allowing rotation has the ability to set up rotation for that record.

• The "Rotation" should be of type "General".

• The "PAM Resource" field should select the "PAM Directory" credential setup previously.

• Select the desired schedule and password complexity.

• Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Troubleshooting

An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

Testing with a Self-Signed Cert

For the purpose of testing an Active Directory user account rotation with Keeper, it is necessary to ensure that the LDAPS connection is active and using a valid certificate. If you are just testing and don't have a production certificate, the instructions below provide you with a self-signed cert.

New-SelfSignedCertificate -DnsName XYZ123.company.local,company.local,company, -CertStoreLocation cert:\LocalMachine\My

# Get the cert we just created
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.Subject -like "*company*"}
$thumbprint = ($cert.Thumbprint | Out-String).Trim()

# Copy to NTDS through registry
$certStoreLoc = 'HKLM:/Software/Microsoft/Cryptography/Services/NTDS/SystemCertificates/My/Certificates'
if (!(Test-Path $certStoreLoc)) {
    New-Item $certStoreLoc -Force
}
Copy-Item -Path HKLM:/Software/Microsoft/SystemCertificates/My/Certificates/$thumbprint -Destination $certStoreLoc

# Copy to Trusted Root store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()

Restart-Service NTDS -force