Active Directory

Rotating active directory accounts remotely using LDAP

Overview

In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.

Prerequisites

This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your enterprise and your role.

  • Keeper Rotation is enabled for your role.

  • A Keeper Secrets Manager application has been created.

  • A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPs to your directory server.

1. Set up a PAM Directory credential

Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.

PAM Directory Record Fields

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM configuration setup.

A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.

3. Set up one or more PAM User records

Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.

The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.

PAM User Record Fields

The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName

4. Configure Rotation on the Record

Select the PAM User record, edit the record and open the "Password Rotation Settings".

Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration setup previously.

  • The "Resource Credential" field should select the "PAM Directory" credential setup previously.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.

Troubleshooting

An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

Last updated