Rotate passwords on any remote system using Keeper Commander plugins
Keeper has also launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for most password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
Commander KeeperPAM commands
Keeper Commander has a feature which can communicate to internal and external systems for the purpose of rotating a password and synchronizing the change to your Keeper Vault. We accomplish this by associating a Keeper record with a physical system through the use of custom fields. For example, you might want to rotate your MySQL password, Active Directory password and local Administrator password automatically.
Typed records add simplicity to Commander rotation. Commander can scan fields and make intelligent decisions about the rotation type, and connection details. Record types such as the standard "SSH Key" or "Server" types make it easy to create records that are ready for rotation.
Each rotation plugin has slightly different requirements; see the section for each plugin below to learn more.
Commander will identify the type of rotation to use automatically based on the values supplied to the record. For example, a record with a PORT value of 22 will use the SSH rotation plugin by default. The rotation plugin can also be specified during rotation or with a custom record field.
Optionally, any records can use custom fields as configuration for rotation. See table below for an example of custom fields.
Not sure the difference between typed and untyped records? See the Troubleshooting section
Older, non-typed records require some additional setup in order to support Commander rotation.
To support a rotation plugin, simply add a set of custom field values to the Keeper record. The custom field values tell Commander which plugin to use, and what system to communicate with when rotating the password. To modify your Keeper record to include custom fields, login to Keeper on the Web Vault or Keeper Desktop app.
Example custom fields for MySQL password rotation:
Custom Field Name | Custom Field Value
cmdr:plugin | mysql
cmdr:host | 192.168.1.55
cmdr:db | testing
Typed records also support custom record fields. If an older record is converted to be typed (and the fields are unchanged) it will work with Commander rotation.
When a plugin is specified in a record, Commander will search in the plugins/ folder to load the module based on the name provided (e.g. mysql.py) then it will use the values of the Keeper record to connect, rotate the password and save the resulting data.
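A pre-rotation check for the plugin selection described above, extended with the port and host-prefix hints given in the plugin sections of this page. This is an added example, not Commander's own code: the record layout, the precedence order (command line, then cmdr:plugin, then host prefix and port) and matching --match against the record title are assumptions.

```python
import re

# Plugin names that appear as cmdr:plugin values on this page.
KNOWN_PLUGINS = {
    "noop", "mysql", "awskey", "awspswd", "azureadpwd", "mssql", "oracle",
    "postgresql", "pspasswd", "ssh", "sshkey", "unixpasswd", "windows",
    "adpasswd",
}

# Port and host-prefix hints stated in the plugin sections of this page.
PORT_HINTS = {22: "ssh", 389: "adpasswd", 1433: "mssql",
              3306: "mysql", 5432: "postgresql"}
PREFIX_HINTS = {"mssql", "mysql", "oracle", "postgresql"}


def plugin_from_host(host):
    """Map 'mysql://db1' (or 'mysql//db1', as the page also writes it) to a plugin."""
    m = re.match(r"([a-z]+):?//", host or "")
    return m.group(1) if m and m.group(1) in PREFIX_HINTS else None


def plugin_from_port(port):
    """Map a port given as int or numeric string to a plugin, else None."""
    text = str(port).strip() if port is not None else ""
    return PORT_HINTS.get(int(text)) if text.isdigit() else None


def resolve_plugin(record, cli_plugin=None):
    """Return (plugin, reason); plugin is None when the record needs review."""
    custom = record.get("custom", {})
    explicit = cli_plugin or custom.get("cmdr:plugin")
    if explicit:
        # The name selects a module file, so accept only documented names.
        if explicit not in KNOWN_PLUGINS:
            return None, "unknown plugin name %r" % explicit
        return explicit, "command line" if cli_plugin else "cmdr:plugin field"
    by_host = plugin_from_host(record.get("host") or custom.get("cmdr:host"))
    by_port = plugin_from_port(record.get("port") or custom.get("cmdr:port"))
    if by_host and by_port and by_host != by_port:
        # Two hints that disagree: do not guess, a wrong plugin rotates nothing.
        return None, "host prefix says %s, port says %s" % (by_host, by_port)
    if by_host:
        return by_host, "host prefix"
    if by_port:
        return by_port, "port"
    return None, "no plugin, host prefix or known port"


def preview_match(records, pattern, cli_plugin=None):
    """List (title, plugin, reason) for every record a --match run would touch."""
    rx = re.compile(pattern)
    return [(r["title"],) + resolve_plugin(r, cli_plugin)
            for r in records if rx.search(r["title"])]


# Constructed sample records (not real vault data).
SAMPLE_RECORDS = [
    {"title": "build machine", "host": "10.0.0.5", "port": 22},
    {"title": "reporting machine", "host": "mysql://db1", "port": "5432"},
    {"title": "legacy db machine",
     "custom": {"cmdr:plugin": "mysql", "cmdr:host": "192.168.1.55",
                "cmdr:db": "testing"}},
    {"title": "typo machine", "custom": {"cmdr:plugin": "my-sql"}},
    {"title": "web server", "host": "10.0.0.9", "port": 22},
]

if __name__ == "__main__":
    for title, plugin, reason in preview_match(SAMPLE_RECORDS, r"machine$"):
        print("%-18s %-10s %s" % (title, plugin or "REVIEW", reason))
```

Running the preview before a bulk rotation shows which records a regular expression selects and flags the ones whose plugin cannot be determined unambiguously.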
Check out the plugins folder for all of the available plugins. Keeper's team adds new plugins on an ongoing basis. If you need a particular plugin created, send us an email to commander@keepersecurity.com.
https://github.com/Keeper-Security/Commander/tree/master/keepercommander/plugins
To activate a plugin for a particular Keeper record, you first need to update the custom fields for that record with special keywords that are used by Commander. See the specific plugin for the custom field requirements.
To perform a rotation use the rotate command.
Keeper's team is expanding the number of plugins on an ongoing basis. If you need a particular plugin created or modified, email us at commander@keepersecurity.com.
Commands for performing password rotations on target systems.
Keeper has launched a new Password Rotation feature with Keeper Secrets Manager. This new capability is recommended for all password rotation use cases. The Documentation is linked below:
Password Rotation with Keeper Secrets Manager
Whether using the interactive shell, CLI or JSON config file, Keeper supports the following commands. Each command supports additional parameters and options.
To get help on a particular command, run:
help <command>
Command | Explanation
rotate or r | Rotate the password in a record
set | Set environment variables that can be used for substitution within other commands or arguments
echo | Display environmental variables
Command: rotate or r
Detail: Rotate a record's password
To be eligible for rotation, a record must have the custom field 'cmdr:plugin'='noop'
Parameters:
Record name or UID to rotate
Switches:
--print display updated record content after rotation
--match <REGULAR EXPRESSION> select all records that match this expression to rotate
--password <NEW PASSWORD> sets a new password. Commander generates random password if switch omitted. Ignored when passwords are rotated with --match parameter.
Examples:
Rotate the password of the record titled "dev" in the "servers" folder
Rotate the password of the record with the given UID
Rotate the password of all records that end with "machine" (Using regex)
Rotate the password of the given record UID with the specific password provided
For more information and examples see Connection to hosts documentation
Command: set
Detail: Set an environment variable
Parameters:
environment name, value to set
format:
set <name> <value>
Examples:
Set the MySecret variable to XXX
Command: echo
Detail: Display environmental variables
Parameters:
argument to display (optional)
format:
echo ${<variable>}
If no argument is given, all environment variables are shown
Examples:
Display all currently set environment variables
Display the value for the MySecret variable
Rotate AWS Passwords and Keys
You need to configure your AWS environment with an account that has administrative privileges in order to modify the password for the specified user.
Rotation supports legacy and typed records. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
To run a rotation of AWS Keys, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
For an easier time creating new AWS rotation records, create a custom record type with the text type fields defined
cmdr:plugin | awskey | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command
cmdr:aws_profile | (Optional) AWS profile to use to login to AWS with
cmdr:aws_sync_profile | (Optional) if supplied, the AWS secret for the given profile will be updated to the AWS credentials file
cmdr:aws_assume_role | AWS Role ARN | (Optional) if supplied, the password rotation plugin assumes this role. The role requires these permissions: iam:DeleteAccessKey iam:CreateAccessKey iam:ListAccessKeys
After rotation is completed, the Access Key ID and Secret Key are stored in custom fields on the record with labels: cmdr:aws_key_id and cmdr:aws_key_secret.
Any Keeper user or Keeper Shared Folder associated with the record is updated instantly.
cmdr:aws_key_id | generated AWS Access Key ID
cmdr:aws_key_secret | generated AWS Secret Access Key
The 'Password' field is ignored when rotating keys
To run a rotation of AWS passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options below). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
The following optional values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin | awspswd | (Optional) Tells Commander to use AWS Key rotation. This should be either set to the record, or supplied to the rotation command
cmdr:aws_profile | (Optional) AWS profile to use to login to AWS with
The Password field of the Keeper record contains a new password to AWS account.
Rotate Azure AD account passwords
This plugin generates/rotates Azure AD password for any user.
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Populate the 'Login' field of the Keeper record with the Azure login name
The following fields are required for Azure AD rotation. Create each field with the label indicated and supply the required information.
cmdr:azure_secret | Displayed upon Registration of a new application (under Azure portal -> Azure Active Directory -> App Registrations -> New Registration).
cmdr:azure_client_id | Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Application (client) ID
cmdr:azure_tenant_id | Azure portal -> Azure Active Directory -> App Registrations -> [App name] -> Directory (tenant) ID
cmdr:azure_cloud | Optional. Azure Cloud. There are 4 physical Azure cloud locations: 1. Global (default location; omit this property) 2. China 3. German 4. USGov
For an easier time creating new Azure rotation records, create a custom record type with these text type fields defined
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin | azureadpwd | (Optional) Tells Commander to use Azure AD Key rotation. This should be either set to the record, or supplied to the rotation command
To rotate Azure passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Rotate SQL Server passwords
This plugin allows rotating a user's password in Microsoft SQL Server
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Commander will use these settings to connect.
TIP: If the port is set to 1433, or the host begins with "mssql://" Commander will automatically recognize the record as Microsoft SQL credentials and will use that rotation method unless otherwise configured
Commander will use the password to login to perform the rotation
Create a Text type custom field labeled "cmdr:db" and fill in the name of the database to connect to.
Instead of using the fields above, custom fields can be added with the shown label
cmdr:plugin | mssql | Tells Commander to use Microsoft SQL Key rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host | Hostname of your MSSQL server
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | Password generation rules
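The cmdr:rules value used in this and the other plugin sections can be checked before it is saved to a record. The following is an added example, not Commander's generator: it assumes the four numbers are per-class character counts (so "4,6,3,8" yields 21 characters) and assumes a special-character set, which the page does not list.

```python
import secrets
import string

# Assumed special-character set; the page does not list one.
SPECIALS = "!@#$%^&*()-_=+"
CLASSES = ("upper", "lower", "digits", "special")
POOLS = dict(zip(CLASSES, (string.ascii_uppercase, string.ascii_lowercase,
                           string.digits, SPECIALS)))


def parse_rules(value):
    """Parse a cmdr:rules value such as '4,6,3,8' into per-class counts."""
    parts = [p.strip() for p in value.strip().strip("'\"").split(",")]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("cmdr:rules needs four non-negative integers: %r" % value)
    rules = dict(zip(CLASSES, map(int, parts)))
    if sum(rules.values()) == 0:
        raise ValueError("cmdr:rules would produce an empty password")
    return rules


def generate_password(rules):
    """Draw the requested number of characters per class from a CSPRNG."""
    chars = [secrets.choice(POOLS[c]) for c in CLASSES for _ in range(rules[c])]
    # Shuffle so the classes do not appear in a predictable order.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def count_classes(password):
    """Count how many characters of each class a password contains."""
    counts = dict.fromkeys(CLASSES, 0)
    for ch in password:
        for c in CLASSES:
            if ch in POOLS[c]:
                counts[c] += 1
    return counts


def meets_rules(password, rules):
    """True when the password has at least the required count in every class."""
    counts = count_classes(password)
    return all(counts[c] >= rules[c] for c in CLASSES)


if __name__ == "__main__":
    rules = parse_rules("4,6,3,8")
    candidate = generate_password(rules)
    print(len(candidate), count_classes(candidate), meets_rules(candidate, rules))
```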
To rotate MSSQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, added to a record field, or automatically assigned based on the port number (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Rotate and Connect to MySQL databases with Keeper Commander
The MySQL Commander Plugin requires the PyMySQL plugin version 0.10.1 and does not support more recent versions.
Create a record using either the Keeper Vault UI, or Keeper Commander.
Commander rotation supports all record types. A "Login" field is required on the record.
If using an untyped record, the host and port can be set to custom fields. See below.
Commander will use the mysql plugin automatically for records with the port number 3306, or with a hostname that starts with "mysql//"
replace 'XXX' with the current database password for this user
cmdr:plugin | mysql | Tells Commander to use MySQL rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host | Hostname of your MySQL server. This can be set here if not set in the record's host field
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | Password generation rules
cmdr:port | MySQL port. 3306 assumed if omitted. This can be set here if not set in the record's host field
cmdr:user_host | User host. '%' assumed if omitted
For Commander versions greater than 4.88
For Commander versions 4.88 and before
for more information about the edit command, see the command documentation
Find the UID in the record information popup
Use the search command to find the UID for your record. Replace "MySQL Example" with the name of your record.
To rotate MySQL passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, added to a record field, or automatically assigned based on the port number or based on the host starting with "mysql://" (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
connect command
Custom Field Name | Custom Field Value
connect:xxx:env:MYSQL_PWD | ${password}
connect:xxx | mysql -u${login} -h${cmdr:host}
xxx refers to the 'friendly name' which can be referenced when connecting on the command line
Here's a screenshot of the Keeper Vault record for this use case:
For more information on the connect command, see the documentation
Rotate Oracle database passwords with Commander
This plugin allows rotating a user's password in Oracle Database Server
Oracle requires Instant Client setup to enable client applications.
Consult the following page: http://www.oracle.com/technetwork/database/features/instant-client/index-097480.html
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
To connect with DSN string:
cmdr:dsn | ex: "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost)(PORT=1521))(CONNECT_DATA=(SID=XE)))" | Oracle DSN string
To connect using database host and service name
If cmdr:dsn is used then cmdr:host and cmdr:db properties will be ignored.
cmdr:host | Hostname of your Oracle server
cmdr:db | Database service to connect to on Oracle server
cmdr:plugin | oracle | (Optional) Tells Commander to use Oracle rotation. This should be either set to the record, or supplied to the rotation command
Commander will use the oracle plugin automatically for records with a hostname that starts with "oracle//"
Record Example:
To rotate Oracle passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Rotate PostgreSQL database passwords with Commander
This plugin allows rotating a user's password in PostgreSQL Server
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Populate the 'Login' field of the Keeper record with the PostgreSQL login name
If using an untyped record, the host and port can be set to custom fields. See below.
TIP: If no rotation plugin is specified, Commander will use the port number or host prefix to guess which rotation to use. Port 5432, or a hostname that begins with "postgresql://" will use PostgreSQL rotation
Add a custom field to the record labeled "cmdr:db" and fill the field with the name of the database to use.
These fields can be added to affect the rotation
cmdr:plugin | postgresql | (Optional) Tells Commander to use PostgreSQL rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host | Hostname of your PostgreSQL server. Legacy records require this custom field, typed records can use the hostname and port fields.
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules
cmdr:port | (Optional) PostgreSQL port. 5432 assumed if omitted
connect command
Custom Field Name | Custom Field Value
connect:xxx:env:PGPASSWORD | ${password}
connect:xxx | psql --host=${cmdr:host} --port=${cmdr:port} --username=${login} --dbname=${cmdr:db} --no-password
Here's a screenshot of the Keeper Vault record for this use case:
For more information on the connect command, see the documentation
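The connect fields shown in the MySQL and PostgreSQL sections put the password in an environment variable (MYSQL_PWD, PGPASSWORD) rather than on the command line, which keeps it out of the process argument list. The following added example, which is not Commander's implementation, expands those templates into an argument list and an environment; the helper names and the sample record values are constructed.

```python
import re
import shlex

VAR = re.compile(r"\$\{([^}]+)\}")


def expand(template, fields):
    """Replace each ${name} with fields[name]; fail on names the record lacks."""
    def repl(m):
        name = m.group(1)
        if name not in fields:
            raise KeyError("record has no field for ${%s}" % name)
        return str(fields[name])
    return VAR.sub(repl, template)


def build_connect(custom, fields, name):
    """Return (argv, env) for the connect:<name> entries of one record."""
    # Split the template first, then substitute, so a field value that contains
    # spaces or quotes can never turn into extra arguments.
    argv = [expand(tok, fields)
            for tok in shlex.split(custom["connect:%s" % name])]
    prefix = "connect:%s:env:" % name
    env = {k[len(prefix):]: expand(v, fields)
           for k, v in custom.items() if k.startswith(prefix)}
    return argv, env


def record_fields(login, password, custom):
    """Merge standard and custom fields into one lookup table for ${...}."""
    fields = dict(custom)
    fields.update({"login": login, "password": password})
    return fields


# Constructed records using the custom fields from the two connect tables.
MYSQL_CUSTOM = {
    "cmdr:host": "192.168.1.55",
    "connect:xxx:env:MYSQL_PWD": "${password}",
    "connect:xxx": "mysql -u${login} -h${cmdr:host}",
}
PG_CUSTOM = {
    "cmdr:host": "db.example.internal",
    "cmdr:port": "5432",
    "cmdr:db": "sales reports",
    "connect:xxx:env:PGPASSWORD": "${password}",
    "connect:xxx": ("psql --host=${cmdr:host} --port=${cmdr:port} "
                    "--username=${login} --dbname=${cmdr:db} --no-password"),
}

if __name__ == "__main__":
    for custom, login in ((MYSQL_CUSTOM, "app_user"), (PG_CUSTOM, "report_user")):
        fields = record_fields(login, "c0nstructed pass", custom)
        argv, env = build_connect(custom, fields, "xxx")
        # Print variable names only; the secret stays out of the output.
        print(argv, sorted(env))
```

The pair can be handed to `subprocess.run(argv, env={**os.environ, **env})`, so the secret reaches the client through its environment and never through a shell string.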
Rotate remote admin passwords with PSPasswd
This plugin provides IT Admins with the ability to rotate the password of a remote system's administrative local password. The password is rotated using the widely used "pspasswd" utility and the change is synchronized to a specific Keeper record in your vault.
The way this plugin is implemented requires that Commander and pspasswd are installed on the Domain Controller.
The instructions in this README assume that you are executing Commander scripts from the Domain Controller.
Assuming all computers are domain-attached and reachable from the Domain Controller, ensure that "Remote Service Management" is allowed for inbound in Domain by enabling the relevant Firewall rule on all computers.
On each of the target computers, go to Windows Firewall rules -> Inbound Rules -> and enable the "Remote Service Management" rule.
Download the PSTools Package from Microsoft
Extract the PSTools.zip folder to a location on your computer
Add this PSTools folder to your user or system environmental variable "PATH"
(System Properties -> Advanced -> Environmental Variables)
Select PATH and then "Edit"
On some systems, you have to append the location where you installed PSTools, e.g.:
;C:\Users\craig\PSTools
On newer systems, just click "New" then type in the full path to the install, e.g.: C:\Users\craig\PSTools
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
If using an untyped record, the host and port can be set to custom fields. See below.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin | pspasswd | (Optional) Tells Commander to use PSPasswd rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host | Hostname of Computer or Computers where the local account exists. This can be set here if not set in the record's host field
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules
To rotate PSPasswd passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Rotate SSH keys with Commander
The SSH plugin for Keeper Commander gives you the ability to generate and rotate SSH keys to one or more target systems, or rotate any local or remote user's Unix/Linux password.
This plugin requires OpenSSL and OpenSSH packages to be installed on the computer running Keeper Commander.
To verify installation, open the Terminal application and make sure the 'openssl' and 'ssh' commands are installed and accessible with the system PATH environment variable.
Plugin name: ssh
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
The standard "SSH Key" record type is a good fit for SSH rotations.
See the Troubleshooting section for more information on legacy vs typed records
If using an untyped record, the host and port can be set to custom fields. See below.
TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 22 will use SSH rotation
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin | sshkey | ssh | (Optional) Tells Commander to use ssh key or ssh password rotation. This should be either set to the record, or supplied to the rotation command
cmdr:host | (Optional) Host name or IP address of target server. Can be added as a custom field if not entered as a record field
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules
For SSH key rotation, in order to automate the rotation of the public key on the target server, the public key must be manually updated one time in .ssh/authorized_keys on the target host(s).
After it has been set this first time, subsequent rotations will be automated and updated by Commander.
When setting up this plugin for the first time please use the following steps:
Populate the Title, Login, and Hostname or IP and Port fields of the Keeper record.
Execute the rotate command on the Keeper shell for this record. Commander will generate the public and private keys and store them in the record. Copy or save the public key and save this to the file .ssh/authorized_keys in the target hosts - this step must be done manually the first time or you can use the ssh-copy-id unix command.
Make sure to set the permissions of the authorized_keys file on the target system. chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys
Execute rotate command on Keeper shell to perform a full rotation. If successful, the target hosts will be updated with the newly generated public key and the Keeper record will be updated with the private/public key pair.
This plugin makes an assumption that the target system uses the default settings for SSH service, i.e. authorized_keys file is located in the .ssh directory of the user HOME directory.
For more information on the rotate command see documentation
To rotate SSH passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). If not supplied, Commander will use the port field to identify which plugin to use. In this case port 22 means the ssh plugin is used. Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
Rotate Unix passwords with Commander
This plugin allows rotating a local user's password using the Unix passwd command.
Rotation supports legacy and typed records. If using typed record, a 'Login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
Name | Value | Comment
cmdr:plugin | unixpasswd | (Optional) Tells Commander to use Unix password rotation. This should be either set to the record, or supplied to the rotation command
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules
To rotate Unix passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Rotate Windows user passwords with Commander
This plugin allows rotating a Windows user's password using the net user command.
Rotation supports legacy and typed records. If using typed record, a 'login' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
Populate the 'Login' field of the Keeper record with the login to use with this rotation.
This plugin rotates passwords for both local and Active Directory accounts. When rotating Active Directory password use DOMAIN\USERNAME syntax for Login field.
cmdr:plugin | windows | (Optional) Tells Commander to use Windows rotation. This should be either set to the record, or supplied to the rotation command
cmdr:rules | '# uppercase, # lowercase, # numeric, # special' (e.g. 4,6,3,8) | (Optional) Password generation rules
To rotate Windows passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
After rotation is completed, the new password will be stored in the Password field of the record
Automatic password rotation with Commander
You can automate password resets using Commander plugins, with a custom Commander configuration file.
Example:
In this example, we are telling Commander to first download and decrypt records, then rotate the password (record UID iaOXP1fnApRh5DbaRd7MWA) using the plugin programmed into the record. To locate the Record UID, simply view it on the Commander interactive shell or view it on the Keeper Web Vault and Desktop App (as seen below).
For more information on running Commander commands with a configuration file, see the documentation
Active Directory plugin for Keeper Commander rotation
This plugin provides IT Admins with the ability to rotate the password of an Active Directory user account. This plugin can be run on any system that has network access to the AD server.
Rotation supports legacy and typed records. If using typed record, a 'Password' type field is required. Additional fields may be added depending on the rotation type as well. See the instructions below.
See the Troubleshooting section for more information on legacy vs typed records
If using an untyped record, the host and port can be set to custom fields. See below.
TIP: If no rotation plugin is specified, Commander will use the port number to guess which rotation to use. Port 389 will use AD rotation
The following fields are required for AD rotation. Create each field with the label indicated and supply the required information.
cmdr:use_ssl | True or False | Whether or not to use SSL connection to AD Server
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
cmdr:plugin | adpasswd
cmdr:host | Host name or IP address of your AD Server
cmdr:port | Optional: Port number of your AD Server. Default value: 389
To rotate Active Directory passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once)
The plugin can be supplied to the command as shown here, or added to a record field (see options above). Adding the plugin type to the record makes it possible to rotate several records at once with different plugins.
The Keeper "Login" field is not used for this plugin. The user is identified with the cmdr:userdn custom field.
If you get the error "Error during connection to AD server" try the following:
Ensure your AD supports secure bind via TLS. The certificate can be self-signed if needed.
Disable 'Minimum password age' group policy. It is set to one day by default.
Verify connectivity to the host server, make sure it is accessible. Download a tool such as the Softerra LDAP Browser to test if you're able to connect to Active Directory.
Check that your Distinguished Name cmdr:userdn is set correctly. It needs to be exactly right or else the connection will fail. You can check the value of this from within the Softerra LDAP browser software or you can run the below command prompt utility on the AD Server:
For connecting as Craig in this scenario, make sure the cmdr:userdn custom field contains this exact string (without the quotes).
Microsoft Active Directory requires SSL connection in order to change the password. The following link explains how to setup a secure connection to Active Directory