Rotating active directory accounts remotely using LDAP
In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPs to your directory server.
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
Record Type
PAM Directory
Title
Keeper record title
Hostname or IP Address
IP address, hostname or FQDN of the directory server. Examples: 10.10.10.10
, dc01.mydomain.local
Port
636
- LDAPs is required for rotation. Note: LDAP over port 389
is insecure, and does not support credential rotation.
Use SSL
Must be enabled
Login
Username of the account performing the LDAP rotation. Example: rotationadmin
Password
Admin account password
Domain Name
Domain name of the Active Directory. Example: mydomain.local
Other fields
These should be left blank
Note: You can skip this step if you already have a PAM configuration setup.
A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.
Title
Configuration name, example: LDAP Rotation
Environment
Select: Local Network
Gateway
Select the Gateway that has access to your Active Directory server from the pre-requisites
Application Folder
Select the Shared folder that contains the PAM Directory record above
Admin Credentials Record
Select the PAM Directory record, this list is filtered to records in the application folder
Add Resource Credential
Add any optional credentials to be attempted in addition to the primary credential
Default Rotation Schedule
Optional
Other fields
These should be left blank
Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.
Record Type
PAM User
Title
Keeper record title
Login
Username of the account being rotated. Example: bsmith
Password
Account password is optional, rotation will set one if blank
Distinguished Name
The LDAP DN for the user
Other fields
These should be left blank
The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Directory" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.