Active Directory

Rotating active directory accounts remotely using LDAP


In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.


This guide assumes the following tasks have already taken place:

  • Keeper Secrets Manager is enabled for your enterprise and your role.

  • Keeper Rotation is enabled for your role.

  • A Keeper Secrets Manager application has been created.

  • A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPs to your directory server.

1. Set up a PAM Directory credential

Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.

The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.

PAM Directory Record Fields


Record Type

PAM Directory


Keeper record title

Hostname or IP Address

IP address, hostname or FQDN of the directory server. Examples:, dc01.mydomain.local


636 - LDAPs is required for rotation. Note: LDAP over port 389 is insecure, and does not support credential rotation.


Must be enabled


Username of the account performing the LDAP rotation. Example: rotationadmin


Admin account password

Domain Name

Domain name of the Active Directory. Example: mydomain.local

Other fields

These should be left blank

2. Set up a PAM Configuration

Note: You can skip this step if you already have a PAM configuration setup.

A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.



Configuration name, example: LDAP Rotation


Select: Local Network


Select the Gateway that has access to your Active Directory server from the pre-requisites

Application Folder

Select the Shared folder that contains the PAM Directory record above

Admin Credentials Record

Select the PAM Directory record, this list is filtered to records in the application folder

Add Resource Credential

Add any optional credentials to be attempted in addition to the primary credential

Default Rotation Schedule


Other fields

These should be left blank

3. Set up one or more PAM User records

Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.

The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.

PAM User Record Fields


Record Type

PAM User


Keeper record title


Username of the account being rotated. Example: bsmith


Account password is optional, rotation will set one if blank

Distinguished Name

The LDAP DN for the user

Other fields

These should be left blank

The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName

4. Configure Rotation on the Record

Select the PAM User record, edit the record and open the "Password Rotation Settings".

Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.

  • Select the desired schedule and password complexity.

  • The "Rotation Settings" should use the PAM Configuration setup previously.

  • The "Resource Credential" field should select the "PAM Directory" credential setup previously.

  • Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.


An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.

Last updated