Active Directory
Rotating active directory accounts remotely using LDAP
Overview
In this guide, you'll learn how to remotely rotate Active Directory accounts via LDAP using Keeper Rotation.
Prerequisites
This guide assumes the following tasks have already taken place:
Keeper Secrets Manager is enabled for your enterprise and your role.
Keeper Rotation is enabled for your role.
A Keeper Secrets Manager application has been created.
A Keeper Rotation gateway is already installed, running, and is able to communicate via LDAPs to your directory server.
1. Set up a PAM Directory credential
Keeper Rotation will use an admin credential to rotate other accounts in your environment. This account does not need to be a domain admin account, but needs to be able to successfully change passwords for other accounts.
The admin credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites. Only the KSM application needs access to this privileged account, it does not need to be shared with any users.
PAM Directory Record Fields
| Field | Description |
|---|---|
Record Type | PAM Directory |
Title | Keeper record title |
Hostname or IP Address | IP address, hostname or FQDN of the directory server. Examples: |
Port |
|
Use SSL | Must be enabled |
Login | Username of the account performing the LDAP rotation. Example: |
Password | Admin account password |
Domain Name | Domain name of the Active Directory. Example: |
Other fields | These should be left blank |
2. Set up a PAM Configuration
Note: You can skip this step if you already have a PAM configuration setup.
A PAM Configuration associates a Keeper Gateway with credentials. If you don't have a PAM Configuration set up yet for this use case, create one. On the left menu of the Vault, select "Secrets Manager", then select the "PAM Configurations" tab and create a new configuration for Active Directory rotation.
| Field | Description |
|---|---|
Title | Configuration name, example: |
Environment | Select: |
Gateway | Select the Gateway that has access to your Active Directory server from the pre-requisites |
Application Folder | Select the Shared folder that contains the PAM Directory record above |
Admin Credentials Record | Select the PAM Directory record, this list is filtered to records in the application folder |
Add Resource Credential | Add any optional credentials to be attempted in addition to the primary credential |
Default Rotation Schedule | Optional |
Other fields | These should be left blank |
3. Set up one or more PAM User records
Keeper Rotation will use the credentials in the "PAM Directory" record to rotate "PAM User" records in your environment.
The user credential needs to be in a shared folder that is shared to the KSM application created in the pre-requisites.
PAM User Record Fields
| Field | Description |
|---|---|
Record Type | PAM User |
Title | Keeper record title |
Login | Username of the account being rotated. Example: |
Password | Account password is optional, rotation will set one if blank |
Distinguished Name | The LDAP DN for the user |
Other fields | These should be left blank |
The following PowerShell command can be used to get the correct DN for the user: Get-ADUser -Identity bsmith -Properties DistinguishedName
4. Configure Rotation on the Record
Select the PAM User record, edit the record and open the "Password Rotation Settings".
Any user with Can Edit rights to a PAM User record has the ability to set up rotation for that record.
Select the desired schedule and password complexity.
The "Rotation Settings" should use the PAM Configuration setup previously.
The "Resource Credential" field should select the "PAM Directory" credential setup previously.
Upon saving, the rotation button will be enabled and available to rotate on demand, or via the selected schedule.
Troubleshooting
An easy way to test if LDAP is properly configured is to run 'LDP.exe' and test the connection. If this connection succeeds, then Keeper Rotation should also succeed.
Last updated
