Automated Password Rotation for Multiple AD Servers

Password Reset for Multiple or Uniquely Configured Active Directory Servers.

The following guide describes how to configure PAM to automate the password reset or rotation of user and administrator accounts held in multiple Active Directory servers, or in an Active Directory server whose configuration differs from the one used for PAM's AD integration.

Assumptions

This guide assumes the following environment:

  1. The network includes several Active Directory servers, or the Active Directory server under management has configuration properties that differ from those of your AD Integration.
  2. The PAM server is deployed and operates successfully in the network.
  3. The network configuration allows the PAM server to connect directly to all Active Directory domain controllers involved in the configuration.
  4. The PAM server is not required to integrate with any of the Active Directory servers for authentication purposes.
  5. The goal of the guide is to configure the PAM server to manage accounts (rotate or set passwords based on specified policies) in the Active Directory servers.

Concepts

To support the scenario described in the Assumptions section of this guide, the PAM System Admin first has to create a record of the record type LDAP Server to represent each Active Directory domain controller.

This LDAP Server record contains three vital properties: LDAP host, admin user and password of the admin user.

When PAM needs to reset a password for an Active Directory account, it connects to this AD using the host, user and password defined in the corresponding LDAP Server record.


After configuring LDAP Server records for each of the AD domain controllers, PAM System Admin creates user accounts that need to be managed using LDAP User record.

This LDAP User record contains the user and password properties to indicate an AD user to manage the password for.

LDAP User record includes default task list with two tasks: Check Status LDAP and Password Reset LDAP.

To indicate that this particular user is defined in a specific LDAP Server, the PAM System Admin makes the LDAP Server record for this specific AD domain controller a Shadow Account of the task list of this specific LDAP User.


When PAM decides to reset the LDAP User password, as defined by the policies attached to the LDAP User tasks, it connects to the AD domain controller using the shadow account (the admin credentials held in the LDAP Server record) and then changes the password of the main LDAP User record.


At the end, PAM will contain a few LDAP Server records, each representing a specific Active Directory domain controller.

In addition, PAM will contain multiple LDAP User records representing accounts to manage.

Each LDAP User record will have a Shadow Record defined in its task list to indicate the specific AD domain controller and the admin credentials used to rotate the password for this user.


PAM System Admins might take advantage of PAM record type inheritance to simplify management of multiple accounts related to the same Active Directory.

To do that, the PAM system admin creates a Record Type for each Active Directory to designate a user of this Active Directory.

This Specific LDAP User record type must have its parent record type defined as LDAP User. It must also have a task list including Check Status LDAP and Password Reset LDAP, with the shadow account defined as the specific LDAP Server record for this Active Directory domain controller.

With this Specific LDAP User record type in place, all managed accounts for this Active Directory server could be created using Specific LDAP User record type so that each managed account will have an automatically defined (and centrally managed) task list with the appropriate shadow account.

The steps for the Specific LDAP User record type have to be repeated for all other Active Directories, creating Specific2 LDAP User and Specific3 LDAP User record types for the Specific2 and Specific3 Active Directories under management, each with a different shadow account on its record type task list.


For PAM it does not matter where exactly (Vaults, folders or sub-folders) the records of LDAP Server, LDAP User or Specific LDAP User record types are located.

However, it might be beneficial to copy related records to folders corresponding to specific active directories to simplify management and permission structure of these records.

PAM system admins might decide to store the LDAP Server records representing Active Directory servers in a separate folder, or keep each LDAP Server record in the folder related to its Active Directory together with all other accounts in that Active Directory.

The folder organization depends on the general folder architecture of the PAM deployment.

Note that PAM forbids reusing shadow accounts between different Vaults for security reasons.
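To make the relationships described in this section concrete, the following Python sketch is an added illustration (not PAM's own code or data model) of how an LDAP User record ends up with a shadow account: either inherited from a Specific LDAP User record type whose parent is LDAP User, or set directly on the record after Make Unique. It also enforces the rule that a shadow account must live in the same Vault as the record that uses it, which is this example's reading of the note above. All class, record and server names are hypothetical.

```python
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class LdapServer:
    """LDAP Server record: one per AD domain controller (host, admin user, admin password)."""
    name: str
    vault: str
    ldap_url: str
    admin_user: str
    admin_password: str


@dataclass
class TaskList:
    """Task list attached to a record or a record type, together with its shadow account."""
    tasks: Tuple[str, ...] = ("Check Status LDAP", "Password Reset LDAP")
    shadow_account: Optional[LdapServer] = None


@dataclass
class RecordType:
    """Record type; a task list not defined here is inherited from the parent record type."""
    name: str
    parent: Optional["RecordType"] = None
    task_list: Optional[TaskList] = None

    def effective_task_list(self) -> TaskList:
        rt = self
        while rt is not None:
            if rt.task_list is not None:
                return rt.task_list
            rt = rt.parent
        return TaskList()  # bare LDAP User default: the two tasks, no shadow account


@dataclass
class LdapUser:
    """LDAP User record: the AD account whose password PAM manages."""
    name: str
    vault: str
    user: str
    password: str
    record_type: RecordType
    unique_task_list: Optional[TaskList] = None

    def make_unique(self) -> TaskList:
        """Make Unique: detach a copy of the inherited task list so the shadow account can be set per record."""
        if self.unique_task_list is None:
            self.unique_task_list = replace(self.record_type.effective_task_list())
        return self.unique_task_list

    def task_list(self) -> TaskList:
        return self.unique_task_list or self.record_type.effective_task_list()


def resolve_shadow_server(user: LdapUser) -> LdapServer:
    """Return the LDAP Server record whose admin credentials would be used to rotate this user's password."""
    shadow = user.task_list().shadow_account
    if shadow is None:
        raise ValueError(f"{user.name}: no shadow account on the task list; Password Reset LDAP cannot run")
    if shadow.vault != user.vault:
        raise PermissionError(
            f"{user.name}: shadow account {shadow.name!r} is in Vault {shadow.vault!r}, record is in {user.vault!r}")
    return shadow


def build_demo() -> Tuple[LdapUser, LdapUser, LdapUser]:
    """Constructed sample data: two domain controllers, one record type per AD, three managed accounts."""
    base = RecordType("LDAP User", task_list=TaskList())
    dc1 = LdapServer("DC1 LDAP Server", "Corp", "ldaps://dc1.corp.example:636", "admin@corp.example", "secret-1")
    dc2 = LdapServer("DC2 LDAP Server", "Corp", "ldaps://dc2.corp.example:636", "admin@corp.example", "secret-2")
    corp_users = RecordType("Corp AD LDAP Users", parent=base, task_list=TaskList(shadow_account=dc1))
    alice = LdapUser("alice", "Corp", "alice@corp.example", "pw", corp_users)      # inherits dc1 from the type
    bob = LdapUser("bob", "Corp", "bob@corp.example", "pw", base)
    bob.make_unique().shadow_account = dc2                                       # per-record override
    carol = LdapUser("carol", "Finance", "carol@corp.example", "pw", corp_users)  # other Vault: rejected
    return alice, bob, carol


if __name__ == "__main__":
    for u in build_demo():
        try:
            print(u.name, "->", resolve_shadow_server(u).name)
        except (ValueError, PermissionError) as err:
            print(u.name, "-> error:", err)
```

Running the script prints which LDAP Server record each account resolves to; the Finance-vault record is rejected even though its record type carries a valid shadow account, which is the behaviour to expect when records are copied between Vaults.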

PAM requires a secure LDAPS connection to Active Directory to perform password reset and rotation. For more information about how PAM uses LDAPS and how it is configured, please review our Secure Connectivity to an Active Directory Domain Controller article.
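As an added example of why the LDAPS requirement matters, the following Python script (not PAM's code; it uses the third-party ldap3 package, which is an assumption) performs the same operation PAM performs when it runs Password Reset LDAP: bind over LDAPS with the admin credentials from the LDAP Server record, look up the target account by UPN, and replace its unicodePwd attribute. Active Directory only accepts unicodePwd changes over an encrypted connection, and the script additionally refuses ldap:// URLs and validates the domain controller certificate against a CA bundle, which is the trust that the SSLImport step establishes for PAM. Host names, UPNs and the CA bundle path are placeholders.

```python
import ssl
from typing import Tuple
from urllib.parse import urlsplit


def parse_ldaps_url(url: str) -> Tuple[str, int]:
    """Accept only ldaps:// URLs (the form used in the LDAP Server record) and return (host, port)."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps" or not parts.hostname:
        raise ValueError(f"refusing {url!r}: AD rejects unicodePwd changes over an unencrypted connection; use ldaps://")
    return parts.hostname, parts.port or 636


def encode_ad_password(new_password: str) -> bytes:
    """AD expects unicodePwd as the new password wrapped in double quotes and encoded as UTF-16-LE."""
    return f'"{new_password}"'.encode("utf-16-le")


def reset_ad_password(ldap_url: str, admin_upn: str, admin_password: str,
                      target_upn: str, new_password: str, ca_bundle: str) -> str:
    """Bind as the admin over verified LDAPS, find target_upn, set its password; returns the target DN."""
    import ldap3  # assumption: ldap3 is installed where this runs; imported lazily so the helpers above stay stdlib-only
    from ldap3.utils.conv import escape_filter_chars

    host, port = parse_ldaps_url(ldap_url)
    # Verify the DC certificate against the CA bundle (equivalent in spirit to PAM's SSLImport trust step).
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_bundle)
    server = ldap3.Server(host, port=port, use_ssl=True, tls=tls, get_info=ldap3.DSA)
    conn = ldap3.Connection(server, user=admin_upn, password=admin_password, auto_bind=True)
    try:
        base_dn = server.info.other["defaultNamingContext"][0]
        # Escape the UPN so a record value cannot change the meaning of the search filter.
        conn.search(base_dn, f"(userPrincipalName={escape_filter_chars(target_upn)})",
                    attributes=["distinguishedName"])
        if len(conn.entries) != 1:
            raise LookupError(f"expected exactly one account for {target_upn!r}, found {len(conn.entries)}")
        target_dn = conn.entries[0].entry_dn
        ok = conn.modify(target_dn, {"unicodePwd": [(ldap3.MODIFY_REPLACE, [encode_ad_password(new_password)])]})
        if not ok:
            # Typical failures: password does not satisfy the domain policy, or the admin lacks reset rights.
            raise RuntimeError(f"password reset rejected by {host}: {conn.result}")
        return target_dn
    finally:
        conn.unbind()


if __name__ == "__main__":
    dn = reset_ad_password("ldaps://dc-host.company.com:636", "admin@company.com", "<admin password>",
                           "user@company.com", "<new password>", "/etc/ssl/certs/ad-ca-bundle.pem")
    print("password reset for", dn)
```

The target account's new password should then be verified by a separate bind as that user, which is what the Check Status LDAP task does; the admin bind succeeding says nothing about whether the rotation actually took effect.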

Prerequisites

  1. The PAM configuration should be performed using a PAM System Administrator account.
  2. Enable the LDAP User and LDAP Server record types, which are disabled in an out-of-the-box PAM deployment:
    1. Navigate to Administration > Record Types.

    2. Locate and select the Record Types LDAP Server and LDAP User, then click the Bulk Actions dropdown and choose Enable. This will make both Record Types available to be used as Records in PAM.

  3. Establish trust with each Active Directory server under management by using the SSLImport command in the PAM CLI utility as described here.

Configuration

  1. Create a new LDAP Server record. Navigate to your PAM Record List location and select LDAP Server from the Add Record dropdown menu.
  2. For this new LDAP Server record, enter the URL to your LDAP server, the LDAP Administrator UPN and this Administrator’s Password. For example:
    • LDAP URL: ldaps://dc-host.company.com:636

    • User: admin@company.com

    • Password: Adm1nP3ss@word8

  3. Click Save and Return when finished.

  4. Create a new LDAP User record. This record will contain the user account whose password will be reset or automatically rotated.

  5. Enter the values in the new LDAP User record as needed. For example:

    • User: user@company.com

    • Password: usersPassword

  6. Click Save and Return when finished.

  7. Open this LDAP User’s record Task list using the Manage > Tasks button.

  8. Click Make Unique button on the record task list.

  9. Select your LDAP Server record created earlier as a Shadow Account on this record.

  10. Click Save when finished.

  11. Execute the Password Reset LDAP task on the LDAP User record to test and verify the configuration.

  12. Repeat from step 4 to create additional LDAP User records to manage more active directory accounts in the AD defined by the LDAP Server record created in the step 1.

  13. Repeat all steps to add another AD domain controller with managed accounts in this domain controller.

Configuring Automation using Record Types

  1. Create your LDAP Server record as described in the steps 1, 2 and 3 of the previous Configuration section.
  2. Navigate to Administration > Record Types.
  3. Click New Record Type to create a new record type.
  4. Specify your new record type parameters
    • Name: Some Recognizable AD Name LDAP Users

    • Parent Type: LDAP User

  5. Save your new Record Type.

  6. Click the Tasks button on this new record type’s edit page.

  7. Add Check Status LDAP and Password Reset LDAP to the task list with the desired password rotation policy events.

  8. Save the Task list.

  9. Select your LDAP Server record created in step 1 as a Shadow Record for the Task list.

  10. Note: By associating the LDAP Server record as a Shadow Account for the LDAP User record type, this configures PAM to use the User and Password for the Server to execute the Password Reset task for all the LDAP User records.

  11. Save the Task list.

  12. Note: You can also customize the password complexity policy by clicking the Formula button on this page.

  13. Repeat the process for other Active Directory servers you wish to use under management.

  14. Navigate to the record list and create a new record of the record type Some Recognizable AD Name LDAP Users as in the Configuration section. This time, the record will already contain the shadow account for the specific Active Directory, which simplifies the management of multiple accounts in the same Active Directory.