Implementing the Active Directory Global Catalog with PAM
Article ID: 122398

Updated On: 03-04-2024

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

Depending on the complexity of the AD forest, it may be easier to point PAM at the AD Global Catalog than to configure multiple LDAP servers on the 3rd Party Configuration page.

Environment

Release:
Component: CAPAMX

Resolution

Connecting to the Global Catalog works. It is reached on port 3268 (cleartext or STARTTLS) or 3269 (LDAPS), which are used instead of 389 or 636, respectively. Below are some notes based on what we learned during one such deployment.

In complex Active Directory (AD) deployments where AD universal groups contain members from different sub-domains, the easiest way to configure PAM to support such environments, i.e. to import all the users and devices from a universal group even when they sit in different sub-domains, is to point PAM at the Global Catalog, which holds information about every object in the AD forest:

https://technet.microsoft.com/en-us/library/cc978012.aspx

Change the LDAP port in the 3rd Party Configuration from 389/636 to 3268/3269.

The Global Catalog is an optional domain controller role, so not every domain controller hosts it; you may need to configure PAM with a DC that actually holds the Global Catalog.
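The port change and the optional-role caveat above, as an added example that is not part of this article or of PAM itself: a bash pre-flight script that maps 389/636 to 3268/3269, lists the DCs that register the GC SRV record, and confirms a DC reports isGlobalCatalogReady in its RootDSE before PAM is repointed. ldapsearch, dig, and the host and forest names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): pre-flight checks before pointing PAM's
# 3rd Party Configuration at the Global Catalog. Assumes OpenLDAP client tools
# (ldapsearch) and dig; host and forest names below are placeholders.
gc_port() {                     # standard LDAP port -> Global Catalog port
  case "$1" in
    389) echo 3268 ;;           # cleartext or STARTTLS
    636) echo 3269 ;;           # LDAPS
    *)   echo "no Global Catalog equivalent for port $1" >&2; return 1 ;;
  esac
}

# The GC role is optional, so confirm the DC advertises a ready catalog: AD
# publishes isGlobalCatalogReady in RootDSE. This parses ldapsearch's LDIF output.
gc_ready() {
  printf '%s\n' "$1" | grep -qi '^isGlobalCatalogReady: TRUE$'
}

# Constructed sample RootDSE output in the shape ldapsearch prints (offline use).
SAMPLE_ROOTDSE='dn:
isGlobalCatalogReady: TRUE
dnsHostName: dc01.corp.example'

# DCs holding the GC role register an SRV record under the forest root domain.
gc_servers() {
  dig +short SRV "_gc._tcp.$1" | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Read RootDSE anonymously on the GC port (AD allows this without a bind) and
# check the flag. TLS requires the DC's issuing CA to be trusted by the client
# (TLS_CACERT in ldap.conf); drop -ZZ to permit cleartext on 3268.
probe_gc() {
  local host="$1" port="$2" out
  case "$port" in
    3268) out=$(ldapsearch -x -ZZ -H "ldap://$host:3268" -b '' -s base isGlobalCatalogReady 2>&1) ;;
    3269) out=$(ldapsearch -x -H "ldaps://$host:3269" -b '' -s base isGlobalCatalogReady 2>&1) ;;
    *)    echo "use 3268 or 3269" >&2; return 2 ;;
  esac
  if gc_ready "$out"; then
    echo "$host:$port: Global Catalog ready"
  else
    echo "$host:$port: not a ready Global Catalog, or connection failed:" >&2
    printf '%s\n' "$out" >&2; return 1
  fi
}

# Usage: ./gc_check.sh <forest-root-dns> <3268|3269>   e.g. corp.example 3269
if [ "$#" -ge 2 ]; then
  for dc in $(gc_servers "$1"); do probe_gc "$dc" "$2" || true; done
fi
```

A DC that answers on 3268/3269 but returns isGlobalCatalogReady FALSE (or no such attribute) should not be the server PAM is pointed at.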

If you encounter a problem implementing this, please open a support ticket.