PAM Setting UP LDAPS Connection to AD

Article ID: 130290

Products

 * CA Privileged Access Manager - Cloakware Password Authority (PA)
 * PAM SAFENET LUNA HSM
 * CA Privileged Access Manager (PAM)

Issue/Introduction

The steps for setting up an AD connection in PAM are the same regardless of whether FIPS mode is activated or not.
This demonstration is based on a FIPS-enabled PAM server, but the steps are exactly the same for non-FIPS.

Environment

Release: 3.2.x, 3.3.x and 3.4.x
Component: CAPAMX

Resolution

From the "System Info" page you can see this environment is PAM 3.2.0.331 and FIPS Mode is Enabled.

My test environment has the following AD setup.
IP: 172.17.8.1
AD Domain: TEST.LAB
AD Account for PAM to use for connecting to AD:
 * CN=fips connector,OU=FIPS-Mode,DC=TEST,DC=LAB
 * samaccountname=fipsadconnector

There are 2 prerequisites.
1. Active Directory has a server certificate installed and is listening on TCP port 636 for LDAPS.
2. TCP port 636 is open from PAM to AD.


If the port does not show as "open", you will need to work with your network team to ensure this TCP port is open from PAM to AD for two-way communication. Stop here if it shows as "filtered".

Step 1: Add Device



Step 2: Add Target Application


You MUST specify the LDAPS port here, so it cannot be 389. You MUST NOT specify a Global Catalog port (3268 or 3269). It must be the standard LDAPS port, 636.
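As an added pre-flight check (not part of this article or the PAM product), the following Python script covers the two prerequisites and the port rule above: it rejects 389, 3268 and 3269, classifies TCP 636 as open, closed or filtered the way the port check in this article does, and completes a TLS handshake to report whether the DC's certificate is trusted by the local CA store and which cipher was negotiated. The host 172.17.8.1 is this article's lab value; run the script from a host on the same network path as PAM.

```python
import socket
import ssl

LDAPS_PORT = 636
# Ports this article rules out for the PAM target application.
DISALLOWED_PORTS = {389: "plain LDAP", 3268: "Global Catalog LDAP", 3269: "Global Catalog LDAPS"}

def validate_ldaps_port(port):
    """Return (ok, reason); only the standard LDAPS port 636 is acceptable."""
    if port in DISALLOWED_PORTS:
        return False, f"port {port} is {DISALLOWED_PORTS[port]}, not LDAPS on {LDAPS_PORT}"
    if port != LDAPS_PORT:
        return False, f"port {port} is not the standard LDAPS port {LDAPS_PORT}"
    return True, "ok"

def probe_tcp(host, port, timeout=3.0):
    """Classify reachability like a port scan: open, closed (connection refused)
    or filtered (no answer before the timeout, i.e. something drops the packets)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        return f"error: {exc}"

def check_ldaps_handshake(host, port=LDAPS_PORT, timeout=5.0):
    """TLS handshake against the DC using the local trust store. 'trusted' is False
    when the DC certificate does not chain to a trusted CA or no cipher is agreed."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"trusted": True, "tls_version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "subject": dict(rdn[0] for rdn in tls.getpeercert()["subject"])}
    except ssl.SSLCertVerificationError as exc:
        return {"trusted": False, "reason": exc.verify_message}
    except OSError as exc:  # no cipher overlap (FIPS), refused, timeout, ...
        return {"trusted": False, "reason": str(exc)}

if __name__ == "__main__":
    host = "172.17.8.1"  # the article's lab DC; replace with your own
    print(validate_ldaps_port(LDAPS_PORT), probe_tcp(host, LDAPS_PORT))
    print(check_ldaps_handshake(host))
```

A "filtered" result from probe_tcp is the case the article says to stop at; a trusted=False result with a verification message means the DC certificate chain is not trusted where the script runs, which is a separate problem from the port being blocked.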

Step 3: Add Target Account (Account for AD Connection)


Ensure the Password Update option is set to "Both".


The Target Account MUST SHOW as "VERIFIED"!

Step 5: Add LDAP Domain (Config-3rdParty-LDAP)


Step 6: Log out and log in again. (From now on you will have the option to choose LDAP as the authentication type.)


Step 7: Import LDAP Groups (Users - Manage User Groups)

Select the group that you want to import.
You can see this group has 2 users as members.
You can also see the target account "CN=fips connector" in the screenshot above.
You can see at the bottom of the screenshot that PAM is connecting to "172.17.8.1:636" for "DC=test,DC=lab".
Click on the "Register Groups" button to register this group.

You can see "2 Users Processed: 2 New Users".
You can now close the "CA PAM LDAP Browser".

You will now see on the "Users - Manage Users" page that you have 2 new users registered.

You can also see on the "Users - Manage User Groups" page that the LDAP group is registered.

Additional Information

LDAPS Cipher mismatch: https://knowledge.broadcom.com/external/article?articleId=128932
