Importing LDAP groups containing objects from different domains in the forest


Article ID: 130363

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

In a complex organization whose directory consists of several child domains in a forest, it may be necessary to manage user or device groups from that structure in PAM.

It may also be preferable to have users log in to PAM using the root domain instead of specifying the subdomain in each case. To achieve this easily, a customer may have created a group in the root of the forest containing users from different domains.

According to the documentation

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-1/implementing/configuring-your-server/authenticate-users-logging-in-to-the-server/how-to-set-up-ldap-servers-for-user-authentication/how-to-configure-active-directory-for-user-authentication.html

this is possible, but even when those recommendations are followed there are situations where it does not work. Browsing in the LDAP browser works and the group membership is visible, but importing the group fails with the error

LDAP member CN=XXX,OU=Computers,OU=YY, OU=ZZ, DC=DOM, DC=domain, DC=com not found in domain.

even though the user is present in a group in domain.com.

How can I make sure that PAM groups containing users from different domains in the forest are imported successfully?

Environment

CA PAM 3.X all versions

Resolution

Make sure that the LDAP port configured under Configuration/3rd Party in PAM is port 3268 (unencrypted) or port 3269 (TLS), which are the Global Catalog ports for the forest. Pointing LDAP at the standard LDAP ports, 389 or 636, results in objects being visible in the browser but failing to import: a domain controller queried on 389/636 only holds its own domain's naming context, whereas the Global Catalog holds a partial replica of every domain in the forest, so member DNs from other domains can be resolved.

It is worth noting that when the port is correctly configured, the different subdomains of the forest are listed in the LDAP browser, whereas when pointing to port 389 or 636 they are not listed there, even though it is still possible to navigate to them and even to see the devices in groups containing multi-domain objects.

As can be seen in the following screenshot, the configured LDAP/AD is for "DC=kimlabs,DC=net" but LDAP Browser can now see devices from "DC=partners,DC=kimlabs,DC=lab" as PAM is connecting to Global Catalogue port.

If pointing to standard LDAP ports, cross domain objects would not appear.
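The following added example (not PAM code and not part of the original article) shows the check described above as an offline diagnostic: it parses the member DNs of a group from a constructed LDIF snippet, derives each member's domain from its DC components, and reports which members a PAM import would fail to resolve on a standard LDAP port (389/636) versus a Global Catalog port (3268/3269). The domain names, the LDIF content and the function names are assumptions for illustration; the resolution rule (standard ports resolve only the configured domain's naming context, Global Catalog ports resolve any domain in the forest) mirrors the article's resolution and does not contact any server.

```python
"""Offline check: can a PAM LDAP configuration resolve every member of a group?

Added example, not part of CA/Symantec PAM. The sample base DN, group LDIF and
host names below are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Iterable

# Global Catalog ports hold a partial replica of every domain in the forest.
GLOBAL_CATALOG_PORTS = {3268, 3269}
# Standard LDAP ports on a domain controller only serve that DC's own domain.
STANDARD_LDAP_PORTS = {389, 636}


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, tolerating spaces after commas
    (as in 'DC=DOM, DC=domain, DC=com') and escaped commas inside values."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def domain_of(dn: str) -> str:
    """Return the DNS-style domain name formed by the DN's DC components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def members_from_ldif(ldif: str) -> list[str]:
    """Collect the DNs listed in 'member:' attributes of an LDIF group entry."""
    return [
        line.split(":", 1)[1].strip()
        for line in ldif.splitlines()
        if line.lower().startswith("member:")
    ]


def check_import(base_dn: str, port: int, member_dns: Iterable[str]) -> dict[str, str]:
    """Map each member DN to 'ok' or the PAM-style 'not found in domain' message.

    On a Global Catalog port every forest domain is resolvable; on a standard
    port only members whose domain equals the configured base DN's domain are.
    """
    if port not in GLOBAL_CATALOG_PORTS | STANDARD_LDAP_PORTS:
        raise ValueError(f"unexpected LDAP port {port}")
    configured_domain = domain_of(base_dn)
    results: dict[str, str] = {}
    for dn in member_dns:
        if port in GLOBAL_CATALOG_PORTS or domain_of(dn) == configured_domain:
            results[dn] = "ok"
        else:
            results[dn] = f"LDAP member {dn} not found in domain"
    return results


def can_import_group(base_dn: str, port: int, member_dns: Iterable[str]) -> bool:
    """True when every member of the group would resolve on the given port."""
    return all(v == "ok" for v in check_import(base_dn, port, member_dns).values())


# Constructed sample: a group in the forest root that contains a device from a
# child domain. 'example.test' and 'child.example.test' are placeholders.
BASE_DN = "DC=example,DC=test"
GROUP_LDIF = """dn: CN=MultiDomainDevices,OU=Groups,DC=example,DC=test
objectClass: group
member: CN=HOST01,OU=Computers,DC=example,DC=test
member: CN=HOST02,OU=Computers,OU=Branch, DC=child, DC=example, DC=test
"""

if __name__ == "__main__":
    members = members_from_ldif(GROUP_LDIF)
    for port in (389, 3268):
        print(f"port {port}: import possible = {can_import_group(BASE_DN, port, members)}")
        for dn, status in check_import(BASE_DN, port, members).items():
            print(f"  {status if status != 'ok' else 'ok: ' + dn}")
```

Running the script lists HOST02 as "not found in domain" on port 389 and as resolvable on port 3268, which is exactly the symptom and the fix described in this article; the same function can be pointed at an export of a real group's member attribute to confirm, before changing the PAM configuration, that the failing members are indeed in a different domain of the forest.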
