Impact on UNAB When AD Bind User Password Is Changed



Article ID: 254000


Products

CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)
CA Virtual Privilege Manager

Issue/Introduction

The password of the Active Directory bind user that UNAB uses to register endpoints must be changed periodically. What is the impact on UNAB endpoints when that password is changed?

Environment

Unix Authentication Broker, all versions

Resolution

When a UNAB endpoint is registered with Active Directory, registration obtains Kerberos credentials for the endpoint itself and stores their keys locally in a keytab (a keytab holds long-term keys; UNAB obtains a Kerberos ticket from those keys whenever it needs one). This keytab is what UNAB authenticates with every time it opens an LDAP connection in regular operation (building the user and group databases, looking up an AD user during login, and so on). The bind user's password is needed only for registration and re-registration; UNAB does not store it on the endpoint, because all later authentication is done with the keytab. Changing the bind user's password therefore does not invalidate the keytab an already registered endpoint is using.

When a UNAB endpoint's LDAP connection is recycled, the new connection authenticates again. If the keytab has been updated in the meantime (re-registration rewrites it), the updated endpoint credentials are picked up transparently, so there is no outage even if UNAB keeps running throughout the process.

The only exposure is a timing overlap: if re-registration rewrites the keytab at the same moment the agent reads it to open an LDAP connection, that connection attempt may fail to authenticate. Because re-registration is a one-off operation, the chance of such an overlap is minimal. If you want to remove even that window, run the re-registration while the endpoint is quiet and verify the keytab afterwards, before the next LDAP reconnect.
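The check a practitioner would want after a bind password change or a re-registration is whether the endpoint's keytab still matches what AD holds for the endpoint's account. The script below is an added example, not code from this article or from CA/Broadcom: it compares the key version number (kvno) of the host principal in the local keytab with the msDS-KeyVersionNumber attribute AD reports for that computer account. If they match, the keytab is current and GSSAPI LDAP binds will keep working (the bind user's password change does not bump this kvno, which is the point of the article); if they differ, the keytab is stale and binds will fail once any cached ticket expires. The principal, keytab path, AD object and both command outputs are constructed for illustration; on a real endpoint feed the functions the output of klist -k -t and ldapsearch.

```shell
#!/bin/sh
# Added example (not from the article or from CA/Broadcom): compare the kvno of
# the endpoint's host principal in the local keytab with the
# msDS-KeyVersionNumber AD holds for the matching computer account.
# All names and sample outputs below are constructed/hypothetical. On a real
# endpoint, obtain the inputs with, for example:
#   klist -k -t /etc/krb5.keytab
#   ldapsearch -LLL -Y GSSAPI -b "$BASE" "(sAMAccountName=UNIXHOST01$)" msDS-KeyVersionNumber

# Constructed sample of `klist -k -t` output (MIT Kerberos format).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2023 10:00:00 host/unixhost01.example.com@EXAMPLE.COM
   3 06/20/2023 09:30:00 host/unixhost01.example.com@EXAMPLE.COM
   3 06/20/2023 09:30:00 UNIXHOST01$@EXAMPLE.COM'

# Constructed sample of an ldapsearch result for the computer account.
SAMPLE_LDAP='dn: CN=UNIXHOST01,OU=Unix,DC=example,DC=com
msDS-KeyVersionNumber: 4'

# Highest kvno present in the keytab for the given principal (empty if absent).
# $1 = klist -k -t output, $2 = principal name
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $NF == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > max) max = $1 + 0; found = 1 }
        END { if (found) print max }'
}

# kvno AD reports for the account (msDS-KeyVersionNumber); empty if absent.
# $1 = ldapsearch output
ad_kvno() {
    printf '%s\n' "$1" | awk -F': ' '$1 == "msDS-KeyVersionNumber" { print $2; exit }'
}

# Returns 0 when the keytab is current, 1 when it is stale or the principal is missing.
# $1 = klist output, $2 = ldapsearch output, $3 = principal name
check_keytab() {
    local_kvno=$(keytab_kvno "$1" "$3")
    remote_kvno=$(ad_kvno "$2")
    if [ -z "$local_kvno" ]; then
        echo "FAIL: $3 not found in keytab" >&2
        return 1
    fi
    if [ -z "$remote_kvno" ]; then
        echo "FAIL: AD returned no msDS-KeyVersionNumber for $3" >&2
        return 1
    fi
    if [ "$local_kvno" != "$remote_kvno" ]; then
        echo "FAIL: keytab kvno $local_kvno != AD kvno $remote_kvno for $3 (stale keytab)" >&2
        return 1
    fi
    echo "OK: $3 kvno $local_kvno matches AD"
    return 0
}

# Usage with the constructed samples: the keytab holds kvno 3 but AD is at 4,
# so the check reports a stale keytab.
check_keytab "$SAMPLE_KLIST" "$SAMPLE_LDAP" 'host/unixhost01.example.com@EXAMPLE.COM' \
    || echo "Re-register the endpoint (or restore the keytab) before the next LDAP reconnect."
```

Run this right after a re-registration to confirm the rewrite completed, and after a bind password change to confirm nothing on the endpoint moved. A kvno mismatch is also the first thing to look for when LDAP binds start failing after the overlap case described above.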