The login returns the domain and LDAP server of our internal network
search cancel

The login returns the domain and LDAP server of our internal network

book

Article ID: 95354

calendar_today

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA) CA Privileged Access Manager (PAM)

Issue/Introduction

In CA PAM, LDAP may be used to authenticate users accessing the appliance, and there are also target applications which are connecting to LDAP to perform credential management operations. These are two different parts of the product which are not necessarily connected. The LDAP directory defined in third party will be displayed publicly for anyone logging into PAM.

We have defined an internal directory in Configuration/Third Party. This directory is used only to authenticate Target Accounts, but it is showing in the LDAP client login screen as one of the authentication methods. However, we don't want it to be visible to clients as it compromises our security. How can we sort this out ?

Environment

CA PAM 2.X and 3.X

Resolution

There is a misconception here. The LDAP directory defined in Configuration/Third Party is the one that will be used to authenticate users logging into the PAM server and to import LDAP users and groups into the product. It is not used by the Credential Management part of the product to perform any operation.

By design, PAM will show in the Authentication Type in the LDAP directories that it can do authentication against to allow users to access PAM, and these are the directories defined in the Configuration/Third Party section of the product.

These directories need not be the ones used in Credential Management for Target Accounts. These ones will not be exposed and will not be used to authenticate users in PAM