
How to start a host with an LDAP user login

Hello! I have one LDAP credential (eDirectory), login "admin", and 4 Windows hosts. And I did not create a PAM local user. On my LDAP server I created the username "test". Can I start a Windows host with RDP relay using the login and password of user "test"? I want to do this without Windows host credentials.
  • 0  
    Yes, you can have the "test" user authenticated by LDAP (e.g. eDirectory) and then log in to the Windows Server as some privileged account or even as the end user "test" themselves, depending on the use case.

    What credential do you want to log in to the Windows Server/Workstation with? For example, "Administrator"?
  • 0 in reply to
    I do not want user spoofing to occur. I have a user "test" in AD. My workstation is on a domain. I do not want to create a credential, but I want to use the user and password with which I logged in to my personal account.
  • 0 in reply to

    I followed the steps outlined in this article.

    /cyberres/pam/f/pam_discussions/206847/pam-rdp-error

    But RDP Relay for Submit User still doesn't work for me. I have created an LDAP eDirectory with an admin account. I don't understand what it means to create an empty LDAP account. My rule is as follows:

    [Screenshot_5.png]

    [Screenshot_6.png]

    I am using PAM 3.7

  • Verified Answer, 0, in reply to
    1. From the screenshots, I see that you have configured an eDirectory LDAP Server and are using this in the command control rule to authorize access for the user. This suggests to me that you intend to log in as the eDirectory LDAP user 'test' and then want to receive access to the Windows domain server as this same 'test' eDirectory user. In this case, Windows won't be able to authenticate 'idm\test' because that user does not exist or cannot be authenticated within the Windows domain environment. You could, however, provide privileged elevation through a command control rule where the 'test' credential exists within the Windows Resource of the PAM Vault and the Windows domain can also authenticate it.

    2. PAM does not currently have 'Submit User' as 'Run User' support for Windows RDP Relay; however, there is support for this use case in the Direct RDP approach. For more details about this use case, please refer to the documentation: see Direct Remote Desktop Protocol. In this use case you could log in directly to the Windows server as 'test', where it is authenticated by the Windows domain, and you receive access with the same privileges/credentials as the 'test' user, but with the benefit of having an audited session from PAM.