
How to Integrate PAM with Active Directory & Import Users to Framework User Manager?

I just want to know how to integrate PAM 3.7 with Active Directory and import AD users into Framework User Manager. I have searched through the PAM documentation and couldn't find the relevant information.

  • 0  

    You cannot "import" AD users into framework user manager, but you can delegate user login to an LDAP server and map framework roles to LDAP groups. See: https://www.netiq.com/documentation/privileged-account-manager-37/npam_admin/data/user_account_settings.html#bjflv4n


    Authentication Domain: Specify a configured privileged resource. Privileged resources are configured through Credential Vault. Valid authentication domains can be configured to validate against NetIQ eDirectory or Microsoft Active Directory. Authentication Domains are used for External Groups within Command Control, or for authentication to the RDP Relay Console.

  • 0 in reply to   

    Hi,

    Does it require integration with IDM?

  • 0   in reply to 

    If you actually want to create local users in PAM, that could be done via IDM. You'll have to create a custom REST driver though. The out-of-the-box IDM driver for PAM does not do User provisioning.

    If you are fine with external framework users, then no IDM is needed.

  • 0 in reply to   

    Suppose I have 10 Active Directory users in one AD group. I just want to give them PAM User Portal logins and need to assign different Command Control policies. I need to do this without IDM integration. Can we do it? Are you suggesting that we create local users in Framework User Manager and map them to the AD users?

  • 0   in reply to 

    If you define AD as the authentication source, then your 10 users (actually all your AD users) can log in to the portal. Command Control rules will apply to them via groups in AD if you like.

    You can define a group that is mapped to an LDAP group in AD. (It is in the docs; we discussed it in the forums a week or two ago. You specify a regex that describes the group name, which is not my favorite approach.)

    Unless you want them to manage PAM they do not need to be framework users.

  • 0   in reply to   

    Actually, they don't have to be Framework Users (aka local PAM users):

    LDAP users (Microsoft Active Directory, NetIQ eDirectory, or OpenLDAP) can get administration privileges on PAM framework through their LDAP group membership. To achieve this, map the LDAP groups of the LDAP users to the Framework groups in the PAM Administration Console. This assigns the roles configured in the Framework group to the logged-in LDAP users, based on their group membership in the LDAP server.

  • 0   in reply to   

    Good point Norbert. I was thinking of doing some PAM side tasks.

    Wondering: is there anything only a Framework user can do that an LDAP user authorized via group cannot do?

  • 0

    Hi Team,

    We are doing a POC with a customer and we are facing a problem when integrating AD into MF-PAM.

    When we create a user in Framework Users and add an RDP rule, we can access the RDP server, and session capturing and keystroke tracking work fine. But when we integrate AD as an authentication source, we cannot authenticate (192.168.50.5/.../ invalid credentials). Please find the attached screenshot.

    Use case: allow RDP access to LDAP users (PAMtest group users)

    Test LDAP user name: test

    Test LDAP user group: PAMtest

    Can you find any configuration errors? Please help.

  • Verified Answer

    0   in reply to 

    OK, first off, why on your connection did you set the search depth to "one"? I would think subtree would be needed to find things elsewhere in the domain. (If a user is NOT a direct child of the domain level, I expect they will fail to log in, which could be your invalid credentials error.)

    Second, in your PAMTest Framework group, you used the default regex right out of the docs. I agree the docs are somewhat less than helpful on this, but I think you missed the point. The regex is supposed to select the group name, so

    %:=~/^[Cc][Nn]=G*/

    The regex in there, ^[Cc][Nn]=G*, means: ^ is the start-of-string anchor. Then find a C or a c (it is case sensitive), then an N or n, then an = sign. So CN= or cn= or Cn=, whatever.

    Then a G, then any other character. So your group did not map, since it is named PAMTest. You need to change that =G* to =PAMTest* (or maybe =PAMTest.*).

    Then your AD group of users should match and work.

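Editor's added example, not a post from this thread and not NetIQ code: a small Python script that checks the two settings the verified answer points at. It evaluates a PAM-style `%:=~/regex/` group mapping against a constructed list of memberOf DNs (only the group name PAMTest comes from the thread; the other DNs are made up), and it models which entries an LDAP search with scope "one" versus "subtree" can reach from a base DN. Assumptions, labelled in the code: PAM applies the inner pattern as an unanchored, case-sensitive search over each group DN (standard regex semantics, as in PCRE/Python; how PAM's own engine anchors is not established on this page), and DNs use no escaped commas. Under standard regex semantics `G*` means zero or more G, so the doc default matches every CN= DN, and `PAMTest*` also accepts PAMTes and PAMTest2; a trailing `(,|$)` pins the match to the exact group name.

```python
import re

# Constructed sample data: memberOf values an LDAP lookup for user "test"
# might return. Only the group name "PAMTest" comes from the thread.
SAMPLE_MEMBER_OF = [
    "CN=PAMTest,OU=Groups,DC=example,DC=com",
    "CN=PAMTest2,OU=Groups,DC=example,DC=com",
    "CN=PAMTes,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "cn=GlobalAdmins,ou=Groups,dc=example,dc=com",
]

# Shape of the Framework group "Users" mapping string seen in the thread.
PAM_MAPPING_RE = re.compile(r"^%:=~/(.*)/$")


def pam_group_regex(mapping):
    """Extract the inner regex from a PAM '%:=~/.../' mapping string.

    Assumption (hypothetical, not from PAM docs): PAM runs the inner pattern
    as a case-sensitive, unanchored search against each group DN.
    """
    m = PAM_MAPPING_RE.match(mapping)
    if not m:
        raise ValueError("not a PAM regex mapping: %r" % mapping)
    return re.compile(m.group(1))


def matching_groups(mapping, member_of):
    """Return the DNs from member_of that the mapping would select."""
    pattern = pam_group_regex(mapping)
    return [dn for dn in member_of if pattern.search(dn)]


def dn_components(dn):
    """Split a DN into RDNs. Simplified: no escaped-comma handling."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Would an LDAP search from base_dn with the given scope reach entry_dn?

    scope is "one" (direct children only) or "subtree" (any depth below base).
    """
    entry = dn_components(entry_dn)
    base = dn_components(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # entry is not below the search base at all
    if scope == "subtree":
        return True
    if scope == "one":
        return len(entry) == len(base) + 1
    raise ValueError("unknown scope: %r" % scope)


if __name__ == "__main__":
    for mapping in (
        "%:=~/^[Cc][Nn]=G*/",           # default from the docs
        "%:=~/^[Cc][Nn]=PAMTest*/",     # fix used in the thread
        "%:=~/^[Cc][Nn]=PAMTest(,|$)/", # exact group name only
    ):
        print(mapping, "->", matching_groups(mapping, SAMPLE_MEMBER_OF))

    # The thread's user lives under CN=Users, two levels below the domain,
    # so a search depth of "one" from the domain root cannot see it.
    user_dn = "CN=test,CN=Users,DC=example,DC=com"
    base = "DC=example,DC=com"
    for scope in ("one", "subtree"):
        print(scope, "->", in_scope(user_dn, base, scope))
```

Run it to see which DNs each mapping selects; the third pattern is the one to use when the Framework group must map to exactly one AD group and not to look-alike names such as PAMTest2.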

  • 0 in reply to   

    Hi Geoffc,

    It's now working fine. Thanks for your support.

    As you advised, we changed the users mapping to %:=~/^[Cc][Nn]=PAMTest*/ and the scope to "subtree" in the Credential Vault.

    BR,

    Vimukthi.