
I just want to know how to integrate PAM 3.7 with Active Directory and import AD users into Framework User Manager. I have searched through the PAM documentation and couldn't find the relevant information.

You cannot "import" AD users into framework user manager, but you can delegate user login to an LDAP server and map framework roles to LDAP groups. See: https://www.netiq.com/documentation/privileged-account-manager-37/npam_admin/data/user_account_settings.html#bjflv4n
Authentication Domain: Specify a configured privileged resource. Privileged resources are configured through Credential Vault. Valid authentication domains can be configured to validate against NetIQ eDirectory or Microsoft Active Directory. Authentication Domains are used for External Groups within Command Control, or for authentication to the RDP Relay Console.
Norbert

Hi,
Does it require integrating with IDM?

If you actually want to create local users in PAM, that could be done via IDM. You'll have to create a custom REST driver though. The out-of-the-box IDM driver for PAM does not do User provisioning.
If you are fine with external framework users, then no IDM is needed.
Norbert

Suppose I have 10 Active Directory users in one AD group. I just want to give them PAM User Portal logins and need to assign different Command Control policies. I need to do this without IDM integration. Can we do it? Are you suggesting here that I create local users in Framework User Manager and map them to the AD users?


If you define AD as the authentication source, then your 10 users (actually all your AD users) can log in to the portal. Command Control rules will apply to them via groups in AD if you like.
You can define a group that is mapped to an LDAP group in AD. (It is in the docs; we discussed it in the forums a week or two ago. You specify a Regex that describes the group name, not my favorite approach.)
Unless you want them to manage PAM they do not need to be framework users.

Actually, they don't have to be Framework Users (aka local PAM users):
LDAP users (Microsoft Active Directory, NetIQ eDirectory, or OpenLDAP) can get administration privileges on PAM framework through their LDAP group membership. To achieve this, map the LDAP groups of the LDAP users to the Framework groups in the PAM Administration Console. This assigns the roles configured in the Framework group to the logged-in LDAP users, based on their group membership in the LDAP server.
Norbert


Good point Norbert. I was thinking of doing some PAM side tasks.
Wondering, is there anything only a Framework user can do that an LDAP user authorized via group cannot do?

Hi Team,
We are doing a POC with a customer and we are facing a problem when integrating AD into MF-PAM.
When we create a user in Framework Users and add a rule for RDP, we can access the RDP server, and all session capturing and keystroke tracking work fine. But when we integrate AD as an authentication source we cannot authenticate (https://192.168.50.5/pam/#/login --- error: invalid credentials). Please find the attached screenshot.
Use case: allow RDP access to LDAP users (PAMtest group users)
Test LDAP user name: test
Test LDAP user group: PAMtest
Can you find any configuration errors? Please help.


OK, first off, why on your connection did you set the Search depth to "one"? I would think subtree, to find stuff elsewhere in the domain, would be needed. (If a user is NOT a direct child of the domain level, I expect they will fail to log in, which could be your invalid creds error.)
Second, in your PAMTest Framework group, you used the default Regex right out of the docs. I agree the docs are somewhat less than helpful on this, but I think you missed the point. The Regex is supposed to select the group name in a Regex, so
%:=~/^[Cc][Nn]=G*/
The Regex in there: ^[Cc][Nn]=G* means - ^ start at the beginning anchor point. Then find a C or a c (it is case sensitive), then an N or n, then an = sign. So CN= or cn= or Cn=, whatever.
Then a G, then any other character. So your group did not map, since it is named PAMTest. You need to change that =G* to =PAMTest* (or maybe =PAMTest.*).
Then your AD group of users should match and work.
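The two settings this reply points at, search scope and the Framework-group regex, are easy to model. The script below is an added example written for this thread, not PAM code and not from the documentation: it builds a small constructed directory in which user "test" sits two OUs below the domain root, runs the user lookup with scope "one" and "subtree", and then applies PAM-style %:=~/.../ group expressions (the syntax is taken from the thread; the parsing of it here is an assumption) to the user's memberOf values to decide which Framework group the login maps to, which is the mapping Norbert describes above. It also shows what a standard regex engine (Python's re) makes of the default =G* pattern, so you can confirm PAM's own matcher agrees before relying on a reading of it.

```python
"""Toy model of LDAP search scope and Framework-group regex mapping.
Constructed for illustration; nothing here is PAM code or PAM's real directory."""
import re
from typing import Optional

BASE_DN = "DC=example,DC=local"

# Constructed directory (DN -> attributes). "test" is two OUs below the base,
# "svc-pam" is a direct child of it.
DIRECTORY = {
    "CN=test,OU=Users,OU=PoC,DC=example,DC=local": {
        "sAMAccountName": "test",
        "memberOf": ["CN=PAMTest,OU=Groups,DC=example,DC=local"],
    },
    "CN=svc-pam,DC=example,DC=local": {
        "sAMAccountName": "svc-pam",
        "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=local"],
    },
}


def rdn_depth(base: str, dn: str) -> Optional[int]:
    """Number of RDNs between dn and base, or None if dn is not under base.
    Splits on plain commas, which is fine for these constructed DNs but not
    for DNs containing escaped commas."""
    if not dn.lower().endswith(base.lower()):
        return None
    head = dn[: len(dn) - len(base)].rstrip(",")
    return 0 if not head else len(head.split(","))


def search_user(base: str, scope: str, sam_account: str) -> Optional[str]:
    """Find the DN with this sAMAccountName using LDAP scope semantics:
    base = only the base entry, one = direct children only, subtree = all."""
    limit = {"base": 0, "one": 1, "subtree": None}[scope]
    for dn, attrs in DIRECTORY.items():
        depth = rdn_depth(base, dn)
        if depth is None or (limit is not None and depth != limit):
            continue
        if attrs.get("sAMAccountName", "").lower() == sam_account.lower():
            return dn
    return None


def pam_regex(expression: str) -> re.Pattern:
    """Compile the /.../ body of a '%:=~/.../' expression (assumed syntax from
    the thread) into a Python regex."""
    m = re.fullmatch(r"%:=~/(.*)/", expression)
    if not m:
        raise ValueError(f"not a %:=~/.../ expression: {expression}")
    return re.compile(m.group(1))


def map_framework_groups(member_of, mappings: dict) -> set:
    """Framework groups whose expression matches at least one of the user's
    group DNs. re.match anchors at the start, like the '^' in the thread."""
    matched = set()
    for fw_group, expression in mappings.items():
        pattern = pam_regex(expression)
        if any(pattern.match(dn) for dn in member_of):
            matched.add(fw_group)
    return matched


def login_roles(scope: str, sam_account: str, mappings: dict):
    """None when the user DN cannot be found at that scope (the reply above
    suspects this is what surfaces as 'invalid credentials'); otherwise the
    set of Framework groups the login maps to."""
    dn = search_user(BASE_DN, scope, sam_account)
    if dn is None:
        return None
    return map_framework_groups(DIRECTORY[dn]["memberOf"], mappings)


if __name__ == "__main__":
    MAPPINGS = {"PAMTest": "%:=~/^[Cc][Nn]=PAMTest.*/"}
    print("scope one    :", login_roles("one", "test", MAPPINGS))
    print("scope subtree:", login_roles("subtree", "test", MAPPINGS))
    # Caveat: in Python's re, '*' quantifies only the preceding 'G', so the
    # documentation's default '^[Cc][Nn]=G*' matches any DN that starts with
    # CN=. Check whether PAM's matcher treats it the same way.
    default = pam_regex("%:=~/^[Cc][Nn]=G*/")
    print("default pattern matches PAMTest DN:",
          default.match("CN=PAMTest,OU=Groups,DC=example,DC=local") is not None)
```

Run it as a script to see the scope difference for "test" directly; swap your own base DN, user DN and expression into DIRECTORY and MAPPINGS to sanity-check a mapping before touching the Credential Vault connection.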

Hi Geoffc,
It's now working fine. Thanks for your support.
As you guided, we changed the users to %:=~/^[Cc][Nn]=PAMTest*/ and the scope to "subtree" in the Credential Vault.
BR,
Vimukthi.

Hi Team,
We are facing another issue now.
For the framework users we can access the given RDP resources, but for the LDAP users we cannot access the resources for the same RDP rule.
framework user - "pam" (UG-RDP-RELAY-2 Group)
LDAP user - "test" (PAMtest Group)
RDP Rule - IF (user IN UG-RDP-RELAY-2 OR user IN PAMtest AND command IN RDP Session AND runhost IN HG-RDP-RELAY-2)
Please find the attached screenshot and send us some suggestions.
BR,
Vimukthi.
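The rule quoted in this post mixes OR and AND without parentheses, and the thread does not say how PAM parses that. The script below is an added check, not PAM code and not an answer from the thread: it evaluates the rule for constructed requests from the two users under both possible readings (AND binding tighter than OR, and strict left-to-right) and compares group names as exact strings, which is also an assumption. Whichever reading PAM uses, the output shows what each reading grants, which is worth knowing before the rule goes beyond a POC.

```python
"""Constructed evaluation of the Command Control rule quoted in the post:
  user IN UG-RDP-RELAY-2 OR user IN PAMtest AND command IN RDP Session
  AND runhost IN HG-RDP-RELAY-2
PAM's real operator precedence and group-name comparison are not stated in the
thread; both readings are modelled and names are compared as exact strings."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # user groups resolved for this login
    command: str
    host_groups: frozenset  # host groups the run host belongs to


def conditions(req: Request) -> tuple:
    """The four atomic tests of the rule, in the order they are written."""
    a = "UG-RDP-RELAY-2" in req.groups
    b = "PAMtest" in req.groups
    c = req.command == "RDP Session"
    h = "HG-RDP-RELAY-2" in req.host_groups
    return a, b, c, h


def allows_and_first(req: Request) -> bool:
    """Reading 1, the usual convention: AND binds tighter than OR,
    i.e. A OR (B AND C AND H). Members of UG-RDP-RELAY-2 then match
    regardless of command or host."""
    a, b, c, h = conditions(req)
    return a or (b and c and h)


def allows_left_to_right(req: Request) -> bool:
    """Reading 2, strict left-to-right: ((A OR B) AND C) AND H.
    Both groups are then limited to RDP Session on HG-RDP-RELAY-2 hosts."""
    a, b, c, h = conditions(req)
    return ((a or b) and c) and h


def explain(req: Request) -> dict:
    """Decision under each reading, for comparison."""
    return {"and_first": allows_and_first(req),
            "left_to_right": allows_left_to_right(req)}


# Constructed requests mirroring the two users named in the post.
PAM_RDP = Request("pam", frozenset({"UG-RDP-RELAY-2"}), "RDP Session",
                  frozenset({"HG-RDP-RELAY-2"}))
PAM_OTHER = Request("pam", frozenset({"UG-RDP-RELAY-2"}), "ssh", frozenset())
TEST_RDP = Request("test", frozenset({"PAMtest"}), "RDP Session",
                   frozenset({"HG-RDP-RELAY-2"}))
# Same LDAP user, but the group name arrives with different capitalisation;
# an exact-string comparison (assumed here) does not match it.
TEST_CASE = Request("test", frozenset({"PAMTest"}), "RDP Session",
                    frozenset({"HG-RDP-RELAY-2"}))

if __name__ == "__main__":
    for name, req in [("pam/RDP", PAM_RDP), ("pam/ssh", PAM_OTHER),
                      ("test/RDP", TEST_RDP), ("test/RDP PAMTest", TEST_CASE)]:
        print(f"{name:18} {explain(req)}")
```

If the two readings disagree on a request you care about (here, the framework user running anything other than RDP Session), rewrite the rule with explicit grouping or as two rules, one per group, so that the intended scope no longer depends on how the engine parses it.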