Managing Active Directory
This section describes how an Active Directory can be setup to be used as a user account source for users logging into Osirium PAM. The following topics are covered:
- Active Directory integration in Osirium PAM
- Adding an Active Directory
- Active Directory named page
- Deleting an Active Directory
Active Directory integration in Osirium PAM
Active Directory can be integrated into Osirium PAM to enable your users to log onto the UI using their existing Active Directory user credentials.
Only a single Active Directory can be selected as the user authentication service.
To integrate Active Directory users we recommend you create user groups with an Active Directory source. This will allow you to synchronise all users in your Active Directory global security group with users in your Osirium PAM. Any users that don't already exist will be automatically created.
Note
For more information, see User Groups.
Active Directory authentication service can also be used to manage accounts used for outbound device connections and tasks as well as provision Active Directory member devices.
Adding an Active Directory
An Active Directory Service must be added before the following functionality can be used:
- Active Directory user group synchronisation.
- Active Directory authentication into PAM.
- Management of Active Directory accounts.
- Provisioning Active Directory devices.
To add an Active Directory Service:
-
In the left-hand menu click Active Directory :
-
Within the Manage Active Directory page click
NEW ACTIVE DIRECTORY
. -
Within the New Active Directory window fill in the configuration information for your Active Directory service.
Field Name Description Name The Name will be used internally to reference the Active Directory. Domain (FQDN) Enter the fully qualified domain name of your Active Directory. The domain name will be used with a valid username/password to authenticate and provision the Active Directory.
Domain Controller IP/Hostname(s) Enter the IP / hostname of the Domain Controllers with Active Directory configured. Multiple Domain Controllers IP / hostname(s) can be entered by comma separating them within the field.
Fully managed account OU DN For deployments where the PAM Server should be able to create, delete, and manage the passwords and permissions of Active Directory accounts, the Active Directory should be provisioned using a set of Domain Admin credentials. In this type of deployment, the PAM Server will create an Organizational Unit (OU) in which to do this account and group management.
If the container input field is given a name, for example Management Accounts, then the OU that gets created will be called Management Accounts and will be placed in the root of the Active Directory.
By default, the container name is OU=Osirium. The container is created in the root of the Active Directory.
If the container needs to be placed inside another (or multiple) parent OUs then a DN can be specified to define where to add the PAM Server OU. For example, for the PAM Server to create an OU called Management Accounts inside a parent OU called Management Tools then use the following:
OU=Management Accounts, OU=Management Tools
For deployments where the PAM Server does not need to manage accounts in this way, the Active Directory can be provisioned with Domain User permissions. In this case, no OU will be created and any data in this field will be ignored.
NOTE The reverse order of OUs in the DN. Do not include any Domain Component attributes (DCs). All parent OUs must already exist, the PAM Server does not create any parent OUs.
Groups of interest The Active Directory group(s) that should be audited by the PAM Server. This field is useful to narrow down the auditing of accounts to those that have high levels of privileges and may pose a security risk. NOTE If this field is left blank, all users from the Domain Users group will be audited.
In the Edit value window, click the
New
drop-down and selectAdd entry
. A new value field will appear in the table. Add the name of the group you want to be audited. The group name entered must match the name of the group on the Active Directory server.
Multiple groups can be added by selectingNew >
Add entry again
.Groups of interest can be removed from the Active Directory, but doing so will make any accounts that are only members of the removed group invisible to Osirium PAM after the next Active Directory audit. The records for these accounts will no longer be visible in the Active Directory accounts view.
If any of these accounts were in a Known or Managed state, you will lose the ability to:
- Use these accounts as control accounts.
- Use them as access levels in a profile.
- Reveal/manage the credentials of the accounts.
- View their credentials in a new Breakglass report.For this reason we do not recommend removing a group of interest until all accounts in that group are set to either an approved or unapproved state.
Create device control account If the checkbox is ticked, the PAM Server will create a device access account to manage any member servers provisioned as Fully managed. The device access account is named osirium_deviceaccess_account.
It is located in the Osirium OU, Users OU.Alternatively, if you want to switch a Known or Managed member servers to Fully managed, you should select this account as the device's control account.
If you don’t create the PAM Server control account at this time then it can be created another time through the Manage accounts > Active Directory accounts tab and clicking
Create account
button.User Authentication Service Select whether this Active Directory should be used for both inbound Active Directory user authentication. NOTE Only one Active Directory service can be selected as the user authentication service.
Before clicking
Yes
take note of the following. If you already have another Active Directory service selected as the User Authentication Service, choosing a new User Authentication Service may affect existing Active Directory user authentication into the PAM UI.Use Secure LDAP Default is enabled. Select whether this Active Directory should use secure LDAP (LDAPS) or standard LDAP. -
Click
SAVE
. -
Within the Authentication details window enter a valid Username and Password.
Note
If you are using Groups of interest then the username/password used to authenticate the Active Directory must exist in one of the groups added.
-
Click
PROCEED
.A number of tasks are run by the PAM Server to provision and audit the Active Directory.
If the Create device control account checkbox was ticked, the Create device control account task will be run to create the osirium_deviceaccess_account. This account is created in Osirium > Admins OU in Active Directory.
The osirium_deviceaccess_account will be seen on the Manage accounts > Authentication Service accounts tab and will be linked to the PAM Server.
Active Directory named page
The Active Directory detail page provides information relating to the Active Directory service, and allows you to administer the Active Directory and it's accounts.
To view the Active Directory detail page, click on its name in the table.
The following administrative tasks can be carried out on this page:
Action | Description |
---|---|
Name | Change the name you reference your Active Directory within Osirium PAM. |
Domain Controller IP/hostname(s) | Change or add multiple Active Directory Domain Controllers IP/hostname(s). Multiple entries should be separated by a comma to separate them. |
Groups of interest | Enables you to add further groups of interest, Active Directory groups with high levels of privilege that may, therefore, pose a greater security risk. Any changes made will trigger an automatic audit on the Active Directory service. |
User Authentication Service | Enable to use the Active Directory for inbound user authentication to the UI. NOTE Only one Active Directory service can be selected as the user authentication service. |
Trigger audit | See Trigger Audit Button. |
The accounts section displays all the accounts that exist on the Active Directory.
The information presented in the table includes:
Heading | Description |
---|---|
Service control account | The account marked as the service control account will be the account (username/password) that will be used to manage the Active Directory authentication service. Osirium PAM will use the account to perform the following: NOTE Only accounts with a state of Known or higher can be made a Service control account. |
Device control account | The Device control account will be marked with a . The Device control account will be used to: - Manage the member servers provisioned. - Run tasks on the member servers. - Audit the member servers. NOTE Only accounts with a state of Known or higher can be made a Service control account. |
State | A State is set for each of the accounts discovered on the Active Directory Service when a DeviceAudit task is run. See Manage Account. |
Account | Name of the user account that exists on the Account source. |
Display name | Display name that exists on the Active Directory. |
User logon name | Prefix of the User Principal Name (UPN) that exists on the Active Directory. |
sAMAccountName | Pre-Windows 2000 logon name that exists on the Active Directory. |
Locked | The Active Directory account has been locked and can not be used to login. |
Credential(s) changed | Timestamp of when the PAM Server last changed the account credentials. |
Failed logon | Timestamp of when the PAM Server last failed to logon with this account. |
Linked to users | The PAM Server user(s) to which the account is linked. |
Deleting an Active Directory
An Active Directory service cannot be removed if it is being used by member servers. All member servers will need to be unprovisioned before deleting the Active Directory.
To delete an Active Directory:
-
In the left-hand menu, click on
Active Directory
. -
On the Manage Active Directory page, right-click on the Active Directory to be removed and select
Delete
from the context menu. -
Within the Question window, click
YES
, if you are sure you want to delete the Active Directory. If there is no other Active Directory authentication service set, then users that require an Active Directory to authenticate will no longer be able to login into Osirium PAM.