Skip to content

Managing Active Directory

This section describes how an Active Directory can be setup to be used as a user account source for users logging into Osirium PAM. The following topics are covered:

Active Directory integration in Osirium PAM

Active Directory can be integrated into Osirium PAM to enable your users to log onto the UI using their existing Active Directory logon credentials.

Only a single Active Directory can be selected as the user authentication service.

To integrate Active Directory users we recommend you create user groups with an Active Directory source. This will allow you to synchronise all users in your Active Directory global security group with users in your Osirium PAM. Any users that don't already exist will be automatically created.

Note

For more information, see User Groups.

Active Directory authentication service can also be used to manage accounts used for outbound device connections and tasks as well as provision Active Directory member devices.

Prerequisites

Osirium PAM uses LDAPS (Lightweight Directory Access Protocol over SSL) for Active Directory integration.

Adding an Active Directory

An Active Directory Service must be added before the following functionality can be used:

  • Active Directory user group synchronisation.
  • Active Directory authentication into the UI.
  • Management of Active Directory accounts.
  • Provisioning Active Directory devices.

To add an Active Directory Service:

  1. On left-hand menu, under Manage, either:

    • Click the Plus icon icon to the right of Active Directory.
    • Click New Active Directory within Active Directory.

    The New Active Directory window appears.

    New Active Directory

  2. In the Create Active Directory window, fill in the configuration information for your Active Directory service.

    Note

    Bold headings are required fields.

    Field Name Description
    Name The Name will be used internally to reference the Active Directory.
    Domain (FQDN) Enter the fully qualified domain name of your Active Directory.

    The domain name will be used with a valid username/password to authenticate and provision the Active Directory.

    Domain Controller IP/Hostname(s) Enter the IP / hostname of the Domain Controllers with Active Directory configured.

    Multiple Domain Controllers IP / hostname(s) can be entered by comma separating them within the field.

    Fully managed account OU DN For deployments where the PAM Server should be able to create, delete, and manage the passwords and permissions of Active Directory accounts, the Active Directory should be provisioned using a set of Domain Admin credentials.

    In this type of deployment, the PAM Server will create an Organizational Unit (OU) in which to do this account and group management.

    If the container input field is given a name, for example Management Accounts, then the OU that gets created will be called Management Accounts and will be placed in the root of the Active Directory.

    By default, the container name is OU=Osirium. The container is created in the root of the Active Directory.

    If the container needs to be placed inside another (or multiple) parent OUs then a DN can be specified to define where to add the PAM Server OU. For example, for the PAM Server to create an OU called Management Accounts inside a parent OU called Management Tools then use the following:

    OU=Management Accounts, OU=Management Tools

    For deployments where the PAM Server does not need to manage accounts in this way, the Active Directory can be provisioned with Domain User permissions. In this case, no OU will be created and any data in this field will be ignored.

    NOTE The reverse order of OUs in the DN. Do not include any Domain Component attributes (DCs). All parent OUs must already exist, the PAM Server does not create any parent OUs.

    Groups of interest The Active Directory group(s) that should be audited by the PAM Server. This field is useful to narrow down the auditing of accounts to those that have high levels of privileges and may pose a security risk.

    NOTE If this field is left blank, all users from the Domain Users group will be audited.

    In the Edit value window, click the New drop-down and select Plus icon Add entry. A new value field will appear in the table. Add the name of the group you want to be audited. The group name entered must match the name of the group on the Active Directory server.

    Create AD service Group of Interest
    Multiple groups can be added by selecting New > Plus icon Add entry again.

    Groups of interest can be removed from the Active Directory, but doing so will make any accounts that are only members of the removed group invisible to Osirium PAM after the next Active Directory audit. The records for these accounts will no longer be visible in the Active Directory accounts view.

    If any of these accounts were in a Known or Managed state, you will lose the ability to:
    - Use these accounts as control accounts.
    - Use them as access levels in a profile.
    - Reveal/manage the credentials of the accounts.
    - View their credentials in a new Breakglass report.

    For this reason we do not recommend removing a group of interest until all accounts in that group are set to either an approved or unapproved state.

    Create device control account If the checkbox is ticked, the PAM Server will create a device access account to manage any member servers provisioned as Fully managed.

    The device access account is named osirium_deviceaccess_account.
    It is located in the Osirium OU, Users OU.

    Alternatively, if you want to switch a Known or Managed member servers to Fully managed, you should select this account as the device's control account.

    If you don’t create the PAM Server control account at this time then it can be created another time through the Manage accounts > Active Directory accounts tab and clicking Create account button.

    User Authentication Service Select whether this Active Directory should be used for both inbound Active Directory user authentication.

    NOTE Only one Active Directory service can be selected as the user authentication service.

    Before clicking Yes take note of the following. If you already have another Active Directory service selected as the User Authentication Service, choosing a new User Authentication Service may affect existing Active Directory user authentication into the PAM UI.

  3. Click Save.

  4. Within the Authentication details window enter a valid Username/Password.

    Authentication details window

  5. Click Proceed.

    A number of tasks are run by the PAM Server to provision and audit the Active Directory.

    If the Create device control account checkbox was ticked, the Create device control account task will be run to create the osirium_deviceaccess_account. This account is created in Osirium > Admins OU in Active Directory.

    The osirium_deviceaccess_account will be seen on the Manage accounts > Authentication Service accounts tab and will be linked to the PAM Server.

Active Directory detail page

The Active Directory detail page provides information relating to the Active Directory service, and allows you to administer it.

To view the Active Directory detail page, click on its name in the table. Alternatively, highlight an Active Directory name, right-click for the context menu. Within the context menu select Show and you will be navigated to the page.

AD detail window

The following administrative tasks can be carried out for an Active Directory on the details page:

Action Description
Name Change the name you reference your Active Directory within Osirium PAM.
Domain Controller IP/hostname(s) Change or add multiple Active Directory Domain Controllers IP/hostname(s). Multiple entries should be separated by a comma to separate them.
Groups of interest Enables you to add further groups of interest, Active Directory groups with high levels of privilege that may, therefore, pose a greater security risk.

Any changes made will trigger an automatic audit on the Active Directory service.
User Authentication Service Enable to use the Active Directory for inbound user authentication to the UI.

NOTE Only one Active Directory service can be selected as the user authentication service.

Trigger audit See Trigger Audit Button.

The accounts section displays all the accounts that exist on the Active Directory.

The information presented in the table includes:

Heading Description
Service control account The account marked as the service control account Checked box icon will be the account (username/password) that will be used to manage the Active Directory authentication service.

Osirium PAM will use the account to perform the following:
- Create and delete Osirium PAM accounts/groups on the Active Directory.
- Update Active Directory users account information if they already exist in Osirium PAM.
- Create Active Directory users in Osirium PAM if they don't already exist.
- Audit user accounts.

NOTE Only accounts with a state of Known or higher can be made a Service control account.

Device control account The Device control account will be marked with a Checked box icon . The Device control account will be used to:
- Manage the member servers provisioned.
- Run tasks on the member servers.
- Audit the member servers.

NOTE Only accounts with a state of Known or higher can be made a Service control account.

State A State is set for each of the accounts discovered on the Active Directory Service when a DeviceAudit task is run.

See Manage Account.

Account Name of the user account that exists on the Account source.
Display name Display name that exists on the Active Directory.
User logon name Prefix of the User Principal Name (UPN) that exists on the Active Directory.
sAMAccountName Pre-Windows 2000 logon name that exists on the Active Directory.
Locked The Active Directory account has been locked and can not be used to login.
Credential(s) changed Timestamp of when the PAM Server last changed the account credentials.
Failed logon Timestamp of when the PAM Server last failed to logon with this account.
Linked to users The PAM Server user(s) to which the account is linked.

Deleting an Active Directory

An Active Directory service cannot be removed if it is being used by member servers. All member servers will need to be unprovisioned before deleting the Active Directory.

To delete an Active Directory:

  1. In the left-hand menu, click on Active Directory.

  2. On the Manage Active Directory page, right-click on the Active Directory to be removed and select Delete icon from the context menu.

  3. Within the Question window, click Yes, if you are sure you want to delete the Active Directory. If there is no other Active Directory authentication service set, then users that require an Active Directory to authenticate will no longer be able to login into Osirium PAM.

    AD Delete qustion