Layer7 Privileged Access Management


What type of user should I request to integrate PAM with active directory?

  • 1.  What type of user should I request to integrate PAM with active directory?

    Posted 02-27-2018 08:07 AM

    I am working on integrating PAM 3.1.1 with Active Directory. I requested from the customer one user with privileges from Domain Admin, but I read the documentation and did not find information about this type of user or the permissions that the user will need to have. The customer requests the official documentation for creating the user.


    What type of user should I request to integrate PAM with active directory?



  • 2.  Re: What type of user should I request to integrate PAM with active directory?

    Posted 02-27-2018 08:43 AM

    Hi Julian,


    Here is a link to the information on importing LDAP groups: Import LDAP User Groups - CA Privileged Access Manager - 3.1.1 - CA Technologies Documentation 


    You will note in step 9 of Import LDAP Groups it states, "The default role is Standard User." 


    When I'm advising a customer on how to import from LDAP, I recommend users are placed in groups that are more easily managed in CA PAM. For example, DBAs should be placed in the appropriate DBA group whether it be Microsoft, Oracle or MySQL; Server Administrators placed in an appropriate group and so on. This way when they are imported to PAM they are in the appropriate group and they can be managed from there.


    I hope this helps,

    Christo



  • 3.  Re: What type of user should I request to integrate PAM with active directory?

    Posted 02-27-2018 12:07 PM

    If your question is regarding the account requirement for integrating PAM with Active Directory, then you need an AD account (generally referred to as a service account) which should have permission to read the Active Directory tree.



  • 4.  Re: What type of user should I request to integrate PAM with active directory?
    Best Answer

    Posted 03-02-2018 04:13 AM

    Hello Julian,

    By default in MS-AD any member of the "Authenticated Users" group has READ permissions on all user and group objects in the complete tree.

    (This can be changed with Users&Computers / View / Advanced / right-click-the-object / Properties / Security)


    To answer your question, for integrating AD via LDAP to MS-AD an ordinary user is sufficient.
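As an added example (not part of the original thread, and not CA PAM's own tooling), the following PowerShell script shows what the advice in replies 3 and 4 looks like in practice: create a plain domain user as the PAM LDAP bind account, confirm it is not a member of any privileged group, and then bind as that account to read the directory, which is the same read-only operation PAM performs during an LDAP import. The account name, OU path, domain and description are assumptions to be adjusted for your environment; the cmdlets are from the standard ActiveDirectory module.

```powershell
# Added example: provision a least-privilege AD bind account for the PAM
# LDAP integration and verify it has only default (Authenticated Users) read
# access. Names, OU and domain below are assumptions, not values from the thread.
Import-Module ActiveDirectory

$svcName    = 'svc-pam-ldap'                          # assumed account name
$ouPath     = 'OU=ServiceAccounts,DC=example,DC=com'  # assumed OU
$domainFqdn = 'example.com'                           # assumed domain
$upn        = "$svcName@$domainFqdn"

# Prompt for the password so it is never stored in the script.
$password = Read-Host -Prompt "Password for $svcName" -AsSecureString

# An ordinary user: no group membership beyond the default Domain Users,
# which is what makes the account an "Authenticated User" with read rights
# on user and group objects across the tree.
New-ADUser -Name $svcName `
    -SamAccountName $svcName `
    -UserPrincipalName $upn `
    -Path $ouPath `
    -AccountPassword $password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'CA PAM LDAP bind account (read-only directory access)'

# Check 1: the bind account must not hold any privileged group membership
# (direct membership only; extend with recursive checks if your domain nests groups).
$privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                'Administrators', 'Account Operators')
$groups  = Get-ADPrincipalGroupMembership -Identity $svcName |
           Select-Object -ExpandProperty Name
$overlap = $groups | Where-Object { $privileged -contains $_ }
if ($overlap) {
    Write-Warning "$svcName is in privileged group(s): $($overlap -join ', ')"
} else {
    Write-Host "OK: $svcName is only a member of: $($groups -join ', ')"
}

# Check 2: bind as the new account and read a few user and group objects.
# This succeeds with default AD permissions and mirrors the PAM import.
$cred = New-Object System.Management.Automation.PSCredential($upn, $password)
Get-ADUser  -Filter * -ResultSetSize 5 -Server $domainFqdn -Credential $cred |
    Select-Object SamAccountName, DistinguishedName
Get-ADGroup -Filter * -ResultSetSize 5 -Server $domainFqdn -Credential $cred |
    Select-Object Name, DistinguishedName
```

Run this from a workstation with RSAT installed using an account that is allowed to create users in the target OU. If the second check fails with an access error, the default read permission on the tree has been tightened as reply 4 describes (Users&Computers / View / Advanced / Properties / Security), and the service account needs an explicit read ACE rather than any administrative group membership.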