Can I have the same AD account on-boarded in two CA PAM standalone instances and keep the same password between the two PAM instances? How can we reconcile AD accounts?
Just curious - what is the reason behind this query?
We have three separate environments for PAM, but only one AD domain, and we would like to manage devices per environment with a single authentication source.
I take it you'd be creating separate AD branches to contain the environment-specific users and devices. Perhaps you could create an admin account for each branch. Regardless, I can see how there would be challenges.
The user node is the same in AD, and the same account is used across all devices to access and log in. For example, User1 will use the x_user1 account to log in to the dev Windows machine and the prod Windows machine.
Hi Bipin, There is no built-in mechanism in PAM to GET password updates from other credential sources. It would require an external tool that uses API calls to retrieve target account passwords from the PAM instance that manages the accounts, and set the passwords on the other PAM instance if the current password there doesn't match.
Thank you Ralf. We use individual user AD accounts to log in to all Windows machines, and the same account can't be managed in two separate PAM instances because the Credential Manager passwords will go out of sync.
Can we run any external job from PAM which triggers whenever a password change occurs in one PAM and updates the password in the other PAM?
Bipin, You can integrate PAM with a syslog server which will get messages when an account password is updated.
Splunk is configured as the syslog server, but it is very hard to keep track of thousands of accounts at a time.
If you configure a workflow in Splunk that spawns a task whenever a password update event is received, the task would get the new password from the PAM server that updated the password and publish it to the others. Once it works it shouldn't matter much how many accounts you have.
You mean to utilize Splunk for getting the recent password and updating it on the other PAM instance. Not sure if that is possible with the current Splunk infrastructure.
No, that's not what I meant. I meant for Splunk to launch a task/command when a password update message is received. That external command would be your custom application that gets the password from one PAM server and sends it to the others.
Got it. Let me try that option. Meanwhile, if you see the same scenario with another customer, please let me know the solution if anything else can be done. Thanks again.
Just to be clear - is the AD Account being onboarded from a single AD Domain by two standalone (separate) PAM instances (i.e. Clusters)? I cannot grasp why this would be needed or possible.
Yes, same single AD domain and same AD account. We want to separate the servers based on environment, like preprod and prod.
I would think that is outside the scope of what CA PAM can do. As, I believe, Ralf mentioned, you may be able to script or code a process to synchronize the password change, but that is not something CA would support and could cause confusion in the future. It is not recommended that any 2 separate (not in the same cluster) PAM appliances manage or rotate credentials.
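The sync task Ralf describes above (a Splunk-triggered command that reads the rotated password from the PAM instance that changed it and writes it to the other instance only when the copies differ), as an added example that is not from the thread or from CA's own code. The syslog line format, the `PamClient` stand-in and its method names are constructed placeholders; a real implementation would replace them with the instance's actual API calls, which the thread does not give.

```python
import re

# Constructed syslog line shape; the real CA PAM message format is not given
# in the thread, so the field names here are placeholders.
EVENT_RE = re.compile(
    r"pam_host=(?P<host>\S+) event=PASSWORD_UPDATED account=(?P<account>\S+)"
)

class PamClient:
    """Hypothetical stand-in for a CA PAM API client, one per instance.
    It keeps an in-memory account->password map so the example runs offline."""
    def __init__(self, host, accounts):
        self.host = host
        self._accounts = dict(accounts)
        self.updates = 0  # number of set_password calls issued to this instance

    def manages(self, account):
        return account in self._accounts

    def get_password(self, account):
        return self._accounts[account]

    def set_password(self, account, new_password):
        self._accounts[account] = new_password
        self.updates += 1

def parse_event(line):
    """Return (source_host, account) for a password-update event, else None."""
    m = EVENT_RE.search(line)
    return (m["host"], m["account"]) if m else None

def sync_on_event(line, instances):
    """Splunk-launched task: pull the new password from the instance named in
    the event and push it to every other instance that manages the account and
    holds a different value. Returns the number of instances updated."""
    parsed = parse_event(line)
    if parsed is None:
        return 0
    source_host, account = parsed
    current = instances[source_host].get_password(account)
    updated = 0
    for host, target in instances.items():
        if host == source_host or not target.manages(account):
            continue
        # Write only when out of sync. The target will itself emit a
        # PASSWORD_UPDATED event after this write; by then both copies match,
        # so the next run is a no-op and the instances do not ping-pong.
        if target.get_password(account) != current:
            target.set_password(account, current)
            updated += 1
    return updated
```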