
Does Saviynt support PAM for LDAP targets?

Saathvik
All-Star

Team,

We know that Saviynt supports PAM for Active Directory connections, but we wanted to confirm whether it supports the same for LDAP.

Because for LDAP we also use the same connection type as AD, can we assume that it supports similar features to AD, at least for some of the basic features like the ones below?

  1. Discovery, Visibility, and Bootstrapping
  2. Privileged Account and Access Lifecycle Management

We went through the Feature Support Matrix and other CPAM-related documentation, but nowhere do we see LDAP support officially mentioned. So we wanted someone to confirm which features it can support for LDAP.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

sudeshjaiswal
Saviynt Employee

Hi Saathvik,

We're looking into it and will get back to you shortly.

Thank you!

If you find the above response useful, Kindly Mark it as "Accept As Solution".

shreem
Saviynt Employee

Hi @Saathvik

Can you give more details on what exactly is the target?
We had done a POC a while back to integrate PAM with OUD (using the AD Connector), and the below use cases had worked:

1. Discovery of Accounts
2. Bootstrapping
3. Credential Checkout/Check-In and password rotation

So ideally the PAM integration will work for your target as well, if the AD connector you have configured supports importing accounts/access and password management.

@shreem :

We are using Novell/OpenText NetIQ e-directory and we do have similar use cases; along with those we also have service account use cases:

  1. Discovery of Accounts
  2. Bootstrapping
  3. Credential Checkout/Check-In and password rotation
  4. Manage Service Account Creation, vaulting their credentials & manage their credentials

We noticed some issues in rotation of credentials for regular accounts, so we thought of checking before making any assumptions, as the documentation didn't clearly state this.


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

NageshK
Saviynt Employee

@Saathvik Most of the PAM supportability will depend on the change password functionality. Are you using a certificate in the connection? Usually change password fails when there is no certificate presented. Also, what kind of issues were noticed while rotating credentials for regular accounts? Has the change pwd task been successful for non-regular (admin?) accounts?

Thanks

Nagesh K

@NageshK : Yes, we do have a certificate attached to the connection and we are using an SSL connection. Change password tasks get completed and PAM is enabled on the account, but we noticed that the password is not changed on the target. Upon further troubleshooting we see an error in the provisioning comments, "LDAP: error code 17 - Undefined Attribute Type", though the task is marked as completed. A ticket has already been opened for the same.

Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.

NageshK
Saviynt Employee

@Saathvik Thanks for the details. Have you mentioned anything in the change pwd field of the connection? If yes, please share it here.

Thanks

Nagesh K

@NageshK : Actually, we removed the changeandresetpassword JSON and it completed the change password task. But still, some of the use cases related to service accounts, like adding access/removing access, are also failing with the same error. This may not be a PAM use case, but in general we now need to ask whether the LDAP connector supports Novell/OpenText NetIQ e-directory for access provisioning, as the connection doesn't have a JSON where we can configure add and remove access. We will try to get a response on that through the ticket.

For now, related to PAM support for LDAP targets, is it safe to say it will support the above mentioned use cases?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.
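The two symptoms in this exchange, a task marked completed while the provisioning comments carry "LDAP: error code 17 - Undefined Attribute Type", and a password that is not actually changed on the target, are both things a defender can check for programmatically before trusting a rotation. The following is an added example, not Saviynt code and not the connector's real JSON format: it assumes a hypothetical `{"modify": {"attr": "value"}}` shape for the change-password JSON, uses constructed subsets of the AD and eDirectory schemas (AD publishes `unicodePwd`, eDirectory publishes `userPassword`), maps result code 17 per RFC 4511, and takes a caller-supplied `bind` callable so the post-rotation check runs offline here.

```python
"""Pre-flight and post-rotation checks for credential rotation against an
LDAP target driven by a connector designed for Active Directory.

Added example, not Saviynt code. The schema sets, JSON shape and directory
contents below are constructed sample data, not captured from a real tenant.
"""
import json
import re

# RFC 4511 result codes that commonly surface in rotation comments.
# 17 is the "Undefined Attribute Type" reported in the thread above.
LDAP_RESULT_CODES = {
    0: "success",
    16: "noSuchAttribute",
    17: "undefinedAttributeType",
    19: "constraintViolation",
    32: "noSuchObject",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}

# Constructed subsets of what each directory advertises in its subschema
# entry; in real use read these from the server's subschemaSubentry.
SAMPLE_SCHEMAS = {
    "ad": {"cn", "sAMAccountName", "userAccountControl", "unicodePwd",
           "pwdLastSet", "memberOf"},
    "edirectory": {"cn", "uid", "userPassword", "loginDisabled",
                   "groupMembership", "securityEquals"},
}

COMMENT_RE = re.compile(r"LDAP: error code (\d+)")


def attributes_in_json(connection_json: str) -> set:
    """Collect every leaf key of a change/reset-password JSON.

    Hypothetical shape: {"modify": {"attr": "value", ...}}. The keys of
    leaf entries are taken to be the LDAP attribute names the connector
    would write to the target.
    """
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if isinstance(value, (dict, list)):
                    walk(value)
                else:
                    found.add(key)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(connection_json))
    return found


def undefined_attributes(connection_json: str, schema: set) -> list:
    """Attributes the JSON writes that the target schema does not define.

    Any attribute returned here would draw result code 17 from the server,
    so the JSON must be adjusted before rotation is enabled for the target.
    """
    return sorted(a for a in attributes_in_json(connection_json) if a not in schema)


def reconcile(task_status: str, provisioning_comment: str):
    """Decide whether a provisioning task really succeeded.

    Returns (verdict, reason). A task marked Completed whose comments carry
    a non-zero LDAP result code is reported as FAILED, so a password the
    directory never accepted is not vaulted as the current secret.
    """
    match = COMMENT_RE.search(provisioning_comment or "")
    if match:
        code = int(match.group(1))
        if code != 0:
            return "FAILED", LDAP_RESULT_CODES.get(code, f"ldapResultCode{code}")
    if task_status.lower() != "completed":
        return "FAILED", f"task status {task_status}"
    return "OK", ""


def rotation_applied(bind, dn: str, new_password: str, old_password: str) -> bool:
    """Post-rotation check: the new secret must bind and the old must not.

    `bind(dn, password)` is a caller-supplied callable returning True on a
    successful simple bind (wrap ldap3 or similar in real use).
    """
    return bind(dn, new_password) and not bind(dn, old_password)


if __name__ == "__main__":
    change_json = '{"modify": {"unicodePwd": "${password}", "pwdLastSet": "0"}}'
    print("missing on eDirectory:", undefined_attributes(change_json, SAMPLE_SCHEMAS["edirectory"]))
    print(reconcile("Completed", "LDAP: error code 17 - Undefined Attribute Type"))
    # Constructed in-memory directory standing in for a real simple bind.
    store = {"cn=svc-backup,o=corp": "NewSecret!2"}
    print(rotation_applied(lambda dn, pw: store.get(dn) == pw,
                           "cn=svc-backup,o=corp", "NewSecret!2", "OldSecret!1"))
```

Running the pre-flight check against the eDirectory schema flags both `unicodePwd` and `pwdLastSet` as undefined, which is exactly the class of mismatch that produces result code 17 when an AD-oriented JSON is pointed at a non-AD directory; the reconcile step turns a misleading "completed" status into a failure, and the bind check confirms the rotation on the target rather than trusting the task record.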

NageshK
Saviynt Employee

@Saathvik Yes, the attributes and the schema will have differences as compared to AD. So, it is expected that the functionalities that work for AD may not work for other LDAP based targets. Were you using AD Connection type or LDAP Connection Type?

As long as the change password task is working, you should technically be able to vault the accounts and implement credential checkout, pwd rotation use cases for PAM. However, as the target is not officially declared supported, any support related tasks will be challenging and may not get the right visibility/acceptance.

Thanks

Nagesh K

@NageshK : We don't have LDAP as the connection type. We use AD as the connection type and then use the "LDAP OR AD" connection attribute to define whether it is LDAP or AD.

[Two screenshots attached: Saathvik_0-1727272091132.png, Saathvik_1-1727272154588.png]

Now, based on your response, what I understand is that the target is not officially supported but it may work, which we may have to validate for each use case. And any issues down the line may not get the right attention from support, as it is not supported officially?


Regards,
Saathvik
If this reply answered your question, please Accept As Solution and give Kudos to help others facing similar issue.