09/12/2024 10:05 AM
Team,
We know that Saviynt supports PAM for Active Directory connections, but wanted to confirm whether it supports the same for LDAP.
Because for LDAP we also use the same connection type as AD, can we assume that it supports similar features to AD, at least for some of the basic features like those below?
We went through the Feature Support Matrix and other CPAM-related documentation, but nowhere do we see LDAP support officially mentioned. So we wanted someone to confirm which features it can support for LDAP.
09/15/2024 10:35 PM
Hi Saathvik,
We're looking into it and will get back to you shortly.
Thank you!
09/16/2024 03:52 AM
Hi @Saathvik
Can you give more details on what exactly the target is?
We had done a POC a while back to integrate PAM with OUD (using the AD connector), and the use cases below worked:
1. Discovery of Accounts
2. Bootstrapping
3. Credential Checkout/Check-In and password rotation
So ideally the PAM integration will work for your target as well, if the AD connector you have configured supports importing accounts/access and password management.
09/16/2024 07:24 AM
@shreem :
We are using Novell/OpenText NetIQ eDirectory, and we have similar use cases; along with those we also have service account use cases.
We noticed some issues in rotating credentials for regular accounts, hence we thought of checking before making any assumptions, as the documentation didn't clearly state this.
09/23/2024 11:01 AM
@Saathvik Most of the PAM supportability will depend on the change password functionality. Are you using a certificate in the connection? Usually change password fails when no certificate is presented. Also, what kind of issues were noticed while rotating credentials for regular accounts? Has the change pwd task been successful for non-regular (admin?) accounts?
Thanks
Nagesh K
09/23/2024 02:11 PM - edited 09/24/2024 06:01 AM
@NageshK : Yes, we do have a certificate attached to the connection and we are using an SSL connection. The change password task gets completed and PAM is enabled on the account, but we noticed that the password is not changed on the target. Upon further troubleshooting we see the error "LDAP: error code 17 - Undefined Attribute Type" in the provisioning comments, though the task is marked as completed. A ticket has already been opened for the same.
09/24/2024 09:04 AM
@Saathvik Thanks for the details. Have you mentioned anything in the change pwd field of the connection? If yes, please share it here.
Thanks
Nagesh K
09/24/2024 12:42 PM - edited 09/24/2024 12:54 PM
@NageshK : Actually we removed the changeandresetpassword JSON and it completed the change password task. But some of the use cases related to service accounts, like adding/removing access, are also failing with the same error. This may not be a PAM use case, but in general we now need to ask whether the LDAP connector supports Novell/OpenText NetIQ eDirectory for access provisioning, as the connection doesn't have a JSON where we can configure add and remove access; we will try to get a response through the ticket.
For now, related to PAM support for LDAP targets, is it safe to say it will support the above-mentioned use cases?
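The error 17 reported above and the fix of dropping the changeandresetpassword JSON point at the same cause: LDAP resultCode 17 is undefinedAttributeType (RFC 4511), which a server returns when a modify names an attribute its schema does not define, for example an AD-style write to unicodePwd sent to an eDirectory target. The following is an added example, not code from this thread or from Saviynt: a Python pre-flight check that parses attributeTypes definitions in the format a directory's subschema subentry returns them and reports which attributes a change-password template would write that the target schema lacks. The schema lists are constructed and abbreviated (the attribute names and OIDs are the real ones, but these are not dumps of a real server), the template shape is hypothetical (Saviynt's actual JSON format is not reproduced), and reading the live subschema entry from the server is left to the caller.

```python
"""Pre-flight check for LDAP resultCode 17 (undefinedAttributeType, RFC 4511):
does every attribute a change-password template writes exist in the target
directory's schema?  Added example; schema lists and template shapes below are
constructed for illustration, not taken from Saviynt or from a live server."""
import json
import re

# Constructed, abbreviated attributeTypes values in the form a subschema
# subentry (cn=schema / cn=subschema) returns them.  Names and OIDs are real;
# the lists are illustrative and incomplete.
AD_ATTRIBUTE_TYPES = [
    "( 1.2.840.113556.1.4.90 NAME 'unicodePwd' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )",
    "( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )",
]
EDIR_ATTRIBUTE_TYPES = [
    "( 2.5.4.35 NAME 'userPassword' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )",
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]

# Hypothetical templates: plain "attribute -> value" JSON with a ${password}
# placeholder.  Saviynt's real changeandresetpassword JSON is not reproduced.
AD_TEMPLATE = '{"unicodePwd": "${password}"}'
EDIR_TEMPLATE = '{"userPassword": "${password}"}'

# NAME 'single' or NAME ( 'primary' 'alias' ... ) as in RFC 4512 attributeTypes.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def schema_attribute_names(attribute_types):
    """Lower-cased set of every NAME, aliases included, in the definitions."""
    names = set()
    for definition in attribute_types:
        match = _NAME_RE.search(definition)
        if not match:
            continue  # malformed or truncated line; skip rather than guess
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names


def template_attributes(template_json):
    """Every key the template writes, walking nested objects and lists."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                found.append(key)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(json.loads(template_json))
    return found


def undefined_attributes(template_json, attribute_types):
    """Attributes the template writes that the target schema does not define
    (LDAP attribute names are case-insensitive, so compare lower-cased)."""
    known = schema_attribute_names(attribute_types)
    return [a for a in template_attributes(template_json) if a.lower() not in known]


def preflight(template_json, attribute_types):
    """Predict the modify outcome: resultCode 17 if any attribute is undefined."""
    missing = undefined_attributes(template_json, attribute_types)
    if missing:
        return {"ok": False, "resultCode": 17, "undefined": missing}
    return {"ok": True, "resultCode": 0, "undefined": []}


def ad_unicode_pwd_value(password):
    """AD accepts unicodePwd only as the UTF-16LE bytes of the double-quoted
    password, and only on a TLS-protected connection."""
    return ('"' + password + '"').encode("utf-16-le")


if __name__ == "__main__":
    for target, schema in (("AD", AD_ATTRIBUTE_TYPES), ("eDirectory", EDIR_ATTRIBUTE_TYPES)):
        print(target, "with AD template:", preflight(AD_TEMPLATE, schema))
        print(target, "with eDirectory template:", preflight(EDIR_TEMPLATE, schema))
```

Running the AD template against the eDirectory schema flags unicodePwd as undefined, which is the same condition the provisioning comment reported; the eDirectory template against either schema passes because userPassword exists in both. Two caveats: an attribute being defined only means the modify will be parsed, not that the bound account may write it (ACLs and password policy can still reject it), and the AD case additionally needs the quoted UTF-16LE encoding over TLS, which is why the certificate question earlier in the thread matters.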
09/24/2024 05:28 PM
@Saathvik Yes, the attributes and the schema will have differences compared to AD. So it is expected that functionalities that work for AD may not work for other LDAP-based targets. Were you using the AD connection type or the LDAP connection type?
As long as the change password task is working, you should technically be able to vault the accounts and implement the credential checkout and pwd rotation use cases for PAM. However, as the target is not officially declared supported, any support-related tasks will be challenging and may not get the right visibility/acceptance.
Thanks
Nagesh K
09/25/2024 06:52 AM
@NageshK : We don't have LDAP as the connection type; we use AD as the connection type and then use the LDAP OR AD connection attribute to define whether it is LDAP or AD.
Now, based on your response, what I understand is that the target is not officially supported but it may work, which we may have to validate for each use case. And any issues down the line may not get the right attention from support, as it is not officially supported?