Secure Connectivity to an Active Directory Domain Controller

How PAM uses secure connectivity to an Active Directory domain controller.

Microsoft requires that password changes in Active Directory be made over an encrypted connection, so PAM rotates AD passwords using the LDAPS protocol. This means the LDAP Server host has to be specified in the format ldaps://dc-host.company.com:port.

It also means that the AD domain controller has to be configured with a trusted certificate to secure the communication link.

This certificate has to be issued for the exact host name (dc-host.company.com) used in the host property of the LDAP Server record describing the domain controller; otherwise the PAM password rotation routine will not trust the certificate and will fail to connect to the domain controller, even with valid Admin credentials.

If your AD domain controller does not support LDAPS connectivity protected by a trusted certificate, PAM cannot rotate passwords for users in that domain.


If your AD domain controller supports LDAPS but its certificate is not signed by a certificate authority that PAM trusts out of the box (for example, a certificate issued by an internal CA, or a self-signed one), PAM will attempt to import the certificate into its key store automatically during the first connection attempt.

Because of this, the first connection attempt might fail while subsequent connections succeed, since by then the certificate has been imported into the PAM key store.


If the domain controller certificate does not include the host name used in the AD connection string ldaps://dc-host.company.com:port, PAM will fail to trust the certificate even if it has been imported successfully into the PAM key store. Host name verification compares the name in the connection string with the names on the certificate, and importing the certificate does not bypass that check.

In this case the only resolution is to align the name on the certificate with the name of the AD domain controller host in the connection string. There are two ways to do this.

One is to reissue the certificate for the domain controller with the host name used in the connection string and bind it to the LDAPS listener on the domain controller.

The other is to add a host record (for example, an entry in the hosts file) on the OS hosting PAM that maps the name on the certificate to the domain controller's IP address, and then use that exact name in the AD connection string of the LDAP Server record. Note that such a host record is not updated when the domain controller's IP address changes and has to be maintained by hand.

Troubleshooting

To troubleshoot certificate issues, or to load the AD domain controller certificate into the PAM key store in a supervised way, perform the following steps:

  1. Log in to the PAM host as the PAM owner (Linux/Unix) or open a command prompt as Administrator (Windows). Navigate to the $PAM_HOME folder (such as /opt/pam or c:\pam). Do not navigate into the bin subfolder of $PAM_HOME.
  2. Execute the following command, where dc-host.company.com is the host name of the Active Directory domain controller and port is its LDAPS port (636 for LDAPS, or 3269 for the Global Catalog over SSL):

     For Linux:

     bin/PamDirectory.sh SSLImport dc-host.company.com port

     For Windows:

     bin\PamDirectory.cmd SSLImport dc-host.company.com port

The command will either complete successfully, indicating that PAM already trusts the Active Directory domain controller certificate, or print the certificate on the screen and prompt you to import it into the PAM key store.

Note that the command may print several certificates, indicating that intermediate certificates are required to establish trust to the domain controller. Import all of the certificates into the PAM key store as prompted, then repeat the procedure to confirm that the connection succeeds.

The command may also report an error when the host name given as the parameter does not match the name on the certificate, which breaks the trust.

This has to be resolved by connecting with the name on the certificate, using one of the two ways of aligning the names described above.
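The host name check described above, both in the section on certificates that do not carry the connection-string name and in the SSLImport name-mismatch error, can be reproduced outside PAM with the openssl command-line tool before touching the PAM key store. The following script is an added example for this page, not part of the PAM product or its documentation. It assumes openssl 1.0.2 or newer on the PATH; to run offline it builds a constructed self-signed certificate for the made-up host dc01.company.com, and the fetch_ldaps_cert helper (not executed here, since it needs network access) shows how to capture the certificate a real domain controller serves on its LDAPS port.

```shell
#!/bin/sh
# Added example, not PAM product code. Reproduces the TLS host-name check that
# a client such as PAM applies to the domain controller's LDAPS certificate.
# Assumes: openssl 1.0.2+ on PATH. All host names are made up for this example.

# Save the leaf certificate actually served on the DC's LDAPS port as PEM.
# Not run in this example (needs network access).
# Usage: fetch_ldaps_cert dc-host.company.com 636 dc.pem
fetch_ldaps_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Print the DNS names listed in the certificate's subjectAltName, one per line.
# These, not the display name of the DC, are what host name verification uses.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Return 0 when the certificate is valid for host name $2, i.e. when a client
# connecting to ldaps://$2:port would accept it; return 1 on a mismatch.
# openssl prints "Hostname X does match certificate" or "... does NOT match ...".
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Build a constructed self-signed certificate that mimics a DC certificate
# issued for dc01.company.com (plus its short name) but NOT for dc-host.company.com.
# Prints the path of the PEM file it created.
make_sample_dc_cert() {
    dir=$(mktemp -d)
    cat > "$dir/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_dc
[dn]
CN = dc01.company.com
[v3_dc]
subjectAltName = DNS:dc01.company.com, DNS:dc01
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -config "$dir/req.cnf" 2>/dev/null
    echo "$dir/cert.pem"
}

# Demonstration: the certificate is accepted for the name it was issued for and
# rejected for the name an operator might have typed into the LDAP Server record.
SAMPLE_CERT=$(make_sample_dc_cert)
echo "Names on certificate:"
cert_dns_names "$SAMPLE_CERT"
for h in dc01.company.com dc-host.company.com; do
    if cert_matches_host "$SAMPLE_CERT" "$h"; then
        echo "$h: OK (PAM would trust this certificate for this name)"
    else
        echo "$h: MISMATCH (import succeeds, connection still fails)"
    fi
done
```

Run cert_matches_host against the certificate the domain controller actually serves, with the host name from the LDAP Server record as the second argument. A MISMATCH result means SSLImport may still import the certificate into the PAM key store, but the connection will fail until the name on the certificate and the name in the connection string are aligned as described above.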