Configure transparent user management using LDAP
The PAM - Self-Hosted solution can be configured to communicate with LDAP-compliant directory servers to obtain user identification and security information. This enables automatic user and group provisioning, providing transparent user management.
Overview
Users are provisioned with their user information (such as full name and email address) and with their security information, such as group membership. The latter provides transparent access control management: users can be given permissions in the Vault based on their LDAP group membership.
In order to maintain a high level of security in the Vault, the security attributes of LDAP user accounts and groups are managed internally.
LDAP users and groups
An LDAP user account is created the first time a user is referenced in one of the following situations:
■ The user logs on to the Vault
■ The user is added as a Safe member
■ The user is added as a group member
LDAP groups are created when groups that are defined in one or more external directories are added as Safe owners or as members of a regular group in the CyberArk Vault.
For details, see Manage LDAP users.
Directory maps
A directory map determines whether a user account or group may be created in the Vault, and according to which criteria. Each map contains a rules list which specifies the users and groups who can access the Vault, and a template which contains the security attributes and authorizations that will be applied when an LDAP user account is created.
During installation, the PAM - Self-Hosted solution creates built-in directory maps for the most common PAM - Self-Hosted solution users. You can use these directory maps immediately, modify them with relevant mapping rules according to your enterprise standards, or create new directory maps.
For details, see LDAP integration in V10.
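To make the two mechanisms above concrete (an LDAP user account is created only when first referenced, and a directory map decides whether that creation is allowed and which template is applied), here is a small Python model of the provisioning decision. It is an added illustration written for this page, not CyberArk code, and it does not talk to a directory or to the Vault. All DNs, map names, rule kinds, authorization names and the first-match ordering of maps are assumptions of the model; check your own directory maps against the product documentation rather than against this code.

```python
"""Constructed model of directory-map provisioning. Added illustration, not
CyberArk code: every DN, map name, rule kind and authorization name below is
invented for the example, and "first matching map wins" is a modelling assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LdapUser:
    dn: str
    cn: str
    display_name: str
    mail: str
    member_of: frozenset  # group DNs as returned by the directory (memberOf)


@dataclass
class DirectoryMap:
    name: str
    # Rules list: ("group", <group DN>) matches by membership,
    # ("location", <container DN>) matches any user sitting under that container.
    rules: list
    # Template: Vault-side security attributes applied once, when the account is created.
    authorizations: frozenset
    expiry_days: int


@dataclass
class VaultUser:
    name: str
    full_name: str
    email: str
    authorizations: frozenset
    expiry_days: int
    mapped_by: str


class Vault:
    """Holds provisioned users. Maps are evaluated in list order; the first match wins."""

    def __init__(self, maps):
        self.maps = maps
        self.users = {}

    def match_map(self, user):
        groups = {g.lower() for g in user.member_of}
        for dmap in self.maps:
            for kind, value in dmap.rules:
                if kind == "group" and value.lower() in groups:
                    return dmap
                if kind == "location" and user.dn.lower().endswith("," + value.lower()):
                    return dmap
        return None  # no rule in any map admits this user

    def reference(self, user, event):
        """Called the first time a user is referenced: logon, Safe-member add or group-member add."""
        if event not in ("logon", "safe_member", "group_member"):
            raise ValueError(f"unknown reference event {event!r}")
        if user.cn in self.users:
            # Account already exists: the template is not re-applied. From here on the
            # Vault manages the account's security attributes internally.
            return self.users[user.cn]
        dmap = self.match_map(user)
        if dmap is None:
            raise PermissionError(f"{user.dn} matches no directory map; account not created")
        created = VaultUser(user.cn, user.display_name, user.mail,
                            dmap.authorizations, dmap.expiry_days, dmap.name)
        self.users[user.cn] = created
        return created


# Constructed maps. The privileged map is listed first with a narrow group rule; the broad
# location rule sits behind it, so staff who are also PAM admins get the admin template.
MAPS = [
    DirectoryMap("Vault Admins (constructed)",
                 [("group", "CN=PAM-Admins,OU=Groups,DC=example,DC=com")],
                 frozenset({"AddSafes", "AddUpdateUsers", "AuditUsers"}), 0),
    DirectoryMap("Vault Users (constructed)",
                 [("location", "OU=Staff,DC=example,DC=com")],
                 frozenset(), 90),
]

# Constructed directory entries.
ALICE = LdapUser("CN=alice,OU=Staff,DC=example,DC=com", "alice", "Alice Example",
                 "alice@example.com", frozenset({"CN=PAM-Admins,OU=Groups,DC=example,DC=com"}))
BOB = LdapUser("CN=bob,OU=Staff,DC=example,DC=com", "bob", "Bob Example",
               "bob@example.com", frozenset({"CN=Developers,OU=Groups,DC=example,DC=com"}))
EVE = LdapUser("CN=eve,OU=Contractors,DC=example,DC=com", "eve", "Eve Example",
               "eve@example.com", frozenset())


def demo():
    vault = Vault(MAPS)
    results = {}
    results["alice"] = vault.reference(ALICE, "logon").mapped_by
    results["bob"] = vault.reference(BOB, "safe_member").mapped_by
    try:
        vault.reference(EVE, "logon")
        results["eve"] = "created"
    except PermissionError:
        results["eve"] = "rejected"
    # A second reference returns the existing account untouched.
    results["alice_again"] = vault.reference(ALICE, "group_member") is vault.users["alice"]
    return results


if __name__ == "__main__":
    print(demo())
```

The point to check when you edit the built-in maps is the interaction between rule breadth and map order in whatever evaluation order the product actually uses: a broad location rule placed ahead of a narrow group rule would hand administrators the less privileged template, and a broad rule on the administrators' map would hand the privileged template to everyone under that container.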
See also: LDAP Authentication