AD bridging through PSM for SSH

This topic describes the PAM - Self-Hosted AD bridging solution.


PAM - Self-Hosted integrates with Microsoft’s Active Directory (AD) to provision users transparently on remote UNIX systems, streamlining user management and reducing administrative overhead. In addition to automatic user provisioning, this CyberArk solution benefits from all standard CyberArk security and management features, including access control and auditing.

The solution allows users who authenticate with passwords to log on to a UNIX machine using their AD credentials as their user is automatically synchronized with a corresponding user in the Vault. Likewise, existing groups in AD directories are automatically synchronized with a corresponding group in the Vault. Users have immediate access to UNIX machines, based on their AD permissions and groups, facilitating an uninterrupted workflow and maintaining productivity.

This solution provides the following functionality:



User authentication through the Vault

Users and groups listed in an Active Directory can connect to a target UNIX machine as a local user through the Vault, which authenticates them. The Vault supports multiple authentication methods, such as LDAP, password, RADIUS, PKI, and more. For more information about authentication, see Authenticate to Privileged Access Manager - Self-Hosted .

Manage Users' Unix UID in the Active Directory

The Unix UID attribute is used to identify a user on a *NIX system and determine which system resources the user can access. Users' UID attributes can be centrally managed in the Active Directory and mapped to the target upon user connection.

First time log on

The first time that users try to log onto the target UNIX machine, this solution automatically provisions them, and enables them to connect without any manual intervention.

Provision users

Users are automatically given permissions on the target machine based on their permissions in the Active Directory. By default, they are created on the target machine with predefined default settings. The same provisioned user on all Unix/Linux systems is allocated the same UID. Each user can be assigned a single shell configuration file to customize the user when it is created, such as user profile attributes, environment variables, etc.

Provision groups

Users are automatically given permissions on the target machine based on the group they belong to in the Active Directory. Users will be assigned to local groups on the target machine with a name that corresponds to their groups in the Active Directory.

Record and monitor

All the activities in each session can be recorded in text format, and stored in the Vault, compressed, for future auditing. These recordings are transparent to users and cannot be bypassed. Auditors can see all the recordings archives, and can retrieve and view comprehensive recordings of these sessions. Search features enable auditors to locate specific recordings.

Auditing and Reports

The Vault provides comprehensive auditing for every user provisioning and session recording. Auditing information is displayed in a simple intuitive interface that includes the user’s name, the address of the target machine, the duration of the session, and more.

Automatic user deprovisioning

At regular intervals, PSM for SSH  compares provisioned users with their authorizations for the target machine account. If a user’s authorizations have been removed and the user is no longer authorized to access the target machine, PSM for SSH will automatically deprovision the user and they will no longer be able to access the target machine.

To configure AD bridging in your PAM - Self-Hosted environment, see Configure AD bridging.


Integration with ticketing systems is not supported.

How it works

The following diagram shows how the CyberArk Digital Vault retrieves information about users and groups from the Microsoft Active Directory and creates corresponding users and groups in the target UNIX machine.

The end user, called Mike in the above example, issues an SSH command that enables him to log on to a target UNIX machine (step 1). The CyberArk Vault intercepts Mike’s request and refers to the Microsoft Active Directory for his AD credentials (step 2). When the Vault receives this information, it passes it on to PSM for SSH which accesses the target machine and checks whether or not Mike has an account there. If he does, PSM for SSH initiates an ssh session and logs him on to the target machine. If Mike does not yet have an account on the target machine, PSM for SSH creates one for him, and then initiates an ssh session and logs him on to the target machine (step 3).

The logon process is audited by the Vault. In addition, subsequent tasks that the user performs on the target machine are recorded by PSM for SSH and can be viewed in real time or later by auditors.