Windows Domain Accounts via LDAP

This topic describes the Windows Domain Accounts via LDAP plugin.

Support

Target devices

This plugin can be used to connect to the following directories:

Windows 2022 Active Directory domain
Windows 2019 Active Directory domain
Windows 2016 Active Directory domain
Windows 2012 Active Directory domain

Accounts

The CPM supports account management for the following accounts:

  • Windows Domain users, including members of the Protected Users group

Platforms

In the Privilege Cloud Portal Platform Management page, make sure that the following target account platform is displayed:

  • Windows Domain Accounts via LDAP

Connection methods

This plugin supports the following connection methods to the remote machine:

  • LDAP 

Actions

The following table lists the supported password management actions for this platform:

Action      Supported   Permissions
Verify      Yes
Change      Yes
Reconcile   Yes         Administrator
Delete      No

Logon accounts

Action            Supported   Required   Platform                           Permissions
Logon and change  Yes         No         Windows Domain Accounts via LDAP   Remote access, Reset passwords

Reconcile accounts

Action      Supported   Required   Platform                           Permissions
Reconcile   Yes         No         Windows Domain Accounts via LDAP   Administrator, or a delegation of the "Reset user passwords and force password change at next logon" task

If UnlockUserOnReconcile is set to Yes, you must also delegate Read lockoutTime and Write lockoutTime on the managed user objects to the reconcile account.
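Delegating the task to the reconcile account, rather than making it an Administrator, is the least-privilege option in the table above. The script below is an added example and is not from the CyberArk documentation or the plugin; it uses dsacls.exe to grant exactly the rights behind that delegation task (the Reset Password control-access right and read/write on pwdLastSet) and, when UnlockUserOnReconcile is Yes, read/write on lockoutTime. The domain CORP, the account CORP\svc-cpm-reconcile and the OU path are placeholders to replace for your environment.

```powershell
# Added example (not CyberArk code): grant the reconcile account only the rights
# it needs on the user objects it manages, instead of domain Administrator.
# Assumptions: dsacls.exe is available (Windows Server / RSAT), the session is
# elevated and runs as an account that may modify the OU's security descriptor,
# and the three names below are placeholders for your domain.

$ReconcileAccount  = 'CORP\svc-cpm-reconcile'
$TargetOU          = 'OU=Managed,DC=corp,DC=example'
$UnlockOnReconcile = $true    # mirror the platform's UnlockUserOnReconcile setting

# The AD "Reset user passwords and force password change at next logon" delegation
# task is the Reset Password control-access right plus Read/Write on pwdLastSet.
# The ${...} form is needed because "$Var:" would otherwise parse as a scope qualifier.
$grants = @(
    "${ReconcileAccount}:CA;Reset Password;user",
    "${ReconcileAccount}:RPWP;pwdLastSet;user"
)
if ($UnlockOnReconcile) {
    # Unlocking clears lockoutTime, so the CPM must be able to read and write it.
    $grants += "${ReconcileAccount}:RPWP;lockoutTime;user"
}

foreach ($grant in $grants) {
    # /I:S = apply to sub-objects only; the trailing ";user" limits inheritance to user objects.
    & dsacls.exe $TargetOU /I:S /G $grant
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for grant '$grant' on $TargetOU" }
}

# Verify: list only the ACEs on the OU that name the reconcile account.
& dsacls.exe $TargetOU | Select-String -SimpleMatch $ReconcileAccount
```

Run it once per OU that holds managed users. The final dsacls call prints the resulting entries so you can confirm that nothing broader than these ACEs (for example a Full Control grant left over from an earlier setup) exists for the reconcile account.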

Connection component

The Windows Session (PSM-RDP) PSM connector is used with accounts managed by this plugin.

Configuration

Account parameters

Required

Username

The name of the user to manage.

Supported formats:

  • Basic authentication: UPN or Username

    The Username format is supported only when the DisplayName and sAMAccountName values of the target account are the same.

  • KERBEROS or NTLM authentication: UPN

Address

The address of the directory. When UseSSL=Yes, this must be a host name, not an IP address.

Optional


User DN

The Distinguished Name of the user. When you specify this parameter, its value, rather than the Username, is the name the CPM uses when authenticating to the target directory.

  • This parameter is only valid with the Basic authentication type. If you use another authentication type, do not specify the User DN parameter.

  • A valid DN has no space after the commas that separate its components:

    • Correct format: cn=a,cn=b,dc=c

    • Incorrect format: cn=a, cn=b, dc=c

AuthenticationType

The type of authentication used.

Valid values: Basic, KERBEROS, NTLM

Default value: Basic

Port

The port used to connect to the target machine.

Valid values: 0 - 65535

UseSSL

Whether or not to use LDAPS.

Valid values: Yes/No

  • When specifying the Basic authentication type, the value must be Yes. Basic authentication is an LDAP simple bind, which sends the password in the clear unless the connection is protected by TLS.

  • When UseSSL=Yes, the address cannot be in IP format, because the domain controller's certificate is validated against the host name that was connected to.

UnlockUserOnReconcile

Whether or not the CPM unlocks the target account during the reconcile operation.

Platform parameters


AuthenticationType

The type of authentication used.

Valid values: Basic, KERBEROS, NTLM

Default value: Basic

Port

The port used to connect to the target machine. The standard ports are 389 for LDAP and 636 for LDAPS.

Valid values: 0 - 65535

UseSSL

Whether or not to use LDAPS.

Valid values: Yes/No

  • When specifying the Basic authentication type, the value must be Yes.

  • When UseSSL=Yes, the address cannot be in IP format.

UnlockUserOnReconcile

Whether or not the CPM unlocks the target account during the reconcile operation.

This parameter is only supported for Active Directory.

ForbiddenCharacters

A pipe-separated list of characters that are rejected in parameter values, to prevent LDAP injection.

Default value: &| !|<|>|"|'|(|)|*|/|:|?
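The constraints in the parameter lists above (Basic requires LDAPS, an LDAPS address must be a host name, a DN has no space after its commas, the ForbiddenCharacters list) can be checked before a platform or account is saved. The functions below are an added example, not CyberArk or plugin code. They assume the parameter names as listed on this page, apply ForbiddenCharacters to Username only (the page does not state which parameters the CPM validates with it), treat each pipe-separated token of the default as one forbidden character, and use constructed sample values. The second function shows the RFC 4515 filter escaping that neutralises the same characters, which is what the blocklist is guarding against.

```powershell
# Added example (not CyberArk code): check a parameter set against the constraints
# on this page, and show the LDAP filter injection ForbiddenCharacters prevents.
# Assumptions: hashtable keys mirror the parameter names on this page; the
# ForbiddenCharacters list is applied to Username; all sample values are made up.

function Test-LdapPlatformConfig {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [hashtable] $Config,
        # Default from this page, each pipe-separated token being one forbidden character.
        [string] $ForbiddenCharacters = '&|!|<|>|"|''|(|)|*|/|:|?'
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $auth   = if ($Config.AuthenticationType) { [string]$Config.AuthenticationType } else { 'Basic' }
    $useSsl = ([string]$Config.UseSSL -eq 'Yes')

    if ($auth -notin @('Basic', 'KERBEROS', 'NTLM')) {
        $findings.Add("AuthenticationType '$auth' is not one of Basic, KERBEROS, NTLM")
    }
    # Basic is an LDAP simple bind: the password crosses the wire in the clear without TLS.
    if ($auth -eq 'Basic' -and -not $useSsl) {
        $findings.Add('AuthenticationType=Basic requires UseSSL=Yes')
    }
    # LDAPS validates the DC certificate against the name dialled, so an IP address will not match.
    $ip = $null
    if ($useSsl -and [System.Net.IPAddress]::TryParse([string]$Config.Address, [ref]$ip)) {
        $findings.Add("UseSSL=Yes but Address '$($Config.Address)' is an IP address; use the DC's host name")
    }
    if ($Config.ContainsKey('Port') -and ([int]$Config.Port -lt 0 -or [int]$Config.Port -gt 65535)) {
        $findings.Add("Port $($Config.Port) is outside 0-65535")
    }
    if ($Config.UserDN) {
        if ($auth -ne 'Basic') { $findings.Add('User DN is only valid with AuthenticationType=Basic') }
        if ($Config.UserDN -match ',\s') { $findings.Add("User DN '$($Config.UserDN)' has a space after a comma") }
    }
    # Any forbidden character in Username could change the meaning of a filter or DN built from it.
    $forbidden = ($ForbiddenCharacters -split '\|') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    $username  = [string]$Config.Username
    $hits = @($forbidden | Where-Object { $username.Contains($_) })
    if ($hits.Count -gt 0) {
        $findings.Add("Username contains forbidden character(s): $($hits -join ' ')")
    }
    return $findings
}

# Escape a value for use inside an LDAP search filter (RFC 4515). Rejecting the
# characters outright, as ForbiddenCharacters does, is the stricter alternative.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)] [string] $Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'     { [void]$sb.Append('\5c') }
            '*'     { [void]$sb.Append('\2a') }
            '('     { [void]$sb.Append('\28') }
            ')'     { [void]$sb.Append('\29') }
            "`0"    { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    return $sb.ToString()
}

# --- Constructed sample input -------------------------------------------------
$good = @{
    Username = 'svc-app01@corp.example'; Address = 'dc01.corp.example'
    AuthenticationType = 'Basic'; UseSSL = 'Yes'; Port = 636
    UserDN = 'cn=svc-app01,ou=Service Accounts,dc=corp,dc=example'
}
$bad = @{
    Username = '*)(objectClass=*'          # would turn a user lookup into "match everything"
    Address = '10.0.0.5'; AuthenticationType = 'Basic'; UseSSL = 'Yes'
    UserDN = 'cn=a, cn=b, dc=c'
}

"Findings for the good config: $(@(Test-LdapPlatformConfig $good).Count)"
Test-LdapPlatformConfig $bad | ForEach-Object { "Bad config: $_" }

# Unescaped, the injected value closes the sAMAccountName clause and adds (objectClass=*).
"(&(sAMAccountName=$($bad.Username))(objectClass=user))"
# Escaped, the same characters are literal bytes inside the attribute value.
"(&(sAMAccountName=$(ConvertTo-LdapFilterValue $bad.Username))(objectClass=user))"
```

The good configuration produces no findings; the bad one is reported three times (IP address with UseSSL=Yes, a space after a comma in the DN, and forbidden characters in the username). The last two lines print the filter with and without escaping, which is the clearest way to see why `(`, `)` and `*` are on the default list.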