User directory

Active Directory organizational units or containers are used as user directory. A service account is required to work with directory, in order to read directory users properties.

Creating an account to use with user directory

  1. Run the Active Directory Users and Computers snap-in
  2. Open the context menu of organizational unit or container
  3. Select Create - User item from the menu
  4. Specify the user name, say, IPAMManager
  5. Fill in the mandatory fields and complete the account creation

Alternatively, you can use an existing account. All Active Directory domain users have a right to read the properties of other users by default.

Video storage

Video storage is a network folder with configured access. A service account is required to access video storage. To access the video store you need a service account to perform read and write operations. It is recommended to use the existing IPAMManager account as the service one.

A domain account is required to work with video storage.

To create a network folder, follow these steps:

  1. Create a folder on the network store.
  2. Call the contextual menu of the folder you created, select the item Share with > Specific people.
  3. Enter the username (IPAMManager) and click Add.
  4. In the "Permission level" column, click the Read value next to the IPAMManager user and select Read/Write from the menu.
  5. Finish creating a network folder by clicking Share.

Shadow file storage

Files that the user transfers to the target resource are copied to the storage. It is a network folder similar to a video storage.

Data storage

Indeed PAM uses Microsoft SQL Server or PostgreSQL Pro to store data. The following components require databases:

  • Indeed PAM Core (DB IPAMCore, DB IPAMTasks)
  • Indeed PAM IdP (DB IPAMIdP)
  • Indeed Log Server (DB ILS)

The ILS database is required only for a configuration with event storage in the DBMS. When using Windows Event Log, creating a database is not necessary.

Table creation, data read and write operations are performed under service account to use with data storage. The account should have the following database rights:

  • db_owner - this is required to create tables upon the first request to database
  • db_datareader - for read operations from database
  • db_datawriter - for write operations to database

Database creation

Microsoft SQL Server

  1. Run Microsoft SQL Management Studio (SSMS) and connect to Microsoft SQL Server instance
  2. Open the context menu of Databases item
  3. Select the New Database item
  4. Specify a database name, for example IPAMCore, IPAMTasksIPAMIdPILS
  5. Click ОK

PostgreSQL Pro

  1. Launch pgAdmin and connect to the PostgreSQL Pro server
  2. Open the context menu of the Databases item 
  3. Select Create, Database
  4. Specify a database name, for example: IPAMCore, IPAMTasksIPAMIdPILS
  5. Click Save

Creating a service account to work with data storage

Microsoft SQL Server

  1. Start Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
  2. Expand the Security item
  3. Open the context menu of Logins item
  4. Select the Create login item
  5. Enter the name, for example IPAMSQLService
  6. Select SQL Server authentication item and fill in the required fields
  7. Switch to User Mapping item
  8. Check IPAMCoreIPAMTasksIPAMIdP and ILS databases
  9. Check database roles db_ownerdb_datareader and db_datawriter
  10. Click ОK

PostgreSQL Pro

  1. Launch pgAdmin and connect to the PostgreSQL Pro server
  2. Open the context menu of the Login/Group Roles item
  3. Select Create, Login/Group Role
  4. Specify a Name, for example IPAMSQLService, in the Definition tab, enter the new password, in the Privileges tab, in the Can login? item select Yes, click Save
  5. Go to the created databases, open the context menu, select Properties, specify the Owner as IPAMSQLService
  6. Go to the Security tab, in Privileges add a new row, in the Grantee column select IPAMSQLService from the list, click on the cell in the Privileges column and select All and With grant option 
  7. Click Save, repeat for the rest of the databases.

Service operations on Active Directory

Active Directory service operations are performed on behalf of the service account:

  • Checking the connection to the Domain
  • Domain accounts synchronization
  • Checking the domain account password
  • Changing the domain account password

Creating and configuring the service account to use with Active Directory

  1. Start the Active Directory Users and Computers snap-in
  2. Open the context menu of the Container or Organization Unit
  3. Select Create - User item
  4. Enter the name, for example IPAMService
  5. Fill in the required fields and complete the creation of the account
  6. Open the context menu of the Container or Organization Unit in which the access accounts are located
  7. Select Properties item
  8. Go to Security tab
  9. Click Add
  10. Select IPAMService account and click OK
  11. Click Advanced
  12. Select IPAMService account and click Edit
  13. For the field Applies to: set value Descendant User objects
  14. In the Permissions: section check Reset password
  15. Save the changes

Create a security group for Active Directory Privileged access accounts 

  1. Start the Active Directory Users and Computers snap-in.
  2. Open the context menu of the Domain, Container or Organization Unit
  3. Select Create - Group item
  4. Enter the name, for example IPAMPrivilegedAccounts
  5. Select Global in the Group scope section
  6. Select Security in the Group type section
  7. Save the changes

Service operations for Windows resources

The following service operations are performed at Windows resources on behalf of the domain or local service account:

  • Checking of connection to resources
  • Synchronization of local accounts
  • Checking of local account passwords
  • Changing of local account passwords

Configuring a domain account as service one

  1. Log in to resource
  2. Run the Computer management snap-in
  3. Switch to System tools - Local Users and Groups - Groups section
  4. Open the context menu of Administrators group
  5. Select Properties item
  6. Click Add
  7. Select the domain account to be used as service one for the resource and click OK

Configuring a local account as service one

If you plan to use local built-in administrator account as service account, then no additional configuration is required. Otherwise, proceed as follows:

  1. Log in to resource
  2. Run the Computer management snap-in
  3. Switch to System tools - Local Users and Groups - Groups section
  4. Open the context menu of Administrators group
  5. Select Properties item
  6. Click Add
  7. Select the local account to be used as service one for the resource and click Ок
  8. Run Windows registry editor (RegEdit)
  9. Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ branch
  10. Open the context menu of System section
  11. Select Create - DWORD (32-bit) Value
  12. Specify the parameter name - LocalAccountTokenFilterPolicy
  13. Open the context menu of LocalAccountTokenFilterPolicy parameter
  14. Select Modify item and set the Value data:  equal to 1

Registry editing is required due to restrictions on remote WinRM management for all local accounts except for built-in administrator account.

Configuring a resource to use local accounts as service one

Synchronize accounts operation is performed using remote WinRM management. It is necessary to add the resource to the TrustedHosts list if local resource accounts are used as service ones.

Configuring the TrustedHosts list

  1. Log in to the server on which Indeed PAM Core will be installed
  2. Run Command line (CMD) as Administrator
  3. Execute the following command:
winrm s winrm/config/client @{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local"}

The specified resources shall be added to the TrustedHosts list.

When adding new resources to the trusted list, you must specify previously added resources and new ones, since the new value overwrites the old one.

@{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local, NewResource.demo.local"}

Service operations for *nix resources

The following service operations are performed at *nix resources on behalf of the local service account:

  • Checking of connection to resource
  • Searching for local accounts
  • Checking of local account passwords
  • Changing of local account passwords

Creating and configuring a service account

  1. Log in to resource.
  2. Run Terminal.

  3. Create a user, for example IPAMService:

    adduser IPAMService

  4. Add the user to SUDO group

    usermod -aG sudo IPAMService

Configuring a group of privileged accounts

Automatic searching and adding of Access accounts to Indeed PAM is performed based on their permission to execute a SUDO command. To grant the permission to execute SUDO command, you need to edit the /etc/sudoers file.

SSL Configuration for Indeed PAM components

Secure interaction will require certificates for servers that have Indeed PAM components installed. The certificates can be generated using the standard Machine template.

  • No labels