You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 92 Next »

User directory

Active Directory organizational units or containers are used as user directory. A service account is required to work with directory, in order to read directory users properties.

Creating an account to use with user directory

  1. Run the Active Directory Users and Computers snap-in
  2. Open the context menu of organizational unit or container
  3. Select Create - User item from the menu
  4. Specify the user name, say, IPAMManager
  5. Fill in the mandatory fields and complete the account creation

Alternatively, you can use an existing account. All Active Directory domain users have a right to read the properties of other users by default.

Video storage

A service account is required to access video storage. The account is used to perform read and write operations. It is recommended to use the existing IPAMManager account as the service one.

A domain account is required to work with video storage.

Data storage

Microsoft SQL Server database is used to store Indeed PAM data. The following components require databases:

  • Indeed PAM Core (DB IPAMCore и DB IPAMTasks)
  • Indeed PAM IdP (DB IPAMIdP)
  • Indeed Log Server (DB ILS)

Table creation, data read and write operations are performed under service account to use with data storage. The account should have the following database rights:

  • db_owner - this is required to create tables upon the first request to database
  • db_datareader - for read operations from database
  • db_datawriter - for write operations to database

Database creation

  1. Run Microsoft SQL Management Studio (SSMS) and connect to Microsoft SQL Server instance
  2. Open the context menu of Databases item
  3. Select the New Database item
  4. Specify a database name, for example IPAMCore, IPAMTasksIPAMIdPILS
  5. Click ОK

Creating a service account to work with data storage

  1. Start Microsoft SQL Management Studio (SSMS) and connect to the Microsoft SQL Server instance
  2. Expand the Security item
  3. Open the context menu of Logins item
  4. Select the Create login item
  5. Enter the name, for example IPAMSQLService
  6. Select SQL Server authentication item and fill in the required fields
  7. Switch to User Mapping item
  8. Check IPAMCoreIPAMTasksIPAMIdP and ILS databases
  9. Check database roles db_ownerdb_datareader and db_datawriter
  10. Click ОK

Service operations on Active Directory

Active Directory service operations are performed on behalf of the service account:

  • Checking the connection to the Domain
  • Domain accounts synchronization
  • Checking the domain account password
  • Changing the domain account password

Creating and configuring the service account to use with Active Directory

  1. Start the Active Directory Users and Computers snap-in
  2. Open the context menu of the Container or Organization Unit
  3. Select Create - User item
  4. Enter the name, for example IPAMService
  5. Fill in the required fields and complete the creation of the account
  6. Open the context menu of the Container or Organization Unit in which the access accounts are located
  7. Select Properties item
  8. Go to Security tab
  9. Click Add
  10. Select IPAMService account and click OK
  11. Click Advanced
  12. Select IPAMService account and click Edit
  13. For the field Applies to: set value Descendant User objects
  14. In the Permissions: section check Reset password
  15. Save the changes

Create a security group for Active Directory Privileged access accounts 

  1. Start the Active Directory Users and Computers snap-in.
  2. Open the context menu of the Domain, Container or Organization Unit
  3. Select Create - Group item
  4. Enter the name, for example IPAMPrivilegedAccounts
  5. Select Global in the Group scope section
  6. Select Security in the Group type section
  7. Save the changes

Service operations for Windows resources

The following service operations are performed at Windows resources on behalf of the domain or local service account:

  • Checking of connection to resources
  • Synchronization of local accounts
  • Checking of local account passwords
  • Changing of local account passwords

Configuring a domain account as service one

  1. Log in to resource
  2. Run the Computer management snap-in
  3. Switch to System tools - Local Users and Groups - Groups section
  4. Open the context menu of Administrators group
  5. Select Properties item
  6. Click Add
  7. Select the domain account to be used as service one for the resource and click OK

Configuring a local account as service one

If you plan to use local built-in administrator account as service account, then no additional configuration is required. Otherwise, proceed as follows:

  1. Log in to resource
  2. Run the Computer management snap-in
  3. Switch to System tools - Local Users and Groups - Groups section
  4. Open the context menu of Administrators group
  5. Select Properties item
  6. Click Add
  7. Select the local account to be used as service one for the resource and click Ок
  8. Run Windows registry editor (RegEdit)
  9. Expand the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ branch
  10. Open the context menu of System section
  11. Select Create - DWORD (32-bit) Value
  12. Specify the parameter name - LocalAccountTokenFilterPolicy
  13. Open the context menu of LocalAccountTokenFilterPolicy parameter
  14. Select Modify item and set the Value data:  equal to 1

Registry editing is required due to restrictions on remote WinRM management for all local accounts except for built-in administrator account.

Configuring a resource to use local accounts as service one

Synchronize accounts operation is performed using remote WinRM management. It is necessary to add the resource to the TrustedHosts list if local resource accounts are used as service ones.

Configuring the TrustedHosts list

  1. Log in to the server on which Indeed PAM Core will be installed
  2. Run Command line (CMD) as Administrator
  3. Execute the following command:
winrm s winrm/config/client @{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local"}

The specified resources shall be added to the TrustedHosts list.

When adding new resources to the trusted list, you must specify previously added resources and new ones, since the new value overwrites the old one.

@{TrustedHosts="Resource1.demo.local, Resource2.demo.local, Resource3.demo.local, NewResource.demo.local"}

Service operations for *nix resources

The following service operations are performed at *nix resources on behalf of the local service account:

  • Checking of connection to resource
  • Searching for local accounts
  • Checking of local account passwords
  • Changing of local account passwords

Creating and configuring a service account

  1. Log in to resource.
  2. Run Terminal.

  3. Create a user, for example IPAMService:

    # adduser IPAMService

  4. Add the user to SUDO group

    # usermod -aG sudo IPAMService

Configuring a group of privileged accounts

Automatic searching and adding of Access accounts to Indeed PAM is performed based on their permission to execute a SUDO command. To grant the permission to execute SUDO command, you need to edit the /etc/sudoers file.

SSL Configuration for Indeed PAM components

Secure interaction will require certificates for servers that have Indeed PAM components installed. The certificates can be generated using the standard Machine template.

  • No labels