Local Administrator Password Solutions (LAPS)

Active Directory/LDAP configuration

The computer objects in the LDAP directory (objectClass computer) must carry the following attributes:

  • dNSHostName - server name - must be identical with the server’s unique name specified when creating the server (refer to the section about server creation, e.g. Creating a TCP server),
  • sAMAccountName - login name on that server - must be identical with the account’s Login from the Credentials section (refer to the Creating a regular account section),
  • ms-Mcs-AdmPwd - password in plain text,
  • ms-Mcs-AdmPwdExpirationTime - password expiration date (optional).

Adding a new passwords repository

Note

To add a LAPS password repository in Fudo Enterprise, you have to provide the following AD/LDAP parameters:

  • URL to AD/LDAP server, e.g., ldaps://10.10.1.1:636/,
  • Base DN to AD/LDAP server, e.g., dc=company,dc=com,
  • Login and password to AD/LDAP server, e.g., cn=admin,dc=company,dc=com,
  • CA Certificate to validate SSL connection to AD/LDAP server.
  1. Select Settings > External passwords repositories.
  2. Click Add server.
  3. Select Local Administrator Password Solutions (LAPS) from the Type drop-down list.
  4. Specify the object’s name.
  5. Provide the URL to the password server’s API.

Note

Supported URL formats:

  • ldap://<server>[:<port>]/ - for connection using plain TCP (without encryption);
  • ldaps://<server>[:<port>]/ - for connection over SSL.

  6. Enter the login of a user allowed to access the passwords repository.
  7. Provide the user’s password in the Password and Repeat password fields.
  8. Provide the Base DN of the AD/LDAP server.
  9. Provide the SSL certificate if an LDAPS URL was specified in the URL field.

Warning

If the LDAPS protocol is used without providing an SSL Certificate, the server’s certificate will not be verified and any certificate will be accepted.

  10. Click Save.

  11. Assign the external password repository to an account.

    • Select Management > Accounts.
    • Browse objects and click an account to access the settings form.
    • In the Credentials section, select password from external repository from the Replace secret with drop-down list.
    • From the External passwords repository drop-down list, select one of the previously defined password repositories.
    • Click Save.

Note

The search for a given server/account is performed based on the following LAPS attributes, which must be set up according to the rules below:

  • dNSHostName - server name - has to match exactly the Fudo server’s unique name specified when creating the server (refer to the Creating a TCP server section),
  • sAMAccountName - login name on that server - has to match exactly the account’s Login from the Credentials section (refer to the Creating a regular account section).
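As an added example (not Fudo Enterprise’s own code), the following Python script performs the lookup the notes above describe: it parses the repository URL in the two supported formats, builds an escaped LDAP filter on dNSHostName and sAMAccountName inside the computer objectClass, reads ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime, and converts the expiration value from Windows FILETIME to a datetime. The tls_policy helper puts the weak setting the warning describes (LDAPS with no CA certificate, so no verification) beside the verifying one. The network part assumes the third-party ldap3 package; all function names are this example’s own, and the hostnames and values in the comments are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Legacy LAPS attribute names as listed on the page.
ATTR_PASSWORD = "ms-Mcs-AdmPwd"
ATTR_EXPIRY = "ms-Mcs-AdmPwdExpirationTime"
# Windows FILETIME epoch: 100-nanosecond ticks counted from 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_repo_url(url: str) -> Tuple[bool, str, int]:
    """Split 'ldap://<server>[:<port>]/' or 'ldaps://<server>[:<port>]/' into (use_ssl, host, port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"unsupported repository URL: {url!r}")
    use_ssl = parts.scheme == "ldaps"
    port = parts.port or (636 if use_ssl else 389)
    return use_ssl, parts.hostname, port


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a server name or login copied from the account form
    cannot change the structure of the search filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def build_laps_filter(dns_host_name: str, sam_account_name: str) -> str:
    """Filter on the two attributes the page says must match exactly."""
    return (
        "(&(objectClass=computer)"
        f"(dNSHostName={escape_filter_value(dns_host_name)})"
        f"(sAMAccountName={escape_filter_value(sam_account_name)}))"
    )


def filetime_to_datetime(filetime: int) -> datetime:
    """ms-Mcs-AdmPwdExpirationTime is stored as a FILETIME large integer."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_is_expired(expiry_filetime: Optional[int], now: Optional[datetime] = None) -> bool:
    """The expiration attribute is optional; a missing value is treated as not expired."""
    if expiry_filetime is None:
        return False
    now = now or datetime.now(timezone.utc)
    return filetime_to_datetime(expiry_filetime) <= now


def tls_policy(use_ssl: bool, ca_certs_file: Optional[str]) -> Optional[dict]:
    """Keyword arguments for ldap3.Tls, or None for plain ldap://.
    Without a CA file the server certificate is accepted unverified, which is
    exactly the situation the page's warning describes."""
    if not use_ssl:
        return None
    if ca_certs_file is None:
        return {"validate": ssl.CERT_NONE}          # weak: no verification
    return {"validate": ssl.CERT_REQUIRED,          # correct: chain to the configured CA
            "ca_certs_file": ca_certs_file}


def fetch_laps_password(url: str, bind_dn: str, bind_password: str, base_dn: str,
                        dns_host_name: str, sam_account_name: str,
                        ca_certs_file: Optional[str] = None) -> Tuple[str, Optional[datetime]]:
    """Bind to the repository and return (password, expiry or None).
    Uses the third-party ldap3 package (assumption); imported lazily so the
    helpers above run without it."""
    import ldap3

    use_ssl, host, port = parse_repo_url(url)
    tls_kwargs = tls_policy(use_ssl, ca_certs_file)
    tls = ldap3.Tls(**tls_kwargs) if tls_kwargs else None
    server = ldap3.Server(host, port=port, use_ssl=use_ssl, tls=tls)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    try:
        conn.search(base_dn, build_laps_filter(dns_host_name, sam_account_name),
                    attributes=[ATTR_PASSWORD, ATTR_EXPIRY])
        if len(conn.entries) != 1:
            raise LookupError(f"expected exactly one computer object, got {len(conn.entries)}")
        entry = conn.entries[0]
        password = str(entry[ATTR_PASSWORD].value)
        raw_expiry = entry[ATTR_EXPIRY].value if ATTR_EXPIRY in entry.entry_attributes else None
        expiry = filetime_to_datetime(int(raw_expiry)) if raw_expiry else None
        return password, expiry
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Constructed call matching the page's sample values; ca_certs_file=None
    # reproduces the unverified LDAPS connection the warning describes.
    pw, exp = fetch_laps_password("ldaps://10.10.1.1:636/", "cn=admin,dc=company,dc=com",
                                  "bind-password", "dc=company,dc=com",
                                  "srv01.company.com", "admin", ca_certs_file="/path/to/ca.pem")
    print("expired" if password_is_expired(None if exp is None else int((exp - _FILETIME_EPOCH).total_seconds() * 10**7)) else "valid")
```

Passing a CA file path to fetch_laps_password is what makes the ldaps:// connection verify the server certificate; with ca_certs_file left as None the lookup still succeeds, but against whatever certificate the peer presents. The LookupError on anything other than exactly one match guards against a duplicated dNSHostName returning the wrong machine's password.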

Editing a passwords repository

To edit a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find the repository definition and change its configuration as desired.
  3. Click Save.

Deleting a passwords repository

To delete a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find desired repository definition and select the Delete option.
  3. Click Save.

Note

You cannot delete a password repository definition if it is assigned to any account.
