Local Administrator Password Solutions (LAPS)

Note

Only the Legacy version of Microsoft LAPS is currently supported. In some environments, LAPS functionality may be entirely unavailable.

Active Directory/LDAP configuration

The LDAP server must provide the following attributes on objects of the computer objectClass:

  • dNSHostName - server name - must be identical to the server’s unique name specified when creating the server (refer to the section on creating servers, e.g. Creating a TCP server),
  • sAMAccountName - login name on that server - must be identical to the account’s Login from the Credentials section (refer to the Creating a regular account section),
  • ms-Mcs-AdmPwd - password in plain text,
  • ms-Mcs-AdmPwdExpirationTime - password expiration date (optional).

Adding a new passwords repository

Note

To add a LAPS password repository in Fudo Enterprise, you have to provide the following AD/LDAP parameters:

  • URL to AD/LDAP server, e.g., ldaps://10.10.1.1:636/,
  • Base DN to AD/LDAP server, e.g., dc=company,dc=com,
  • Login and password to AD/LDAP server, e.g., cn=admin,dc=company,dc=com,
  • CA Certificate to validate SSL connection to AD/LDAP server.
  1. Select Settings > External passwords repositories.
  2. Click Add password repository.
  3. Specify the object’s name.
  4. Provide the URL to the passwords server’s API.

Note

The supported URL format is ldaps://<server>[:<port>]/ for connection over SSL.

  5. In the Server certificate field, click the Get certificate button to obtain it from the provider’s server.

Warning

If the LDAPS protocol is used without an SSL certificate provided, the SSL connection is not verified and is accepted as is.

  6. Select the LAPS button in the Type section.
  7. Enter the login of the user allowed to access the passwords repository.
  8. Provide the user’s password in the Password field.
  9. Provide the Base DN to the AD/LDAP server.
  10. Click Save.

  11. Assign the external password repository to an account.

    • Select Management > Accounts.
    • Browse objects and click an account to access the settings form.
    • In the Credentials section, in the Replace secret with field, select the Repository button.
    • From the Passwords repository drop-down list, select one of the previously defined password repositories.
    • Click Save.

Note

The lookup for a given server/account is based on the following LAPS attributes, which must be set according to the rules below:

  • dNSHostName - server name - has to match exactly the Fudo server’s unique name specified when creating the server (refer to the Creating a TCP server section),
  • sAMAccountName - login name on that server - has to match exactly the account’s Login from the Credentials section (refer to the Creating a regular account section).
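
The matching rules above, together with the attribute list under Active Directory/LDAP configuration, can be checked before a repository is assigned to accounts. The Python below is an added example, not code from Fudo Enterprise or from this documentation: it validates a constructed LDIF export of computer objects, and it assumes that "match exactly" means case-sensitive string equality; the host names, the password placeholder and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: LDIF export of two computer objects (values are placeholders).
SAMPLE_LDIF = """\
dn: CN=SRV-DB01,OU=Servers,DC=company,DC=com
objectClass: computer
dNSHostName: srv-db01.company.com
sAMAccountName: administrator
ms-Mcs-AdmPwd: CONSTRUCTED-PLACEHOLDER-1
ms-Mcs-AdmPwdExpirationTime: 133801632000000000

dn: CN=SRV-WEB01,OU=Servers,DC=company,DC=com
objectClass: computer
dNSHostName: SRV-WEB01.company.com
sAMAccountName: administrator
"""

def parse_ldif(text):
    """Split simple (unfolded, non-base64) LDIF into one dict per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, value)  # keep the first value of each attribute
        entries.append(entry)
    return entries

def filetime_to_utc(value):
    """AD timestamps count 100 ns intervals since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

def check_pair(entries, server_name, login, now):
    """Return findings for one server name / account login pair; [] means OK."""
    for e in entries:
        # Assumption: "match exactly" is treated as case-sensitive equality.
        if e.get("dNSHostName") == server_name and e.get("sAMAccountName") == login:
            findings = []
            if not e.get("ms-Mcs-AdmPwd"):
                findings.append("ms-Mcs-AdmPwd missing or not readable by the bind user")
            expiry = e.get("ms-Mcs-AdmPwdExpirationTime")  # optional attribute
            if expiry and filetime_to_utc(expiry) < now:
                findings.append("password expired")
            return findings
    # No exact match: report an entry that differs only by letter case, if any.
    near = [e["dn"] for e in entries
            if e.get("dNSHostName", "").lower() == server_name.lower()
            and e.get("sAMAccountName", "").lower() == login.lower()]
    return ["no exact match" + (f"; differs only by case: {near[0]}" if near else "")]
```

An empty result for every server/account pair means each pair resolves to a computer object that carries a readable, unexpired password.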

Editing a passwords repository

To edit a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Locate the repository definition and click on its name to edit its configuration as needed.
  3. Click Save.

Deleting a passwords repository

To delete a passwords repository definition, proceed as follows.

  1. Select Settings > External passwords repositories.
  2. Find the desired repository definition, select it, and click the Delete selected button.
  3. Click Save.

Note

You cannot delete a password repository definition if it is assigned to any account.
