Password Auto Changer

(Requires Enterprise+)

This feature allows a user to configure Password Server to automatically log in to a third-party system (called a Credential Host) and change its credentials.

Overview

After providing the initial credentials for the Host in a Password Server entry, a user can then:

  • Define a Credential Host
  • Connect to it with Password Server
  • Set a Schedule on which the credentials should be changed

At scheduled times, Password Server will:

  • Connect to the host,
  • Create a new randomized password based on the Password Profile set by the user, and finally,
  • Update the password stored in the server.

Supported Host Types

Auto Changer currently supports:

  • Active Directory
  • OpenLDAP
  • Linux, Unix, etc. (any *nix with passwd command available)

Set Up a Credential Host

A Credential Host must first be defined on a folder by going to 'Folder/Folder Actions/Password Auto Change'.

The dialog will show all the Credential Hosts currently configured for that folder and any parent folder up to the root.  Clicking Add Credential Host will show a list of fields to define a new Credential Host.

 

Fields in Credential Host Configuration

  • Name: A name for the host. It can be anything.
  • Password Profile: A profile that is used to generate new passwords. The Default profile is always available. New profiles can be defined on the Password Profiles page.
  • Schedule: Specifies the interval at which the passwords must be changed.
  • Address: The host server address (URL or IP)
  • Host Type: The type of host server that Password Server will log in to. Changing the Host Type will determine the remaining fields in the form.

Active Directory / OpenLDAP Fields

  • Alias: The directory identifying portion of a fully-qualified username (user@alias). This is used to resolve conflicts with local users or users from multiple directories. The Kerberos authentication method also uses the alias to create fully qualified names for authentication.
  • Port: The port number to use when connecting to the server. Port 389 is commonly used (636 when SSL is selected).
  • UseSSL: Whether or not the connection uses SSL. Connecting using SSL requires a valid SSL certificate.
  • Authentication Type: The authentication method used when connecting to a server. Active Directory normally uses Microsoft Negotiate. Other LDAP servers may use Basic or Kerberos, depending on how they are configured.

Unix Fields

  • Port: The port number to use when connecting to the Unix server. Communication with a Unix Host occurs over SSH, which uses port 22 by default.

 

Note: After a Credential Host is defined, it cannot be modified for security reasons. It can, however, be removed and recreated by a permitted user.  Credential Hosts can also be added from 'Entry/Actions/Password Auto Change' (see below).  Adding a Credential Host there will add it to the Folder containing the Entry instead.

Assigning a Credential Host to an Entry

In order for Password Auto Changer to update a credential on a Credential Host, that credential's username and password must first be saved in an Entry on Password Server.  The Entry must be in the Folder which has the Credential Host defined or one of its subfolders.  Additionally, if the credential is from an Active Directory or OpenLDAP Host, its distinguished name must be specified in the Distinguished Name (AD/LDAP) field (click Advanced Fields to reveal it).

 

Once the Entry and the Credential Host are configured, the Credential Host must be selected in the Entry from Actions/Password Auto Change.

From there, all the Credential Hosts inherited by the Entry will be available for selection.  Selecting the Host that the credential in the Entry belongs to will schedule it to be changed when the Password Auto Change runs for that Host.

Each Folder or Entry can only have one Credential Host selected at a time. Credential Hosts can also be selected from 'Folder Actions/Password Auto Change'.

Note: Selecting a Host from 'Folder Actions/Password Auto Change' will select it for all Entries in the Folder and its Subfolders.  This may result in previously selected Credential Hosts being changed.
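
Because a Credential Host cannot be edited once it is defined, it is worth checking the planned field values and the Entry's placement before creating it. The following is an added example, not part of Password Server or its documentation: the dictionary layout, the `Folder` path strings and the function names are assumptions made for illustration, and "Basic" is assumed to mean an LDAP simple bind.

```python
# Added example (not Password Server code): pre-flight checks for a planned
# Credential Host and an Entry that will select it. Keys mirror the form
# field names on this page; "Folder" path strings are an assumed notation.
DIRECTORY_TYPES = {"Active Directory", "OpenLDAP"}

def check_host(host):
    """Return findings for a Credential Host definition."""
    findings = []
    if host["Host Type"] not in DIRECTORY_TYPES:
        return findings  # Unix hosts only add a Port field (SSH, 22 by default)
    ssl, port = host.get("UseSSL", False), host.get("Port")
    auth = host.get("Authentication Type")
    if ssl and port == 389:
        findings.append("UseSSL is set but Port is 389; 636 is the usual SSL port")
    if not ssl and port == 636:
        findings.append("Port is 636 but UseSSL is off")
    if auth == "Basic" and not ssl:
        # Assumption: Basic is a simple bind, which is unencrypted without SSL.
        findings.append("Basic authentication without SSL sends the password in cleartext")
    if auth == "Kerberos" and not host.get("Alias"):
        findings.append("Kerberos uses Alias to build fully qualified names; Alias is empty")
    return findings

def check_entry(entry, host):
    """Return findings for an Entry that is about to select this host."""
    findings = []
    host_folder = host["Folder"].rstrip("/")
    entry_folder = entry["Folder"].rstrip("/")
    inherited = (entry_folder == host_folder
                 or entry_folder.startswith(host_folder + "/"))
    if not inherited:
        findings.append("Entry is not in the host's Folder or one of its subfolders")
    if host["Host Type"] in DIRECTORY_TYPES and not entry.get("Distinguished Name"):
        findings.append("Distinguished Name (AD/LDAP) is empty")
    if not entry.get("Username") or not entry.get("Password"):
        findings.append("Initial username and password are not saved in the Entry")
    return findings

# Constructed sample data, not taken from a real deployment.
HOST = {"Name": "corp-ldap", "Folder": "/Infra/Directory", "Host Type": "OpenLDAP",
        "Address": "ldap.example.test", "Port": 389, "UseSSL": False,
        "Authentication Type": "Basic", "Alias": "example.test"}
ENTRY = {"Folder": "/Infra/Web", "Username": "svc-backup",
         "Password": "initial-secret", "Distinguished Name": ""}

if __name__ == "__main__":
    for finding in check_host(HOST) + check_entry(ENTRY, HOST):
        print("WARN:", finding)
```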
