Resource Discovery

Akeyless Resource Discovery imports and manages all domain and local Users as Rotated Secrets in the Akeyless Platform, while domain Servers are imported as SSH Targets in Akeyless.

The discovery process searches for domain Users and migrates them as LDAP Rotated Secrets from the given LDAP Target (e.g., Active Directory), based on the User Base DN, Domain Name, and Privileged Users Groups.

The LDAP Target should contain a privileged domain User that has permission to perform the following:

  • Run LDAP search queries

  • Change domain users' passwords

  • Connect to Windows and Linux domain servers (through NTLM and SSH)

  • Install OpenSSH.Server via Windows features

  • Search for local users and change their passwords

On Windows servers where SSH is not installed, the migration will try to install the OpenSSH.Server Windows feature over the NTLM protocol with SSL.

📘

Active Directory migration compatibility

The OpenSSH server is available as a supported Feature-on-Demand in Windows Server 2022, Windows Server 2019, and Windows 10 (build 1809 and later).

Set Up Automatic Migration for Active Directory

To create the migration from your Active Directory, log in to your Gateway on port 8000, navigate to Automatic Migration -> Active Directory, and set the following:

  • Name - A unique name for the migration object.

  • Target - Select an existing LDAP Target in Akeyless, where the Server type should be Active Directory.

  • Destination Folder - Destination folder path inside the Akeyless Platform for the migrated items. Make sure your Gateway has enough permissions to create items under this location. All migrated items, both Targets and Rotated Secrets of your Domain Servers and domain\local Users, will be saved under this folder.

  • Domain Name - Active Directory Domain Name.

  • User Base DN - Distinguished Name of the User objects to search in Active Directory (e.g., CN=Users,DC=example,DC=com).

  • Domain User Name Template - A template for the created items, where the imported Domain Users will be saved as Rotated Secrets inside the Akeyless Platform, e.g., /DomainUsers/{{USERNAME}}. The Destination Folder is used as the prefix of this path.

  • Search in Privileged Users Groups - Comma-separated list of domain groups from which privileged domain users will be migrated.

  • Discover Local Users - Enable/Disable discovering local users on each domain server and migrating them as SSH Rotated Secrets. Default is false: only domain users will be migrated.

🚧

Note:

Discover Local Users might require further installations of SSH on the servers, based on the supplied Computer Base DN. This will be done automatically by the migration process.

  • Computer Base DN - Distinguished Name of the Computer (server) objects to search in Active Directory, e.g., CN=Computers,DC=example,DC=com.

  • Target Name Template - A template for the created items, where the imported Domain Servers will be saved as SSH Targets inside the Akeyless Platform, e.g., /Servers/{{COMPUTER_NAME}}. The Destination Folder is used as the prefix of this path.

  • Local User Name Template - A template for the created items, where the imported Local Users will be saved as Rotated Secrets inside the Akeyless Platform, e.g., /LocalUsers/{{COMPUTER_NAME}}/{{USERNAME}}. The Destination Folder is used as the prefix of this path.

  • Ignore the Following Local Users - Comma-separated list of Local Usernames to exclude while migrating.

  • SSH Port - Set the default SSH port for connecting to the Domain Servers (default 22).

  • Enable SRA - Enable/Disable RDP Secure Remote Access setup for the migrated local users via the Rotated Secrets. Default is Disabled: the Rotated Secrets will not be created with SRA configuration. Available only for accounts with the SRA package.

  • Auto Rotate - Enable/Disable automatic/recurring rotation for the migrated secrets. Default is Disabled: only manual rotation is allowed for migrated secrets. If Enabled, this should be set together with the rotation-interval and rotation-hour settings.
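The following is an added illustration, not Akeyless code, of what the settings above mean in practice: it builds the kind of LDAP search filter a privileged-user lookup needs (with RFC 4515 escaping so a group name containing filter metacharacters cannot alter the query), scopes entries to the User Base DN and Computer Base DN, renders the name templates under the Destination Folder, and applies the ignore list. The directory entries, the exact item-creation rules (SSH Targets whenever a Computer Base DN is given, local users only when Discover Local Users is enabled) and the dict-based entry format are all assumptions made for the example.

```python
"""Added illustration (not Akeyless code) of the discovery planning step.

Given the migration settings described on this page and a constructed
snapshot of directory entries, work out which Rotated Secrets and SSH
Targets the migration would create.
"""
from dataclasses import dataclass, field

# RFC 4515: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def privileged_user_filter(group_dns: list[str]) -> str:
    """Filter for user objects that are direct members of any listed group."""
    clauses = "".join(f"(memberOf={escape_filter_value(g)})" for g in group_dns)
    return f"(&(objectCategory=person)(objectClass=user)(|{clauses}))"


def _rdns(dn: str) -> list[str]:
    # Simplified DN split: assumes no escaped commas inside an RDN.
    return [part.strip().lower() for part in dn.split(",")]


def in_subtree(dn: str, base_dn: str) -> bool:
    """True when dn lies at or below base_dn (what a subtree search returns)."""
    d, b = _rdns(dn), _rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def item_path(destination_folder: str, template: str, **names: str) -> str:
    """Render a {{NAME}} template and prefix it with the Destination Folder."""
    rendered = template
    for key, value in names.items():
        rendered = rendered.replace("{{" + key + "}}", value)
    return destination_folder.rstrip("/") + "/" + rendered.lstrip("/")


@dataclass
class MigrationSettings:  # mirrors the fields listed on this page (assumed names)
    destination_folder: str
    user_base_dn: str
    privileged_groups: list[str]
    domain_user_template: str = "/DomainUsers/{{USERNAME}}"
    computer_base_dn: str = ""
    target_template: str = "/Servers/{{COMPUTER_NAME}}"
    discover_local_users: bool = False
    local_user_template: str = "/LocalUsers/{{COMPUTER_NAME}}/{{USERNAME}}"
    ignored_local_users: list[str] = field(default_factory=list)


def plan_migration(settings, users, computers, local_users_by_host):
    """Return the item paths the migration would create (assumed semantics)."""
    plan = {"rotated_secrets": [], "ssh_targets": []}
    groups = {g.lower() for g in settings.privileged_groups}
    for user in users:
        if not in_subtree(user["dn"], settings.user_base_dn):
            continue  # outside the User Base DN
        if not any(m.lower() in groups for m in user.get("memberOf", [])):
            continue  # not in any privileged group
        plan["rotated_secrets"].append(item_path(
            settings.destination_folder, settings.domain_user_template,
            USERNAME=user["sAMAccountName"]))
    if not settings.computer_base_dn:
        return plan
    ignored = {n.lower() for n in settings.ignored_local_users}
    for computer in computers:
        if not in_subtree(computer["dn"], settings.computer_base_dn):
            continue
        host = computer["sAMAccountName"].rstrip("$")  # machine accounts end in $
        plan["ssh_targets"].append(item_path(
            settings.destination_folder, settings.target_template, COMPUTER_NAME=host))
        if not settings.discover_local_users:
            continue
        for local in local_users_by_host.get(host, []):
            if local.lower() in ignored:
                continue  # listed under "Ignore the Following Local Users"
            plan["rotated_secrets"].append(item_path(
                settings.destination_folder, settings.local_user_template,
                COMPUTER_NAME=host, USERNAME=local))
    return plan


# Constructed sample directory snapshot (not real data).
SAMPLE_USERS = [
    {"dn": "CN=alice,CN=Users,DC=example,DC=com", "sAMAccountName": "alice",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=bob,CN=Users,DC=example,DC=com", "sAMAccountName": "bob",
     "memberOf": ["CN=Domain Users,CN=Users,DC=example,DC=com"]},
    {"dn": "CN=carol,OU=Contractors,DC=example,DC=com", "sAMAccountName": "carol",
     "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=com"]},  # outside User Base DN
]
SAMPLE_COMPUTERS = [
    {"dn": "CN=FS01,CN=Computers,DC=example,DC=com", "sAMAccountName": "FS01$"},
    {"dn": "CN=DC01,OU=Domain Controllers,DC=example,DC=com", "sAMAccountName": "DC01$"},
]
SAMPLE_LOCAL_USERS = {"FS01": ["Administrator", "backup", "Guest"]}


def example_plan() -> dict:
    settings = MigrationSettings(
        destination_folder="/Migrated/AD",
        user_base_dn="CN=Users,DC=example,DC=com",
        privileged_groups=["CN=Domain Admins,CN=Users,DC=example,DC=com"],
        computer_base_dn="CN=Computers,DC=example,DC=com",
        discover_local_users=True,
        ignored_local_users=["Guest"],
    )
    return plan_migration(settings, SAMPLE_USERS, SAMPLE_COMPUTERS, SAMPLE_LOCAL_USERS)


if __name__ == "__main__":
    print(privileged_user_filter(["CN=Domain Admins,CN=Users,DC=example,DC=com"]))
    for kind, paths in example_plan().items():
        print(kind, paths)
```

Two things the example makes visible that the field descriptions alone do not: an entry in a privileged group but outside the User Base DN (carol) is never migrated, so the base DN is an effective scoping control; and the filter only matches direct `memberOf` membership, so nested group members would need a recursive membership lookup to be discovered.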