Chat now with support
Chat with Support

We are currently experiencing a OneLogin Outage within the US region, please consult https://www.onelogin.com/status for further details.

Password Manager 5.11.3 - Administration Guide (AD LDS Edition)

About Password Manager Getting Started Upgrading Password Manager Password Manager Architecture
Password Manager Components and Third-Party Solutions Typical Deployment Scenarios Password Manager in Perimeter Network Management Policy Overview Password Policy Overview reCAPTCHA Overview User Enrollment Process Overview Questions and Answers Policy Overview Data Replication Phone-Based Authentication Service Overview Configuring Management Policy
Management Policies
Checklist: Configuring Password Manager Understanding Management Policies Configuring Access to the Administration Site Configuring Access to the Self-Service Site Configuring Access to the Helpdesk Site Configuring Questions and Answers Policy Workflow overview Custom workflows Custom Activities Self-Service Workflows Helpdesk Workflows User Enforcement Rules
General Settings
General Settings Overview Search and Logon Options Import/Export Configuration Settings Outgoing Mail Servers Diagnostic Logging Scheduled Tasks Web Interface Customization Instance Reinitialization Realm Instances AD LDS Instance Connections Extensibility Features RADIUS Two-Factor Authentication Password Manager components and third-party applications Unregistering users from Password Manager Bulk Force Password Reset Working with Redistributable Secret Management account Email Templates
Password Policies Enable S2FA for Administrators and Enable S2FA for HelpDesk Users Reporting Appendix A: Accounts Used in Password Manager for AD LDS Appendix B: Open Communication Ports for Password Manager for AD LDS Appendix C: Customization Options Overview Appendix D: Feature imparities between the legacy and the new Self-Service Sites Glossary

AD LDS Instance Connections

This section provides information on creating, modifying, and using connections to AD LDS instances.

Using Connections to AD LDS Instances

On the General Settings|AD LDS Instance Connections tab of the Administration site, you can view a list of available connections.

To manage AD LDS instance with Password Manager you need to create a connection to the required AD LDS instance. When adding a connection you can select an existing connection or create a new one. It is possible to use the same connection in different sections: user and helpdesk scopes, and password policies.

You can add a connection to an AD LDS instance either on the AD LDS Instance Connections tab or from the User scope, Helpdesk scope, and Password Policies pages.

Note, that when you modify the connection on the User scope, Helpdesk scope or Password Policies pages, you can select how you want to apply the updated connection settings: either for the specified section only or everywhere where this connection is used. If you choose to update settings for the specified section only, a copy of the connection will be created with these settings and will be added to the list of available connections to AD LDS instances.

IMPORTANT: When you modify the connection on the AD LDS Instance Connections tab, the updated settings will be automatically applied everywhere where this connection is used.

If you want to remove the connection from the list on the AD LDS Instance Connections tab, you should first remove it from all sections where it is used, and only then remove the connection from the list.

Specifying Access Account for AD LDS Instance Connections

When creating a connection, you must specify an access account - an account under which Password Manager will access an AD LDS instance and a specified application directory partition. You can use the Password Manager Service account, an Active Directory account or an AD LDS account. These accounts must have the following minimum set of permissions:

  • Membership in the Domain Users group (for the Password Manager Service account and the Active Directory account only)
  • Membership in the Readers group in the application directory partition (for the AD LDS account only)
  • Membership in the Administrators group in the configuration directory partition
  • The Read permission for all attributes of user objects
  • The Write permission for the following attributes of user objects: pwdLastSet, comment, unicodePwd, lockoutTime, msDS-UserAccountDisabled
  • The right to reset user passwords
  • The permission to create user accounts and containers in the Users container
  • The Read permission for attributes of the organizationalUnit object and container objects
  • The Write permission for the gpLink attribute of the organizationalUnit objects and container objects
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers
  • The permission to create container objects in the System container
  • The permission to create the serviceConnectionPoint objects in the System container
  • The permission to delete the serviceConnectionPoint objects in the System container
  • The Write permission for the keywords attribute of the serviceConnectionPoint objects in the System container

If you want to use the same connection in password policies as well, make sure the account has the following permissions:

  • The Read permission for attributes of the groupPolicyContainer objects.
  • The Write permission to create and delete the groupPolicyContainer objects in the System Policies container.
  • The permission to create and delete container and the serviceConnectionPoint objects in Group Policy containers.
  • The Read permission for the attributes of the container and serviceConnectionPoint objects in Group Policy containers.
  • The Write permission for the serviceBindingInformation and displayName attributes of the serviceConnectionPoint objects in Group Policy containers.

To add connection

  1. On the home page of the Administration site, click the General Settings|AD LDS Instance Connections tab.
  2. Click Connect to AD LDS instance to add a connection.
  3. In the Connect to AD LDS Instance dialog, configure the following options:
    • In the Server name on which AD LDS instance is installed text box, type the name of the server to which you want to connect.
    • In the Port number (LDAP or SSL) text box, enter the port number that you specified when installing the AD LDS instance. If you select the Use SSL check box, enter the SSL port number; otherwise, LDAP port number. It is recommended to use SSL in your production environment.
    • In the Application directory partition text box, enter the name of the application directory partition from the AD LDS instance to which you want to connect.
    • In the Application directory partition alias text box, type the alias for the application directory partition which will be used to address the partition on the Self-Service site.
    • In the Access account section, select Password Manager Service account to have Password Manager access the AD LDS instance using the Password Manager Service account, otherwise, select The following Active Directory account or The following AD LDS account radio button and enter the required user name and password.
  4. Click Save.

    IMPORTANT: After you create a connection on the General Settings|AD LDS Instance Connections tab, you can use it in the user scope, helpdesk scope and password policies by selecting the connection in the Connect to AD LDS Instance dialog on the corresponding page of the Administration site. For example, to use the connection in the user scope of your Management Policy, open the user scope of this Management Policy, click Connect to AD LDS instance, and select the corresponding connection from the list.

Changing Access Account for AD LDS Instance Connections

To change access account

  1. On the home page of the Administration site, click the General Settings|AD LDS Instance Connections tab.
  2. Select the connection you want to modify and click Edit.
  3. In the Edit AD LDS Instance Connection dialog, select Password Manager Service account to have Password Manager access the managed instance using the Password Manager Service account. Otherwise, select The following Active Directory account or The following AD LDS account and then enter the required user name and password. Note, that the selected account should have the required permissions.
  4. Click Save. Note, that the updated settings will be applied everywhere where this connection is used.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating