Option to bypass or disable password verification on reset/heartbeat

0 vote

Hello,

Would it be possible to have an option for individual PAM credentials that prevents password verification from being performed after a password reset or during heartbeat checks? While it is possible to set an account to unmanaged, this subsequently prevents automated resets, which may be undesirable.

The use case scenario is for disabled accounts (e.g. a SQL sa account) that are occasionally enabled temporarily for a specific use, but also need regular password rotation. Currently, if an account is disabled and the password is reset using DVLS PAM, the credential shows a red icon indicating synchronization failed, which leads to confusion as to whether DVLS has the correct password.

Please let me know if you would like any additional info.

Thanks
Joe

All Comments (2)

Hi,

We’ve often been asked to become the single source of truth for privileged accounts, to go as far as creating them in the directory on request by our PAM. This could also mean disabling accounts while they are not in use.

That being said, we could look into better handling of that failure. For SQL specifically, I think that we are logging in to validate the password because there is no API for that specific purpose.

I will discuss this with the team and get back to you.

Maurice
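As an added illustration of the sa scenario in the original post and of the "we log in to validate the password" point above (this is example code written for this page, not DVLS or Devolutions code), the check below verifies an SQL Server login's password without ever logging in as that login. It runs the T-SQL function PWDCOMPARE() against sys.sql_logins.password_hash from a PAM service-account connection, and returns a separate status for "vault password correct but login disabled" so that case is not reported as a failed synchronization. Assumptions: the service account holds CONTROL SERVER (otherwise password_hash reads as NULL and the check reports that it cannot verify), Windows authentication to the instance, and the instance and login names used in the usage lines. PWDCOMPARE and sys.sql_logins cover SQL logins only, not Windows logins.

```powershell
# Added example (not DVLS/Devolutions code): verify an SQL Server login's password
# without logging in as that login, so a disabled login such as sa is not reported
# as "synchronization failed" when the vaulted password is in fact correct.
# Uses T-SQL PWDCOMPARE() against sys.sql_logins.password_hash. The checking
# connection must hold CONTROL SERVER, otherwise password_hash reads as NULL.
# Instance name, auth mode and the values in the usage lines are assumptions.

function Test-SqlLoginPassword {
    param(
        [Parameter(Mandatory)] [string]       $ServerInstance,  # assumed, e.g. 'sql01.corp.example'
        [Parameter(Mandatory)] [string]       $LoginName,       # login under test, e.g. 'sa'
        [Parameter(Mandatory)] [securestring] $Candidate        # password the vault currently holds
    )

    # Connect as the PAM service account (Windows auth assumed), never as the login under test.
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=master;Integrated Security=True;Encrypt=True")

    $cmd = $conn.CreateCommand()
    # Parameterised query: login name and candidate password never become SQL text.
    $cmd.CommandText = @"
SELECT is_disabled,
       CASE WHEN password_hash IS NULL THEN -1            -- caller lacks CONTROL SERVER
            ELSE PWDCOMPARE(@pwd, password_hash) END AS pwd_match
FROM sys.sql_logins
WHERE name = @name;
"@
    [void]$cmd.Parameters.Add('@name', [System.Data.SqlDbType]::NVarChar, 128)
    [void]$cmd.Parameters.Add('@pwd',  [System.Data.SqlDbType]::NVarChar, 128)
    $cmd.Parameters['@name'].Value = $LoginName
    $cmd.Parameters['@pwd'].Value  = [System.Net.NetworkCredential]::new('', $Candidate).Password

    try {
        $conn.Open()
        $rdr = $cmd.ExecuteReader()
        if (-not $rdr.Read()) { return 'LoginNotFound' }
        $disabled = [bool]$rdr['is_disabled']
        $match    = [int]$rdr['pwd_match']
    } finally {
        $cmd.Parameters['@pwd'].Value = $null   # drop the clear-text copy as early as possible
        $conn.Dispose()
    }

    if ($match -eq -1) { return 'NoPermissionToVerify' }   # cannot tell either way: do not flag as failed
    if ($match -eq 0)  { return 'OutOfSync' }              # vault password is wrong: this is the real alert
    if ($disabled)     { return 'InSyncButDisabled' }      # vault is correct; the login is just disabled
    return 'InSync'
}

# Usage (values constructed for illustration):
# $pw = Read-Host -AsSecureString 'Vaulted sa password'
# Test-SqlLoginPassword -ServerInstance 'sql01.corp.example' -LoginName 'sa' -Candidate $pw
```

The heartbeat decision is then made on the returned status: only OutOfSync should turn the credential red, while InSyncButDisabled can be shown as "disabled, password verified". Because the candidate password has to be sent to the server for PWDCOMPARE, the connection string forces encryption and the value is passed as a parameter rather than concatenated into the query.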

I have the same kind of request.
We have 2 AD user types we want to manage with PAM.
- Remote support users with password rotation: these accounts always have to be expired or disabled. When disabled, we get a constant heartbeat failure alert. Password rotation does keep working (luckily). PAM could enable these accounts on rotation or check-out, and disable them on check-in.
- Internal temporary server admin accounts: we only want to do temporary elevation on them. The passwords on these accounts are private and not to be set/reset by PAM. So the password is unknown, with heartbeat check failures as a result.

Kind regards,
Carlo.
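For the disabled AD accounts in the comment above, a login-style heartbeat does not have to report "failed" without further detail. This added example (written for this page, not DVLS or Devolutions code) performs a simple LDAP bind over LDAPS and reads the "data NNN" sub-code Active Directory places in the bind error text. AD evaluates the password before the account state, so a disabled account whose vaulted password is correct fails with 533 while a wrong password fails with 52e, and the two can be reported differently. Domain controller name, UPN and the usage values are assumptions; the DC's LDAPS certificate must be trusted by the host running the check.

```powershell
# Added example (not DVLS/Devolutions code): AD heartbeat by simple LDAP bind over LDAPS,
# distinguishing "password correct but account disabled" (data 533) from "wrong
# password" (data 52e). Domain controller, UPN and sample values are assumptions.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdAccountPassword {
    param(
        [Parameter(Mandatory)] [string]       $DomainController,   # assumed, e.g. 'dc01.corp.example'
        [Parameter(Mandatory)] [string]       $UserPrincipalName,  # e.g. 'rsupport01@corp.example'
        [Parameter(Mandatory)] [securestring] $Candidate           # password the vault currently holds
    )

    # A simple bind sends the password to the DC, so only ever do it over LDAPS (636).
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
    $ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $ldap.SessionOptions.SecureSocketLayer = $true
    $ldap.SessionOptions.ProtocolVersion   = 3
    $ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

    $cred = New-Object System.Net.NetworkCredential($UserPrincipalName,
                [System.Net.NetworkCredential]::new('', $Candidate).Password)
    try {
        $ldap.Bind($cred)
        return 'InSync'                       # bind succeeded: password correct, account usable
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Typical text: "... comment: AcceptSecurityContext error, data 533, v4563"
        $msg = $_.Exception.ServerErrorMessage
        if ($msg -match 'data ([0-9a-fA-F]+),') {
            switch ($Matches[1].ToLower()) {
                '52e' { return 'OutOfSync' }                # invalid credentials: vault password is wrong
                '533' { return 'InSyncButDisabled' }        # password accepted, account disabled
                '532' { return 'InSyncPasswordExpired' }    # password accepted, but it has expired
                '773' { return 'InSyncMustChangePassword' } # password accepted, change required at logon
                '701' { return 'InSyncAccountExpired' }     # password accepted, account expiry date passed
                '775' { return 'LockedOut' }                # reported before the password is evaluated
                '525' { return 'UserNotFound' }
                default { return "Other:$($Matches[1])" }
            }
        }
        throw   # some other LDAP failure (TLS, connectivity, ...): surface it, do not call it out-of-sync
    } finally {
        $ldap.Dispose()
    }
}

# Usage (values constructed for illustration):
# $pw = Read-Host -AsSecureString 'Vaulted password'
# Test-AdAccountPassword -DomainController 'dc01.corp.example' -UserPrincipalName 'rsupport01@corp.example' -Candidate $pw
```

Two caveats for anyone wiring this into a heartbeat: a bind is itself a logon attempt, so a heartbeat running with a genuinely wrong vault password counts towards the account lockout threshold on every run, and the 775 (locked out) result says nothing about whether the vaulted password is right, so it should be reported as "cannot verify" rather than as a sync failure. For the second account type in the comment, where PAM never knows the password, no bind-based check can succeed and the credential is better left unverified than heartbeat-checked.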