AWS Simple AD

[blake....@evereve.com]

Is it possible to get PWM running on AWS Simple AD over port 389?

It seems to be returning an error requiring ldaps over port 636. Is it possible to bypass this step?

[jason.e...@gmail.com]

ldaps is needed to change passwords, that is not a pwm issue but a AD/Samaba mandate. Shouldn't be performing changes over an insecure protocol anyways, especially one over the net.

[blake....@evereve.com]

On Wednesday, May 15, 2019 at 7:21:27 PM UTC-5, jason....@gmail.com wrote:
> ldaps is needed to change passwords, that is not a pwm issue but a AD/Samaba mandate. Shouldn't be performing changes over an insecure protocol anyways, especially one over the net.

We're currently running Thycotic Password Reset Server in a private VPC, so we're not worried about access from the outside world. I'm just trying to figure out how that platform is allowing the changes over 389 and PWM throws up a hard "nope!"...

[jason.e...@gmail.com]

What profile did you choose in PWM? Simple AD is not Microsoft AD, it is samba4, you can try to use maybe openldap profile or any other which does allow insecure password changes and is why Thycotic works. If it only works on the AD profile then that is the reason, AD requires ldaps and pwm checks.

I am not too familiar with samba when it is working like an AD domain and its configuration but maybe it also allows insecure password changes. You can setup ldaps on simple ad pretty easily though, https://aws.amazon.com/blogs/security/how-to-configure-an-ldaps-endpoint-for-simple-ad/

[Jason Rivard]

PWM will work with Azure AD.   When working with AD on Windows Server or Azure AD, port 636 is required.  AD servers refuse to do password operations over non-secure ports.

[jason.e...@gmail.com]

He is using Amazon's Simple AD, it's not really Active Directory but a port/fork of Samba4's domain functionality.