Use PAM with Multiple ADS Domains
PAM must be configured on each Provisioning Server individually. Each PAM module only handles the authentication for the Provisioning Server where it is installed.
PAM allows a comma-delimited list of ADS domains to be added to the etapam_id.conf file.
To use PAM with multiple ADS domains
- Ensure that the user account, specified as the user the Provisioning Server service logs on with, has the Act as Part of the Operating System privilege. If you need to add this privilege to the user, you must restart this service.
- Ensure that enable=yes appears in the etapam_id.conf file.
- Add a comma-delimited list of ADS domains to the domain= setting in the etapam_id.conf file. These domains must be trusted by the domain in which Provisioning Server is installed, or be its own local domain. The following is an example:
domain=LocalDomain,Trusted1,Trusted2
CA IdentityMinder attempts to authenticate to each listed domain until it is successful.
- Copy etapam_id.conf from the PSHOME\PAM\ADSMultiDomain directory to PSHOME\PAM.
- Copy etapam.dll from the PSHOME\PAM\ADSMultiDomain directory to PSHOME\bin.
- Restart the Provisioning Server service to make the Provisioning Server aware of any changes that were made to etapam_id.conf.
- Log in with a user name that is both a CA IdentityMinder Global User name and an ADS account name in one of the ADS domains specified in etapam_id.conf. Use the account's ADS password, not its Global User password. The Global User must have the Provisioning Server administrative privileges that are necessary for the user's purpose.
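Because authentication is attempted against every listed domain, each entry in domain= widens the set of ADS accounts that can log in, so the list is worth checking before the service is restarted. The following PowerShell check is an added example, not part of the product or this guide; it assumes etapam_id.conf holds plain key=value lines as shown above, and the function name and approved-domain list are hypothetical.

```powershell
# Added example: audit the two etapam_id.conf settings this procedure relies on.
# Assumption: plain key=value lines, as in "enable=yes" and
# "domain=LocalDomain,Trusted1,Trusted2" on this page.
function Test-EtapamConf {
    param(
        [string[]] $Lines,            # file content, one element per line
        [string[]] $ApprovedDomains   # hypothetical allowlist that you maintain
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $enable = $null
    $domainValues = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*enable\s*=(.*)$') { $enable = $Matches[1].Trim() }
        elseif ($line -match '^\s*domain\s*=(.*)$') { $domainValues += $Matches[1] }
    }
    if ($enable -ne 'yes') { $findings.Add("enable is '$enable', expected 'yes'") }
    if ($domainValues.Count -eq 0) { $findings.Add('no domain= setting found') }
    if ($domainValues.Count -gt 1) { $findings.Add('more than one domain= line') }

    $domains = @()
    foreach ($value in $domainValues) {
        foreach ($entry in ($value -split ',')) {
            $name = $entry.Trim()
            if ($name -eq '') { $findings.Add('empty entry in domain list (stray comma)'); continue }
            if ($name -ne $entry) { $findings.Add("whitespace around '$name'") }
            if ($domains -contains $name) { $findings.Add("duplicate domain '$name'") }
            elseif ($ApprovedDomains -notcontains $name) { $findings.Add("domain '$name' is not on the approved list") }
            $domains += $name
        }
    }
    [pscustomobject]@{ Enabled = ($enable -eq 'yes'); Domains = $domains; Findings = $findings.ToArray() }
}

# Constructed sample content (not a real configuration).
$sample = @('enable=yes', 'domain=LocalDomain,Trusted1,,Lab9')
$result = Test-EtapamConf -Lines $sample -ApprovedDomains 'LocalDomain', 'Trusted1', 'Trusted2'
$result.Findings

# For a real file, pass (Get-Content <path to etapam_id.conf>) as -Lines.
# In PowerShell, $PSHOME is PowerShell's own install directory, not the
# Provisioning Server PSHOME used in this guide, so give the full path.
```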
Copyright © 2013 CA.
All rights reserved.