A PAM remote worker node is a PAM node with the Job Engine application installed, but not the main PAM GUI/API application.
In the context of this Ansible project, the following terms are used:
The main reason to deploy PAM remote worker nodes is to align the deployment of PAM with the topology and security boundaries of the network, as in the following scenario. Installing a PAM remote worker node in each remote network provides these advantages:
PAM remote worker nodes integrate with a PAM farm through the PAM API. User account configuration for remote worker integration is an important design consideration when deploying a PAM farm.
The default behavior of this Ansible project is to create a single local user, remote.user, on all PAM master nodes and use that account to integrate all remote worker nodes into the farm.
This is suitable only for simple PAM deployments with a single remote worker, or where trust boundaries between remote workers are not a concern.
A more advanced PAM remote worker deployment strategy is as follows:
Set the ldap_user_worker attribute on each remote worker host in the Ansible inventory, like this:

[pam_master]
pam-master1.corp.net
pam-master2.corp.net

[pam_remote]
pam-remote1.corp.net ldap_user_worker=pam-remote1
pam-remote2.corp.net ldap_user_worker=pam-remote2

[pam_worker]
pam-worker1.corp.net ldap_user_worker=pam-worker1
pam-worker2.corp.net ldap_user_worker=pam-worker2

The ldap_user_worker attribute may also be set in Ansible host_vars files.
This must be done before deploying the PAM farm with Ansible. With this configuration in place, each remote worker uses a unique AD account for API integration, and permissions can be set on PAM records or vaults to restrict which jobs each worker is allowed to run.
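The value of the per-worker strategy depends on every worker actually having its own, distinct ldap_user_worker account; a worker without one, or two workers sharing one, collapses the trust boundary the record and vault permissions are meant to enforce. The following script is an added example, not part of this Ansible project: it parses a simple INI inventory in the layout shown above (a constructed sample is embedded) and reports any host in the pam_remote or pam_worker groups that lacks ldap_user_worker or reuses another worker's value. The group names and the attribute name are taken from the inventory above; the parser is deliberately minimal and handles only host lines and [group] headers.

```python
"""Check an Ansible INI inventory for the one-account-per-worker convention."""
import shlex

# Constructed sample inventory (assumption: same layout as the inventory shown above).
SAMPLE_INVENTORY = """
[pam_master]
pam-master1.corp.net
pam-master2.corp.net

[pam_remote]
pam-remote1.corp.net ldap_user_worker=pam-remote1
pam-remote2.corp.net ldap_user_worker=pam-remote2

[pam_worker]
pam-worker1.corp.net ldap_user_worker=pam-worker1
pam-worker2.corp.net ldap_user_worker=pam-worker2
"""

# Groups whose hosts integrate with the farm through the PAM API.
WORKER_GROUPS = ("pam_remote", "pam_worker")


def parse_inventory(text):
    """Return {group: {host: {var: value}}} for a simple INI-style inventory."""
    groups = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            # [group:vars] and [group:children] sections carry no host entries.
            current = None if ":" in name else name
            if current:
                groups.setdefault(current, {})
            continue
        if current is None:
            continue  # ungrouped hosts and vars/children sections are outside this check
        tokens = shlex.split(line)
        host, hostvars = tokens[0], {}
        for tok in tokens[1:]:  # inline host variables: key=value
            if "=" in tok:
                key, value = tok.split("=", 1)
                hostvars[key] = value
        groups[current][host] = hostvars
    return groups


def check_worker_accounts(groups, var="ldap_user_worker"):
    """Return a list of findings; an empty list means every worker has its own account."""
    findings = []
    seen = {}  # account -> first host that claimed it
    for group in WORKER_GROUPS:
        for host, hostvars in groups.get(group, {}).items():
            account = hostvars.get(var)
            if not account:
                findings.append(f"{host}: no {var} set")
                continue
            if account in seen:
                findings.append(f"{host}: {var}={account} is already used by {seen[account]}")
            else:
                seen[account] = host
    return findings


if __name__ == "__main__":
    problems = check_worker_accounts(parse_inventory(SAMPLE_INVENTORY))
    for p in problems:
        print("FINDING:", p)
    print("ok: every worker has a distinct account" if not problems else f"{len(problems)} finding(s)")
```

Run it against a real inventory by replacing SAMPLE_INVENTORY with the file's contents; a clean run before `ansible-playbook` confirms that no worker will integrate under a shared or duplicated identity.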