CyberArk Sentry – PAM — Question 19
To enable LDAP over SSL for a Vault when DNS lookups are blocked, which step must be completed?
Answer options
- A. Add the FQDN & IP details for each LDAP host into the local hosts file of the Vault server.
- B. Configure an AllowNonStandardFWAddresses rule in DBParm.ini on the Vault to allow outbound TCP 53 to the organization’s DNS servers.
- C. Ensure LDAP hosts added to the directory mapping configuration are defined using only IP addresses.
- D. Set the ReferralsDNSLookup parameter value to “No” in the directory configuration.
Correct answer: A
Explanation
The correct answer is A: adding the FQDN and IP address of each LDAP host to the Vault server's local hosts file lets the Vault resolve LDAP hostnames without DNS. Option B does not fit the scenario, since the question specifies that DNS lookups are blocked, so opening outbound TCP 53 to DNS servers won't help. Option C does not address the requirement for SSL: defining hosts by IP address only avoids name resolution, but the SSL certificate check is normally made against the host's FQDN. Option D relates to referral handling, not hostname resolution.