feat(pam): ad server resource & account #5464

Merged
x032205 merged 8 commits into main from pam/windows/ad-resource-and-account
Feb 13, 2026

x032205 (Member) commented Feb 12, 2026

Context

AD server resource & account

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

maidul98 (Collaborator) commented Feb 12, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|---|---|---|---|---|---|---|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

greptile-apps bot (Contributor) commented Feb 12, 2026

Greptile Overview

Greptile Summary

This PR adds support for Active Directory (AD) server resources and accounts to the PAM system. The implementation includes:

  • New AD resource type with LDAP connection validation and credential verification
  • Ability to associate Windows Server resources with an AD domain via adServerResourceId
  • New endpoint to list related resources belonging to an AD domain
  • Frontend forms for creating/managing AD resources and accounts
  • Proper permission checks and schema validation throughout

The code follows existing patterns in the PAM module and implements proper security measures including:

  • Input validation through zod schemas
  • Host input validation to prevent SSRF
  • Proper OR query grouping in database queries
  • Permission checks on all endpoints

Note that direct access to AD resources is currently disabled (only configuration is allowed).

Confidence Score: 4/5

  • This PR is safe to merge with minor considerations for documentation and testing
  • The implementation follows established patterns, includes proper security measures (input validation, permission checks, SQL injection prevention), and the LDAP integration is well-structured. The score is 4/5 due to recommendations around audit logging and verification of host validation logic for SSRF prevention.
  • Pay special attention to active-directory-resource-factory.ts for SSRF prevention verification

Important Files Changed

| Filename | Overview |
|---|---|
| backend/src/ee/services/pam-resource/active-directory/active-directory-resource-factory.ts | Implements Active Directory resource factory with LDAP connection validation and credential verification |
| backend/src/ee/services/pam-resource/pam-resource-service.ts | Added support for AD server resource relationships and listRelatedResources endpoint with proper permission checks |
| backend/src/ee/services/pam-resource/pam-resource-dal.ts | Added findByAdServerResourceId query method with proper SQL escaping |
| backend/src/ee/routes/v1/pam-resource-routers/pam-resource-endpoints.ts | Added endpoint for listing related resources for Active Directory domains |
| frontend/src/pages/pam/PamAccountsPage/components/PamAccountForm/ActiveDirectoryAccountForm.tsx | Added form for creating/editing Active Directory accounts with username/password credentials |
| frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/ActiveDirectoryResourceForm.tsx | Added form for creating/editing Active Directory resources with domain and DC address configuration |
| frontend/src/pages/pam/PamResourcesPage/components/PamResourceForm/WindowsResourceForm.tsx | Enhanced Windows resource form to optionally associate with an Active Directory domain |
| frontend/src/pages/pam/PamResourceByIDPage/components/PamResourceRelatedResourcesSection.tsx | Added UI section to display resources belonging to an Active Directory domain |
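
The review above asks for the host validation behind the LDAP connection check to be verified for SSRF prevention. The following TypeScript is an added example, not code from this PR or from Infisical: `checkDcAddress`, `blockedReason`, the hostnames and the blocked ranges are assumptions. It vets the addresses a DC host resolves to rather than the submitted string, and leaves RFC 1918 ranges allowed on the assumption that domain controllers sit on private networks.

```typescript
// Added example; the helper names and the blocked ranges are assumptions, not Infisical's code.
type Verdict = { ok: boolean; connectTo?: string; reason?: string };

// Parse a dotted-quad IPv4 address into four octets, or null if malformed.
function parseIPv4(s: string): number[] | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^(0|[1-9]\d{0,2})$/.test(p) ? Number(p) : -1));
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null;
}

// Reason an address must not be dialled, or null. Assumes the compressed
// textual form a resolver returns (e.g. "::1", "fe80::1").
function blockedReason(ip: string): string | null {
  const addr = ip.toLowerCase();
  const v4 = parseIPv4(addr.replace(/^::ffff:/, "")); // unwrap IPv4-mapped IPv6
  if (v4) {
    if (v4[0] === 0) return "unspecified";
    if (v4[0] === 127) return "loopback";
    if (v4[0] === 169 && v4[1] === 254) return "link-local / cloud metadata";
    return null; // RFC 1918 stays allowed: assumed home of real DCs
  }
  if (addr === "::" || addr === "::1") return "IPv6 unspecified/loopback";
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return "IPv6 link-local";
  return null;
}

const HOSTNAME = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

// `resolved` is what the host resolved to, passed in so the example runs offline.
function checkDcAddress(host: string, resolved: string[]): Verdict {
  const literal = parseIPv4(host) !== null;
  if (!literal && !HOSTNAME.test(host)) {
    return { ok: false, reason: "not a bare hostname or IPv4 literal" };
  }
  const addrs = literal ? [host] : resolved;
  if (addrs.length === 0) return { ok: false, reason: "did not resolve" };
  for (const a of addrs) {
    const why = blockedReason(a);
    if (why) return { ok: false, reason: `${a}: ${why}` };
  }
  // Connect to the vetted address, not the name, so a second lookup cannot differ.
  return { ok: true, connectTo: addrs[0] };
}
```

Inputs such as `127.1` pass the hostname syntax check but are caught once their resolved address is inspected, which is why the check runs on the resolved list and not on the string.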

@x032205 x032205 merged commit 4a9e703 into main Feb 13, 2026
12 of 13 checks passed