Specifying an OpenLDAP Authentication Server
You can now use OpenLDAP for KeyControl-managed user accounts.
For Microsoft AD services, see Specifying an LDAP/AD Authentication Server.
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the General Settings section, click Authentication.
- In the Type drop-down, select LDAP.
- On the Domain tab, specify the options you want to use. When you are done, click Apply.

| Field | Description |
| --- | --- |
| Domain Name | The domain name to use for account authentication. You cannot specify multiple domain names. |
| Directory Service Type | Select OpenLDAP. |
| Service Account | The service account that KeyControl should use when logging into the OpenLDAP server. We recommend that you specify the account using the format `<CN>@<DOMAIN NAME>`. Important: OpenLDAP does not support the UPN parameter. Using the `<CN>@<DOMAIN NAME>` format allows you to import OpenLDAP users correctly into the provider's database; the users can then authenticate with the provider in KeyControl. |
| Service Account Password | The password for the Service Account. |
| UID Attribute | The Security Manager Account Name (sAMAccountName) for the user. |
- If you want to add or change a Domain Controller, go to the Domain Controllers tab. To add a controller, click the blue + (Plus) sign. You can add up to two domain controllers per KeyControl cluster. If you specify two domain controllers, make sure your primary controller appears first in this list. To edit an existing domain controller, select that controller and then click the edit button. You can specify the following basic options:

| Field | Description |
| --- | --- |
| Server URL | The LDAP server IP address or hostname. Select `ldap://` or `ldaps://` from the drop-down list and enter the URL in the text field. To include a port number, specify `:port` after the name. For example, `ldaps://10.238.66.33:389`. |
| STARTTLS | Enable this option if you want KeyControl to use the Transport Layer Security (TLS) protocol when communicating with the LDAP server. Note: This option is only available if the Server URL starts with `ldap://`. |
| CA Certificate | The certificate chain of all the Trusted Certificate Authorities that can verify the SSL certificate used by the domain controller. The CA certificate must be in Base64-encoded PEM format. KeyControl uses the CA certificate to verify the SSL certificate used by the LDAP server/Active Directory. If the CA certificate file you are uploading contains just the certificate of the root certificate authority, make sure that the SSL certificate used by the Domain Controller contains the entire chain of intermediate CA certificates. If you are using `ldaps://` or have selected the STARTTLS option for `ldap://`, click Load File and select the CA (Certificate Authority) certificate for the LDAP server. |

  If you want to specify advanced domain controller options, click Show Advanced Settings and specify the options you want to use.
| Field | Description |
| --- | --- |
| User Search Context | The Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl-managed account names that are authenticated through OpenLDAP. For performance reasons, the base DN should be as specific as possible. For example, `dc=ldapserver,dc=com`. |
| Group Search Context | The Distinguished Name (DN) of the node where the search for Security groups should start. This option applies to AD Security groups being associated with a Cloud Admin Group. |
| Timeout | If multiple domain controllers have been specified, this is the amount of time KeyControl should wait for a response before it re-sends the request to another domain controller. This option only applies to the TCP/LDAP request. It does not apply to the DNS request before the LDAP server has been successfully contacted. If the DNS server is down, KeyControl may take longer than the length of time specified here before it fails over to the next domain controller in the list or it considers the authentication request to have failed. |
- When you are finished, click Save & Close. KeyControl automatically verifies that it can reach the specified domain controller using the service account credentials you specified on the Domain tab.
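The procedure above states several constraints that the webGUI enforces only when you click Save & Close: the Server URL must use `ldap://` or `ldaps://` with an optional `:port`, STARTTLS is valid only with `ldap://`, a Base64 PEM CA chain is needed whenever TLS is in use (with a caveat when the bundle holds only the root CA), the Service Account should follow `<CN>@<DOMAIN NAME>`, and the search contexts are DNs. The script below is an added example, not KeyControl code or part of the Entrust documentation; it runs those checks offline on a dictionary whose key names (`server_url`, `starttls`, `ca_certificate`, `service_account`, `user_search_context`, `group_search_context`) are assumed to mirror the GUI fields, the default ports 389/636 are the usual LDAP/LDAPS defaults rather than values stated on the page, and the certificate and account values are constructed placeholders. It never contacts an LDAP server.

```python
"""Pre-flight checks for a KeyControl OpenLDAP domain-controller entry.

Added example, not part of the KeyControl documentation or product. It
encodes the constraints the page states so a configuration can be
sanity-checked before it is typed into the webGUI. Stdlib only.
"""
import base64
import re
import ssl
from urllib.parse import urlsplit

# Assumption: standard LDAP/LDAPS default ports (not stated on the page).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# <CN>@<DOMAIN NAME> as recommended for the Service Account field.
SERVICE_ACCOUNT_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+$")
# Minimal DN shape: attr=value(,attr=value)*, e.g. dc=ldapserver,dc=com.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_server_url(url):
    """Return (scheme, host, port) for an ldap:// or ldaps:// Server URL."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("Server URL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("Server URL has no host")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def pem_chain_length(pem_text):
    """Count certificates in a Base64-encoded PEM bundle; raise if a block is malformed."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem_text, re.S)
    if not blocks:
        raise ValueError("CA certificate is not Base64-encoded PEM")
    for block in blocks:
        ssl.PEM_cert_to_DER_cert(block)  # base64-decodes; raises on a broken block
    return len(blocks)


def check_domain_controller(dc):
    """Return a list of findings for one entry; an empty list means it is consistent."""
    findings = []
    try:
        scheme, _host, _port = parse_server_url(dc["server_url"])
    except ValueError as exc:
        return [f"Server URL: {exc}"]
    starttls = bool(dc.get("starttls"))
    if starttls and scheme != "ldap":
        findings.append("STARTTLS is only available when the Server URL starts with ldap://")
    uses_tls = scheme == "ldaps" or (scheme == "ldap" and starttls)
    if not uses_tls:
        findings.append("Plain ldap:// without STARTTLS: the service-account bind is sent unencrypted")
    ca = dc.get("ca_certificate")
    if uses_tls:
        if not ca:
            findings.append("CA Certificate is required for ldaps:// or STARTTLS")
        else:
            try:
                if pem_chain_length(ca) == 1:
                    findings.append("CA Certificate holds only one CA cert: the server's "
                                    "certificate must then carry the full intermediate chain")
            except ValueError as exc:
                findings.append(f"CA Certificate: {exc}")
    if not SERVICE_ACCOUNT_RE.match(dc.get("service_account", "")):
        findings.append("Service Account should use the <CN>@<DOMAIN NAME> format")
    for field in ("user_search_context", "group_search_context"):
        value = dc.get(field)
        if value and not DN_RE.match(value):
            findings.append(f"{field} is not a valid DN (expected e.g. dc=ldapserver,dc=com)")
    return findings


# Constructed sample inputs: the PEM body is a placeholder, not a real X.509 certificate.
FAKE_CERT = ("-----BEGIN CERTIFICATE-----\n"
             + base64.b64encode(b"constructed placeholder, not a real certificate").decode()
             + "\n-----END CERTIFICATE-----\n")
GOOD_DC = {
    "server_url": "ldaps://10.238.66.33:389",        # the page's own URL example
    "starttls": False,
    "ca_certificate": FAKE_CERT * 2,                 # root + intermediate
    "service_account": "svc-keycontrol@ldapserver.com",
    "user_search_context": "ou=people,dc=ldapserver,dc=com",
    "group_search_context": "ou=groups,dc=ldapserver,dc=com",
}
BAD_DC = dict(GOOD_DC, server_url="ldap://10.238.66.33",
              service_account="cn=svc,dc=ldapserver,dc=com",
              user_search_context="people")

if __name__ == "__main__":
    for name, dc in (("good", GOOD_DC), ("bad", BAD_DC)):
        print(name, check_domain_controller(dc) or "OK")
```

Run it before filling in the Domain Controllers tab; `BAD_DC` reports the cleartext bind, the non-UPN service account and the malformed search context, while `GOOD_DC` passes. The single-CA-certificate finding is deliberately a caveat rather than an error, matching the page: a root-only bundle works provided the server presents its intermediates.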
What to Do Next
You can now create a secrets vault or KMIP tenant using OpenLDAP. For more information, see: