Configuring Active Directory Vault Authentication
By default the vault is configured for local authentication. You can change the authentication method as required.
This topic explains how to configure Active Directory authentication.
To configure Active Directory vault authentication
- Sign in to the vault.
- Select the Settings icon at the top right of the vault page.
- From General Settings, select Authentication.
- From the Authentication Type menu, select LDAP.
- On the Domain tab, enter the following:
  Domain Name: The domain name for the service account.
  Directory Service Type: Select Microsoft AD if you are using Microsoft Active Directory. Select OpenLDAP for all non-Microsoft directory services.
  Service Account Name: The name of the service account for the given domain. For example: Administrator. The vault only binds with this account to search user and group objects, so a dedicated account with read-only directory access is sufficient and preferable to a domain administrator account.
  Service Account Password: The password for the service account.
  UID Attribute: The Security Account Manager account name attribute (sAMAccountName) for the user. This is the attribute of the user or group object that is queried during the search. For OpenLDAP directories the equivalent attribute is typically uid.
- Click Apply to save the changes.
- Continue to the Domain Controllers tab. To add a controller, select +. The Add Domain Controller window appears. Enter the following details:
  Server URL: The LDAP server IP address or hostname. From the menu, select LDAP:// or LDAPS://, then enter the domain name or IP address in the text field. To include a port number, enter <ip-address>:<port>. Prefer LDAPS:// (or STARTTLS with LDAP://) so that the service account password and user credentials are not sent in clear text.
  CA Certificate: The certificate chain of all the Trusted Certificate Authorities that can verify the SSL certificate used by the domain controller. The CA certificate must be in Base64-encoded PEM format. KeyControl Vault uses the CA certificate to verify the SSL certificate used by the LDAP server/Active Directory. If the CA certificate file you are uploading contains only the certificate of the root certificate authority, make sure that the SSL certificate presented by the Domain Controller includes the entire chain of intermediate CA certificates. If you are using LDAPS:// or selected STARTTLS for LDAP://, select Browse, then navigate to and select the CA (Certificate Authority) certificate for the LDAP server.
  User Search Context (Base DN): The Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl Vault-managed account names that are authenticated through LDAP. For performance reasons, the base DN should be as specific as possible. For example: dc=ldapserver,dc=com
  Group Search Context (Base DN): The Distinguished Name (DN) of the node where the search for Security groups should start. This option applies to AD Security groups being associated with a Cloud Admin Group.
  Timeout: The time in seconds to wait before connecting to an alternate domain controller. If multiple domain controllers are specified, this is the amount of time KeyControl Vault waits for a response before it re-sends the request to another domain controller. This option only applies to the TCP/LDAP request. It does not apply to the DNS request made before the LDAP server has been successfully contacted. If the DNS server is down, KeyControl Vault may take longer than the time specified here before it fails over to the next domain controller in the list or considers the authentication request to have failed.
- Select Save and Close, then close the General Settings window.
- To add an Active Directory group, go to the Security tab and select Groups.
- On the Members tab, select Active Directory Group. Type the first three letters of the group name to fetch matching groups from the AD server, then select the group.
- Sign out of the vault and sign in as an Active Directory user.
- To add a single Active Directory user, go to the Security tab and select KeyControl Managed Users.
- From Actions, select Create User and enter the following details:
  Full Name: A full name may only contain alphanumeric characters, hyphens (-), underscores (_), periods (.), apostrophes (') and spaces, and must be less than 256 characters.
  Email: The user's Active Directory email address.
  Account Decay Time: The period after the user's last login before the account decays and is treated as inactive. The maximum is 10 years.
  Account Enabled: Select this check box to enable the user account. Clear it if you do not want to enable the account yet.
- Select Next and change the authentication type to LDAP.
- Select Next. From the list of groups, select the group to which you want to add the user and select the add icon. The user is granted privileges according to the selected group, and the selected group is displayed in Available Groups. If you want to add the user to more than one group, select and add multiple groups. To add the user to the selected group(s), select the add icon.
- Select Create.
- Sign out of the vault and sign in using the user's email address.
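The script below is an added example, not part of this page or of KeyControl Vault. It reproduces, outside the vault, the checks a practitioner wants before saving the Domain Controllers and UID Attribute settings above: it parses the Server URL form, inspects the PEM bundle to be uploaded as the CA Certificate (root-only bundles are flagged per the guidance above), performs a verified TLS handshake against an ldaps:// controller using only that bundle, and builds an escaped search filter on the UID Attribute plus the matching ldapsearch command for the service account and base DN. It assumes the Python 3.8+ standard library and, for the printed command, the OpenLDAP ldapsearch client; dc01.corp.example, svc-keycontrol@corp.example, the base DNs and the PEM text in SAMPLE_BUNDLE are constructed placeholders.

```python
"""Pre-flight checks for the Domain Controller settings (added example, not
KeyControl Vault code). Hostnames, account names, base DNs and SAMPLE_BUNDLE
are constructed placeholders; ldapsearch is the OpenLDAP client."""
import re
import shlex
import socket
import ssl
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# Constructed stand-in for a CA bundle: two PEM blocks with placeholder bodies.
# Not real certificates; only the block structure is inspected.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MIIBplaceholderRootCA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderIssuingCA==
-----END CERTIFICATE-----
"""

def parse_server_url(server_url):
    """Split a Server URL value such as ldaps://dc01.corp.example:636 into
    (scheme, host, port); the port defaults to 389 for ldap:// and 636 for ldaps://."""
    parts = urlsplit(server_url)
    scheme = parts.scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("Server URL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("Server URL needs a hostname or IP address")
    return scheme, parts.hostname, parts.port or (636 if scheme == "ldaps" else 389)

def count_pem_certs(pem_text):
    """Number of Base64 PEM certificate blocks in the file to be uploaded."""
    return len(PEM_BLOCK.findall(pem_text))

def chain_advice(pem_text):
    """Apply the CA Certificate guidance: a root-only bundle only works if the
    domain controller itself sends every intermediate certificate."""
    n = count_pem_certs(pem_text)
    if n == 0:
        return "no PEM certificate found: convert a DER file to Base64 PEM before uploading"
    if n == 1:
        return ("root-only bundle: confirm the domain controller's SSL certificate chain "
                "includes every intermediate CA, or add the intermediates to this file")
    return "bundle contains %d certificates (root plus intermediates)" % n

def escape_filter_value(value):
    """RFC 4515 escaping. Without it a typed value such as 'x)(cn=*' would
    change the meaning of the search filter (LDAP filter injection)."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(account_name, uid_attribute="sAMAccountName"):
    """Exact match on the UID Attribute; pass uid_attribute='uid' for OpenLDAP."""
    return "(&(objectClass=user)(%s=%s))" % (uid_attribute, escape_filter_value(account_name))

def group_prefix_filter(prefix):
    """The 'first three letters' group lookup from the Groups tab as a filter."""
    return "(&(objectClass=group)(sAMAccountName=%s*))" % escape_filter_value(prefix)

def ldapsearch_command(server_url, bind_identity, base_dn, ldap_filter):
    """argv for ldapsearch reproducing the vault's bind-then-search with the same
    service account and base DN. Export LDAPTLS_CACERT=<your CA file> first so the
    client verifies the server with the bundle you are about to upload."""
    scheme, host, port = parse_server_url(server_url)
    cmd = ["ldapsearch", "-x", "-H", "%s://%s:%d" % (scheme, host, port),
           "-D", bind_identity, "-W", "-b", base_dn]
    if scheme == "ldap":
        cmd.append("-ZZ")  # require STARTTLS; never send the bind password in clear text
    return cmd + [ldap_filter, "dn", "sAMAccountName"]

def check_tls(server_url, cafile, timeout=5.0):
    """Handshake with an ldaps:// controller using only the CA bundle to be uploaded,
    with chain and hostname verification on, so an incomplete chain fails here
    rather than at the first vault login."""
    scheme, host, port = parse_server_url(server_url)
    if scheme != "ldaps":
        raise ValueError("this check covers ldaps:// only; use ldapsearch -ZZ for STARTTLS")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    subject = dict(rdn[0] for rdn in cert["subject"])
    return "verified %s:%d, CN=%s, expires %s" % (host, port, subject.get("commonName"), cert["notAfter"])

if __name__ == "__main__":
    import sys
    url, cafile, bind_identity, base_dn = sys.argv[1:5]
    with open(cafile) as f:
        print(chain_advice(f.read()))
    print(check_tls(url, cafile))
    print(shlex.join(ldapsearch_command(url, bind_identity, base_dn, user_filter("jdoe"))))
```

Run it as, for example, python3 check_dc.py ldaps://dc01.corp.example:636 ca.pem svc-keycontrol@corp.example dc=corp,dc=example (the file name and arguments are placeholders), then paste the printed ldapsearch command to confirm the service account can bind and that a known user is found under the User Search Context. Use the controller's DNS name rather than its IP address in the Server URL: certificate name verification against an IP address only succeeds if the domain controller's certificate carries a matching IP subject alternative name.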