Specifying an LDAP/AD Authentication Server
For KeyControl-managed user accounts, you can use any LDAP server. If you want to specify AD-managed Security groups whose members will have Cloud Admin access to the VMs registered with KeyControl, you must specify a Windows Active Directory (AD) server.
KeyControl uses the same settings for both local account authentication and AD Security group authentication. You can specify up to two AD domain controllers for failover, but both controllers must manage the same AD domain.
- Log into the KeyControl webGUI using an account with Security Admin privileges.
- In the top menu bar, click Settings.
- In the General Settings section, click Authentication.
- In the Type drop-down, select LDAP.
- On the Domain tab, specify the options you want to use. When you are done, click Apply.

  | Field | Description |
  | --- | --- |
  | Domain Name | The domain name to use for account authentication. You cannot specify multiple domain names. |
  | Service Account | The AD account that KeyControl should use when logging into the AD server. Specify the account using one of the following formats: Distinguished Name (DN), for example `CN=Administrator,CN=users,DC=hytrust,DC=com`; User Principal Name (UPN), for example `administrator@hytrust.com`; or account username, for example `administrator`. The AD account is usually an administrative user, and it can have read-only permissions on the AD server. |
  | Service Account Password | The password for the Service Account. |
  | UID Attribute | The Security Manager Account Name (sAMAccountName) for the user. |
- If you want to add or change a Domain Controller, go to the Domain Controllers tab. To add a controller, click the blue + (Plus) sign. You can add up to two domain controllers per KeyControl cluster.

  If you specify two domain controllers, make sure your primary controller appears first in this list. KeyControl always tries to authenticate an AD user through the first domain controller listed.

  To edit an existing domain controller, select that controller and then click the edit button. You can specify the following basic options:

  | Field | Description |
  | --- | --- |
  | Server URL | The LDAP server IP address or hostname. Select `ldap://` or `ldaps://` from the drop-down list and enter the URL in the text field. To include a port number, specify `:port` after the name. For example, `ldaps://10.238.66.33:389`. |
  | STARTTLS | Enable this option if you want KeyControl to use the Transport Layer Security (TLS) protocol when communicating with the LDAP server. Note: This option is only available if the Server URL starts with `ldap://`. |
  | CA Certificate | If you are using `ldaps://` or have selected the STARTTLS option for `ldap://`, click Load File and select the CA (Certificate Authority) certificate for the LDAP server. The certificate must be in Base64-encoded PEM format. |

  If you want to specify advanced domain controller options, click Show Advanced Settings and specify the options you want to use.

  | Field | Description |
  | --- | --- |
  | User Search Context | The Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl-managed account names that are authenticated through LDAP. For performance reasons, the base DN should be as specific as possible. For example, `dc=ldapserver,dc=com`. |
  | Group Search Context | The Distinguished Name (DN) of the node where the search for Security groups should start. This option applies to AD Security groups being associated with a Cloud Admin Group. |
  | Timeout | If multiple domain controllers have been specified, this is the amount of time KeyControl should wait for a response before it re-sends the request to another domain controller. This option only applies to the TCP/LDAP request. It does not apply to the DNS request before the LDAP server has been successfully contacted. If the DNS server is down, KeyControl may take longer than the length of time specified here before it fails over to the next domain controller in the list or it considers the authentication request to have failed. |
- When you are finished, click Save & Close. KeyControl automatically verifies that it can reach the specified domain controller using the service account credentials you specified on the Domain tab.
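As an added pre-flight check (example code written for this page, not part of KeyControl), the following Python applies the rules from the tables above to a proposed configuration before you click Save & Close: it parses the Server URL, classifies the Service Account format, flags STARTTLS on a non-`ldap://` URL, flags a controller that would send the service account password without TLS, and confirms a Base64 PEM CA certificate is present whenever TLS is in play. The finding texts and the sample PEM body are constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit

# Findings returned by the checks below (wording is this example's, not KeyControl's).
STARTTLS_NEEDS_LDAP = "STARTTLS is only available when the Server URL starts with ldap://"
NO_TLS = "no TLS: the service account password would cross the network unprotected"
CA_MISSING = "TLS is enabled but no Base64-encoded PEM CA certificate is loaded"

# Constructed sample: PEM markers around a short valid-Base64 body (not a real certificate).
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 "MIIBszCCAVmgAwIBAgIUQUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
                 "-----END CERTIFICATE-----\n")

def parse_server_url(url):
    """Split a Server URL into (scheme, host, port); port is None when omitted."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError("Server URL must look like ldap://host[:port] or ldaps://host[:port]")
    return parts.scheme, parts.hostname, parts.port

def service_account_format(account):
    """Classify a Service Account value as one of the three formats the Domain tab accepts."""
    if re.match(r"(CN|OU|DC)=", account, re.IGNORECASE):
        return "DN"
    if re.fullmatch(r"[^@\s]+@[^@\s]+", account):
        return "UPN"
    if re.fullmatch(r"[^@\s,=]+", account):
        return "username"
    raise ValueError("Service Account must be a DN, a UPN or a plain account username")

def is_pem_certificate(text):
    """True if text carries PEM CERTIFICATE markers around a body that decodes as Base64."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text or "", re.S)
    if not m:
        return False
    try:
        base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False

def check_domain_controller(url, starttls=False, ca_pem=None):
    """Return the findings for one Domain Controllers entry, following the rules in the tables above."""
    scheme, _, _ = parse_server_url(url)
    findings = []
    if starttls and scheme != "ldap":
        findings.append(STARTTLS_NEEDS_LDAP)
    tls = scheme == "ldaps" or starttls   # ldaps://, or ldap:// upgraded with STARTTLS
    if not tls:
        findings.append(NO_TLS)
    elif not is_pem_certificate(ca_pem):
        findings.append(CA_MISSING)
    return findings

def check_controllers(controllers):
    """Cluster-wide rules: one or two controllers; the first listed is the one tried first."""
    if not 1 <= len(controllers) <= 2:
        raise ValueError("KeyControl accepts at most two domain controllers per cluster")
    return [(c["url"], check_domain_controller(c["url"], c.get("starttls", False), c.get("ca_pem")))
            for c in controllers]
```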