Changing the AD Server Configuration

You can change all AD server properties except the associated Cloud Admin group: once an AD server has been associated with a group, it cannot be re-associated with a different one. If you are using LDAPS, or LDAP with the STARTTLS option, you do not need to re-upload the AD server's CA certificate unless you change the Server URL or you enable STARTTLS on an existing LDAP connection.

  1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
  2. In the top menu bar, click Cloud.
  3. Navigate to the Active Directory tab.
  4. Click on the AD server you want to edit and select Actions > Edit Active Directory.
  5. In the Edit Active Directory Server dialog box, change the options you want to use.

    Field

    Description

    Cloud Admin Group

    The Cloud Administration group with which this AD server is associated. You cannot change the group association.

    Server URL

    The AD domain controller IP address or hostname. Select LDAP:// or LDAPS:// from the drop-down list and enter the controller's hostname or IP address in the text field. To include a port number, append :port to the name; for example, 10.238.66.33:389. The standard ports are 389 for LDAP:// and 636 for LDAPS://.

    KeyControl does not support multiple AD domain controllers defined in the same Server URL field. If you want to use multiple domain controllers, you need to add a separate entry for each controller.

    Important: Enter the URL of your AD domain controller, not the URL of a specific AD domain. If you use a specific AD domain, you may encounter authorization issues the next time you upgrade KeyControl.

    STARTTLS

    Enable this option if you want KeyControl to upgrade the LDAP:// connection to Transport Layer Security (TLS) after it is opened (STARTTLS); LDAPS:// instead uses TLS from the start of the connection. Without one of the two, traffic between KeyControl and the domain controller, including the Service Account bind, is not encrypted. If you select this option, you must upload a CA certificate for the AD server.

    Note: This option is only available if the Server URL starts with LDAP://.

    Service Account

    The AD account that KeyControl should use when logging into the AD server.

    Specify the account using one of the following formats:

    • Distinguished Name (DN). For example, CN=Administrator,CN=users,DC=hytrust,DC=com
    • User Principal Name (UPN). For example, administrator@hytrust.com.
    • Account username. For example, administrator.

    The account is often an administrative user, but it only needs read permission on the directory, so a dedicated read-only service account is preferable to a domain administrator.

    Service Account Password

    The password for the Service Account.

    CA Certificate

    If you changed the Server URL and you are using LDAPS:// or have selected the STARTTLS option for LDAP://, click Load File and select the CA certificate for the AD server.

  6. When you are done, click Save.
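As an added example (it is not KeyControl's code and does not appear in the original documentation), the following Python pre-flight check applies the field rules from the procedure above to a proposed Edit Active Directory Server configuration before you click Save: it parses the Server URL, rejects multiple controllers in one field, flags STARTTLS on an LDAPS:// URL, warns when neither LDAPS nor STARTTLS protects the connection, decides whether the CA certificate must be uploaded again (only when the Server URL changed or STARTTLS was newly enabled), and classifies the Service Account as a DN, UPN or plain username. The class and function names, the sample hosts and accounts, and the treatment of a path component in the URL as a domain rather than a controller URL are my assumptions.

```python
"""Pre-flight check for a KeyControl 'Edit Active Directory Server' change.

Hypothetical helper written for this page; it is not KeyControl code. It
applies the field rules from the procedure to a proposed configuration so
mistakes surface before you click Save.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LDAP_PORT, LDAPS_PORT = 389, 636  # standard ports, used when the field gives none


@dataclass
class ADServerConfig:
    server_url: str                    # e.g. "LDAPS://dc01.hytrust.com:636"
    starttls: bool                     # the STARTTLS checkbox
    service_account: str               # DN, UPN or plain username
    ca_cert_pem: Optional[str] = None  # uploaded CA file contents, or None


def parse_server_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port) for a Server URL field, or raise ValueError."""
    text = url.strip()
    if text.lower().count("://") != 1:
        raise ValueError("one controller per entry: LDAP://host[:port] or LDAPS://host[:port]")
    scheme, rest = text.split("://", 1)
    scheme = scheme.lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("Server URL must start with LDAP:// or LDAPS://")
    # Assumption: a path component means a domain/base-DN URL was pasted,
    # which the procedure warns against; the field wants the controller host.
    if "/" in rest:
        raise ValueError("enter the domain controller host, not a domain or base-DN URL")
    if re.search(r"[\s,;]", rest):
        raise ValueError("multiple controllers in one field are not supported; add one entry each")
    m = re.fullmatch(r"([A-Za-z0-9.\-]+)(?::(\d{1,5}))?", rest)  # IPv4 or hostname, no IPv6 literals
    if not m:
        raise ValueError(f"malformed host[:port]: {rest!r}")
    host, port = m.group(1), m.group(2)
    port = int(port) if port else (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return scheme, host, port


def transport_security(scheme: str, starttls: bool) -> str:
    """How the connection, and therefore the Service Account bind, is protected."""
    if scheme == "ldaps":
        return "tls"        # TLS from the first byte
    if starttls:
        return "starttls"   # plaintext connect, upgraded to TLS in-session
    return "cleartext"      # nothing protects the bind credentials on the wire


def account_format(account: str) -> str:
    """Classify the Service Account as 'dn', 'upn' or 'username' (the three accepted forms)."""
    a = account.strip()
    if re.fullmatch(r"[A-Za-z]+=[^,=]+(,[A-Za-z]+=[^,=]+)*", a):
        return "dn"         # CN=Administrator,CN=users,DC=hytrust,DC=com
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", a):
        return "upn"        # administrator@hytrust.com
    if re.fullmatch(r"[^@\s,=/\\]+", a):
        return "username"   # administrator
    raise ValueError(f"unrecognized Service Account format: {account!r}")


def ca_upload_needed(new: ADServerConfig, previous: Optional[ADServerConfig] = None) -> bool:
    """A CA certificate is needed for LDAPS or STARTTLS; when editing an existing
    entry, only if the Server URL changed or STARTTLS was newly enabled."""
    scheme, _, _ = parse_server_url(new.server_url)
    if transport_security(scheme, new.starttls) == "cleartext":
        return False
    if previous is None:          # a brand-new entry always needs the certificate
        return True
    url_changed = new.server_url.strip().lower() != previous.server_url.strip().lower()
    starttls_turned_on = new.starttls and not previous.starttls
    return url_changed or starttls_turned_on


def validate(new: ADServerConfig, previous: Optional[ADServerConfig] = None) -> List[str]:
    """Return the problems and warnings for a proposed configuration (empty list = OK)."""
    problems: List[str] = []
    scheme, host, port = parse_server_url(new.server_url)
    if new.starttls and scheme != "ldap":
        problems.append("STARTTLS is only available when the Server URL starts with LDAP://")
    if transport_security(scheme, new.starttls) == "cleartext":
        problems.append(f"warning: {host}:{port} will be used without TLS; "
                        "the Service Account bind is not encrypted")
    if ca_upload_needed(new, previous) and not new.ca_cert_pem:
        problems.append("upload the AD server's CA certificate (Load File) before saving")
    account_format(new.service_account)  # raises on an unrecognized form
    return problems


if __name__ == "__main__":
    # Constructed sample: the existing entry and a proposed edit that turns on STARTTLS.
    current = ADServerConfig("LDAP://10.238.66.33:389", False, "administrator@hytrust.com")
    proposed = ADServerConfig("LDAP://10.238.66.33:389", True, "administrator@hytrust.com")
    for problem in validate(proposed, current):
        print(problem)
```

Run against a copy of the current entry and the values you intend to save; an empty list from validate() means the fields are consistent with the rules above, while a non-empty list tells you what to change or upload first. The check is purely syntactic and does not contact the domain controller.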