Configuring Active Directory for the KeyControl Vault for Databases

By default the vault is configured for local authentication. You can change the authentication method as required.

  1. Log into the KeyControl Vault for Databases webGUI.
  2. In the top menu bar, click Settings.
  3. In the General Settings section, click Authentication.
  4. On the Authentication page, select LDAP as the Authentication Type.

  5. On the Domain tab, enter:

    Field

    Description

    Domain Name

    Enter the domain name for the service account.

    Directory Service Type

    If you plan to use Microsoft AD directory services, select Microsoft AD.

    Select OpenLDAP for all non-Microsoft AD directory services.

    Service Account Name

    Enter the name of the service account for the given domain, for example Administrator. Because the account only needs read access (see below), a dedicated least-privilege account is preferable to a domain administrator account.

    The service account needs read-only access to users and groups in the domain and in any subdomain that is used.

    Note: Both the service account name and the password are required.

    Service Account Password

    Enter the password for the service account.

    UID Attribute

    Enter the attribute of the user or group object that is queried during a search. For Microsoft AD this is normally the Security Account Manager account name (sAMAccountName).
  6. Click Apply to save the changes.

  7. Click the Domain Controllers tab.

    To add a controller, select +. The Add Domain Controller window appears.

    Add the following details:

    Field

    Description

    Server URL

    Select LDAP:// or LDAPS://, then enter the host name or IP address of the domain controller.

    To use a non-default port, enter <ip-address>:<port>. The standard ports are 389 for LDAP and 636 for LDAPS.

    STARTTLS

    If you selected LDAP://, check this box to use STARTTLS, which upgrades the plain LDAP connection to TLS on the same port. Without LDAPS or STARTTLS, the service account password is sent in clear text during the bind.

    Note: This option is not available if you selected LDAPS://, because that connection is already encrypted.

    CA Certificate

    The certificate chain of the trusted Certificate Authorities that can verify the certificate presented by the domain controller. The file must be in Base64-encoded PEM format. If the file contains only the root CA certificate, make sure the certificate presented by the domain controller includes the entire chain of intermediate CA certificates; otherwise verification fails and the connection is rejected.

    Click Load File to select the CA certificate that you want to use.

    User Search Context (Base DN)

    Enter the Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl-managed account names that are authenticated through LDAP.

    For performance reasons, the base DN should be as specific as possible: a container such as ou=Users,dc=ldapserver,dc=com is searched faster than the domain root.

    For example, dc=ldapserver,dc=com.

    Group Search Context (Base DN)

    Enter the Distinguished Name (DN) of the node where the search for Security groups should start. This option applies to AD Security groups being associated with a Cloud Admin Group.

    Timeout

    Set the timeout in seconds before connecting to an alternate domain controller.

    If multiple domain controllers are specified, this is the amount of time KeyControl waits for a response before it re-sends the request to another domain controller.

    This option only applies to the TCP/LDAP request. It does not apply to the DNS request before the LDAP server has been successfully contacted. If the DNS server is down, KeyControl may take longer than the length of time specified here before it fails over to the next domain controller in the list or it considers the authentication request to have failed.

  8. Click Save and Close.
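The values entered on the Domain and Domain Controllers tabs are easy to get subtly wrong (STARTTLS ticked together with LDAPS://, a DER file uploaded instead of PEM, a base DN with a typo). The following Python script is an added example, not Entrust code, that checks such a configuration offline before it is typed into the GUI, and also shows how the UID attribute (sAMAccountName) ends up inside the LDAP search filter that an LDAP-authenticating application sends under the User Search Context, with RFC 4515 escaping of the login name. The dictionary keys, function names and the placeholder PEM block are this example's own assumptions; KeyControl's internal checks and filter format are not documented here.

```python
"""Offline pre-flight checks for LDAP/AD settings (added example, not Entrust code)."""
import base64
import re
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # standard LDAP / LDAPS ports
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
# Simplified DN syntax: rdn(,rdn)*; escaped commas inside values are not handled.
_DN = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")

# Constructed placeholder: a minimal DER SEQUENCE, NOT a real certificate.
CONSTRUCTED_CA_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def parse_server_url(url):
    """Split 'ldaps://dc1.example.com:636' into (scheme, host, port); a missing
    port falls back to the standard port for the scheme."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"Server URL must be ldap://host or ldaps://host: {url!r}")
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]


def check_ca_pem(pem_text):
    """Return (certificate_count, problems) for a CA file: every PEM block must
    be valid Base64 and decode to a DER SEQUENCE (tag 0x30). A count of 1 means
    only the root is present, so the DC itself must send the intermediates."""
    blocks = _PEM_BLOCK.findall(pem_text)
    if not blocks:
        return 0, ["CA file has no 'BEGIN CERTIFICATE' block (DER is not accepted)"]
    problems = []
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:              # binascii.Error is a ValueError subclass
            problems.append(f"certificate {i} is not valid Base64")
            continue
        if not der.startswith(b"\x30"):
            problems.append(f"certificate {i} does not decode to a DER SEQUENCE")
    return len(blocks), problems


def check_controller(cfg):
    """Return a list of problems for one Domain Controller entry, mirroring the
    constraints in the table above (this example's policy, not KeyControl's)."""
    problems = []
    scheme, _host, _port = parse_server_url(cfg["server_url"])
    starttls = bool(cfg.get("starttls", False))
    encrypted = scheme == "ldaps" or starttls
    if scheme == "ldaps" and starttls:
        problems.append("STARTTLS is not available with ldaps://")
    if not encrypted:
        problems.append("plain ldap:// without STARTTLS sends the bind password in clear text")
    if encrypted and not cfg.get("ca_pem"):
        problems.append("TLS in use but no CA certificate supplied; the DC cannot be verified")
    if cfg.get("ca_pem"):
        problems.extend(check_ca_pem(cfg["ca_pem"])[1])
    for key in ("user_base_dn", "group_base_dn"):
        if not _DN.match(cfg.get(key, "")):
            problems.append(f"{key} is not a valid DN: {cfg.get(key)!r}")
    if int(cfg.get("timeout", 0)) <= 0:
        problems.append("timeout must be a positive number of seconds")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied login name cannot change the
    structure of the search filter (LDAP injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(uid_attribute, login_name):
    """Filter an LDAP-authenticating application would send under the User
    Search Context to locate the object whose UID attribute equals the login."""
    return f"(&(objectClass=user)({uid_attribute}={escape_filter_value(login_name)}))"


def verify_ldaps_chain(host, port, ca_pem_path, timeout=5):
    """Network check (needs a reachable DC, so it is not run by the tests): open
    a TLS connection and verify the DC's certificate against the CA file. Raises
    ssl.SSLCertVerificationError when the DC omits required intermediates."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    sample = {"server_url": "ldaps://dc1.example.com", "ca_pem": CONSTRUCTED_CA_PEM,
              "user_base_dn": "ou=Users,dc=example,dc=com",
              "group_base_dn": "ou=Groups,dc=example,dc=com", "timeout": 10}
    print("problems:", check_controller(sample))
    print(user_search_filter("sAMAccountName", "jdoe"))
```

Run the script with the values you intend to enter; an empty problem list means the entry is self-consistent, after which `verify_ldaps_chain("dc1.example.com", 636, "ca.pem")` confirms, from a host with network access, that the uploaded CA file actually validates what the domain controller presents.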

If you want to add an Active Directory Group, complete the following: 

  1. From the KeyControl Vault for Databases webGUI, in the top menu bar, click Security.
  2. Click the Groups tab.

  3. Select Actions > Create Group.

  4. On the Group tab, enter the name of the group and click Next.

  5. On the Active Directory Groups tab, type at least the first three letters of the group name; matching group names are fetched from the AD server, and you select the one to associate.

  6. Click Next.

  7. On the KeyControl Managed User Members tab, select the managed users that you want to assign and click the right arrow icon.

  8. Click Create.