Configuring Active Directory for the KeyControl Vault for Secrets
By default the vault is configured for local authentication. You can change the authentication method as required.
- Log into the KeyControl Vault for Secrets webGUI.
- Select the Settings icon at the top right of the vault page.
- On the Authentication tab, select LDAP as the authentication type.
- To configure Active Directory or LDAP, click Setup.
  You are asked to confirm that you want to continue configuring Active Directory authentication. Once configured, local authentication cannot be reinstated unless the vault is rescued (see Rescuing a Vault).
- Click OK.
  The Configure AD Authentication dialog box appears.
- On the Domain tab, enter the following:

  | Field | Description |
  |---|---|
  | Domain Name | Enter the domain name for the service account. |
  | Domain Netbios Name | Enter the NetBIOS name or subdomain of the DNS domain. |
  | Directory Service Type | If you plan to use Microsoft AD directory services, select Microsoft AD. Select OpenLDAP for all non-Microsoft AD directory services. |
  | UID attribute | Enter the UID attribute: the attribute of the user or group object that holds the login name and is queried during search. For example: sAMAccountName (the Security Account Manager account name). Note: The UID attribute is not used when the LDAP connection is tested. If the test passes but authentication fails, make sure this attribute is correct. |

  Click Configure Service Account and enter the following:

  | Field | Description |
  |---|---|
  | Service Account Name | Enter the name of the service account for the given domain. For example: Administrator. The service account needs read-only access to users and groups on the domain and any subdomain that is used. Note: The service account name and password are optional; however, if you do not enter them, you cannot use autocomplete and must manually enter all AD names. |
  | Service Account Password | Enter the password for the service account. |

- Click Continue.
- On the Domain Controllers tab, click the + icon to add a controller.
  You can add up to two domain controllers per KeyControl cluster. If you specify two domain controllers, make sure your primary controller appears first in this list. KeyControl always tries to authenticate an AD user through the first domain controller listed.
  To edit an existing domain controller, select that controller and select the edit button.
  For each domain controller, specify the following:

  | Field | Description |
  |---|---|
  | Server URL | Select LDAP:// or LDAPS://, then enter the domain name or IP address. To include a port number, enter `<ip-address>:<port>`. |
  | STARTTLS | If you selected LDAP, check the checkbox if you want to use LDAP over TLS. Note: This is not available if you selected LDAPS. |
  | CA Certificate | The certificate chain of all the trusted Certificate Authorities that can verify the SSL certificate used by the domain controller. The CA certificate must be in Base64-encoded PEM format. If the CA certificate file you are uploading contains only the root CA certificate, make sure that the SSL certificate used by the domain controller contains the entire chain of intermediate CA certificates. Click Browse to select the CA certificate that you want to use. |
  | User Search Context (Base DN) | Enter the Distinguished Name (DN) of the node where the search for users should start. This option applies to KeyControl-managed account names that are authenticated through LDAP. For performance reasons, the base DN should be as specific as possible. For example: `dc=ldapserver,dc=com` |
  | Group Search Context (Base DN) | Enter the Distinguished Name (DN) of the node where the search for security groups should start. This option applies to AD security groups being associated with a Cloud Admin Group. |
  | Timeout | Set the timeout in seconds before connecting to an alternate domain controller. If multiple domain controllers are specified, this is the amount of time KeyControl waits for a response before it re-sends the request to another domain controller. This option only applies to the TCP/LDAP request; it does not apply to the DNS lookup made before the LDAP server has been contacted. If the DNS server is down, KeyControl may take longer than the time specified here before it fails over to the next domain controller in the list or considers the authentication request to have failed. |
- Click Add. The domain controller is added to the list.
- Click the + icon to add an additional controller; otherwise, click Continue.
- On the Admin tab, select User or Group and enter the details:

  User
  - User Name (UPN): Enter the user's Active Directory User Principal Name.
  - Email: Enter an email address for the user.

  Group
  - Group Name: Enter the group's Active Directory name.

  Rescue User (for Group only)
  - User Name (UPN): Enter the Active Directory User Principal Name for the rescue user.
  - Email: Enter an email address for the rescue user.

- Select Apply.
  You are logged out and need to sign in with the Active Directory credentials to set up the vault.
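The following is an added example, not code from the KeyControl documentation or product: an offline pre-flight check in Python that applies the rules from the Domain Controllers tab (LDAP or LDAPS server URL with optional port, STARTTLS only with LDAP, a Base64 PEM CA chain whenever TLS is used, DN-shaped search contexts, a positive timeout, and at most two controllers per cluster) to proposed settings before they are typed into the dialog. The DomainController holder class, the sample host names and the placeholder certificate text are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit
# One PEM certificate block; used only to count entries in the uploaded CA chain file.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Loose LDAP DN check: attr=value pairs joined by commas, e.g. dc=ldapserver,dc=com.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,=]+(,[A-Za-z][\w-]*=[^,=]+)*$")

@dataclass
class DomainController:           # hypothetical holder for one Domain Controllers tab entry
    server_url: str               # "ldap://host[:port]" or "ldaps://host[:port]"
    starttls: bool = False        # only meaningful with ldap://
    ca_cert_pem: str = ""         # Base64 PEM chain of the trusted CAs
    user_base_dn: str = ""
    group_base_dn: str = ""
    timeout: int = 10             # seconds before failing over to the next controller

def check_controller(dc):
    """Return findings for one controller entry; an empty list means it is consistent."""
    findings = []
    url = urlsplit(dc.server_url)
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append("Server URL must be ldap:// or ldaps:// followed by a domain name or IP address")
    try:
        url.port  # raises ValueError when the :port suffix is not a valid number
    except ValueError:
        findings.append("Server URL port is not a valid number")
    if dc.starttls and url.scheme == "ldaps":
        findings.append("STARTTLS is not available with LDAPS")
    if url.scheme == "ldaps" or dc.starttls:
        n_certs = len(PEM_CERT_RE.findall(dc.ca_cert_pem))
        if n_certs == 0:
            findings.append("TLS is selected but no Base64 PEM CA certificate was supplied")
        elif n_certs == 1:
            findings.append("CA file holds only the root: the controller's certificate must send the intermediates")
    elif url.scheme == "ldap":
        findings.append("Plain LDAP without STARTTLS sends the service account password in clear text")
    for label, dn in (("User", dc.user_base_dn), ("Group", dc.group_base_dn)):
        if not DN_RE.match(dn):
            findings.append(f"{label} Search Context is not a valid base DN")
    if dc.timeout <= 0:
        findings.append("Timeout must be a positive number of seconds")
    return findings

def check_config(controllers):
    """Cluster-level rule: one or two controllers, listed with the primary first."""
    if not 1 <= len(controllers) <= 2:
        return ["A KeyControl cluster takes one or two domain controllers"]
    return [f"controller {i + 1}: {f}" for i, dc in enumerate(controllers) for f in check_controller(dc)]

SAMPLE_CHAIN = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n" * 2  # constructed placeholder
SAMPLE = [DomainController("ldaps://dc1.example.test:636", False, SAMPLE_CHAIN,
                           "dc=ldapserver,dc=com", "ou=Groups,dc=ldapserver,dc=com")]
```

Run `check_config(SAMPLE)` on the settings you intend to enter; an empty list means every rule from the tab above is satisfied, and each string returned names the field to revisit.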