To create a new LDAP connection to Active Directory:
Open the Settings → LDAP section in the KUMA web interface.
Select the tenant for which you want to create a connection to LDAP.
The LDAP connections window opens.
Click the Add LDAP connection button.
The LDAP connection window opens.
Add a secret containing the account credentials for connecting to the Active Directory server. To do so:
If you previously added a secret, use the Secret drop-down list to select the existing secret resource (with the credentials type).
You can change the selected secret by clicking the button.
If you want to create a new secret, click the button.
The Secret window opens.
In the Name (required) field, enter the name of the resource. This name can contain from 1 to 128 Unicode characters.
In the User and Password (required) fields, enter the account credentials for connecting to the Active Directory server.
You can enter the user name in one of the following formats: <user name>@<domain> or <domain>\<user name>.
In the Description field, you can enter up to 256 Unicode characters to describe the resource.
Click the Save button.
In the Name (required) field, enter a unique name for the LDAP connection. It must contain from 1 to 128 Unicode characters.
In the URL (required) field, enter the address of the domain controller in the format <hostname or IP address of server>:<port>.
To allow for server availability issues, you can specify multiple domain controllers by separating their addresses with commas. All of the specified servers must reside in the same domain.
In the TLS mode drop-down list, select whether TLS encryption is used for the connection to the domain controllers. When an encrypted connection is used, the URL must be a host name; an IP address cannot be specified.
If you enabled TLS encryption at the previous step, add a TLS certificate. To do so:
If you previously uploaded a certificate, select it from the Certificate drop-down list.
If you want to upload a new certificate, click the button on the right of the Certificate list.
The Secret window opens.
In the Name field, enter the name that will be displayed in the list of certificates after the certificate is added.
Click the Upload certificate file button to add the file containing the Active Directory certificate. Base64-encoded (PEM) X.509 certificates are supported.
If necessary, provide any relevant information about the certificate in the Description field.
Click the Save button.
The certificate will be uploaded and displayed in the Certificate list.
In the Timeout in seconds field, enter the time to wait for a response from the domain controller.
If multiple addresses are indicated in the URL field, KUMA waits the specified number of seconds for a response from the first server. If no response is received during that time, it contacts the next server, and so on. If none of the indicated servers responds within the specified time, the connection is terminated with an error.
If necessary, in the RPS field, enter the number of requests per second in cron format. By default, the information is requested once per day.
If necessary, in the Filter field, specify an LDAP filter. For example: "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))".
The sAMAccountType=805306368 filter clause is required. If it is missing from the user filter expression, it is added to the Active Directory request automatically.
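The following is an added example (not KUMA's own code) showing what the two filter rules above mean in practice: it applies the documented auto-add rule for the sAMAccountType clause, parses the example filter, and evaluates it against constructed directory entries, so you can see that the userAccountControl bit-AND clause drops disabled accounts (bit 2) while the sAMAccountType clause drops computer accounts. The mini parser, the evaluator, and the sample entries are assumptions for illustration only.

```python
import re

USER_CLAUSE = "(sAMAccountType=805306368)"  # mandatory clause; KUMA adds it if absent
BIT_AND_RULE = "1.2.840.113556.1.4.803"     # LDAP_MATCHING_RULE_BIT_AND, used by the UAC test

def normalize_filter(expr):
    """Apply the documented rule: add the sAMAccountType clause when it is missing."""
    if expr.count("(") != expr.count(")"):
        raise ValueError("unbalanced parentheses in LDAP filter")
    if re.search(r"\(sAMAccountType=805306368\)", expr, re.IGNORECASE):
        return expr
    return f"(&{USER_CLAUSE}{expr})"

def parse_filter(s, i=0):  # minimal parser for (&...), (|...), (!...) and (attr=value)
    if s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    if s[i + 1] in "&|!":
        op, kids, i = s[i + 1], [], i + 2
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1  # skip the closing ')'
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr, value), j + 1

def matches(node, entry):  # evaluate a parsed filter against a dict of attributes
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    name, *rule = [p for p in node[1].split(":") if p]  # "attr:<oid>:" is an extended match
    actual = entry.get(name)
    if actual is None:
        return False
    if rule and rule[0] == BIT_AND_RULE:  # true only when every bit of the value is set
        return int(actual) & int(node[2]) == int(node[2])
    return str(actual).lower() == node[2].lower()

# Constructed sample entries: an enabled user (UAC 512), a disabled user (512|2), a computer.
ENTRIES = [
    {"sAMAccountName": "alice", "sAMAccountType": 805306368, "userAccountControl": 512},
    {"sAMAccountName": "bob", "sAMAccountType": 805306368, "userAccountControl": 514},
    {"sAMAccountName": "WS01$", "sAMAccountType": 805306369, "userAccountControl": 4096},
]

def select_users(expr, entries=ENTRIES):  # sAMAccountNames the normalized filter imports
    node, _ = parse_filter(normalize_filter(expr))
    return [e["sAMAccountName"] for e in entries if matches(node, e)]
```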
In the Base DN field, enter the base distinguished name of the directory where the search request should be performed.
If necessary, in the Size limit per request field, enter the maximum size of a request.
Select the Disabled check box if you do not want to use this LDAP connection.
This check box is cleared by default.
Click the Save button.
The LDAP connection to Active Directory is created and displayed in the LDAP connections window.
Account information is requested from Active Directory in 12 hours and is then updated every 12 hours. To make the data available right away, restart the KUMA Core server.
If you want to use multiple LDAP connections simultaneously for one tenant, make sure that the domain controller address indicated in each of these connections is unique. Otherwise, KUMA lets you enable only one of these connections. When checking the domain controller address, the program does not check whether the port is unique.