Configuring a connection to the domain controller

You can connect only to one Active Directory domain. To do so, you must configure a connection to the domain controller.

To configure a connection to an Active Directory domain controller.

  1. In the program web interface, select SettingsDomain authorization.
  2. In the Connection settings block, in the Base DN field, enter the DistinguishedName of the root record to search for access groups in the Active Directory catalog service.
  3. In the URL field, indicate the address of the domain controller in the format <hostname or IP address of server>:<port>.

    In case of server availability issues, you can specify multiple servers with domain controllers by separating them with commas. All of the specified servers must reside in the same domain.

  4. If you want to use TLS encryption for the connection with the domain controller, select one of the following options from the TLS mode drop-down list:
    • startTLS.

      When the startTLS method is used, first it establishes an unencrypted connection over port 389, then it sends an encryption request. If the STARTTLS command ends with an error, the connection is terminated.

      Make sure that port 389 is open. Otherwise, a connection with the domain controller will be impossible.

    • ssl.

      When using SSL, an encrypted connection is immediately established over port 636.

    • insecure.

    When using an encrypted connection, it is impossible to specify an IP address as a URL.

  5. If you enabled TLS encryption at the previous step, add a TLS certificate:
    • If you previously uploaded a certificate, select it from the Secret drop-down list.

      If no certificate was previously added, the drop-down list shows No data.

    • If you want to upload a new certificate, click the AD_plus button on the right of the Secret list. In the opened window, in the Name field, enter the name that will be displayed in the list of certificates after the certificate is added. Add the file containing the Active Directory certificate (X.509 certificate public keys in Base64 are supported) by clicking the Upload certificate file button. Click the Save button.

      The certificate will be uploaded and displayed in the Secret list.

  6. In the Timeout in seconds field, indicate the amount of time to wait for a response from the domain controller server.

    If multiple addresses are indicated in the URL field, KUMA will wait the specified number of seconds for a response from the first server. If no response is received during that time, the program will contact the next server, and so on. If none of the indicated servers responds during the specified amount of time, the connection will be terminated with an error.

  7. If you want to configure domain authorization for a user with the KUMA general administrator role, specify the DistinguishedName of the Active Directory group containing the user in the General administrators group field.

    If a user matches two groups in the same tenant, the role with the least privileges will be used.

    Filter input example: CN=KUMA team,OU=Groups,OU=Clients,DC=test,DC=domain.

  8. Click the Save button.

A connection with the Active Directory domain controller is now configured. For domain authorization to work, you must also add group of KUMA user roles.

You can also check the connection for the previously entered domain controller connection settings.

To check the connection to the domain controller:

  1. In the program web interface, select SettingsDomain authorization.
  2. In the Test connection settings block, select the relevant secret in the User credentials field.

    If necessary, you can create a new secret by clicking the AddSecret button or change the settings of an existing secret by clicking the ChangeSecret button.

  3. Click Test.

A pop-up notification is displayed with the test results. The pop-up notification shows the following message: Connection established. If a connection could not be established, the reason for the lack of connection is displayed.

Page top