The manual is way too confusing about this:
It works like this:
LDAP Overview:
LDAPS works fine with Server 2003 R2 AD, and is preferred (leave it on port 636). If you're using FQDNs, make sure you have DNS servers set in the network section.
On the Search page:
'Search DN/Password' is the Bind DN/Password.
'Search Base' is similarly the 'Base DN'.
'UID Mask' should be 'attribute=%1'; replace 'attribute' with the name of the attribute storing the username, so with AD this is generally 'sAMAccountName=%1'.
Query page:
If 'Group Container Mask' = 'ou=%1' and Group Container = 'KVM' then we're looking for ou=KVM in the above configured BaseDN. This is where we'll set everything up. I recommend staying at the top of the tree for simplicity.
Target Mask should be 'cn=%1' because we're looking for objects, and Access Control Attribute will be 'info' because that corresponds to 'Notes' in the ADUC UI.
In this OU container:
1) Create a computer object with the same name as the KVM name under 'Appliance -> Overview'. I renamed this to KVM01. I had to do this on a DC as MMC was crashing on my terminal server when creating a computer object, probably unrelated.
2) Now create a group, call it whatever. In the Notes section put 'KVM Appliance Admin'. This is how we define what you can do. Add the KVM computer object to this group, and any users (or groups, e.g. Domain Admins) you want.
3) These people will have full access to the KVM and all objects. It sounds like adding access to individual objects requires being in a group with an info of 'KVM User' and the computer objects for the actual server names in the group as well. Bah.
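Added example, not from the post or the appliance vendor: a Python model of the lookup described above, run against a constructed in-memory copy of this AD layout (ou=KVM, groups tagged through the 'info' attribute). The domain example.local, the users jdoe and ops, and the server object SRV01 are made up, and the rule that both the person and the KVM computer object must be group members is taken from the post; it also shows why the username substituted for %1 in the UID mask needs filter escaping before it reaches the directory.

```python
# Constructed in-memory copy of the AD layout from the post (DN -> attributes); not the
# appliance's code. example.local, jdoe, ops and SRV01 are made-up names.
BASE_DN = "dc=example,dc=local"
KVM_OU = "ou=KVM," + BASE_DN
DIRECTORY = {
    "cn=jdoe,cn=Users," + BASE_DN: {"objectClass": ["user"], "sAMAccountName": ["jdoe"]},
    "cn=ops,cn=Users," + BASE_DN: {"objectClass": ["user"], "sAMAccountName": ["ops"]},
    "cn=KVM01," + KVM_OU: {"objectClass": ["computer"]},
    "cn=SRV01," + KVM_OU: {"objectClass": ["computer"]},
    "cn=KVM Admins," + KVM_OU: {"objectClass": ["group"], "info": ["KVM Appliance Admin"],
        "member": ["cn=KVM01," + KVM_OU, "cn=jdoe,cn=Users," + BASE_DN]},
    "cn=SRV01 Users," + KVM_OU: {"objectClass": ["group"], "info": ["KVM User"],
        "member": ["cn=KVM01," + KVM_OU, "cn=SRV01," + KVM_OU, "cn=ops,cn=Users," + BASE_DN]},
}

def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def uid_filter(uid_mask, username):
    """Expand the 'UID Mask' (e.g. 'sAMAccountName=%1') into the LDAP filter sent."""
    return "(" + uid_mask.replace("%1", escape_filter_value(username)) + ")"

def find_user_dn(uid_mask, username):
    """Equivalent of the appliance's user search, done against the in-memory tree."""
    attr, mask = uid_mask.split("=", 1)
    wanted = mask.replace("%1", username)
    for dn, attrs in DIRECTORY.items():
        if attrs.get(attr) == [wanted]:
            return dn
    return None

def kvm_role(username, kvm_name, target=None):
    """Post's rules: a group in ou=KVM gives 'admin' if its info is 'KVM Appliance Admin',
    or 'user' for one target if its info is 'KVM User'; the person AND the KVM object must be members."""
    user_dn = find_user_dn("sAMAccountName=%1", username)
    kvm_dn = "cn=%s,%s" % (kvm_name, KVM_OU)
    target_dn = "cn=%s,%s" % (target, KVM_OU) if target else None
    role = None
    for dn, attrs in DIRECTORY.items():
        if not dn.endswith(KVM_OU) or "group" not in attrs["objectClass"]:
            continue
        members = attrs.get("member", [])
        if user_dn not in members or kvm_dn not in members:
            continue
        info = attrs.get("info", [""])[0]
        if info == "KVM Appliance Admin":
            return "admin"
        if info == "KVM User" and target_dn in members:
            role = "user"
    return role
```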