Cisco's lightweight Access Points (AP) support discovering the Wireless LAN Controller (WLC) management IP address via several methods, including:
The AP tries to resolve CISCO-LWAPP-CONTROLLER or CISCO-CAPWAP-CONTROLLER using the DNS server configured by DHCP. However you may not have DNS A records for these, especially in small deployments with no DNS server onsite.
DHCP Option 43
The AP uses IP addresses provisioned via DHCP option 43. This consists of a hexadecimal string starting with F1, the number of WLCs multiplied by 4 & the IP addresses of these WLCs in hex. For example one WLC with IP address 10.35.128.5:
1 x 4 = 04 (must be padded to 2 hex digits if less)
10.35.128.5 = 0A238005 (must be padded to 8 hex digits if less)
Resultant hex: F1040A238005
Adding a 2nd WLC with IP address 10.35.128.6 would result in F1080A2380050A238006.
If the WLC is in the same broadcast domain & has Master Controller Mode enabled the AP can discover it by sending out broadcasts. This won't work in large deployments where APs are spread across multiple networks & is considered bad practice.
Over The Air Provisioning
The AP listens to Radio Resource Management (RRM) messages transmitted by neighbouring APs & learns the WLC IP address from these. However this is considered insecure & usually disabled.
You can connect a console cable to the AP & manually configure with the WLC's IP address using the lwapp ap controller ip address command. This only works on APs that haven't yet associated with a WLC, but is useful if you have an AP that's refusing to associate via the other methods.