LDAP Configuration


To configure LDAP authentication for your institution, perform the following:

 

1.Click the LDAP Configuration option from the Setup tab.

 

2.Click Edit to edit the options on the form.

 

3.Authenticate via LDAP

 

Check the box next to Authenticate via LDAP to enable LDAP authentication for your institution.

 

4.Update Roles From LDAP Groups

 

If LDAP authentication is enabled, select the Update Roles From LDAP Groups option to update users’ role information based on their LDAP group membership and mapping rules.

 

NOTE: If this option is not selected, the user is still assigned a role when the account is first created, but no role updates occur later if their group membership changes. If this option is selected and the user is removed from every group that is mapped to Astra Schedule roles, the user's role reverts to the Default Guest Role (see step 18).

 

5.Fully Qualified Paths

 

Enter a fully qualified path to the LDAP/Active Directory server and root directory that should be searched during authentication.
 
Multiple paths may be entered to reflect multiple servers or OUs. Specifying multiple servers may decrease authentication performance. The servers are checked in top-down order, so it is recommended that the server holding the most potentially active users be listed first.
 
The path is composed of the following elements. Use the following format information and examples to create your path. This format is used anywhere an LDAP path is entered on the LDAP configuration page. (Items in [] are optional.)
 
LDAP[S]://Host[:Port]/Search DN[/User ID Format]

 

Protocol - LDAP or LDAPS. LDAPS requires a TLS/SSL certificate installed on the directory server. With plain LDAP the bind user id and password cross the network unencrypted, so use LDAPS wherever the directory supports it.

 

Host - Hostname or IP address of LDAP server

 

Port - Defaults are 389 for LDAP and 636 for LDAPS

 

Search DN - Distinguished name of the directory entry from which to begin the search. To improve performance, this should NOT be the root.

 

User ID Format - This is the string used to format the user id used to perform the LDAP bind. Most LDAP systems will use the distinguished name (DN) of the user.

 

Because Active Directory does not necessarily use the user id as the CN, the DN cannot always be constructed from the user id. For Active Directory the user id can instead be formatted as domain\user id (aais\jsmith) or user id@domain (jsmith@aais.com). Two variables are available for constructing the user id used for the LDAP bind.

 

{0} is replaced by the user id entered by the user

 

{1} is replaced by the Search DN in this path
 
(If no User ID Format is given, the bind uses the user id exactly as entered on the login or LDAP configuration page.)

 

Active Directory Examples:
LDAP://192.168.0.44:389/ou=maincampus,dc=aais,dc=com/{0}@aais.com
LDAP://myldapserver:389/cn=users,dc=aais,dc=com/aais\{0}

 

Novell E-Directory Examples:
LDAPS://192.168.0.84:636/ou=maincampus,o=aais.com/cn={0},{1}
LDAPS://myldapserver:636/ou=maincampus,o=aais.com/cn={0}, ou=maincampus,o=aais.com
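The path format and the {0}/{1} substitution above are easy to get subtly wrong, so here is an added example (my own code, not part of Astra Schedule) that parses a fully qualified path, applies the port defaults, builds the bind identity, and produces the trimmed path the Test LDAP button expects. It assumes the Search DN contains no "/" and that hosts are plain names or IPv4 literals; it also DN-escapes the user id when the template builds a DN (the cn={0},{1} style), which the page does not describe but which stops a typed id such as jsmith,ou=admins from adding RDNs to the bind DN.

```python
"""Added example: parse LDAP[S]://Host[:Port]/Search DN[/User ID Format]
and derive the bind identity. Not Astra Schedule's own code."""
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # from the Port description above


@dataclass
class LdapPath:
    protocol: str                  # "ldap" or "ldaps"
    host: str
    port: int
    search_dn: str
    user_id_format: Optional[str]  # None: use the user id exactly as typed


def parse_ldap_path(path: str) -> LdapPath:
    scheme, sep, rest = path.partition("://")
    proto = scheme.strip().lower()
    if not sep or proto not in DEFAULT_PORTS:
        raise ValueError("protocol must be LDAP or LDAPS: %r" % path)
    hostport, sep, rest = rest.partition("/")
    if not sep or not rest.strip():
        raise ValueError("path needs a Search DN after the host: %r" % path)
    host, _, port = hostport.partition(":")   # assumption: no bracketed IPv6 literals
    if not host:
        raise ValueError("missing host: %r" % path)
    port_num = int(port) if port else DEFAULT_PORTS[proto]
    # Assumption: the Search DN contains no "/"; the first "/" after it starts the
    # optional User ID Format (which may contain "\" and "@", but never "/").
    search_dn, _, fmt = rest.partition("/")
    return LdapPath(proto, host, port_num, search_dn.strip(), fmt.strip() or None)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into a DN template."""
    out = []
    for ch in value:
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.endswith(" "):
        s = s[:-1] + "\\ "
    if s[:1] in ("#", " "):
        s = "\\" + s
    return s


def bind_identity(p: LdapPath, user_id: str) -> str:
    """Substitute {0} (user id) and {1} (Search DN) in a single pass, so braces
    typed by a user cannot be re-expanded. Templates that build a DN (they
    contain "=") get the user id DN-escaped; UPN and DOMAIN\\user forms do not."""
    if p.user_id_format is None:
        return user_id
    uid = escape_dn_value(user_id) if "=" in p.user_id_format else user_id
    return re.sub(r"\{([01])\}",
                  lambda m: uid if m.group(1) == "0" else p.search_dn,
                  p.user_id_format)


def path_for_test_button(p: LdapPath) -> str:
    """The form the Test LDAP button expects: everything except the User ID Format."""
    return "%s://%s:%d/%s" % (p.protocol.upper(), p.host, p.port, p.search_dn)


def transport_warning(p: LdapPath) -> Optional[str]:
    """Plain LDAP sends simple-bind credentials in cleartext; flag it."""
    if p.protocol == "ldap":
        return "plain LDAP on port %d: bind credentials are sent unencrypted" % p.port
    return None


if __name__ == "__main__":
    for raw in ("LDAP://192.168.0.44:389/ou=maincampus,dc=aais,dc=com/{0}@aais.com",
                "LDAPS://192.168.0.84:636/ou=maincampus,o=aais.com/cn={0},{1}"):
        p = parse_ldap_path(raw)
        print(path_for_test_button(p), "->", bind_identity(p, "jsmith"), transport_warning(p))
```

Run it against the Active Directory and eDirectory examples above: the first path binds as jsmith@aais.com over cleartext LDAP (and is flagged), the second as cn=jsmith,ou=maincampus,o=aais.com over LDAPS.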

 

6.Max. Query Time (seconds)

 

Enter the maximum amount of time the system should wait for a response to a query of the LDAP server during authentication. This setting only applies once Astra Schedule is able to bind to and query the server. If the timeout is reached, the system responds as if the username or password were incorrect, so a value set too low shows up as login failures rather than as a timeout error.

 

7.Test LDAP button

 

Use the Test LDAP button at any time to test your fully qualified path. To test your information, perform the following:

 

1.Enter the fully qualified path. The path will be auto-populated if you have already entered it on the LDAP Configuration Info screen.

 

NOTE: Remove the User ID Format portion of the fully qualified path (for example /{0}@aais.com) before running the test. The test binds with the administrator credentials entered in the next step, not with a user id.

 

2.Enter the LDAP administrator user name and password.

 

NOTE: The account specified here must have permission to search (read) the entire LDAP or Active Directory structure, or results may be inconsistent. Read access is all the search needs; a dedicated read-only service account is preferable to a domain administrator account.

 

3.Enter the Search On attribute, the directory attribute the filter is applied to (example: sAMAccountName).

 

4.Enter the Search For attribute (value to be searched for). This field supports wildcards. (examples: student, stud*)

 

5.Click the Run Test button.

 

The test returns a list of all attributes found for the matching object.

 

If the test process can bind to the LDAP server but no matches are found, the results window reads “No results were found in...”

 

If the test process is not able to bind to the LDAP server, an error message appears.

 

8.User Object Class Name

 

Enter the objectClass value that identifies user entries; searches for users are restricted to entries of this class. (defaults to “user”, the Active Directory class; other directories commonly use inetOrgPerson)

 

9.Search User On

 

Enter the attribute whose value is matched against the user login. (defaults to “sAMAccountName”) (Sun ONE directories typically use uid)
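Both the Test LDAP search (Search On / Search For, where Search For may contain wildcards) and the login-time lookup on the Search User On attribute amount to an LDAP search filter of the form (&(objectClass=...)(attribute=value)). The value in the login case is whatever the user typed at the login prompt, so it must be escaped before it is placed in the filter. The following is an added example of my own (not Astra Schedule's code) showing the naive construction beside the RFC 4515-escaped one; attribute names and the objectClass defaults come from this page, the helper names are mine.

```python
"""Added example: build the user/test search filters with RFC 4515 escaping.
Not Astra Schedule's own code; attribute and class names are the page defaults."""
import re

# Attribute descriptions (RFC 4512): a letter, then letters, digits and hyphens.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def check_attr(name: str) -> str:
    """Configuration fields such as Search User On must name an attribute, nothing more."""
    if not _ATTR_RE.match(name):
        raise ValueError("not a valid attribute name: %r" % name)
    return name


def escape_filter_value(value: str, keep_wildcard: bool = False) -> str:
    """RFC 4515 escaping of an assertion value. '*' survives only when the
    caller allows wildcards (the Search For field on the Test LDAP screen)."""
    out = []
    for ch in value:
        if ch == "*" and keep_wildcard:
            out.append("*")
        elif ch in "*()\\" or ch == "\x00":
            out.append("\\%02x" % ord(ch))     # e.g. '(' -> \28
        else:
            out.append(ch)
    return "".join(out)


def naive_user_filter(object_class: str, search_on: str, user_id: str) -> str:
    """What NOT to do: the login id is pasted straight into the filter, so an id
    such as *)(objectClass=* turns the lookup into a match-everything query."""
    return "(&(objectClass=%s)(%s=%s))" % (object_class, search_on, user_id)


def user_lookup_filter(object_class: str, search_on: str, user_id: str) -> str:
    """Login-time lookup on the Search User On attribute: exact match only,
    wildcards and filter metacharacters in the typed id are escaped."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), check_attr(search_on),
        escape_filter_value(user_id))


def probe_search_filter(object_class: str, search_on: str, search_for: str) -> str:
    """Test LDAP screen: Search For may use '*' wildcards (student, stud*);
    everything else in the value is still escaped."""
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(object_class), check_attr(search_on),
        escape_filter_value(search_for, keep_wildcard=True))


if __name__ == "__main__":
    hostile = "*)(objectClass=*"                     # constructed hostile login id
    print("naive   :", naive_user_filter("user", "sAMAccountName", hostile))
    print("escaped :", user_lookup_filter("user", "sAMAccountName", hostile))
    print("test    :", probe_search_filter("user", "sAMAccountName", "stud*"))
```

The naive filter for the hostile id is a syntactically valid filter that matches every user object; the escaped one looks for a literal sAMAccountName of *)(objectClass=* and matches nothing. The same escaping (without the wildcard allowance) belongs in front of the group name filter used by Group Mapping.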

 

10.First Name Attribute

 

Enter the attribute that will contain the user’s first name. (defaults to “givenName”)

 

11.Last Name Attribute

 

Enter the attribute that will contain the user’s last name. (defaults to “sn”)

 

12.Email Attribute

 

Enter the attribute that will contain the user’s email address. (defaults to “mail”)

 

13.MemberOf Attribute

 

Enter the attribute that contains the list of LDAP groups of which the user is a member. (defaults to “memberOf”)

 

14.Group Object Class Name

 

Enter the objectClass value that identifies group entries; searches for groups are restricted to entries of this class. (defaults to “group”, the Active Directory class; other directories commonly use groupOfNames or groupOfUniqueNames)

 

15.Group Common Name Attribute

 

Enter the attribute that will contain the group common name. (defaults to “cn”)

 

16.Group Mapping

 

The Group Mapping feature is used to map LDAP/Active Directory groups to Astra Schedule roles. When a user is authenticated, their group membership information is used to determine appropriate permissions. To map groups to roles, perform the following:

 

1.Click the Add LDAP Group button.

 

2.Provide the LDAP administrator user name and password.

 

NOTE: The account specified here must have permission to search (read) the entire LDAP or Active Directory structure, or results may be inconsistent. A dedicated read-only service account is preferable to a domain administrator account.

 

3.Enter fully qualified path for the search.

 

4.Enter the name filter for the search.

 

5.Wildcards are added to the name filter automatically, so a partial group name is enough for the search.

 

6.Click the Find LDAP Groups button.

 

7.A list of matching groups is returned.

 

8.Select a group from the list.

 

9.Click the Save LDAP Group button.

 

10.A list of all Astra Schedule roles is returned.

 

11.Place a check in the boxes next to role(s) to which the LDAP group should be mapped.

 

12.Click the Save button to add the group-to-role association to the list.

 

13.Repeat as needed.

 

17.Expand an individual group on the list page to review its role associations.

 

18.Default Guest Role

 

The Astra Schedule role granted to a user who authenticates via LDAP but belongs to no group that is mapped to a role.
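To make the group-to-role rules on this page concrete (group mapping, the Default Guest Role, and the Update Roles From LDAP Groups behaviour described in step 4), here is an added example of my own, not Astra Schedule's code. It assumes the MemberOf attribute holds group DNs, that the mapping is keyed by the Group Common Name Attribute value (cn) and compared case-insensitively, and that role names are plain strings; the group and role names in the sample data are constructed.

```python
"""Added example: derive Astra Schedule roles from a user's memberOf values.
Not the product's own code; the assumed model is a mapping of group CN -> roles."""
import re
from typing import Dict, Iterable, Optional, Set

# Matches the leading "cn=<value>" of a DN, allowing RFC 4514 backslash escapes.
_CN_RE = re.compile(r"^\s*cn=((?:\\.|[^,\\])*)", re.IGNORECASE)


def group_cn(dn: str) -> Optional[str]:
    """Return the CN (Group Common Name Attribute) from a memberOf DN, or None."""
    m = _CN_RE.match(dn)
    if not m:
        return None
    raw = m.group(1).strip()

    def _unescape(esc):                      # "\," -> ",", "\2c" -> ","
        s = esc.group(1)
        return chr(int(s, 16)) if len(s) == 2 else s

    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", _unescape, raw)


def resolve_roles(member_of: Iterable[str], mapping: Dict[str, Set[str]],
                  default_guest: str = "Guest") -> Set[str]:
    """Union of the roles of every mapped group the user is in; the Default
    Guest Role when no group is mapped. Assumption: CNs compare case-insensitively."""
    lookup = {cn.lower(): set(roles) for cn, roles in mapping.items()}
    roles: Set[str] = set()
    for dn in member_of:
        cn = group_cn(dn)
        if cn and cn.lower() in lookup:
            roles |= lookup[cn.lower()]
    return roles or {default_guest}


def roles_after_login(current_roles: Optional[Set[str]], member_of: Iterable[str],
                      mapping: Dict[str, Set[str]], update_from_groups: bool,
                      default_guest: str = "Guest") -> Set[str]:
    """Step 4 semantics: roles are always assigned when the user is first created;
    afterwards they change only if Update Roles From LDAP Groups is on, in which
    case losing every mapped group drops the user to the Default Guest Role."""
    if current_roles is None:                # first login: user record created
        return resolve_roles(member_of, mapping, default_guest)
    if not update_from_groups:               # option off: roles frozen at creation
        return set(current_roles)
    return resolve_roles(member_of, mapping, default_guest)


# Constructed sample data: two mapped groups and one unmapped built-in group.
MAPPING = {"Schedulers": {"Scheduler"}, "Registrar Staff": {"Scheduler", "Reporter"}}
MEMBER_OF = ["CN=Schedulers,OU=Groups,DC=aais,DC=com",
             "CN=Domain Users,CN=Users,DC=aais,DC=com"]

if __name__ == "__main__":
    print(resolve_roles(MEMBER_OF, MAPPING))                              # {'Scheduler'}
    print(roles_after_login({"Scheduler"}, [], MAPPING, update_from_groups=False))
    print(roles_after_login({"Scheduler"}, [], MAPPING, update_from_groups=True))
```

Two caveats when relying on memberOf this way: in Active Directory the attribute is a back-link that does not list the user's primary group (Domain Users by default) and does not expand nested group membership, so only groups the user is a direct member of will map to roles.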

 

19.Click Save to save your configuration changes.
