Ad Astra can be configured to authenticate users and manage their permissions using your institution’s LDAP or Active Directory information. Two options are provided for LDAP/Active Directory authentication: one-step authentication and two-step authentication. When enabled, this feature performs the following tasks:
- Authenticates login using credentials maintained in your system: eliminates the need to maintain user names and passwords within Ad Astra.
  Because user names and passwords are not maintained by Ad Astra in this case, users cannot change their password within Ad Astra.
- Automatically adds new authenticated users to the Ad Astra system: eliminates the need to manually create new Ad Astra users. First-time users of the system are added automatically upon successful authentication.
  Users in the LDAP directory must have a first name, last name and email address in order to be created in Ad Astra. If any of these are missing, the user will not be added and the authentication will fail.
- Grants Ad Astra roles based on group membership: eliminates the need to manually assign roles per user. Role-to-group mapping rules define the permissions that are applied to user records. When authenticated, the user is automatically associated with every Ad Astra role that is mapped to any of their LDAP/AD groups.
User-Specific LDAP/Active Directory Information
When LDAP/Active Directory authentication is enabled, two additional options become available on the individual user record that override how that record is managed.
The Authenticate via LDAP option is checked by default for user records that were created automatically during authentication. Uncheck this option to disable LDAP/Active Directory authentication for the user; the user name, password and role assignments must then be maintained manually, and authentication is handled by Ad Astra. Because Ad Astra only stores a system-generated password while LDAP authentication is in effect, unchecking this option triggers a prompt to change the user’s password.
The Sync Roles with LDAP Groups option is only enabled if LDAP authentication is enabled for both the institution and the user, and is checked by default for user records that were created automatically during authentication. Uncheck this option if the user should still be authenticated via the LDAP server but have their role assignments managed manually. Checking this option for an existing user disables the manual security role configuration for that user. When this option is enabled, a message reading “Last Sync’d On:” appears just beneath it and displays the date and time of the user’s last login.
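The provisioning rules above (required directory attributes, group-to-role mapping, and the two per-user overrides) as an added example that is not Ad Astra’s own code: a small model of what happens after the directory has accepted the credentials. The LDAP attribute names (givenName, sn, mail, memberOf), the group DNs and the role names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role-to-group mapping rules (hypothetical group DNs and role names).
ROLE_MAP = {
    "cn=registrar,ou=groups,dc=example,dc=edu": {"Scheduler", "Reporting"},
    "cn=faculty,ou=groups,dc=example,dc=edu": {"Instructor"},
}
# First name, last name, email: assumed attribute names for the three required fields.
REQUIRED_ATTRS = ("givenName", "sn", "mail")


@dataclass
class AstraUser:
    username: str
    first_name: str
    last_name: str
    email: str
    roles: set[str] = field(default_factory=set)
    authenticate_via_ldap: bool = True        # per-user override 1
    sync_roles_with_ldap_groups: bool = True  # per-user override 2
    last_synced_on: datetime | None = None    # shown as "Last Sync'd On:"


def roles_for_groups(groups: list[str]) -> set[str]:
    """Union of every role mapped to any of the user's groups (DNs compared case-insensitively)."""
    roles: set[str] = set()
    for dn in groups:
        roles |= ROLE_MAP.get(dn.lower(), set())
    return roles


def provision_on_login(entry: dict, existing: AstraUser | None = None,
                       now: datetime | None = None) -> AstraUser:
    """Apply the post-authentication rules to a constructed LDAP entry (no live bind here)."""
    now = now or datetime.now(timezone.utc)
    if existing is not None and not existing.authenticate_via_ldap:
        raise PermissionError("Authenticate via LDAP is unchecked; Ad Astra manages this login")
    missing = [a for a in REQUIRED_ATTRS if not entry.get(a)]
    if existing is None and missing:
        # New user without first name, last name or email: not created, login fails.
        raise ValueError(f"user not created, missing attributes: {missing}")
    user = existing or AstraUser(entry["uid"], entry["givenName"], entry["sn"], entry["mail"])
    if user.sync_roles_with_ldap_groups:
        user.roles = roles_for_groups(entry.get("memberOf", []))  # replaces manual roles
        user.last_synced_on = now
    return user
```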