One Step LDAP Authentication

One-step authentication uses the user credentials entered on the application sign in form to authenticate the user and look up the required user information in the LDAP/AD directory.  This option assumes that the user signing in has permission to query the directory structure on their own behalf to authenticate their sign in.

Microsoft has indicated that at some point they will no longer support LDAP (insecure). Ad Astra strongly recommends implementing LDAPS (secure) to avoid future issues authenticating users.

Configure One-step Authentication

  1. Click the Settings tab.
  1. Select LDAP Configuration.
  1. Check the box next to "Authenticate via LDAP" to enable LDAP authentication for your institution.
  1. If LDAP authentication is enabled, check the box next to "Update Roles From LDAP Groups" to update users’ roles based on their LDAP group membership and mapping rules.
If this option is not selected, the user will still be assigned a role when initially created but no role updates will occur in the future should their group membership change. If this option is selected and the user is removed from a group that is mapped to Ad Astra roles, then the user role will revert to the “Guest” role.
  1. Enter a fully qualified path to the LDAP/Active Directory server and root directory that should be searched during authentication.
    • Multiple paths may be entered to reflect multiple servers or OU’s. Note that specifying multiple servers may decrease authentication performance. The servers are checked in top-down order, so it is recommended that the server with the most potential active users be specified first.
    • The path is composed of the following elements. Use the following format information and examples to create your path. This format is used anywhere an LDAP path is entered on the LDAP configuration page. (Items in [] are optional.)

      LDAP[S]://Host[:Port]/Search DN[/User ID Format]
    • Protocol: LDAP or LDAPS (SSL certificate must be installed on the server for LDAPS. Self-signed certificates are supported, so a certificate from one of the trusted certificate authorities is not required for LDAP authentication.)
    • Host: Hostname or IP address of LDAP server
    • Port: Defaults are 389 for LDAP and 636 for LDAPS
    • Search DN: Distinguished name of the directory entry from which to begin the search. To improve performance, this should NOT be the root.
    • User ID Format: This is the string used to format the user id used to perform the LDAP bind. Most LDAP systems will use the distinguished name (DN) of the user.
    • Because Active Directory does not always use the user id in the CN/DN, the DN may not be able to be constructed from the user id. The user id can be formatted as domain\user id (aais\jsmith) or user id@domain (jsmith@aais.com). There are two variables that can be used to construct the user id used for the LDAP bind.
    • {0} is replaced by the user id entered by the user
    • {1} is replaced by the Search DN in this path

      (The default value is the user id entered by the user on the sign in or LDAP configuration page.)
    • Active Directory Examples:
      LDAP://192.168.0.44:389/ou=maincampus,dc=aais,dc=com/{0}@aais.com
      LDAP://myldapserver:389/cn=users,dc=aais,dc=com/aais\{0}
    • Novell E-Directory Examples:
      LDAPS://192.168.0.84:636/ou=maincampus,o=aais.com/cn={0},{1}
      LDAPS://myldapserver:636/ou=maincampus,o=aais.com/cn={0}, ou=maincampus,o=aais.com

          mceclip1.png

  1. Use the Test LDAP button at any time to test your fully qualified path.
  1. Maximum Query Time (seconds) - Enter the maximum amount of time the system should wait on a response to a query of the LDAP server during authentication. This setting is only applicable if Ad Astra is able to bind to and query the server. If the timeout is activated, then the system responds as if the username or password were incorrect.
  1. User Object Class Name - Enter the name of the container that should be searched for users. (defaults to “user”). This is a required field on the form, but is not used for two-step authentication. You may leave this at the default value if using two-step authentication.
  1. Search User On - Enter the attribute that will contain the value that will be matched to the user sign in. (defaults to “sAMAccountName”) (Sun One is typically UID). This is a required field on the form, but is not used for two-step authentication. You may leave this at the default value if using two-step authentication.
  1. First Name Attribute - Enter the attribute that will contain the user’s first name. (defaults to “givenName”)
  1. Last Name Attribute - Enter the attribute that will contain the user’s last name. (defaults to “sn”)
  1. Email Attribute - Enter the attribute that will contain the user’s email address. (defaults to “mail”)
  1. MemberOf Attribute - Enter the attribute that will contain the list of LDAP groups to which the user is a member. (defaults to “memberOf”)
  1. Group Object Class Name - Enter the name of the container that should be searched for groups. (defaults to “group”)

    This value is only used if you are mapping LDAP groups to Ad Astra roles and opting to update roles from LDAP Groups thereafter. This can be ignored if not utilizing those features.
  1. Group Common Name Attribute - Enter the attribute that will contain the group common name. (defaults to “cn”). This value is only used if you are mapping LDAP groups to Ad Astra roles and opting to update roles from LDAP Groups thereafter. This can be ignored if not utilizing those features.

          mceclip0.png

  1. Default Guest Role: the Ad Astra role that will be granted to a user that is authenticated by LDAP but does not have a role mapped to their group.
  1. Group Mapping: used to map LDAP/Active Directory groups to Ad Astra roles. When a user is authenticated, their group membership information is used to determine appropriate permissions. To map groups to roles see LDAP Groups
  1. Click Save to save your configuration changes.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.