In two-step authentication the system binds using the system account credentials. System account credentials are stored and used to look up the required user information (including the distinguished name) in the LDAP/AD directory for the username entered on the Astra login form. The distinguished name is then used with the password entered on the login form to authenticate the user. (The token for this is in the user lookup filter (%UserName%)).
To configure two-step authentication for your institution:
- Click the LDAP Configuration option from the Settings tab.
- Check the box next to "Authenticate via LDAP" to enable LDAP authentication for your institution.
- If LDAP authentication is enabled, check the box next to "Update Roles From LDAP Groups" to update users’ roles based on their LDAP group membership and mapping rules.
Note: If this option is not selected, the user will still be assigned a role when initially created but no role updates will occur in the future should their group membership change. If this option is selected and the user is removed from a group that is mapped to Ad Astra roles, then the user role will revert to the “Guest” role.
- Check the box next to “Use Two Step LDAP Authentication”.
- The form section “Two Step Authentication Settings” will appear.
- Search Base: the distinguished name of the directory entry from which to begin the search.
Format Example: ou=Org Unit Users,dc=dev,dc=local
- User Lookup Filter: specifies the filter parameters to be applied during LDAP directory search.
Example: (&(objectClass=user)(sAMAccountName=%UserName%)), or uid=%UserName%
- Authorization Failure Message: Optionally, enter text that is displayed if the user is not found in the LDAP search.
If no message is entered here, the Ad Astra standard incorrect user name or password message is displayed.
- User Key Attribute (optional): Ad Astra use this LDAP attribute as the key value against which to match LDAP users to Ad Astra users to determine if they exist already.
When users are created this value is stored as part of the Ad Astra user record and used during lookup going forward.
A typical example might be “sAMAccountName” for Active Directory.
The user key attribute is displayed on the user form in Ad Astra.
- Host: Hostname or IP address of LDAP server.
- Port: port on which to communicate on LDAP server.
Standard ports are 389 for LDAP and 636 for LDAPS.
- System Account: distinguished name of the account used to look up the user. It is not assumed that this account is in the search base.
- System Password: password for system account. This value is stored encrypted in the database.
- SSL: check this box if using a secure connection. To use this option, you must have an SSL certificate installed on the LDAP server.
- Use the Test LDAP button at any time to test the configuration.
- Query Time (seconds) - Enter the maximum amount of time the system should wait on a response to a query of the LDAP server during authentication. This setting is only applicable if Ad Astra is able to bind to and query the server. If the timeout is activated, then the system responds as if the username or password were incorrect.
- User Object Class Name - Enter the name of the container that should be searched for users. (defaults to “user”). This is a required field on the form, but is not used for two step authentication. You may leave this at the default value if using two step authentication.
- Search User On - Enter the attribute that will contain the value that will be matched to the user login. (defaults to “sAMAccountName”) (Sun One is typically UID). This is a required field on the form, but is not used for two step authentication. You may leave this at the default value if using two step authentication.
- First Name Attribute - Enter the attribute that will contain the user’s first name. (defaults to “givenName”)
- Last Name Attribute - Enter the attribute that will contain the user’s last name. (defaults to “sn”)
- Email Attribute - Enter the attribute that will contain the user’s email address. (defaults to “mail”)
- MemberOf Attribute - Enter the attribute that will contain the list of LDAP groups to which the user is a member. (defaults to “memberOf”)
- Group Object Class Name - Enter the name of the container that should be searched for groups. (defaults to “group”)
This value is only used if you are mapping LDAP groups to Ad Astra roles and opting to update roles from LDAP Groups thereafter. This can be ignored if not utilizing those features.
- Group Common Name Attribute - Enter the attribute that will contain the group common name. (defaults to “cn”). This value is only used if you are mapping LDAP groups to Ad Astra roles and opting to update roles from LDAP Groups thereafter. This can be ignored if not utilizing those features.
- Default Guest Role: the Ad Astra role that will be granted to a user that is authenticated by LDAP but does not have a role mapped to their group.
- Group Mapping: used to map LDAP/Active Directory groups to Ad Astra roles. When a user is authenticated, their group membership information is used to determine appropriate permissions. To map groups to roles see LDAP Groups.
- Select a Default Guest Role from the drop-down list. This is the Ad Astra role that will be granted to a user that is authenticated by LDAP but does not have a role mapped to their group.
- Click Save to save your configuration changes.