LDAP supports user-authentication for open or active directories
Lightweight Directory Access Protocol (i.e. LDAP) is an application protocol for querying and modifying directory services running over TCP/IP. At this time, Alexandria supports user-authentication using existing log-on credentials maintained on a separate directory server.
With this capability enabled, administrators can manage user log-on credentials (username and password) on a central server and allow the user access to their account within Alexandria using these same credentials. While a permanent record must exist locally in the Alexandria database for all patrons and operators that use the system, their log-on credentials do not have to be separately updated within these systems when they change. Instead, our software can authenticate the user on the LDAP server and then look them up locally by unique information returned from that server when the authentication is successful.
Our software’s LDAP capabilities are designed to be utilized in an environment where security is required for operators and patrons to gain access to the software, or log into their accounts to view personal information or place holds or reservations on items.
In many environments, administrators choose to maintain user account credentials directly within Alexandria. With LDAP, administrators can now choose to manage these credentials on a central LDAP server instead as these credentials may change frequently and often need to be standardized across many different systems.
Please note that operator and patron records can not be created or entirely managed by LDAP at this time; they must exist as unique records locally within the Alexandria database.
LDAP authentication is accomplished in the following manner:
The COMPanion software will send the credentials the user enters in any log-in dialog to the specified LDAP server in the form of a BIND. If the BIND is successful, the software will...Locate the user's record within the local database—looking it up using the information returned in the specified Local ID field from the LDAP server. Once the record is located, the user will be logged in. If this fails, Alexandria will also test the credentials against the local data base as a fallback.
TLS Communications
It is highly recommended that you secure communications with the LDAP server by requiring TLS. TLS configuration is performed at the system level. There are no additional settings within the application required. When the system is correctly configured for secure communications with your LDAP server, Alexandria will also be able to communicate with the LDAP server securely. If, for example, in a Macintosh / Open Directory environment, the client (or machine running the Data Station) has Directory Services or the OpenLDAP client configured for TLS, Alexandria will also be able to talk to the server via TLS.
LDAP Settings
Enable LDAP—When checked, the system will attempt to use the provided values to perform user authentication via LDAP. If the authentication is successful, the value returned from the field defined as Local ID will be used to identify the person to Alexandria. If unable to authenticate using LDAP, the system will use the previous authentication method as a fallback.
LDAP Domain— This is the Domain of the LDAP server, as in “yourdomain.com”. This is used in conjunction with sAMAccountName to produce a complete userPrincipalName.
LDAP Server—This is the full name of the LDAP server, as in “ldap.yourdomain.com”. This is the host address of the LDAP server used for network communication.
Allow Non-Secure Connections—When checked, the system will use non-TLS connections if it cannot make an TLS connection. For the best security, don't check this.
Base DN for all LDAP users—This is a DN that matches all the users, as in “cn=users,dc=ldap,dc=yourdomain,dc=com”, so that any search using the User ID field specifies a unique user. Multiple Base DNs can be specified if separated by semicolons: “cn=staff,ou=COMPanion,dc=demo,dc=goalexandria,dc=com;cn=student,ou=COMPanion,dc=demo,dc=goalexandria,dc=com”.
User ID—This is the name of the LDAP database attribute whose value is the LDAP login name (e.g. “uid=yourlogin" in the context of the Base DN). For an Open Directory, this is typically uid. For an Active Directory this is typically cn, sAMAccountName, or userPrincipalName.
Local ID—This is the name of the LDAP database attribute whose value contains the Patron Username or Patron Barcode in Alexandria. This MUST be one of the users' LDAP attributes. Common attribute names include uid, uidNumber, givenName, cn, and others.
Operator Usernames and Patron Barcodes must be unique across the system. Please ensure no patrons using Alexandria share a Patron Barcode with an Operator Username. |
Note: In a Centralized Catalog, these settings will apply to all sites.
Test your LDAP settings before saving. Attempting to connect to an invalid server (and other invalid settings), can cause the test to take several minutes before failing.
Test Login—Enter the test login.
Test Password—Enter the password for the test login.
Test—Clicking on this button initiates a test, which attempts to log into the LDAP server using the settings and credentials provided above.
More on Testing LDAP
If configured correctly, your users should be able to log into Alexandria using the same login credentials as configured on the directory server for their account. However, sometimes difficulty arises. In these cases, verify your preferences settings and test whether the Base DN and other information you have specified is accurate to your configuration.
We have found that Active Directory configurations seem to prefer binds using the user's CN while OSXs Open Directory prefers the uid (i.e. user identification).
The use of ldapsearch tool is suggested.
For example:ldapsearch -x -v -H ldap://LDAP.yourdomain.com -b"cn=users, dc=LDAP, dc=yourdomain, dc=com" -D"cn=testing user id, cn=users, dc=LDAP, dc=yourdomain, dc=com" -w the users password -ZZ
- NOTE - |
---|
| The -ZZ parameter requires successful connection utilizing StartTLS over port 389. If you have selected to Allow Non-Secure Connections, omit this in your testing with ldapsearch as well. |
Alternately, ldp.exe can be utilized for testing in a Windows environment.