LDAP Authentication enables Faculty Success to check user credentials against a campus-wide directory. Users will visit a Faculty Success login page for your campus, where they will enter a username and password. These credentials are then passed on to your campus-wide account management system for verification.
To use LDAP Authentication, your campus must have a deployed account management system, such as Microsoft's Active Directory, Oracle's Internet Directory, Novell eDirectory, or one of many other LDAP servers.
Users visit a Faculty Success login page and make an authentication attempt. Faculty Success connects to your directory server and attempts to authenticate against it with the authentication information provided by the user. The user is allowed into Faculty Success if the authentication attempt is successful and a Faculty Success account for the person exists.
LDAP Authentication lets your users use their campus credentials to access Faculty Success. Unlike an integrated portal solution, users must log in using the Faculty Success login page. However, they use their normal campus username and password, which Faculty Success checks using a secure connection to your campus’s server.
Although user credentials are sent over a secure connection, they still must pass through Faculty Success servers and you must make a rule allowing this connection in your campus's firewall. A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.
Some of the individuals tracked in Faculty Success may not have accounts in your campus system. In addition, you may wish to leave some administrator accounts on the Faculty Success default, Local Authentication, so that they can still access Faculty Success even if the connection to your campus server fails. You will need to provide a list of those user accounts that should continue to use the default, Local Authentication.
Only one LDAP Authentication server can be in place per institution at one time.
Requirements
LDAP Authentication requires that your campus configure its firewall so it allows requests:
- Over any of the following ports:
  - 636 (LDAP over SSL)
  - 1636 (LDAP over SSL, alternate)
  - 3269 (LDAP over SSL, Microsoft Global Catalog Server)
  - 389 (LDAP with TLS)
  - 1389 (LDAP with TLS, alternate)
  - 3268 (LDAP with TLS, Microsoft Global Catalog Server)

  Note that either SSL or TLS is required; Faculty Success does not support unencrypted LDAP Authentication.
- From the following Faculty Success IP addresses:
  - 13.56.61.123
  - 34.230.162.194
  - 35.168.130.197
Your campus will also need to create an account on that server for Faculty Success to access the campus server.
Implementation Details
Once your technical staff has completed the required steps, they will need to provide you with the following technical details for the campus server:
- Domain name or IP address of the LDAP server
- LDAP server's port
- LDAP server's X.509 certificate chain, encoded as ASN.1 DER, if using options 2 or 3 below.
Faculty Success supports the following certificate authorities, in order of preference:
1. Any certificate authority trusted by the Mozilla project
2. A campus certificate authority
3. A self-signed certificate
Note: Any certificate issued must list the hostname or IP address that Faculty Success uses to find and connect to your server as the certificate's hostname or as a subject alternative name. Additionally, options 2 and 3, above, require you, as the Faculty Success Administrator, to perform ongoing work. You must provide Faculty Success with the full chain of X.509 certificates in ASN.1 DER format to connect to your LDAP server, and notify Faculty Success each time any certificate in the chain is renewed or replaced.
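The two checks that most often go wrong when these details are handed over are the port (is it one of the encrypted-only ports above?) and the certificate name (does it actually name the host or IP that will be used to connect?). The following is an added example, not Faculty Success's code, of a pre-flight validator for a submitted configuration. The port sets and the three source addresses are the ones listed on this page; the certificate values passed in are constructed samples, and the name-matching rules (exact match, or a single `*` standing for the whole left-most label; IP targets must match an IP alternative name) follow the usual RFC 6125 conventions rather than any Faculty Success behaviour.

```python
"""Pre-flight checks on a submitted LDAP configuration (added example)."""
import ipaddress

# Ports from the Requirements section and the protection each implies.
LDAPS_PORTS = {636, 1636, 3269}      # TLS from the first byte ("LDAP over SSL")
STARTTLS_PORTS = {389, 1389, 3268}   # plain connect, then mandatory TLS upgrade
FACULTY_SUCCESS_SOURCES = ["13.56.61.123", "34.230.162.194", "35.168.130.197"]


def connection_mode(port: int) -> str:
    """Map a port to the encryption mode it implies; anything else is rejected."""
    if port in LDAPS_PORTS:
        return "ldaps"
    if port in STARTTLS_PORTS:
        return "starttls"
    raise ValueError(f"port {port} is not one of the supported encrypted LDAP ports")


def _label_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate DNS name with the target hostname.
    A '*' may replace only the entire left-most label (e.g. *.example.edu)."""
    p = pattern.lower().split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def certificate_covers(target: str, san_dns=(), san_ip=(), subject_cn=None) -> bool:
    """True if the name or IP used to reach the server appears in the certificate.
    Subject alternative names are authoritative; the CN is only a fallback when
    the certificate carries no DNS alternative names at all."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target must appear as an iPAddress SAN; DNS names never cover it.
        return any(ipaddress.ip_address(s) == ip for s in san_ip)
    if san_dns:
        return any(_label_matches(name, target) for name in san_dns)
    return subject_cn is not None and _label_matches(subject_cn, target)


def check_submission(host: str, port: int, san_dns=(), san_ip=(), subject_cn=None):
    """Return a list of problems; an empty list means the submission passes."""
    problems = []
    try:
        connection_mode(port)
    except ValueError as err:
        problems.append(str(err))
    if not certificate_covers(host, san_dns, san_ip, subject_cn):
        problems.append(f"certificate does not name {host!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: a campus wildcard certificate reached via StartTLS on 389.
    print(check_submission("ldap.example.edu", 389, san_dns=["*.example.edu"]))
    # Constructed sample: connecting by IP with a certificate that only names a host.
    print(check_submission("10.0.0.5", 636, san_dns=["ldap.example.edu"]))
```

The firewall side is the mirror image of `FACULTY_SUCCESS_SOURCES`: the allow rule should admit only those three addresses to the chosen port, and nothing else.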
- Account credentials for Faculty Success to access the campus server.
- DN and password for a permanent test account.
- Preferred DN conversion method and details:
  - If Pattern:
    - String used to construct DN
  - If Anonymous Search:
    - String used to construct search criteria
    - One or more parent DNs to search under
  - If Authenticated Search:
    - DN and password to bind with when searching
    - String used to construct search criteria
    - One or more parent DNs to search under
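The three DN conversion methods listed above differ in how the username typed on the login page is turned into the DN that is then bound with the user's password. The following is an added illustration, not Faculty Success's code, run against a constructed in-memory stand-in for a campus directory (the DNs, accounts and passwords in it are sample values). The `{username}` placeholder in the pattern and filter strings is an assumption made for this example. Because the username is user-controlled text spliced into a DN or a search filter, the example escapes it per RFC 4514 (DN values) and RFC 4515 (filter values); the test at the end shows why: an unescaped `*` turns `(uid=*)` into a wildcard that matches every account, whereas the escaped form matches nothing.

```python
"""Pattern, Anonymous Search and Authenticated Search DN conversion (added example)."""
import re
from typing import Optional

# --- constructed sample directory (not real accounts) --------------------
SAMPLE_DIRECTORY = {
    "uid=jdoe,ou=faculty,dc=example,dc=edu": {"uid": "jdoe"},
    "uid=asmith,ou=staff,dc=example,dc=edu": {"uid": "asmith"},
    "uid=svc-fs,ou=service,dc=example,dc=edu": {"uid": "svc-fs"},
}
SAMPLE_PASSWORDS = {
    "uid=jdoe,ou=faculty,dc=example,dc=edu": "jdoe-pw",
    "uid=asmith,ou=staff,dc=example,dc=edu": "asmith-pw",
    "uid=svc-fs,ou=service,dc=example,dc=edu": "svc-pw",
}


def bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind: succeeds only on correct credentials."""
    return SAMPLE_PASSWORDS.get(dn) == password


# --- escaping of user-supplied text --------------------------------------
_DN_SPECIAL = {c: "\\" + c for c in ',+"\\<>;='}
_DN_SPECIAL["\0"] = "\\00"


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value spliced into a DN pattern."""
    chars = [_DN_SPECIAL.get(c, c) for c in value]
    if chars and chars[0] in (" ", "#"):      # leading space or '#' is special
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":   # so is a trailing space
        chars[-1] = "\\ "
    return "".join(chars)


_FILTER_SPECIAL = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join(_FILTER_SPECIAL.get(c, c) for c in value)


# --- minimal filter evaluator for the stand-in directory ------------------
_EQ_FILTER = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def search(base_dns, ldap_filter: str):
    """DNs under any base whose attribute satisfies a single (attr=value) filter.
    As in real LDAP, an unescaped '*' in the value is a substring wildcard."""
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, pattern = m.group(1), m.group(2)
    pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
    regex = re.compile("^" + ".*".join(pieces) + "$")
    return [dn for dn, attrs in SAMPLE_DIRECTORY.items()
            if any(dn.endswith("," + base) for base in base_dns)
            and attr in attrs and regex.match(attrs[attr])]


# --- the three conversion methods ----------------------------------------
def dn_by_pattern(username: str, pattern: str) -> str:
    """'Pattern': the DN is built directly from the username, no search needed."""
    return pattern.replace("{username}", escape_dn_value(username))


def dn_by_search(username: str, bases, filter_template: str,
                 bind_dn: Optional[str] = None, bind_password: Optional[str] = None) -> Optional[str]:
    """'Anonymous Search' (no bind_dn) or 'Authenticated Search' (bind first).
    The DN is returned only when exactly one entry matches; zero or several
    matches are treated as a failed lookup."""
    if bind_dn is not None and not bind(bind_dn, bind_password or ""):
        raise PermissionError("search account bind failed")
    ldap_filter = filter_template.replace("{username}", escape_filter_value(username))
    hits = search(bases, ldap_filter)
    return hits[0] if len(hits) == 1 else None


def authenticate(username: str, password: str, resolve) -> bool:
    """The login flow described above: resolve the username to a DN, then bind as it."""
    dn = resolve(username)
    return dn is not None and bind(dn, password)


if __name__ == "__main__":
    bases = ["ou=faculty,dc=example,dc=edu", "ou=staff,dc=example,dc=edu"]
    print(authenticate("jdoe", "jdoe-pw", lambda u: dn_by_search(u, bases, "(uid={username})")))
```

The `search` stand-in deliberately honours `*` as a wildcard so that the difference between an escaped and an unescaped username is visible; a real directory behaves the same way, which is why the escaping functions sit between the login form and the filter or DN string.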
Once you have received this information, submit a General work request with it and your list of excluded users. Faculty Success will complete the necessary work to configure LDAP Authentication for you in Faculty Success. Faculty Success will contact you when we have made the change and will ask you to confirm the date on which we should switch the user accounts to LDAP Authentication.
Note: Once LDAP Authentication is in place, users will continue to use the same Faculty Success login page to authenticate, but they may use a different username to do so than they did previously. Take a moment to review the login page and evaluate whether you would like to make any modifications to convey more clearly the username users should use to authenticate. See “Logging In to Faculty Success” in Chapter 2: Navigating Faculty Success for more information.
Warning: Submit the account Faculty Success will use to access your server in an attachment to the work request, rather than in the work request note itself. When Faculty Success responds to one of your work requests, we generate a notification to alert you that the request is awaiting your response. This notification email will include the text from the original work request note. As attachments to work requests are never included in the notification email, including passwords and other sensitive details in an attachment will ensure that these always remain within the secure Work Requests utility.