An LDAP (Lightweight Directory Access Protocol) directory server holds each user’s account and password in one central place, so that multiple systems, such as your student information server, your campus email system, and your Finalsite website, can authenticate users against it instead of keeping their own copies of the password. LDAP integration is a straightforward, reliable way to let some or all of your constituents log into various school systems, including your Finalsite school website, with the same username and password issued by your domain’s LDAP server.
Some of the advantages of using an LDAP integration include:
- Simplified password management. Passwords are only stored in one place.
- Transparency for end users. Users don’t see anything different, or have to remember anything new.
- Customized per role. LDAP integration can be configured for individual constituent roles (e.g., students, faculty).
Note: Finalsite does not support updating LDAP passwords from Finalsite. We recommend disabling password updating in Finalsite for any constituent group that is LDAP-authenticated.
LDAP authentication process
1. A user enters their username and password on the school website login page.
2. The username is checked in the Finalsite constituent database.
3. If the username is valid, the Finalsite server connects (binds) to your LDAP directory service using a separate, predefined service account username and password. This connection is encrypted with TLS (LDAPS).
4. The Finalsite server searches your LDAP directory service for the user’s username.
5. If the username exists, the Finalsite server retrieves the unique LDAP details associated with that entry, in particular its distinguished name (DN).
6. The Finalsite server then binds to your LDAP directory service a second time, this time as that DN with the password the user entered. This connection is also encrypted.
7. If this second bind succeeds, the user is logged into the school website.
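The login sequence above, written out as an added example that is not Finalsite’s code: the website side is Python, and the school’s LDAP server is replaced by a constructed in-memory stub (StubDirectory) so the example runs offline. The function names, the two sample users and all passwords are invented for the example; the service DN reuses the placeholder from Other details below. The example makes two points the list leaves implicit: the username must be escaped (RFC 4515) before it goes into the search filter, otherwise a username such as `*` matches every entry in the directory, and an empty password must be refused before the second bind, because some directory servers (Active Directory by default) treat a DN with an empty password as an anonymous bind and report success.

```python
"""Two-stage LDAP login (service bind, search, user bind) with filter escaping.

The website side of the flow is real code; the directory is a constructed
in-memory stand-in for the school's LDAP server so the example runs offline.
"""
import re

# RFC 4515 escapes for characters that change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape user input so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(username: str, attr: str = "uid") -> str:
    """Build the search filter for step 4, e.g. (uid=jdoe) or (sAMAccountName=jdoe)."""
    return f"({attr}={escape_filter_value(username)})"


def _filter_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an LDAP assertion value (with * wildcards and \\xx escapes) to a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", pattern[i + 1:i + 3]):
            out.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))  # \2a -> literal *
            i += 3
        elif ch == "*":
            out.append(".*")  # an unescaped * is a wildcard
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return re.compile("".join(out))


class StubDirectory:
    """Constructed stand-in for the LDAP server: supports bind and a single-equality search."""

    def __init__(self, entries: dict, service_dn: str, service_password: str):
        self.entries = entries  # DN -> {"uid": ..., "password": ...}
        self.service = (service_dn, service_password)

    def bind(self, dn: str, password: str) -> bool:
        # Mimic servers (Active Directory by default) that treat a DN with an empty
        # password as an anonymous bind and report success.
        if password == "":
            return True
        if (dn, password) == self.service:
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry["password"] == password

    def search(self, filter_text: str) -> list:
        m = re.fullmatch(r"\((\w+)=(.*)\)", filter_text)
        if not m:
            raise ValueError(f"unsupported filter: {filter_text}")
        attr, pattern = m.groups()
        regex = _filter_pattern_to_regex(pattern)
        return [dn for dn, e in self.entries.items() if attr in e and regex.fullmatch(e[attr])]


# Constructed sample data: two directory users and a read-only service account.
CONSTITUENTS = {"jdoe", "asmith"}  # usernames known to the website's constituent database
DIRECTORY = StubDirectory(
    entries={
        "uid=jdoe,ou=people,dc=fnalsite,dc=com": {"uid": "jdoe", "password": "Winter-2024!"},
        "uid=asmith,ou=people,dc=fnalsite,dc=com": {"uid": "asmith", "password": "correct horse"},
    },
    service_dn="cn=FinalsiteUser,ou=Users,dc=fnalsite,dc=com",
    service_password="service-account-secret",
)


def authenticate(username: str, password: str, directory: StubDirectory = DIRECTORY,
                 constituents: set = CONSTITUENTS) -> bool:
    """Steps 2-7 of the flow: local check, service bind, search, then bind as the user."""
    if username not in constituents:                      # step 2
        return False
    if not directory.bind(*directory.service):            # step 3
        raise RuntimeError("service account bind failed")
    matches = directory.search(build_filter(username))    # step 4
    if len(matches) != 1:                                 # step 5: exactly one DN, or refuse
        return False
    if password == "":                                    # never send an empty password: an
        return False                                      # unauthenticated bind would "succeed"
    return directory.bind(matches[0], password)           # steps 6 and 7
```

Compare `DIRECTORY.search("(uid=*)")`, which returns both users, with `DIRECTORY.search(build_filter("*"))`, which returns nothing: the escaped filter `(uid=\2a)` looks for a literal asterisk. The same escaping applies whichever attribute (uid, sAMAccountName, userPrincipalName) you match the Constituent Manager username against.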
LDAP authentication requirements
In order for the Finalsite server to reach your LDAP directory service, your network and directory must meet the following conditions:
- Your LDAP directory service must be reachable from the public internet on a TCP port of your choice. The default port for LDAP over SSL/TLS (LDAPS) is 636. You may need to adjust your firewall to allow this access (and, as described under Whitelisting below, restrict it to Finalsite’s subnets).
- The server running your LDAP directory service must be reachable from the public internet by a fully qualified domain name (FQDN). Forward DNS resolution (name to IP) is required; reverse DNS (IP to name) is not. The FQDN must also be the name on your server’s certificate, or certificate verification will fail.
- Constituents must have a username in Constituent Manager that exactly matches a chosen attribute in your directory (uid, sAMAccountName, etc.). NO data is imported via the LDAP connection.
- The LDAPS connection must use TLS version 1.2 or later.
SSL digital certificates
In order for the Finalsite server to communicate with your LDAP directory service securely, your server must have a digital certificate installed. The certificate must be issued by a trusted third-party Certificate Authority (CA), so that it chains to a root CA the connecting party already trusts, and its subject or subject alternative name must match the FQDN the Finalsite server connects to.
Note: Self-signed certificates, and certificates issued by a private or internal CA that is not in the public trust stores (which therefore have no usable “chain of trust”), are not supported.
When you request a certificate from a third-party CA, we recommend that you speak to one of their qualified technical sales representatives and discuss:
- The specific purpose of the certificate: Server Authentication for secure LDAP (LDAPS)
- The operating system name and version on which your LDAP directory service runs (e.g., Microsoft Windows Server, Mac OS X Server, Red Hat Enterprise Linux)
- Details on how to request the certificate
- Software and tools needed to generate the certificate signing request
- Other administrative details they may require from you (e.g., documented proof of the nature of your organization)
- Details on how to install the certificate once it has been issued to you
Warning: Installing a digital certificate on your LDAP directory service ONLY confirms to the connecting party, in this case the Finalsite server, that your server is the legitimate host for that name. It does nothing to limit who may connect: without source-IP filtering on your firewall, anyone on the internet could attempt to connect to, bind to, or query your LDAP directory service.
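A way to check an LDAPS endpoint yourself for the requirements above, as an added example that is not Finalsite’s tooling: Python’s standard ssl module. build_ldaps_context carries the settings the page requires (a chain to a trusted root, a hostname match, TLS 1.2 or later); build_insecure_context is the common shortcut that makes a self-signed certificate “work”, included to show exactly what the warning above is about: with verification switched off the certificate no longer proves even the server’s identity. Function names and the default host are placeholders invented for this example.

```python
"""LDAPS pre-flight check: trusted chain, hostname match and TLS 1.2 or later."""
import socket
import ssl

LDAPS_PORT = 636


def build_ldaps_context() -> ssl.SSLContext:
    """TLS settings an LDAPS client should insist on (the page's requirements)."""
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 and 1.1
    return ctx


def build_insecure_context() -> ssl.SSLContext:
    """The shortcut taken to make a self-signed certificate 'work'. Do not use it:
    with verification off, any host answering on the port is accepted, so the
    certificate proves nothing about who you are talking to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True only if the context verifies the chain, checks the hostname and floors TLS at 1.2."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.check_hostname)
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a TLS connection to host:port and return what the server presented.

    Raises ssl.SSLCertVerificationError for a self-signed or privately issued
    certificate (no chain to a trusted root) or for a name that does not match
    `host`, and ssl.SSLError if the server cannot negotiate TLS 1.2 or later.
    Pass the FQDN from the certificate, not an IP address, or the hostname check fails.
    """
    ctx = build_ldaps_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()  # already verified by the time we get here
            return {
                "protocol": tls.version(),  # e.g. "TLSv1.2" or "TLSv1.3"
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "not_after": cert["notAfter"],
                "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            }


if __name__ == "__main__":
    import sys
    # Placeholder host from this page; replace with your own FQDN and port.
    target = sys.argv[1] if len(sys.argv) > 1 else "ldap.fnalsite.com"
    print(check_ldaps(target, int(sys.argv[2]) if len(sys.argv) > 2 else LDAPS_PORT))
```

Run it from outside your network against the FQDN and port you intend to give Finalsite. A clean result shows the issuer and the negotiated protocol; a self-signed or internal-CA certificate fails with a verification error, which is the same outcome a connecting party that verifies properly will see.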
Other details
For Finalsite to configure the settings in Integrated Services Manager in order to test and subsequently implement the LDAP integration, you will need to provide the following information:
- The FQDN of your server (e.g. ldap.fnalsite.com)
- The port number you have chosen (default: 636 for LDAP over SSL)
- The full DN of your test user (e.g., cn=FinalsiteUser,ou=Users,dc=fnalsite,dc=com)
- Alternatively (Active Directory only), the userPrincipalName of your test user (e.g. John.Doe@fnalsite.com). Please note that the userPrincipalName is NOT necessarily the user’s email address.
- The test user’s password
- The constituent groups for whom you will require LDAP authentication (e.g. “students and faculty, but not parents”)
Once testing has been completed, we recommend that you set up a dedicated account that the Finalsite server will use to search your LDAP directory. This account should be locked down (read-only access to the attributes that need to be searched, no interactive or remote logon rights, limited to the hosts that have to use it, and so on), as it should ONLY be used for LDAP searches in your directory.
Whitelisting
We recommend that you whitelist Finalsite’s subnets as a trusted source for your firewall configuration. Our Support/deployment team will provide you with that information at time of configuration.
Setup steps
LDAP integration may not always work on the first attempt, because several systems and settings have to be adjusted to make sure your LDAP directory is accessible from the outside, is secured with a digital certificate, and allows access only to Finalsite’s servers. We recommend working from “open to closed”: first attempt connections and searches with relatively few security settings in place, then add them one by one, “locking down” your LDAP directory service in the process.
Note: Proceed with caution. At NO time should your external firewall or other security measures be disabled.
As a best practice, use the following approach:
1. Determine which constituent groups require LDAP authentication and share this information with Finalsite.
2. Attempt to connect to your LDAP directory service from your internal network using a tool such as ldp.exe (Windows) or JXplorer. Do this over a plain (unencrypted) connection, on port 389 by default, and only from inside your network.
3. Carefully record the details Finalsite will need to connect (see Other details).
4. Obtain and install a digital certificate on your LDAP directory service.
5. Attempt to connect to your LDAP directory service from your internal network over a secure (LDAPS) connection using a third-party LDAP browser. (Softerra’s LDAP Administrator is recommended for this purpose, as it shows you which digital certificate the server returns.)
6. Configure your firewall and server to allow access to your LDAP directory service over a secure connection (on port 636, for example).
7. If possible, test this connection yourself from outside your organization, or allow the Finalsite team to test it.
8. Carefully record the details you used to test this connection.
9. Share the details recorded in steps 1, 3, and 8 with the Finalsite team.
10. In consultation with Finalsite, arrange a time for the Finalsite team to test your LDAP directory service over a secure connection.
11. Apply the security best practices below, then allow Finalsite to test again upon completion:
   - Lock down the user account you’ve created to search the directory.
   - Apply source-IP filtering so that only Finalsite’s servers can connect.
   - Apply advanced logging and other policies as necessary.
   - Disable all anonymous searching or binding.
Alternative authentication
Finalsite also offers support for Azure authentication, ADFS, and SAML authentication with most third-party identity platforms. If you are unable to meet the certificate requirements, or would prefer not to expose your LDAP server to the internet at all, one of these methods is the best alternative.
Find out more about ADFS Authentication in Active Directory (AD) integration.
Warning: Exposing your LDAP directory to the internet poses a security risk. It is recommended that you implement source-IP filtering on your firewall, so that any incoming connection to your LDAP directory service must originate from one of Finalsite’s IP addresses. It is also advised that you implement the security best practices recommended by your directory vendor, including but not limited to: account lockout policies; logging and tracking of connections and queries; and disabling all anonymous binding or searching of your directory, at all levels.