For operational security considerations, all requests will come from our IP block, which allows for entries in ACLs to limit exposure. We're absolutely able to use LDAPS / SSL connections to ensure encryption in transit, and our database is fully encrypted at rest. Additionally, we have Intrusion Detection Systems (IDS) in place at multiple levels within the network, and an extensive logging framework with automated audits to look for anomalies.
To get started with integrating existing LDAP infrastructure with the Edlio CMS, please do the following on your end:
1. Whitelist our IP addresses on the client firewall to permit our system to communicate with the server(s):
(if your firewall can't accept logical names then please have it whitelist the IP range 220.127.116.11/24 and let us know this has been done).
That address should have access to TCP/UDP port 389 or 636. If unsure, open both ports.
2. Create a read-only "lookup" account for us with permissions that allow it to read data (e.g., name, address, telephone) to populate the profile of any user that logs in through LDAP.
3. Locate the following information:
- Vendor and version of the LDAP server (we support Active Directory, Oracle Internet Directory, and Novell eDirectory)
- Host address
- Port (389 or 636) of the LDAP server
- Search base
- Lookup DN (Distinguished Name)
- Lookup Password
4. Every user that will log into the Edlio CMS using LDAP will need to return a unique GUID on directory lookups. Each vendor refers to this property by the following name:
- Active Directory: 'objectGUID'
- Oracle: 'orclobjectguid'
- Novell: 'uid'
5. Next steps are optional, but highly recommended.
a. Authentication Filters
Essentially, this is one or more LDAP Security or Distribution Groups that we can restrict each site to, so that access is limited to the users you want rather than the entire Search Base. For example, districts often have an LDAP group per location / school plus an Administrators group; we then add a filter for each school site that allows only that school's group plus the administrators.
Example: (|(memberOf:1.2.840.113556.1.4.1941:=CN=TSD Users,OU=groups,DC=k12,DC=mi,DC=us)(sAMAccountName=edlio))
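The following is an added example, not Edlio's own code, showing how a per-site authentication filter of the kind above is assembled safely and how the vendor-specific unique id from step 4 is read back from a lookup. It uses Active Directory's nested-membership matching rule (LDAP_MATCHING_RULE_IN_CHAIN, OID 1.2.840.113556.1.4.1941) in the memberOf clause, escapes every value per RFC 4515 so a crafted login name cannot rewrite the filter, and decodes the 16 raw bytes that Active Directory returns for objectGUID. The group DNs, account names and sample entries are constructed.

```python
"""Added example, not Edlio's own code: build the per-site authentication filter
described in step 5a and read the per-vendor unique id from step 4.
Group DNs, account names and the sample entries below are constructed."""
import uuid

# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule: matches nested group
# membership, so users in sub-groups of the allowed group also pass the filter.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Attribute holding each vendor's unique GUID (step 4 of the page).
GUID_ATTRIBUTE = {
    "active_directory": "objectGUID",
    "oracle": "orclobjectguid",
    "novell": "uid",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3).
    Without escaping, a login such as 'a)(objectClass=*' would rewrite the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_site_filter(allowed_group_dns, extra_accounts=()):
    """OR together the allowed groups (nested membership) and any explicitly
    allowed account names, e.g. a shared support account."""
    clauses = [
        "(memberOf:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(dn))
        for dn in allowed_group_dns
    ]
    clauses += [
        "(sAMAccountName=%s)" % escape_filter_value(name) for name in extra_accounts
    ]
    return "(|" + "".join(clauses) + ")"


def build_login_filter(login: str, site_filter: str) -> str:
    """Restrict the login lookup to accounts that also satisfy the site filter."""
    return "(&(sAMAccountName=%s)%s)" % (escape_filter_value(login), site_filter)


def unique_id_from_entry(vendor: str, entry: dict) -> str:
    """Return the directory's stable unique id for an entry as a string.
    `entry` is an attribute -> value mapping as returned by a directory lookup;
    values may be bytes or str, and list-valued attributes use the first value."""
    attr = GUID_ATTRIBUTE[vendor]
    value = entry[attr]
    if isinstance(value, (list, tuple)):
        value = value[0]
    if attr == "objectGUID" and isinstance(value, (bytes, bytearray)):
        # Active Directory returns objectGUID as 16 raw bytes with the first three
        # fields little-endian; uuid.UUID(bytes_le=...) yields the canonical text.
        return str(uuid.UUID(bytes_le=bytes(value)))
    if isinstance(value, (bytes, bytearray)):
        return value.decode("utf-8")
    return str(value)


if __name__ == "__main__":
    # Constructed sample: one allowed school group plus one explicitly allowed account.
    site = build_site_filter(
        ["CN=TSD Users,OU=groups,DC=k12,DC=mi,DC=us"], ["edlio"]
    )
    print(site)
    print(build_login_filter("jdoe", site))
    print(unique_id_from_entry("active_directory", {"objectGUID": [bytes(range(16))]}))
```

The login filter is the site filter ANDed with the account lookup, so a user outside the allowed groups simply produces no entry rather than an authenticated session; the escaping step is what keeps user-supplied login names from closing the parenthesis and widening that lookup.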
b. User Group filters
We're able to automatically provide CMS privileges based on basic criteria (filters) around LDAP Groups. A few examples:
- "Website Administrator" privileges can be granted to users who are members of the "Administrators" group within your LDAP.
- "Teachers" privileges granted to members of a "Teachers" LDAP group.
- Automatic access to Password Protected Pages for users within an LDAP group named after their department.
We're quite flexible with how the filtering works and support basic conditional logic (and, or, not).
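As an added illustration (not Edlio's own code), the block below evaluates group-based privilege rules like the ones listed above against a user's memberOf values, supporting the and / or / not conditional logic mentioned, and derives password-protected page access from department groups. The group DNs, rule names, OU layout and sample memberships are constructed for the example.

```python
"""Added example, not Edlio's own code: evaluate group-based CMS privilege rules
(step 5b) against a user's memberOf values with and/or/not logic.
The group DNs, rule names and sample memberships below are constructed."""
import re

# Constructed group DNs used by the example rules.
ADMINS = "CN=Administrators,OU=groups,DC=k12,DC=mi,DC=us"
TEACHERS = "CN=Teachers,OU=groups,DC=k12,DC=mi,DC=us"
DISABLED = "CN=Disabled Accounts,OU=groups,DC=k12,DC=mi,DC=us"
SCIENCE = "CN=Science,OU=departments,DC=k12,DC=mi,DC=us"

# A rule is either a group DN (the user must be a member) or a tuple whose
# first element is "and", "or" or "not", followed by sub-rules.
PRIVILEGE_RULES = {
    "website_administrator": ("and", ADMINS, ("not", DISABLED)),
    "teacher": ("and", ("or", TEACHERS, ADMINS), ("not", DISABLED)),
}


def matches(rule, groups: set) -> bool:
    """Evaluate one rule against a set of lower-cased group DNs."""
    if isinstance(rule, str):
        return rule.lower() in groups  # DN comparison is case-insensitive
    op, *subrules = rule
    if op == "and":
        return all(matches(r, groups) for r in subrules)
    if op == "or":
        return any(matches(r, groups) for r in subrules)
    if op == "not":
        if len(subrules) != 1:
            raise ValueError("'not' takes exactly one sub-rule")
        return not matches(subrules[0], groups)
    raise ValueError("unknown operator %r" % op)


def privileges_for(member_of, rules=PRIVILEGE_RULES):
    """Return the sorted privilege names a user earns from their memberOf values."""
    groups = {dn.lower() for dn in member_of}
    return sorted(name for name, rule in rules.items() if matches(rule, groups))


# First RDN of a DN, honouring backslash-escaped characters such as "\,".
_CN_RE = re.compile(r"^CN=((?:\\.|[^,\\])*)", re.IGNORECASE)


def department_pages(member_of):
    """Password-protected pages are unlocked per department: any group under the
    (constructed) OU=departments container grants the page named after its CN."""
    pages = set()
    for dn in member_of:
        if ",ou=departments," not in dn.lower():
            continue
        m = _CN_RE.match(dn)
        if m:
            pages.add(m.group(1).replace("\\,", ","))
    return sorted(pages)


if __name__ == "__main__":
    # Constructed sample memberships.
    teacher = [TEACHERS, SCIENCE]
    disabled_admin = [ADMINS, DISABLED]
    print(privileges_for(teacher), department_pages(teacher))
    print(privileges_for(disabled_admin), department_pages(disabled_admin))
```

Keeping the rules as data rather than code means a district can change which group grants which privilege without touching the evaluator, and the explicit "not" branch is what lets a disabled-accounts group override every grant.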