LDAP User Authentication Setup
Your Edlio admin site can be configured to authenticate users through your existing LDAP infrastructure.
LDAP Security
- For operational security considerations, all requests will come from our IP block, which allows for entries in ACLs to limit exposure.
- We're absolutely able to use LDAPS / SSL connections to ensure encryption in transit, and our database is fully encrypted at rest.
- Additionally, we have Intrusion Detection Systems (IDS) systems in place at multiple levels within the network, and an extensive logging framework with automated audits to look for anomalies.
How can I set up LDAP authentication for my Edlio admin site?
1. Whitelist IP Addresses
Whitelist our IP address on the client firewall to permit our system to communicate with the server(s):
- Whitelist
ldap-secure.edlio.net
and let us know this has been done. - That address should have access to TCP/UDP port 389 or 636. If unsure, open both ports.
2. Create Look-up Account
Create a read-only "lookup" account for us with permissions that allow it to read data (e.g., name, address, telephone) to populate the profile of any user that logs in through LDAP.
3. Return Unique GUID Per User
Every user that will log into the Edlio CMS using LDAP will need to return a unique GUID on directory lookups.
Each vendor calls refers to this property by the following terms:
- Active Directory: 'objectGUID'
- Oracle: 'orclobjectguid'
- Novell: 'uid'
4. Contact Edlio Support with required info
Submit a support case to Edlio with the following information, so we can complete the necessary set up steps on our end:
- Vendor and version of the LDAP server (we support Active Directory, Oracle Internet Directory, and Novell eDirectory)
- Host address
- Protocol (LDAP or LDAPS)
- Port (389 or 636) of the LDAP server
- Search base; resembles: OU=___,DC=____,DC=____
- Lookup Distinguished Name (DN); resembles: CN=____,OU=___,DC=____,DC=____
- Lookup Password
Additional Steps
These steps are optional but highly recommended.
Once the initial LDAP connection has been set up, there are additional steps that can be taken to give you better control over user management.
Add Authentication Filters
Add one or more LDAP Security or Distribution Groups that we can restrict each site to. The result will limit access to only the users you want to have access, as opposed to the entire Search Base.
As an example, districts will often have an LDAP group defined per location/school and an Administrators group, we will then add a filter for each school site to only allow the group defined plus the administrators.
Add User Group Filters
We're able to automatically provide CMS privileges based on basic criteria (filters) around LDAP Groups. A few examples:
- "Website Administrator" privileges can be granted to users who are members of the "Administrators" group within your LDAP.
- "Teachers" privileges granted to members of a "Teachers" LDAP group.
- Automatic access to Password Protected Pages for users within an LDAP group named after their department.
We're quite flexible with how the filtering works and support basic conditional logic (and, or, not).