Configuring LDAP
You can configure the Lightweight Directory Access Protocol (LDAP) settings any time after the initial library configuration.
The library supports all LDAP servers. You can also use Kerberos for added security. If you want to configure Kerberos, follow the LDAP configuration steps below, and also see Configuring Kerberos.
NOTES ON CONFIGURING SECURE LDAP: You can configure Secure LDAP using one of two methods (do not use both). Both methods are described in detail below.
- LDAPS — Uses Secure Sockets Layer (SSL) over a specific port for LDAP (636). This method has been deprecated in favor of using StartTLS.
- StartTLS — Uses Transport Layer Security (TLS) over the same port as regular LDAP (389).
Additionally, if you are using one of these methods, you can also Install a TLS CA certificate for additional verification of the LDAP server.

NOTE: This operation should not be performed concurrently by multiple administrators logged in from different locations. You can access the appropriate screens, but you cannot apply changes while another administrator is performing the same operation.
You need administrator privileges to configure LDAP.
1. From the Setup menu, select User Management > Remote Authentication.
   The Setup - Remote Authentication screen displays.
2. Under Authentication Type, do one of the following:
   - To enable LDAP, select LDAP and continue with step 3.
   - To disable LDAP, select Local Only and continue with step 4.
   - To modify LDAP configuration settings, continue with step 3.
3. Enter the LDAP configuration parameters. Obtain the required information from your network administrator.
   - Server URI — The Uniform Resource Identifier (URI) of the LDAP server where user account information is stored. The URI includes the LDAP server host name or IP address and can include the LDAP server network port. Port 389 is the default.
     - LDAPS — Optional. You may enable LDAP over SSL (LDAPS) by entering a URI in the form of "ldaps://hostname" in the Server URI field. This will use SSL to send secure communication via port 636. If the LDAP server does not support LDAPS or does not have LDAPS enabled, then login operations will fail. LDAPS has been deprecated in favor of using StartTLS (see the option below). Do not use LDAPS if you are using StartTLS. Once you apply LDAPS, StartTLS will not be available.
   - StartTLS — Optional. Select this check box to configure secure LDAP communication using TLS. StartTLS uses the same port as regular LDAP (389). If TLS mode is not supported on your LDAP server, then login operations will fail. Do not use StartTLS if you want to use LDAPS.
   - Install TLS CA Certificate — Optional. For additional security, you can install a TLS CA certificate. If the certificate is installed, the library verifies that the LDAP server has not been compromised. The certificate must be the same certificate that is installed on your LDAP server and must be in .pem format. The maximum size the file can be is 4 KB. The library will only perform the verification if you have configured Secure LDAP (either LDAPS or StartTLS). Place a copy of the certificate file in an accessible location on your computer and use the Browse button to locate and install it.
   - Remove TLS CA Certificate — Once a certificate is installed, you can remove it by selecting this check box. The certificate will be removed after you click Apply.
   - Principal — An LDAP user login ID with permissions to search the LDAP directory. The library logs into LDAP using this ID.
   - Password — The password for the principal authorization login ID.
   - User DN — The Fully Qualified Distinguished Name that contains the users.
     For example: cn=users,ou=system,dc=mycompany,dc=com
   - Group DN — The Fully Qualified Distinguished Name that contains the groups.
     For example: cn=groups,ou=system,dc=mycompany,dc=com
   - Library User Group — The value of the Common Name attribute for the group entry on the LDAP server associated with library users who have user-level privileges (see Working With Local User Accounts for more information on privilege levels). This group must exist on your LDAP server (see LDAP Server Guidelines for more information).
     For example: usergroup
   - Library Admin Group — The value of the Common Name attribute for the group entry on the LDAP server associated with library users who have administrator privileges (see Working With Local User Accounts for more information on privilege levels). This group must exist on your LDAP server (see LDAP Server Guidelines for more information).
     For example: admingroup
4. Click Apply to make the changes.
   The Progress Window displays. The Progress Window contains information on the action, elapsed time, and status of the requested operation. Do one of the following:
   - If Success displays in the Progress Window, the LDAP settings were successfully applied. Click Close to close the Progress Window. Do one of the following:
     - If you enabled LDAP or modified LDAP settings, continue with step 5.
     - If you disabled LDAP, continue with step 6.
   - If Failure displays in the Progress Window, the LDAP settings were not successfully applied. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
5. To test all the new or changed LDAP settings, do the following:
   - Make sure to click Apply to save your changes before testing. Otherwise, any changes you made will be lost and will not be tested.
   - Obtain the user name and password of someone who is a member of both the Library User Group and the Library Admin Group on the LDAP server. You may need to create a special or temporary user specifically for this purpose.
   - Type the user name and password into their respective text boxes and click Test Settings.
     The Progress Window displays. The Progress Window contains information on the action, elapsed time, and status of the requested operation. Do one of the following:
     - If Success displays in the Progress Window, the LDAP Test was successful. Click Close to close the Progress Window. Continue to the next step.
     - If Failure displays in the Progress Window, the LDAP Test failed. Follow the instructions listed in the Progress Window to resolve any issues that occurred during the operation.
6. Save the library configuration.
   For instructions on how to save the library configuration, see Saving the Configuration.
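A pre-flight check for the values entered in step 3, added here as an example; it is not the library's own code. It encodes the rules stated above (default port 389, LDAPS implies 636, LDAPS and StartTLS are mutually exclusive, the CA certificate must be PEM and at most 4 KB and is only verified when Secure LDAP is on) and assumes the config dict field names, that each group entry sits at cn=<group>,<Group DN>, and a constructed placeholder PEM body (not a real certificate).

```python
import ssl
from urllib.parse import urlsplit

MAX_CA_CERT_BYTES = 4 * 1024  # the page's 4 KB limit on the TLS CA certificate file

def parse_server_uri(uri):
    """Split the Server URI into (scheme, host, port); default port 389 for ldap, 636 for ldaps."""
    parts = urlsplit(uri)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"Server URI must look like ldap://host[:port] or ldaps://host: {uri!r}")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return parts.scheme, parts.hostname, port

def secure_mode(uri, starttls):
    """Return 'ldaps', 'starttls' or 'none'; LDAPS together with StartTLS is a configuration error."""
    scheme, _host, _port = parse_server_uri(uri)
    if scheme == "ldaps" and starttls:
        raise ValueError("LDAPS and StartTLS are mutually exclusive; configure only one")
    return "ldaps" if scheme == "ldaps" else ("starttls" if starttls else "none")

def ca_cert_will_be_verified(pem_text, mode):
    """True only if the file is PEM-framed, within 4 KB, and Secure LDAP is on (otherwise it is ignored)."""
    if len(pem_text.encode("utf-8")) > MAX_CA_CERT_BYTES:
        raise ValueError("TLS CA certificate file exceeds 4 KB")
    ssl.PEM_cert_to_DER_cert(pem_text)  # raises ValueError unless BEGIN/END CERTIFICATE framing is present
    return mode != "none"

def group_entry_dn(group_cn, group_dn):
    """DN of the group entry the library looks for: the Common Name under the configured Group DN (assumed layout)."""
    return f"cn={group_cn},{group_dn}"

def validate_config(cfg):
    """Run every check over a config dict keyed by the page's field names (assumed key names)."""
    _scheme, host, port = parse_server_uri(cfg["server_uri"])
    mode = secure_mode(cfg["server_uri"], cfg["starttls"])
    verified = bool(cfg.get("ca_cert_pem")) and ca_cert_will_be_verified(cfg["ca_cert_pem"], mode)
    return {"host": host, "port": port, "secure_mode": mode, "ca_verified": verified,
            "user_group_dn": group_entry_dn(cfg["library_user_group"], cfg["group_dn"]),
            "admin_group_dn": group_entry_dn(cfg["library_admin_group"], cfg["group_dn"])}

# Constructed sample using the page's example DNs and group names; the PEM body is a placeholder, not real certificate data.
CONSTRUCTED_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                      "cGxhY2Vob2xkZXI=\n"  # base64 of "placeholder"
                      "-----END CERTIFICATE-----\n")
SAMPLE_CONFIG = {
    "server_uri": "ldap://ldap.mycompany.com", "starttls": True, "ca_cert_pem": CONSTRUCTED_CA_PEM,
    "group_dn": "cn=groups,ou=system,dc=mycompany,dc=com",
    "library_user_group": "usergroup", "library_admin_group": "admingroup",
}
```

Running validate_config(SAMPLE_CONFIG) reports host, port and secure mode, whether the CA certificate will actually be verified, and the two group entry DNs to confirm on the server before you click Apply.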