LDAP Authentication

Things to Set Up/Configure on Your End

  • enable SSL on your LDAP server
  • create an account we can use to look up a user’s first and last names, user ID, and email address (if you keep track of all of your users’ email addresses)
  • if your LDAP server is firewalled, you will need to allow all IP addresses of our clustered VCL web servers to access TCP port 636 (LDAPS) on your LDAP server:
    • 152.1.227.82
    • 152.1.227.83
    • 152.1.227.84
    • 152.1.227.85
    • 152.1.227.86
    • 152.1.227.87
    • 152.1.227.88
    • 152.1.227.89

Information We Need From You

  • hostname or IP address of your LDAP server
  • userid (full DN) and password for the account created above, which we use to look up information about your users
  • the bind DN to use when looking up users on your LDAP server
  • the attribute under which user IDs are listed, which we would use for searching (in Active Directory, this is usually “sAMAccountName”)

Optional User Group Management

Once we have LDAP authentication working with your server, you can optionally take things a step further and do some user group management. In VCL, user groups are used to grant access to resources. With many users, manually adding each user to a VCL user group is very time consuming. To make this easier, you can create an OU on your LDAP server under which you create user groups that we automatically mirror in VCL. You give us the name of the OU, and you can then manage the user groups with any scripts you already have on your end. For example, you could create an OU named OU=VCL,DC=myinst,DC=edu and create two user groups under it named pilotusers and pilotinstructors. Next, give us the name of the OU, and we’ll set up VCL to mirror the groups under it. Then, pilotusers and pilotinstructors can be granted access to resources in VCL, and when someone who is a member of one of those groups in your LDAP system logs in to VCL, that person will automatically see any resources the group has access to.

There are a couple of gotchas to be aware of with this. A group isn’t mirrored into VCL until someone who is a member of the group logs in to VCL. So, what we generally suggest is to add yourself as a member of each group. Then, when you log in, the groups will be mirrored in VCL so that you can grant them access to something. The second gotcha is that VCL caches your LDAP information for up to 24 hours. So, if you log in to VCL and then add yourself to a group on your LDAP server, you will have to wait up to 24 hours before VCL looks up your LDAP information again.
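As an added illustration of the two lookups described above (finding a user by the configured ID attribute, and deciding which of the user’s groups fall under the agreed OU and should be mirrored), the following example is not VCL’s own code. The attribute name, the OU=VCL,DC=myinst,DC=edu base, and the sample memberOf values are constructed for the example; a real deployment would hand the filter to its LDAP client library over the LDAPS (port 636) connection.

```python
# Added example, not part of VCL: build the user lookup filter safely and
# pick out the groups to mirror from a user's memberOf attribute.
from __future__ import annotations

from typing import Iterable


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as 'jdoe)(objectClass=*' would rewrite
    the filter instead of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value
    )


def user_lookup_filter(uid_attribute: str, userid: str) -> str:
    """Filter the lookup account searches with, e.g. (sAMAccountName=jdoe)."""
    return f"({uid_attribute}={escape_filter_value(userid)})"


def normalize_dn(dn: str) -> str:
    # Compare DNs case-insensitively and ignore whitespace after commas.
    # Simplification: values containing an escaped comma are not handled.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_to_mirror(member_of: Iterable[str], group_ou: str) -> list[str]:
    """Return the CN of every group sitting directly under group_ou.

    Groups anywhere else in the directory are ignored, so only the OU the
    institution handed over can drive VCL group membership.
    """
    wanted_parent = normalize_dn(group_ou)
    names: list[str] = []
    for dn in member_of:
        parts = [p.strip() for p in dn.split(",")]
        if len(parts) < 2:
            continue
        rdn, parent = parts[0], ",".join(parts[1:])
        if normalize_dn(parent) == wanted_parent and rdn.lower().startswith("cn="):
            names.append(rdn[3:])
    return names


if __name__ == "__main__":
    # Constructed sample: one group under the VCL OU, one elsewhere.
    sample = ["CN=pilotusers,OU=VCL,DC=myinst,DC=edu",
              "CN=Domain Users,CN=Users,DC=myinst,DC=edu"]
    print(user_lookup_filter("sAMAccountName", "jdoe"))
    print(groups_to_mirror(sample, "OU=VCL,DC=myinst,DC=edu"))
```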