LDAP Authentication

Things to Set Up/Configure on Your End

  • enable SSL (LDAPS, tcp port 636) on your LDAP server
  • create an account we can use to look up a user’s first and last names, user id, and email address (if you keep track of all of your users’ email addresses)
  • if your LDAP server is firewalled, you will need to allow the IP addresses of all of our clustered VCL web servers to access tcp port 636 on your LDAP server:
    • 152.1.227.82
    • 152.1.227.83
    • 152.1.227.84
    • 152.1.227.85
    • 152.1.227.86
    • 152.1.227.87
    • 152.1.227.88
    • 152.1.227.89

Information We Need From You

  • hostname or IP address of your LDAP server
  • userid (full DN) and password of the account created above, which we use to look up information about your users
  • the bind DN to use as the search base when looking up users on your LDAP server
  • the attribute that holds your users’ ids, which we will search on (in Active Directory, this is usually “sAMAccountName”)

Optional User Group Management

Once we have LDAP authentication working with your server, you can optionally take things a step further and do some user group management. In VCL, user groups are used to grant access to resources. With many users, it is very time consuming to manually add each user to a VCL user group. To make this easier, you can create an OU on your LDAP server under which you create user groups that we can automatically mirror in VCL. You then give us the name of the OU, and you manage the user groups with whatever scripts you already have on your end. For example, you could create an OU named OU=VCL,DC=myinst,DC=edu and create two user groups under it named pilotusers and pilotinstructors. Next, give us the name of the OU, and we will set up VCL to mirror the groups under that OU. Then pilotusers and pilotinstructors can be granted access to resources in VCL, and when someone who is a member of one of those groups in your LDAP system logs in to VCL, that person will automatically see any resources the group has access to.

There is one gotcha to be aware of with this. A group is not mirrored into VCL until someone who is a member of the group logs in to VCL or is looked up under User Lookup. So, when you create a new group, we recommend looking up one of its members under User Lookup. If that user has recently been looked up or has logged in to VCL, you may need to check the checkbox that forces a fresh lookup of the user data in LDAP.
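A small pre-flight check covering the items in both lists above, added here as an example and not part of VCL's own code: it builds the user lookup filter with the login id escaped (so a typed login id cannot reshape the search our privileged account runs), keeps only the groups that sit directly under the OU to be mirrored, and opens a verified TLS connection to port 636 the way a client on the VCL web servers would. Function names are my own; the DNs below are the constructed ones from this page's example, and ldaps_subject_cn needs network access to your server.

```python
import socket
import ssl

# RFC 4515 escaping for the login id a user types into the VCL login form.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_lookup_filter(login_attr: str, login_id: str) -> str:
    """Filter for one user, e.g. (sAMAccountName=jdoe) on Active Directory."""
    return f"({login_attr}={escape_filter_value(login_id)})"

def split_dn(dn: str) -> list:
    """Split a DN into its RDNs, honouring backslash-escaped commas in values."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def groups_directly_under(group_dns: list, ou_dn: str) -> list:
    """Names of groups immediately under the mirrored OU; sub-OUs are left out."""
    ou = [rdn.lower() for rdn in split_dn(ou_dn)]
    names = []
    for dn in group_dns:
        rdns = split_dn(dn)
        if len(rdns) == len(ou) + 1 and [r.lower() for r in rdns[1:]] == ou:
            names.append(rdns[0].partition("=")[2])
    return names

def ldaps_subject_cn(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Connect over TLS as a client on the VCL web servers would, verifying the
    server certificate against the system trust store; returns its CN."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
    return subject.get("commonName", "")
```

If ldaps_subject_cn raises a certificate error, the VCL side will fail the same way, so fix the certificate chain on the server before sending us the details.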