About LDAP/AD authentication in NJVID


LDAP/AD authentication lets users to log into NJVID platform using their credentials from an institutional LDAP or Active Directory (AD) server.


To begin the setup and configuration the institution is required to provide certain information about its LDAP/AD and its parameters. These values are required to configure the LDAP/AD with NJVID.


A user's role (e.g faculty, staff, student, alumni) determines the access to content that the user is authorized to view. This authorization is based on the user’s membership in organizational groups. The organizational groups are managed in the organization’s LDAP server.


Configuring an institutional LDAP with NJVID:


NJVID subscribing institutions are required to provide the necessary values to configure the institutions LDAP/AD with NJVID. The required values are provided below along with their description.


  • host: Provide the address of the institutional LDAP server (for example: ladp.institution.edu)


  • port: Provide the port number of the institutional LDAP server


  • Protocol: The Protocol used by the LDAP server (ldap Or ldaps)


  • protocolVersion: The protocol version used by the LDAP server (v2 or v3)


  • baseDn: A base dn is the point from where a server will search for users. Enter the base DN of the institutional LDAP server (for example: dc=institution,dc=edu)


  • Add member role to user always on successful authentication: Available options are Yes/No


 


    bindMethod: The institution must specify which mode of operation is used for authenticating with their LDAP. The options available are Direct Bind AND Search before Bind. Each option is discussed below:


    • Direct Bind: When this method is selected the user Distinguished Name (DN) is constructed automatically according to the format specified under the userDnFormat. NJVID will then try to bind the user using this constructed DN and the password entered by the user during login. If the user is successfully bound the user will be logged into NJVID.

      • userDnFormat: For this field provide the username DN format. Place the @@USERNAME@@ token where the username should be in the string, for example: cn=@@USERNAME@@, dc=institution,dc=edu

     


    • Search before Bind: On selection of this method the user’s Distinguished Name (DN) is discovered by searching the institutions AD/LDAP server. If a record is found, MediaSpace tries to bind the user using the DN that was found and the password entered in the login window. The options required under this field are:

      • Anonymous bind: Allow anonymous search of users without any required authentication. (Note: When selected no need to provide the username and password fields)

      • username: If anonymous search is not allowed what is the DN of the account that should be used to bind for searching users.

      • password: If anonymous search is not allowed what is the password of the account that should be used to bind for searching users.

      • userSearchQueryPattern: Enter the pattern for querying the LDAP server to search for a user. The @@USERNAME@@ token will be replaced with the actual username provided in the login page. For example: (&(objectClass=person)(uid=@@USERNAME@@))


     


    • emailAttribute: Provide the name of the attribute on the user record that contains the email ID of the user.


    • firstNameAttribute: Provide the name of the attribute on the user record that contains the first name of the user.


    • lastNameAttribute: Provide the name of the attribute on the user record that contains the last name of the user.


     


    • groupSearch: This field configures the LDAP option for group searches and comprises of the “Get user from groups” and “Get groups from user” options. They are explained below:

      • Get user from groups: Fetch group records with their member attribute.

        • Student Value: Boolean value representing Student status for the current term. A true value means owner is enrolled or admitted to the current term only.


      • Staff Value: Boolean value representing staff status for the current term. A true value means owner has an active employment status and is currently assigned to a job (in other words, is working)


      • Faculty Value: Boolean value representing faculty status for the current term. A true value means owner has an active employment status and is currently assigned to a job (in other words, is working)


      • groupSearchQueryPattern: Provide the pattern for querying all groups in one query. The @@GROUPS_REPLACEMENTS@@ token will be replaced with the pattern that is specified for the groupSearchEachGroupPattern. The query results lists all groups in the defined in the mapping settings.


      • groupSearchEachGroupPattern: Provide the pattern for each group in the above groupSearchQueryPattern. This pattern is used multiple times, once for each group defined in the mapping settings. The relation between the groups is OR. For example: (cn=@@GROUPNAME@@)


      • groupSearchQuery: Provide the LDAP query that finds all groups. This query runs only once so it returns all groups defined in the matching settings.


      • groupMembershipAttribute: Provide the attribute on a group record that lists the users who are members in the group. For example: member


      • groupsMatchingOrder: Provide the order for matching roles to LDAP groups. The order determines whether the strongest or weakest role is mapped first. For example if a uder belongs to a group that is mapped to an admin role, enter admin role before other roles. For example adminRole, viewerRole.

     


      • Get groups from user: Fetches the user record with its memberOf attribute

        • Student Value: Boolean value representing Student status for the current term. A true value means owner is enrolled or admitted to the current term only.


      • Staff Value: Boolean value representing staff status for the current term. A true value means owner has an active employment status and is currently assigned to a job (in other words, is working)


      • Faculty Value: Boolean value representing faculty status for the current term. A true value means owner has an active employment status and is currently assigned to a job (in other words, is working)


      • memberOfAttribute: Provide the memberOf attribute to use the memberOf search filter to map groups to users. Note: The memberOf search filter is not enabled by default on all LDAP servers.


      • userSearchQueryPattern: Provide the pattern for querying the LDAP server to find a user. The @@USERNAME@@ token will be replaced with the actual username provided by the user during login.


      • primaryGroupAttribute (optional): Provide the attribute name for the primary group ID. Only to be used to authorize by primary group ID when AD is being used.


     



    Once institutional LDAP is configured with NJVID by NJVID staff, the institutional users can visit the institutional branded NJVID portal and login using their LADP/AD credentials.