LDAP User Guide

Upload: long-nguyen

Post on 06-Apr-2018


    8/2/2019 LDAP User Guide 1/16

    LDAP User Guide

    PowerSchool Premier 5.1

    Student Information System


    Document Properties

    Copyright: Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved. This document is the property of Pearson Education, Inc. and is for reference only. It is not to be reproduced or distributed in any way without the express written consent of Pearson Education, Inc. All trademarks are either owned or licensed by Pearson Education, Inc. or its affiliates. Other brands and names are the property of their respective owners.

    Owner: Technical Communication and Documentation

    Content provided by J. Brown and J. Steele.

    Last Updated: 3/21/2007

    Version: PowerSchool Premier 5.1

    Please send comments, suggestions, or requests for this document to [email protected]. Your feedback is appreciated.


    Contents

    Introduction ... 4
    Configuration ... 4
        Active Directory LDAP Setup ... 4
            How to Set Up Active Directory LDAP ... 4
        Open Directory LDAP Setup ... 7
            How to Set Up Open Directory LDAP ... 8
    Synchronization and Authentication ... 11
        LDAP Directory Synchronization ... 11
            How to Synchronize Using LDAP Directory Synchronization ... 11
        Student LDAP Lookup ... 14
            How to Synchronize Using Student LDAP Lookup ... 14
        Teacher LDAP Lookup ... 14
            How to Synchronize Using Teacher LDAP Lookup ... 14
    LDAP for PowerGrade ... 15


    Introduction

    LDAP (Lightweight Directory Access Protocol) functionality enables administrators to establish a single source for securely managing authentication for all users on the district network, including those using PowerSchool, PowerSchool Teacher, PowerGrade, and the Public Portal.

    Configuration

    In order for PowerSchool to authenticate users using an LDAP directory server, the LDAP directory server must be configured within PowerSchool.

    Configuring the LDAP directory server consists of providing the server's address, port, SSL setting, and LDAP directory administrator credentials. It is possible to selectively enable or disable the use of LDAP for three groups of users: staff, teachers, and students. Each group of users enabled for LDAP must also have a domain context configured that identifies the root of the tree where that group's user accounts are located, along with the name of the user ID attribute from the directory schema.

    Once configured, the LDAP directory server synchronizes the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory server. For a user to successfully authenticate in PowerSchool using LDAP, the login ID must match in both PowerSchool and the LDAP directory server.

    Active Directory LDAP Setup

    Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.

    How to Set Up Active Directory LDAP

    The following procedure illustrates the standard configuration for Active Directory LDAP Setup.

    1. On the start page, choose System from the main menu. The System Administrator page displays.

    2. Click Security. The Security page displays.

    3. Click LDAP Directory Setup. The LDAP Directory Setup page displays. The following illustrates the standard setup for Active Directory LDAP Setup:


    4. Use the following table to enter information in the Server Configuration fields:

    LDAP Server Hostname or IP Address
        Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

    LDAP Port
        Enter the TCP port to use, such as 636.

    Enable SSL
        Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.

        Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.

        Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information.

        Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

            keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

        certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. -keystore is the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).

        PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

    Active Directory FQDN
        Enter the fully qualified domain name of the Active Directory Server, such as ad.powerschool.com.

        Typically this will be the same as the LDAP Server Hostname, but does not have to be. When authenticating against Active Directory the Security Principal is of the form userID@fqdn.

        Note: When configuring LDAP for Open Directory, this field may be left blank.

    LDAP Admin DN
        Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as cn=Administrator,cn=users,dc=ad,dc=powerschool,dc=com.

        This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

    LDAP Admin Password
        Enter the password for the Admin DN.

    5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.

    6. Click Active Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.

    7. Use the following table to enter information in the Schema Configuration fields:

    Enable LDAP
        Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication.

        LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

    Enable LDAP for PowerGrade
        Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

    Domain Context
        The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=ad,dc=powerschool,dc=com for Staff, Teachers, and Students.

        This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

    8. Click Submit.

    Open Directory LDAP Setup

    Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.


    How to Set Up Open Directory LDAP

    The following procedure illustrates the standard configuration for Open Directory LDAP Setup.

    1. On the start page, choose System from the main menu. The System Administrator page displays.

    2. Click Security. The Security page displays.

    3. Click LDAP Directory Setup. The LDAP Directory Setup page displays.

    4. Use the following table to enter information in the Server Configuration fields:

    LDAP Server Hostname or IP Address
        Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

    LDAP Port
        Enter the TCP port to use, such as 636.

    Enable SSL
        Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.

        Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.

        Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information.

        Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

            keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

        certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. -keystore is the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).

        PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

    Active Directory FQDN
        This field is for Active Directory only. For Open Directory, leave blank.

    LDAP Admin DN
        Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as uid=diradmin,cn=users,dc=od,dc=powerschool,dc=com.

        This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

    LDAP Admin Password
        Enter the password for the Admin DN.

    5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.

    6. Click Open Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.

    7. Use the following table to enter information in the Schema Configuration fields:

    Enable LDAP
        Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication.

        LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

    Enable LDAP for PowerGrade
        Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

    Domain Context
        The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=od,dc=powerschool,dc=com for Staff, Teachers, and Students.

        This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

    User ID Attribute
        Specify which schema attribute to use when forming the distinguished name (DN) when the user attempts to log in, such as uid for Staff, Teachers, and Students.

        For example, if the User ID Attribute is uid and the domain context is cn=users,dc=ldap,dc=powerschool,dc=com, then the DN for user jsmith becomes uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com.

    8. Click Submit.
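    The two bind identities the Schema Configuration tables describe, as an added example that is not part of this guide or of PowerSchool: it forms the Open Directory DN from the User ID Attribute and Domain Context (the uid=jsmith,... form above) and the Active Directory userID@fqdn Security Principal, escaping the login ID per RFC 4514 so a value containing ',' or '=' cannot change which entry is bound. The function names and the empty-value and '@' checks are my assumptions.

```python
"""Added example: form the identity PowerSchool would bind with, from the
Schema Configuration fields (User ID Attribute + Domain Context) and, for
Active Directory, the FQDN field. Not PowerSchool code."""

# RFC 4514 characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a login ID so it stays a single RDN value inside the DN.
    Unescaped, a login ID like 'jsmith,cn=admins' would become extra RDNs
    and change which directory entry the bind targets."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would read as a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces would otherwise be trimmed
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def open_directory_bind_dn(user_id_attr: str, domain_context: str, login_id: str) -> str:
    """Open Directory form from the guide: <User ID Attribute>=<login ID>,<Domain Context>."""
    if not login_id.strip():
        raise ValueError("empty login ID")  # never bind with an empty RDN value (assumption)
    return f"{user_id_attr}={escape_dn_value(login_id)},{domain_context}"


def active_directory_principal(fqdn: str, login_id: str) -> str:
    """Active Directory form from the guide: the Security Principal is userID@fqdn."""
    if not login_id.strip():
        raise ValueError("empty login ID")
    if "@" in login_id:  # a user-supplied realm would override the configured FQDN (assumption)
        raise ValueError("login ID must not contain '@'")
    return f"{login_id}@{fqdn}"


if __name__ == "__main__":
    print(open_directory_bind_dn("uid", "cn=users,dc=ldap,dc=powerschool,dc=com", "jsmith"))
    print(open_directory_bind_dn("uid", "cn=users,dc=od,dc=powerschool,dc=com", "jsmith,cn=admins"))
    print(active_directory_principal("ad.powerschool.com", "jsmith"))
```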


    Synchronization and Authentication

    Directory synchronization is the process of synchronizing the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory. For a user to successfully authenticate in PowerSchool via LDAP, the login IDs must match in both PowerSchool and the LDAP Directory.

    When LDAP is enabled, Login IDs are no longer directly editable through the PowerSchool user interface on either the Modify Info for Students or Security Settings for Teachers and Staff pages. Instead, one of the Synchronization processes must be used.

    Synchronization can either be performed as a mass operation, using a selection of students or teachers and staff, or one at a time using the LDAP Lookup button on either the Modify Information or Security Settings pages.

    LDAP Directory Synchronization

    Use the LDAP Directory Synchronization page to synchronize PowerSchool Login IDs with an LDAP directory server.

    How to Synchronize Using LDAP Directory Synchronization

    1. On the start page, choose System from the main menu. The System Administrator page displays.

    2. Click Security. The Security page displays.

    3. Click LDAP Directory Synchronization. The LDAP Directory Synchronization page displays.

    The LDAP Directory Synchronization page acts as a hub for all of the synchronization processes. From this page you can choose to synchronize the current selection of students or teachers and staff, all students (district wide), all students with blank login IDs (district wide), all teachers (district wide), all staff (district wide), all teachers with blank login IDs (district wide), or all staff with blank login IDs (district wide).


    You can also invoke mass student synchronization from the Functions menu after establishing a selection of students.

    Similarly, you can invoke mass teacher/staff synchronization from the Functions menu after establishing a selection of teachers and/or staff.

    Once a selection is established and the LDAP Directory Synchronization process is selected, one of the two following pages displays depending on whether you are working with students or teachers and staff:


    In either case, before the synchronization process begins, the expected user ID attribute displays and you have the opportunity to change it before proceeding. The User ID attribute is the name of the schema element in the LDAP directory that holds the login ID. This is the value that is brought back into PowerSchool and stored in the appropriate login ID field in PowerSchool's database.

    4. Click Submit. When you click Submit, the synchronization process begins and each record in the selection is processed. The first and last name in each record is used to find an exact match in the directory. If no exact match is found, a second search is done using only the last name in an effort to find partial matches.

    If an exact match is found, the login ID in PowerSchool's database is compared to the login ID reported by the directory. If they are the same, no action is taken. If they differ, the value from the directory is stored in PowerSchool. All matching records are reported in the first section of the Synchronization Results.

    When processing an exact match for a teacher/staff record, the following logic applies. If the record represents a teacher, the Teacher Login ID is checked and updated if necessary. And, if the teacher has access to the admin portion of PowerSchool, the Admin Login ID is also checked. If the record represents a staff member, the Admin Login ID is checked and updated if necessary.

    If partial matches are found, a list of the partial matches is displayed in the exception portion of the Synchronization Results. A link is also provided next to the record; it opens in a new browser window to allow manual lookup and synchronization.

    Records with no matches (either exact or partial) are reported in the exception portion of the Synchronization Results. For records with no matches, the appropriate users should be added to the LDAP directory, or the first and last names should be checked to ensure that they match in PowerSchool and the Directory. Once the issue is corrected, the synchronization process can run again.
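    The step 4 matching rules, as an added example that is not part of this guide or of PowerSchool: a simulation over a constructed in-memory directory of the exact search on first and last name, the fallback last-name-only search that yields partial matches, and the compare-and-update of the login ID, with each search filter escaped per RFC 4515 so a name containing '*' or '(' cannot widen the search. The attribute names givenName and sn, case-insensitive name comparison, and treating more than one exact hit as a partial match are my assumptions.

```python
from dataclasses import dataclass, field

# Constructed LDAP entry; using givenName/sn as the name attributes is an assumption.
@dataclass
class DirEntry:
    givenName: str
    sn: str
    uid: str  # value of the configured User ID Attribute ("uid" assumed)

@dataclass
class PsRecord:  # a PowerSchool record selected for synchronization
    first: str
    last: str
    login_id: str

@dataclass
class SyncResult:
    matched: list = field(default_factory=list)    # (record, "unchanged" | "updated")
    partial: list = field(default_factory=list)    # (record, [candidate login IDs])
    unmatched: list = field(default_factory=list)  # no exact or partial match
    filters: list = field(default_factory=list)    # the search filters that would be sent

def escape_filter(value: str) -> str:
    """RFC 4515 escaping so a name containing '*' or '(' cannot widen the search."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(first, last):
    """Filter for the first (first+last) or the second (last-only) search."""
    if first is None:
        return f"(sn={escape_filter(last)})"
    return f"(&(givenName={escape_filter(first)})(sn={escape_filter(last)}))"

def search(directory, first, last):
    """In-memory stand-in for an LDAP search under the group's Domain Context;
    case-insensitive comparison mirrors LDAP's usual caseIgnoreMatch (assumption)."""
    hits = [e for e in directory if e.sn.lower() == last.lower()]
    if first is not None:
        hits = [e for e in hits if e.givenName.lower() == first.lower()]
    return hits

def synchronize(records, directory, user_id_attr="uid"):
    """Apply the step 4 rules to each record; a record whose login ID changes is updated in place."""
    result = SyncResult()
    for rec in records:
        result.filters.append(build_filter(rec.first, rec.last))
        exact = search(directory, rec.first, rec.last)
        if len(exact) == 1:  # one unambiguous hit; two identical names fall through as partial
            dir_login = getattr(exact[0], user_id_attr)
            if dir_login == rec.login_id:
                result.matched.append((rec, "unchanged"))
            else:
                rec.login_id = dir_login  # the directory value is authoritative
                result.matched.append((rec, "updated"))
            continue
        result.filters.append(build_filter(None, rec.last))
        partial = search(directory, None, rec.last)  # second, last-name-only search
        if partial:  # listed in the exception section for manual lookup
            result.partial.append((rec, [getattr(e, user_id_attr) for e in partial]))
        else:  # fix the names or add the user to the directory, then re-run
            result.unmatched.append(rec)
    return result

# Constructed sample data: a three-entry directory and four selected student records.
DIRECTORY = [DirEntry("John", "Smith", "jsmith"), DirEntry("Jane", "Smith", "jasmith"),
             DirEntry("Ana", "Lopez", "alopez")]

def demo():
    records = [
        PsRecord("John", "Smith", ""),       # blank login ID -> filled from the directory
        PsRecord("Ana", "Lopez", "alopez"),  # already in sync -> no action
        PsRecord("Jon", "Smith", ""),        # misspelled first name -> two partial matches
        PsRecord("Wei", "Chen", ""),         # not in the directory -> exception
    ]
    return synchronize(records, DIRECTORY)
```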


    Student LDAP Lookup

    Student Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Modify Information page.

    How to Synchronize Using Student LDAP Lookup

    1. On the start page, search for and select the student.

    2. Choose Modify Information from the student pages menu. The Modify Information page displays for that student.

    3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Student Web ID field.

    Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.

    4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.

    5. Click Select next to the matching entry to transfer the login ID to the Modify Information page and close the window.

    Teacher LDAP Lookup

    Teacher and staff Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Security Settings page.

    How to Synchronize Using Teacher LDAP Lookup

    1. On the start page, search for and select the teacher or staff member.

    2. Choose Security Settings from the staff pages menu. The Security Settings page displays for that teacher or staff member.

    3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Admin Login ID and Teacher Login ID fields.

    Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.

    4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.

    5. Select the Login IDs to update. Remember that staff and teachers have two login IDs, one for PowerTeacher and one for Admin. The choices are Admin Login, Teacher Login, or Both.

    Note: If the current record represents a teacher and that teacher has admin access, then the Both option is selected. If the teacher does not have admin access, then the Teacher Login option is selected. If the current record represents a staff member, then the Admin Login option is selected.

    6. After ensuring that the correct login IDs are updated, click Select next to the appropriate exact or partial match. This transfers the login ID back to the Security Settings page, updates the selected login IDs, and then closes the window.

    LDAP for PowerGrade

    LDAP can be enabled for PowerGrade using the LDAP Directory Setup page in PowerSchool. This page includes the Enable LDAP for PowerGrade checkbox. If selected, PowerGrade uses the LDAP directory server to synchronize and authenticate PowerGrade users' passwords.

    Note: SSL is not required to use LDAP with PowerGrade.

    How It Works

    Once enabled, you will be required to enter your PowerSchool LDAP password the first time you start PowerGrade. If you do not remember your PowerSchool LDAP password, contact your PowerSchool administrator. Unlike the connectivity key, you may not launch PowerGrade if you do not have an LDAP password.

    Note: Your school may not elect to enable LDAP. If so, you will not be required to enter an LDAP password the first time you start PowerGrade.

    How LDAP Works with the PowerGrade Lock Function and the Connectivity Key

    The following outlines how LDAP works with PowerGrade and the different levels of security within PowerGrade:

    LDAP Enabled

    When LDAP is enabled, Basic authentication is used. The username and password are encrypted using Twofish encryption.


    When LDAP is enabled, teachers cannot log on to PowerGrade without their LDAP password. This differs from the connectivity key, which allows teachers to launch PowerGrade in offline mode when the connectivity key is unknown.

    When LDAP and the connectivity key are both enabled, any currently active PowerGrade sessions continue to use the connectivity key for the remainder of the session. Upon restart, PowerGrade uses LDAP.

    When working in online mode, if LDAP and the PowerGrade Lock function are both enabled, PowerGrade uses LDAP upon restart.

    When LDAP and the PowerGrade Lock function are both enabled and there is no connection to the server upon launch, only the PowerGrade Lock function is used.

    LDAP Disabled

    When LDAP is not enabled, Digest authentication is used.

    If LDAP is disabled and a connectivity key is enabled, any active PowerGrade sessions switch to using the connectivity key. Active PowerGrade users who do not have a connectivity key stored in PowerGrade will experience authentication errors.