8/2/2019 LDAP User Guide
1/16
LDAP User Guide
PowerSchool Premier 5.1
Student Information System
Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved.
Document Properties

Copyright: Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved. This document is the property of Pearson Education, Inc. and is for reference only. It is not to be reproduced or distributed in any way without the express written consent of Pearson Education, Inc. All trademarks are either owned or licensed by Pearson Education, Inc. or its affiliates. Other brands and names are the property of their respective owners.
Owner: Technical Communication and Documentation
Content provided by J. Brown and J. Steele.
Last Updated: 3/21/2007
Version: PowerSchool Premier 5.1

Please send comments, suggestions, or requests for this document to [email protected]. Your feedback is appreciated.
Contents

Introduction (p. 4)
Configuration (p. 4)
  Active Directory LDAP Setup (p. 4)
    How to Set Up Active Directory LDAP (p. 4)
  Open Directory LDAP Setup (p. 7)
    How to Set Up Open Directory LDAP (p. 8)
Synchronization and Authentication (p. 11)
  LDAP Directory Synchronization (p. 11)
    How to Synchronize Using LDAP Directory Synchronization (p. 11)
  Student LDAP Lookup (p. 14)
    How to Synchronize Using Student LDAP Lookup (p. 14)
  Teacher LDAP Lookup (p. 14)
    How to Synchronize Using Teacher LDAP Lookup (p. 14)
LDAP for PowerGrade (p. 15)
Introduction

LDAP (Lightweight Directory Access Protocol) functionality enables administrators to establish a single source for securely managing authentication for all users on the district network, including those using PowerSchool, PowerSchool Teacher, PowerGrade, and the Public Portal.

Configuration

In order for PowerSchool to authenticate users using an LDAP directory server, the LDAP directory server must be configured within PowerSchool.

Configuring the LDAP directory server consists of providing the server's address, port, SSL setting, and LDAP directory administrator credentials. It is possible to selectively enable or disable the use of LDAP for three groups of users: staff, teachers, and students. Each group of users enabled for LDAP must also have a domain context configured that identifies the root of the tree where each group of user accounts is located, along with the name of the user ID attribute from the directory schema.

Once configured, the LDAP directory server synchronizes the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory server. For a user to successfully authenticate in PowerSchool using LDAP, the login ID must match in both PowerSchool and the LDAP directory server.
Active Directory LDAP Setup
Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP
directory server.
How to Set Up Active Directory LDAP
The following procedure illustrates the standard configuration for Active Directory LDAP Setup.
1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays. The following illustrates the standard setup for Active Directory LDAP Setup:
4. Use the following table to enter information in the Server Configuration fields:

LDAP Server Hostname or IP Address
    Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

LDAP Port
    Enter the TCP port to use, such as 636.

Enable SSL
    Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.

    Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.

    Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information.

    Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

        keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

    certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. The -keystore value is the location in which to store the certificate. The -alias value LDAPCert is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).

    PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Active Directory FQDN
    Enter the fully qualified domain name of the Active Directory server, such as ad.powerschool.com.

    Typically this will be the same as the LDAP Server Hostname, but it does not have to be. When authenticating against Active Directory, the Security Principal is of the form userID@fqdn.

    Note: When configuring LDAP for Open Directory, this field may be left blank.

LDAP Admin DN
    Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as cn=Administrator,cn=users,dc=ad,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

LDAP Admin Password
    Enter the password for the Admin DN.
5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Active Directory Defaults to populate all schema configuration items with
reasonable defaults based on the Server Configuration. If any of the Server
Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:
Enable LDAP
    Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication.

    LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers, and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Enable LDAP for PowerGrade
    Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Domain Context
    The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=ad,dc=powerschool,dc=com for Staff, Teachers, and Students.

    This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.
8. Click Submit.
Open Directory LDAP Setup
Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP
directory server.
How to Set Up Open Directory LDAP
The following procedure illustrates the standard configuration for Open Directory LDAP Setup.
1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays.
4. Use the following table to enter information in the Server Configuration fields:
LDAP Server Hostname or IP Address
    Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

LDAP Port
    Enter the TCP port to use, such as 636.

Enable SSL
    Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.

    Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.

    Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information.

    Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

        keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

    certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. The -keystore value is the location in which to store the certificate. The -alias value LDAPCert is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).

    PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Active Directory FQDN
    This field is for Active Directory only. For Open Directory, leave blank.

LDAP Admin DN
    Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as uid=diradmin,cn=users,dc=od,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

LDAP Admin Password
    Enter the password for the Admin DN.
5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Open Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:

Enable LDAP
    Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication.

    LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers, and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Enable LDAP for PowerGrade
    Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Domain Context
    The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=od,dc=powerschool,dc=com for Staff, Teachers, and Students.

    This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

User ID Attribute
    Specify which schema attribute to use when forming the distinguished name (DN) when the user attempts to log in, such as uid for Staff, Teachers, and Students.

    For example, if the User ID Attribute is uid and the domain context is cn=users,dc=ldap,dc=powerschool,dc=com, then the DN for user jsmith becomes uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com.
8. Click Submit.
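As an added example (not PowerSchool's code), the following Python builds the identity a bind would use from the settings above for both directory types: the userID@fqdn Security Principal for Active Directory, and <User ID Attribute>=<login ID>,<Domain Context> for Open Directory, escaping the login ID per RFC 4514 so that a stray comma or other special character in a user-supplied login ID cannot add or alter a DN component. The directory_type labels and the sAMAccountName attribute are assumptions; the DNs and FQDN are the guide's own examples.

```python
from dataclasses import dataclass

# RFC 4514 section 2.4: characters that must be escaped anywhere in an attribute value.
_DN_SPECIAL = {'"', "+", ",", ";", "<", ">", "\\"}

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:        # a leading '#' would introduce a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

@dataclass(frozen=True)
class LdapGroupConfig:
    """Schema Configuration for one user group (Staff, Teachers or Students)."""
    directory_type: str        # "active_directory" or "open_directory" (labels chosen here)
    domain_context: str        # e.g. cn=users,dc=od,dc=powerschool,dc=com
    user_id_attribute: str     # e.g. uid
    ad_fqdn: str = ""          # Active Directory FQDN; left blank for Open Directory

def bind_identity(cfg: LdapGroupConfig, login_id: str) -> str:
    """Return the identity a bind for this login ID would use.

    Active Directory: the Security Principal userID@fqdn, as the guide describes.
    Open Directory: <User ID Attribute>=<login ID>,<Domain Context>, with the login ID
    escaped so that a value such as "jsmith,ou=admins" stays one RDN value.
    """
    if not login_id or login_id != login_id.strip():
        raise ValueError("login ID must be non-empty with no surrounding whitespace")
    if cfg.directory_type == "active_directory":
        if not cfg.ad_fqdn:
            raise ValueError("Active Directory FQDN is required to form userID@fqdn")
        if "@" in login_id:   # keep the realm part under the administrator's control
            raise ValueError("login ID may not contain '@'")
        return f"{login_id}@{cfg.ad_fqdn}"
    if cfg.directory_type == "open_directory":
        return f"{cfg.user_id_attribute}={escape_dn_value(login_id)},{cfg.domain_context}"
    raise ValueError(f"unknown directory type: {cfg.directory_type}")

# Constructed configurations mirroring the guide's examples (sAMAccountName is an assumption).
OD_EXAMPLE = LdapGroupConfig("open_directory", "cn=users,dc=ldap,dc=powerschool,dc=com", "uid")
AD_EXAMPLE = LdapGroupConfig("active_directory", "cn=users,dc=ad,dc=powerschool,dc=com",
                             "sAMAccountName", ad_fqdn="ad.powerschool.com")

if __name__ == "__main__":
    print(bind_identity(OD_EXAMPLE, "jsmith"))            # guide's worked example
    print(bind_identity(OD_EXAMPLE, "jsmith,ou=admins"))  # comma escaped, still one RDN
    print(bind_identity(AD_EXAMPLE, "jsmith"))
```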
Synchronization and Authentication

Directory synchronization is the process of synchronizing the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory. For a user to successfully authenticate in PowerSchool via LDAP, the login IDs must match in both PowerSchool and the LDAP Directory.

When LDAP is enabled, Login IDs are no longer directly editable through the PowerSchool user interface on either the Modify Info for Students or Security Settings for Teachers and Staff pages. Instead, one of the Synchronization processes must be used.

Synchronization can either be performed as a mass operation, using a selection of students or teachers and staff, or one at a time using the LDAP Lookup button on either the Modify Information or Security Settings pages.
LDAP Directory Synchronization
Use the LDAP Directory Synchronization page to synchronize PowerSchool Login IDs with an
LDAP directory server.
How to Synchronize Using LDAP Directory Synchronization
1. On the start page, choose System from the main menu. The System Administrator page
displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Synchronization. The LDAP Directory Synchronization page
displays.
The LDAP Directory Synchronization page acts as a hub for all of the synchronization processes. From this page you can choose to synchronize the current selection of students or teachers and staff, all students (district wide), all students with blank login IDs (district wide), all teachers (district wide), all staff (district wide), all teachers with blank login IDs (district wide), or all staff with blank login IDs (district wide).
You can also invoke mass student synchronization from the Functions menu after establishing a selection of students.

Similarly, you can invoke mass teacher/staff synchronization from the Functions menu after establishing a selection of teachers and/or staff.

Once a selection is established and the LDAP Directory Synchronization process is selected, one of the two following pages displays depending on whether you are working with students or teachers and staff:
In either case, before the synchronization process begins, the expected user ID attribute displays and you have the opportunity to change it before proceeding. The User ID attribute is the name of the schema element in the LDAP directory that holds the login ID. This is the value that is brought back into PowerSchool and stored in the appropriate login ID field in PowerSchool's database.
4. Click Submit. When you click Submit, the synchronization process begins and each record in the selection is processed. The first and last name in each record is used to find an exact match in the directory. If no exact match is found, a second search is done using only the last name in an effort to find partial matches.

If an exact match is found, the login ID in PowerSchool's database is compared to the login ID reported by the directory. If they are the same, no action is taken. If they differ, the value from the directory is stored in PowerSchool. All matching records are reported in the first section of the Synchronization Results.

When processing an exact match for a teacher/staff record, the following logic applies. If the record represents a teacher, the Teacher Login ID is checked and updated if necessary, and if the teacher also has access to the admin portion of PowerSchool, the Admin Login ID is checked as well. If the record represents a staff member, the Admin Login ID is checked and updated if necessary.

If partial matches are found, a list of the partial matches is displayed in the exception portion of the Synchronization Results. A link is also provided next to the record; it opens in a new browser window to allow manual lookup and synchronization.

Records with no matches (either exact or partial) are reported in the exception portion of the Synchronization Results. For records with no matches, the appropriate users should be added to the LDAP directory, or the first and last names should be checked to ensure that they match in PowerSchool and the Directory. Once the issue is corrected, the synchronization process can run again.
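The matching and update rules of step 4, as an added example (not the product's code), run against a constructed in-memory directory so they can be exercised offline: exact match on first and last name, a last-name-only search for partial matches, directory value stored only when it differs, and the Teacher/Admin Login ID rules for teachers and staff. The givenName and sn attribute names, the record model, and treating several exact hits as ambiguous are assumptions; names are escaped per RFC 4515 before they are placed in a search filter so that a surname containing "*" or parentheses is matched literally.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a name is matched literally and cannot change the filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def build_filter(last: str, first: Optional[str] = None) -> str:
    """Filter for the guide's two searches: first+last (exact), then last only (partial).
    Attribute names givenName and sn are assumptions; the guide does not name them."""
    sn = f"(sn={escape_filter_value(last)})"
    return f"(&(givenName={escape_filter_value(first)}){sn})" if first else sn

# uid holds the value of the configured User ID Attribute.
DirectoryEntry = namedtuple("DirectoryEntry", "first last uid")

@dataclass
class PsRecord:
    first: str
    last: str
    kind: str                     # "student", "teacher" or "staff"
    admin_access: bool = False    # a teacher may also have admin access
    login_id: Optional[str] = None        # Student Web ID or Teacher Login ID
    admin_login_id: Optional[str] = None  # Admin Login ID

class FakeDirectory:
    """Stand-in for the directory server: evaluates the two match shapes build_filter emits."""
    def __init__(self, entries):
        self.entries = entries

    def search(self, last, first=None):
        # LDAP name attributes are normally case-insensitive; mirror that here.
        return [e for e in self.entries if e.last.lower() == last.lower()
                and (first is None or e.first.lower() == first.lower())]

def apply_login(rec: PsRecord, dir_login: str) -> list:
    """Guide's rule: equal -> no action; different -> the directory value is stored.
    Teacher: Teacher Login ID (+ Admin Login ID with admin access). Staff: Admin Login ID."""
    fields = {"student": ["login_id"], "staff": ["admin_login_id"],
              "teacher": ["login_id"] + (["admin_login_id"] if rec.admin_access else [])}[rec.kind]
    updated = []
    for name in fields:
        if getattr(rec, name) != dir_login:
            setattr(rec, name, dir_login)
            updated.append(name)
    return updated

def synchronize(records, directory):
    """Process every record and return the sections of the Synchronization Results."""
    results = {"matched": [], "partial": [], "unmatched": []}
    for rec in records:
        exact = directory.search(rec.last, rec.first)
        if len(exact) == 1:   # assumption: several exact hits are treated as ambiguous
            results["matched"].append((rec.first, rec.last, exact[0].uid, apply_login(rec, exact[0].uid)))
            continue
        partial = directory.search(rec.last)   # second search: last name only
        if partial:
            results["partial"].append((rec.first, rec.last, sorted(e.uid for e in partial)))
        else:
            results["unmatched"].append((rec.first, rec.last))
    return results

# Constructed sample directory and PowerSchool records (not from the guide).
SAMPLE_DIRECTORY = FakeDirectory([DirectoryEntry("Jane", "Smith", "jsmith"),
                                  DirectoryEntry("John", "Smith", "josmith"),
                                  DirectoryEntry("Pat", "O'Brien", "pobrien")])

def run_demo():
    records = [PsRecord("Jane", "Smith", "teacher", True, "jsmith", "jane.old"),
               PsRecord("Pat", "O'Brien", "student"), PsRecord("Jim", "Smith", "staff"),
               PsRecord("Ann", "Lee", "staff")]
    return synchronize(records, SAMPLE_DIRECTORY), records
```

run_demo() returns the three result sections and the updated records for the constructed data: one teacher whose Admin Login ID is corrected, one student whose blank login ID is filled, one staff member with two partial matches, and one unmatched record.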
Student LDAP Lookup

Student Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Modify Information page.

How to Synchronize Using Student LDAP Lookup

1. On the start page, search for and select the student.
2. Choose Modify Information from the student pages menu. The Modify Information page displays for that student.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Student Web ID field.

Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.

4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Click Select next to the matching entry to transfer the login ID to the Modify Information page and close the window.
Teacher LDAP Lookup

Teacher and staff Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Security Settings page.
How to Synchronize Using Teacher LDAP Lookup
1. On the start page, search for and select the teacher or staff member.
2. Choose Security Settings from the staff pages menu. The Security Settings page
displays for that teacher or staff member.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Admin Login ID and Teacher Login ID fields.

Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Select the Login IDs to update. Remember that staff and teachers have two login IDs, one for PowerTeacher and one for Admin. The choices are Admin Login, Teacher Login, or Both.

Note: If the current record represents a teacher and that teacher has admin access, then the Both option is selected. If the teacher does not have admin access, then the Teacher Login option is selected. If the current record represents a staff member, then the Admin Login option is selected.

6. After ensuring that the correct login IDs are updated, click Select next to the appropriate exact or partial match. This transfers the login ID back to the Security Settings page, updates the selected login IDs, and then closes the window.
LDAP for PowerGrade

LDAP can be enabled for PowerGrade using the LDAP Directory Setup page in PowerSchool. This page includes the Enable LDAP for PowerGrade checkbox. If selected, PowerGrade uses the LDAP directory server to synchronize and authenticate PowerGrade users' passwords.

Note: SSL is not required to use LDAP with PowerGrade.

How It Works

Once enabled, you will be required to enter your PowerSchool LDAP password the first time you start PowerGrade. If you do not remember your PowerSchool LDAP password, contact your PowerSchool administrator. Unlike the connectivity key, you may not launch PowerGrade if you do not have an LDAP password.

Note: Your school may not elect to enable LDAP. If so, you will not be required to enter an LDAP password the first time you start PowerGrade.
How LDAP Works with the PowerGrade Lock Function and the Connectivity Key

The following outlines how LDAP works with PowerGrade and the different levels of security within PowerGrade:

LDAP Enabled

When LDAP is enabled, Basic authentication is used. The username and password are encrypted using Twofish encryption.
When LDAP is enabled, teachers cannot log on to PowerGrade without their LDAP password. This differs from the connectivity key, which allows teachers to launch PowerGrade in offline mode when the connectivity key is unknown.

When LDAP and the connectivity key are both enabled, any currently active PowerGrade sessions continue to use the connectivity key for the remainder of the session. Upon restart, PowerGrade uses LDAP.

When working in online mode, if LDAP and the PowerGrade Lock function are both enabled, PowerGrade uses LDAP upon restart.

When LDAP and the PowerGrade Lock function are both enabled and there is no connection to the server upon launch, only the PowerGrade Lock function is used.

LDAP Disabled

When LDAP is not enabled, Digest authentication is used.

If LDAP is disabled and a connectivity key is enabled, any active PowerGrade sessions switch to using the connectivity key. Active PowerGrade users who do not have a connectivity key stored in PowerGrade will experience authentication errors.