We can provide single sign-on authentication with Active Directory / LDAP to handle user and blog management, provided your network meets the requirements described below. This page gives an overview of those requirements and of how to set it up.
What we need:
Email email@example.com and let us know you want to set up authentication with Active Directory / LDAP, as we first need to install the LDAP plugin. The LDAP plugin should only be installed when you are ready to set it up: once it is active, Users > Add New is replaced with Users > Add Users, which doesn’t work until LDAP has been configured.
- We can only connect to one LDAP server.
- If the student and staff accounts use two different LDAP servers, you need to choose which set of accounts you want to set up LDAP authentication for.
Set Up LDAP
Once we’ve installed the LDAP plugin, you’ll need someone from your LDAP team to help configure the settings.
You set up LDAP as follows:
1. Add our IP addresses or IP block range to your LDAP firewall (we’ll send these IP addresses once we’ve installed the LDAP plugin).
2. Go to Settings > LDAP Options in the network admin dashboard.
3. Add your Connection settings and click Save Options.
4. Go to General Settings to select your default options and then click Save Options.
- Auto create WPMU username – This needs to be set to Yes for their user account to be created the first time a new user logs in using their LDAP username/password.
- Auto create WPMU Blog – Set to ‘Yes’ if you want a new blog created the first time a new user logs in using their LDAP username/password. Set it to ‘No’ if you only want their user account created. Users can create their own blog using Dashboard > My Sites > Create New site once they’ve logged in, or a super admin user can create their new site using Batch Create.
- Blog Name For Auto-Created Blogs – allows you to specify the URLs used for creating new blogs.
- Create local users – set to ‘No’ if you don’t want blog admins creating local user accounts.
- Allow blog admins to add users – leave as ‘Yes’ if you want your blog admin users to be able to add LDAP users to their blog.
- Allow blog admins to bulk add users – leave as ‘Yes’ if you want your blog admin users to be able to bulk add LDAP users to their blog.
- Disable Public Sign up – leave as ‘Yes’ if you want users to be able to create additional sites using Dashboard > My Sites > Create New site.
- Lost-Password Message – add a message to explain that their user account is tied to their school account and provide either an email address or link to information on how to reset their password.
- Public Display Name Format – controls how their name is displayed.
5. Once configured, test logging in using both a staff and a student user account to confirm it is working (you need to use accounts that haven’t logged into your CampusPress network before).
Email firstname.lastname@example.org if you have any issues setting up LDAP. You’ll need to provide a test LDAP user account we can use for troubleshooting. The LDAP user account must be attached to an email address (but it doesn’t need to be a valid email address).
LDAP Overview and Requirements
LDAP, or Lightweight Directory Access Protocol, provides a standard way to share user information. It also allows an internal or external system to authenticate users. The LDAP protocol itself is standard and vendor neutral. However, there are often implementation-specific issues, primarily relating to the schema (how the information is presented).
The set of attributes available in an LDAP record is called a schema. Schemas are additive, and there are many standard ones available. We have worked with the Microsoft Active Directory and Apple OpenDirectory schemas as well as rfc2307 (Unix/NIS, posixAccount) and inetOrgPerson. Even plain old inetOrgPerson provides adequate information for Edublogs integration. Non-standard or heavily customized schemas may require custom integration work at an additional charge.
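To make “adequate information” concrete, here is an added example (not code from the CampusPress/Edublogs LDAP plugin) that parses constructed LDIF entries for the schema families named above and reports whether each exposes a login name, a mail address and something to build a display name from. The attribute names per objectClass and that required set are assumptions drawn from this page (an account has to be tied to an email address, and a display-name format is configurable), not the plugin’s real mapping.

```python
"""Check what an LDAP entry offers an SSO integration under each schema.

Added example, not the CampusPress/Edublogs plugin. The required set
(login name, mail, display-name source) is an assumption from the text.
"""

# Login-name attribute for each account objectClass, most specific first.
USERNAME_ATTR_BY_CLASS = [
    ("user", "samaccountname"),   # Microsoft Active Directory
    ("inetorgperson", "uid"),     # inetOrgPerson (RFC 2798)
    ("posixaccount", "uid"),      # rfc2307 Unix/NIS accounts
]

# Constructed sample entries; none comes from a real directory.
SAMPLES = {
    "active_directory": """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=edu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
sAMAccountName: jdoe
mail: jdoe@example.edu
displayName: Jane Doe
""",
    "inetorgperson": """\
dn: uid=pstaff,ou=people,dc=example,dc=edu
objectClass: top
objectClass: inetOrgPerson
uid: pstaff
cn: Pat Staff
givenName: Pat
sn: Staff
mail: pstaff@example.edu
""",
    "posixaccount_only": """\
dn: uid=sstudent,ou=people,dc=example,dc=edu
objectClass: top
objectClass: posixAccount
uid: sstudent
cn: Sam Student
uidNumber: 10042
gidNumber: 100
""",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.

    Comment lines are skipped; a line starting with a space continues the
    previous value (RFC 2849). Base64 (::) values are treated as plain text.
    """
    entry, last = {}, None
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            entry[last[0]][last[1]] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        name = name.strip().lower()
        entry.setdefault(name, []).append(value.strip())
        last = (name, len(entry[name]) - 1)
    return entry


def detect_schema(entry):
    """Return (objectClass, login attribute) for the first known account class."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls, attr in USERNAME_ATTR_BY_CLASS:
        if cls in classes:
            return cls, attr
    return None, None


def display_name(entry):
    """Pick a display name: displayName, then cn, then 'givenName sn'."""
    for attr in ("displayname", "cn"):
        if entry.get(attr):
            return entry[attr][0]
    full = f"{entry.get('givenname', [''])[0]} {entry.get('sn', [''])[0]}".strip()
    return full or None


def check_entry(entry):
    """Report login name, mail and display name, plus whatever is missing."""
    cls, user_attr = detect_schema(entry)
    username = entry.get(user_attr, [None])[0] if user_attr else None
    mail = entry.get("mail", [None])[0]
    name = display_name(entry)
    missing = [label for ok, label in (
        (cls, "recognised account objectClass"),
        (username, user_attr or "login attribute"),
        (mail, "mail"),
        (name, "displayName/cn/givenName+sn"),
    ) if not ok]
    return {"schema": cls, "username": username, "mail": mail,
            "display_name": name, "missing": missing}


def check_samples():
    return {label: check_entry(parse_ldif(ldif)) for label, ldif in SAMPLES.items()}


if __name__ == "__main__":
    for label, result in check_samples().items():
        print(label, result)
```

Run against the samples, the Active Directory and inetOrgPerson entries come back complete, while the posixAccount-only entry is reported as missing `mail`, which is exactly the gap the troubleshooting note about accounts needing an email address points at. Real directories usually layer inetOrgPerson on top of posixAccount, which is why plain inetOrgPerson is already enough.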
Super Admins will have access to the LDAP settings and options by going to ‘Network Admin’ > ‘Settings’ > ‘LDAP Options’. The Campus network will first need to be up and running before LDAP can be configured.
SSL, or Secure Sockets Layer, is a standard method of encrypting connections between systems. We are able to use this standard method of encryption (or optionally the very similar, also standard TLS, or Transport Layer Security) to encrypt the LDAP connection between your servers and our servers.
We are unable to obtain certificates for domains we don’t own, and will provide CampusPress networks with the needed CSR info to generate certificates. We need the certificate and intermediate certificates in PEM form. If you need to specify which server to select for the certificate, select Apache.
To help ensure the security of your users’ data, SSL certificates must be signed by a reputable Certificate Authority (CA) such as Comodo (including InstantSSL and PositiveSSL), Thawte or Verisign. Other widely recognized certificate authorities are also acceptable (as a rule, if major current web browsers will accept a certificate, it is fine). We do not accept certificates that are self-signed or signed by your own CA or any non-accredited signing agent. We are available to assist you in finding an appropriate certificate agency.
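A structural pre-check a network admin can run on the PEM bundle before sending it, as an added example that is not CampusPress/Edublogs tooling: it reads issuer and subject out of each PEM block with a minimal DER walk, flags a self-signed leaf, and confirms the certificate is followed by the intermediate that issued it. The certificates it is exercised with are constructed, unsigned stand-ins built in the same block; it verifies no signatures and decides nothing about which CAs are acceptable.

```python
"""Structural pre-check of a PEM bundle (certificate + intermediates).

Added example, not CampusPress/Edublogs tooling. Reads issuer/subject from
each certificate and flags self-signed entries and chain-order breaks.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_list(bundle):
    """DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(bundle)]


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Split the content of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = _tlv(seq_value, pos)
        out.append((tag, value))
    return out


def issuer_subject(der):
    """(issuer, subject) Name encodings of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, subject, ... }
    """
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_bundle(bundle):
    """Flag self-signed certificates and issuer/subject mismatches in order."""
    names = [issuer_subject(d) for d in pem_to_der_list(bundle)]
    # Byte-for-byte issuer == subject: the certificate names itself as issuer.
    self_signed = [i for i, (iss, sub) in enumerate(names) if iss == sub]
    # Leaf first; each certificate's issuer must be the next one's subject.
    broken_links = [i for i in range(len(names) - 1)
                    if names[i][0] != names[i + 1][1]]
    return {"count": len(names), "self_signed": self_signed,
            "broken_links": broken_links,
            # A self-signed root appended at the end is tolerated; a self-signed leaf is not.
            "acceptable": bool(names) and 0 not in self_signed and not broken_links}


# --- constructed fixtures: unsigned stand-ins with a real TBSCertificate layout
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single CN."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed certificate with dummy key and signature; for the checker only."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z")),
        _name(subject_cn),
        _der(0x30, b""),                                                   # dummy SPKI
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    chain = (fake_cert_pem("blogs.example.edu", "Example Intermediate CA")
             + fake_cert_pem("Example Intermediate CA", "Example Root CA"))
    print(check_bundle(chain))
    print(check_bundle(fake_cert_pem("blogs.example.edu", "blogs.example.edu")))
```

The issuer/subject comparison is byte-for-byte, which is enough to catch a certificate that names itself as issuer; it will not catch a certificate signed by a private CA whose name differs, which is why the CA policy above is still applied by a person. Apply `check_bundle` to the real leaf-plus-intermediates file: a self-signed leaf or a bundle in the wrong order shows up before it is emailed.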