
Setting up LDAP Authentication for Home Access Center

Home Access Center (HAC) provides the ability to use LDAP (Lightweight Directory Access Protocol) authentication so HAC can use the Active Directory accounts. LDAP is used to access and maintain distributed directory information services over a network. For the purposes of eSchoolPlus, a site would be using LDAP to access the Active Directory within the site’s domain.

HAC LDAP Authentication Processing

When HAC attempts to validate a user using LDAP, the software uses the Active Directory information identified on the LDAP panel of the HAC District Configuration Page.

  • Distinguished Name - Identifies the Active Directory location in LDAP format.
  • Domain Name - Identifies where the Distinguished Name is stored.

If the Distinguished Name for HAC LDAP authentication was school.powerschool.lcl/dc=school,dc=powerschool,dc=lcl, and the Domain Name was school.powerschool.lcl, to find the student John.Smith, the software would search the Active Directory on the domain school.powerschool.lcl for the user john.smith.

Distinguished Name

The Distinguished Name is the part of the ADsPath that follows the provider moniker (LDAP://). The ADsPath is defined as:

LDAP://HostName[:PortNumber][/DistinguishedName],

so the Distinguished Name is: HostName[:PortNumber][/DistinguishedName].

  • Host Name can be a computer name, an IP address, or a domain name.
  • PortNumber specifies the port to be used for the connection. If no port number is specified, the LDAP provider uses the default port number. The default port number is 389 when using TLS or 636 when using an SSL connection.
  • Bracket characters [ ] enclose optional parameters, but they are not included in the string.

For more information, refer to the following article on LDAP ADsPath: http://msdn.microsoft.com/en-us/library/windows/desktop/aa746384(v=vs.85).aspx.

The Distinguished Name may consist of multiple components called relative distinguished names (RDN). Examples include:

  • DC = Domain Component
  • CN = Common Name
  • OU = Organizational Unit

For additional information on the possible components, refer to the following article on Distinguished Names: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366101(v=vs.85).aspx

Domain Name

The Domain Name is the fully qualified domain name (FQDN) that holds the Active Directory. It is the complete domain name.

Examples

To configure eSchoolPlus to access the Active Directory domain of host.name.lcl on a fully qualified domain name of school.powerschool.lcl, enter:

Distinguished Name: host.name.lcl/dc=school,dc=powerschool,dc=lcl

Domain Name: school.powerschool.lcl

To access the Active Directory domain on a domain controller with an IP address of 10.100.83.2, and a FQDN of school.powerschool.lcl, enter:

Distinguished Name: 10.100.83.2/dc=school,dc=powerschool,dc=lcl

Domain Name: school.powerschool.lcl
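
The following Python check is an added example, not part of eSchoolPlus or HAC. It splits a Distinguished Name field value into HostName, PortNumber and RDNs, then confirms that the DC components spell the Domain Name. The function names are hypothetical, the DC-to-domain rule is an assumption drawn from the two examples above, and hosts are assumed to be names or IPv4 addresses.

```python
import re

# RDN types named on this page; rejecting anything else is this example's assumption.
KNOWN_RDN_TYPES = {"DC", "CN", "OU"}

def parse_hac_dn(value):
    """Split 'HostName[:PortNumber][/DistinguishedName]' into its parts."""
    hostport, _, dn = value.strip().partition("/")
    host, sep, port = hostport.partition(":")  # assumes a name or IPv4 host
    if not host:
        raise ValueError("missing HostName")
    if sep and not (re.fullmatch(r"[0-9]{1,5}", port) and 1 <= int(port) <= 65535):
        raise ValueError(f"bad PortNumber: {port!r}")
    rdns = []
    if dn:
        # Split on commas that are not backslash-escaped inside a value.
        for part in re.split(r"(?<!\\),", dn):
            rtype, eq, rval = part.partition("=")
            rtype, rval = rtype.strip().upper(), rval.strip()
            if not eq or not rval or rtype not in KNOWN_RDN_TYPES:
                raise ValueError(f"bad RDN: {part!r}")
            rdns.append((rtype, rval))
    return {"host": host, "port": int(port) if sep else None, "rdns": rdns}

def check_hac_ldap_config(distinguished_name, domain_name):
    """Return a list of problems; an empty list means the two fields agree."""
    try:
        parsed = parse_hac_dn(distinguished_name)
    except ValueError as exc:
        return [str(exc)]
    dc_domain = ".".join(v for t, v in parsed["rdns"] if t == "DC").lower()
    if not dc_domain:
        return ["no DC components in Distinguished Name"]
    if dc_domain != domain_name.strip().lower().rstrip("."):
        return [f"DC components spell {dc_domain!r}, not {domain_name!r}"]
    return []

if __name__ == "__main__":
    # The first two pairs are the page's examples; the third is a constructed mismatch.
    samples = [
        ("host.name.lcl/dc=school,dc=powerschool,dc=lcl", "school.powerschool.lcl"),
        ("10.100.83.2/dc=school,dc=powerschool,dc=lcl", "school.powerschool.lcl"),
        ("host.name.lcl/dc=school,dc=lcl", "school.powerschool.lcl"),
    ]
    for dn, domain in samples:
        print(dn, "->", check_hac_ldap_config(dn, domain) or "OK")
```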

Defining HAC Logins for Students/Guardians

The HAC login ID must match the Active Directory User Name. For student accounts, make sure the AD user name is entered on the Mailing Address record. If you use SQL to populate the login ID, make sure you do not enter a user name on both the Physical and Mailing Address records for a student.

The Generate HAC Logins & Passwords page (Registration > Utilities > Tools > Generate HAC Credentials) provides the ability to generate login IDs based on combinations of first name and last name. The created data file can then be transferred to the Active Directory.

Impersonating Student/Guardian with LDAP Authentication

Users can impersonate a student/guardian account when LDAP authentication is used if a Login ID is entered in eSchoolPlus. It is not necessary to have a password stored in eSchoolPlus for the student/guardian. 

Turning Off Online Registration and Change Passwords

If your site uses LDAP Authentication, the Online Registration, Forgot Password, and Change Password functionality of HAC will not work. Make sure to set up the HAC District Configuration page's Preference panel options so online registration and the ability to change the password are turned off.
