Open topic with navigation

Using LDAP with Ektron

Lightweight Directory Access Protocol (LDAPLightweight Directory Access Protocol; permits access to distributed information.) is a set of protocols that enable the hierarchical arrangement of corporate directory entries in a structure, which may reflect geographic or organizational boundaries. Active Directory and LDAP are not the same. While they perform similar functions, LDAP (when used with Ektron) only verifies login information and creates the user in the Everyone group.

Ektron's LDAP feature lets you retrieve user login information from an LDAP server. As a result, you can administer user information from one place, and users only need to remember one password/username combination to sign on to the network and Ektron.

The hierarchical structure of LDAP authentication can be organized in several different ways. For example, with the following LDAP structure, the domain would typically span multiple countries.

NOTE: Abbreviations: CN = Common Name, OU = Organizational Unit, O = Organization, C= Country, DN = Distinguished Name.

CN=j_smith, OU=Sales, O=MyCompany, C=US, DN=example.com

By changing the order of C and DN, the hierarchy indicates that the domain example.com is located in the US.

CN=j_smith, OU=Sales, O=MyCompany, DN=example.com, C=US.

In some instances, it may be necessary to have an Organization appear below an Organizational Unit. For example, your Organizational Unit has it own Organizations.

The following image shows a sample LDAP hierarchical structure.

Enabling LDAP

You enable LDAPLightweight Directory Access Protocol; permits access to distributed information. by editing the web.config file and editing settings on the Active Directory Setup screen. See also: Setting up Active Directory.

IMPORTANT: Before enabling LDAP in Ektron, make sure your LDAP server is ready for use and include an Ektron administrator account for yourself. After you enable LDAP, only the BuiltIn account can access Ektron without LDAP authentication. See also: Editing the builtin username and password.

  1. In the siteroot\web.config file, change the ek_AUTH_Protocol property to GC:
    <add key="ek_AUTH_Protocol" value="GC"/>
  2. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  3. Click Edit.
  4. Select Enable LDAP Authentication.
  5. Complete the LDAP-related fields and click Update.
    • Type. Choose the type of LDAP authentication you are using. Depending on your choices, the fields below may be required or disallowed. The following choices are available:
      • Active Directory (LDAP). Domain allowed, Organization is not. For more information, see Using LDAP to connect to Active Directory.
      • Novell eDirectory/NDS. Organization allowed, Domain is not.
      • Sun Iplanet/JSDS. Domain allowed, Organization is not.
      • Other. Allows Domain and Organization
    • LDAP Server. The IP address or name of the LDAP server.
    • Port. The LDAP server port with which Ektron communicates. If you are unsure of the port number, consult your Directory Service documentation .
    • Organization. The name of your company or organization. For example, Optimizely You can leave this field blank if you enter a domain in the Domain field.
    • Domain. Your domain name. For example, www.ektron.com. This should be the name you used when purchasing your license key. You can leave this field blank if you enter an organization in the Organization field.
    • Attribute. Enter the key value used to reference accounts inside LDAP. As examples: dn, sn, cn, uid, and so on.
    • Use SSL. Check if you want to enforce a secure connection in traffic to the LDAP server.
    • Path. The next levels below your Organization or Domain. These can include multiple levels of Organizational Units. For example, Content Editors, Marketing, East Coast. Click the Expand link to display the Add field.
    • Add. Enter the path to which you would like access in the text field. Then click the Add link.

      When adding Organizational Units, paths are comma-separated and run from specific to general. For example, ou=Amherst,ou=New Hampshire,o=US. For more information, see Adding an organizational unit during setup.

      Do not add individual Common Names here. Only add Organizational Units that contain people who should have access to Ektron. To add a single individual from a different Organizational Unit, see Adding user information from an LDAP server to Ektron

NOTE: You can add additional Organizations below an Organization Units as long as the path on your LDAP server is the same.

Using LDAP to connect to Active Directory

  1. In the \web.config file, add the Username and Password for ek_ADUsername and ek_ADPassword. For example:
    <add key="ek_ADUsername" value="[email protected]" />
    <add key="ek_ADPassword" value="mypasswordisthis" />
  2. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  3. Click Edit.
  4. Use the following settings in the Active Directory Setup screen.
    • Type. Active Directory (LDAPLightweight Directory Access Protocol; permits access to distributed information.)
    • LDAP Server. [IP Address of the AD domain controller]
    • Port. 389
    • Organization. [leave this blank]
    • Domain. [dns name of the AD domain]. For example: internal.domain.com
    • Path (Organizational Units). [any OUs that you want to draw users from] For example: Support, Users, Ektron Corporate or Engineering, Users, Ektron Corporate

Adding an organizational unit during setup

Considerations when adding Organizational Units:

Adding user information from an LDAP server to Ektron

Users at each level are automatically available for adding to Ektron. You do not have to be at the OU or CN level to add a user. If a user is at the DC or OU level, they are available.

After LDAPLightweight Directory Access Protocol; permits access to distributed information. is enabled, there are several ways to add LDAP user information to Ektron:

Searching an LDAP server for users

Prerequisite

LDAP is enabled. See Enabling LDAP.

To search for a user on an LDAPLightweight Directory Access Protocol; permits access to distributed information. server and add the user to Ektron:

  1. From the Workarea, go to Settings >Users.
  2. Click Add Users. The Add a New User to the System screen appears
  3. Click Browse LDAP (). The Search LDAP Users screen appears.

  4. Enter one or more search criteria.
    • Username. Username of the user on the LDAP server.
    • Firstname. First name of the user on the LDAP server.
    • Lastname. Last name of the user on the LDAP server.
    • Path. Select a path from the drop-down list. These paths were enabled when you configured Ektron for your LDAP server. If you select a path and enter no other information, you get all users in that path.
  5. Click Search. The search returns users that match the submitted criteria.
  6. Check each user to be added.

  7. Click Save. The user is added to Ektron and the Everyone group. To assign the user to another user group, see Assigning a user to a user group.

Manually adding an LDAP user

Prerequisite

LDAP is enabled. See Enabling LDAP.

  1. Go to Settings > Users.
  2. Click Add User. The Add a New User to the System screen appears.
  3. Fill out the fields according to Creating a user.
  4. Click Save. The View Users in Group Everyone screen appears, displaying the new user and the other Ektron users. To assign the user to another group, see Assigning a user to a user group.

Using the Browse feature to add an LDAP user

The Browse LDAP feature provides a friendly and intuitive way to find usernames, domains/organizations and organizational units.

IMPORTANT: The default server IP/DNS name and port are taken from the settings specified in the Configuration > Setup page. These settings must be specified before connecting to the LDAPLightweight Directory Access Protocol; permits access to distributed information. server.
Before using the browse feature, you must specify an Organizational Unit that can see the user in the Configuration > Setup page.

Prerequisite

LDAP is enabled. See Enabling LDAP.

  1. Go to Settings > Users.
  2. Click Add Users. The Add a New User to the System screen appears.
  3. Click Browse LDAP (). The LDAP Explorer appears.
  4. Go the LDAP server’s folders by clicking on the folder images. Each folder represents an Organizational Unit (OU). When you choose an OU level, its users appear.

    NOTE: In the LDAP Explorer, the Path and Org/Domain fields update dynamically as you go through the LDAP tree.

  5. Select a user. The user is added to Ektron and the Everyone group. To learn how to assign this user to another group, see Assigning a user to a user group.

Editing LDAP user information

It is important to note that Ektron does not write to the LDAPLightweight Directory Access Protocol; permits access to distributed information. server. So, while you can change fields when editing a user in Ektron, you also need to make the same changes on the LDAP server.

  1. Go to Settings > Users.
  2. In the Username column, click a user to edit. The View User Information screen appears.
  3. Click Edit.
  4. Change the information as needed. For more information on the fields you can edit, see Creating a user.
  5. Click Save.

Deleting users

If a user is deleted on the LDAPLightweight Directory Access Protocol; permits access to distributed information. server, Ektron does not automatically delete the user. However, the user’s login fails because the login cannot be authenticated. In this case, delete the user from Ektron using the Delete User function.

NOTE: If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user’s username and password. See also: Editing the builtin username and password.

Authenticating membership users with AD or LDAP

Usually Membership users are not included in AD or LDAP directories. Ektron's default settings ignore AD or LDAPLightweight Directory Access Protocol; permits access to distributed information. f or membership authentication. If you want Membership users to authenticate with AD or LDAP, follow these steps.

  1. Edit the siteroot\web.config file.
  2. Set LDAPmembershipUser to true.
    <add key "ek_LDAPMembershipUser" value="true" />
    If ek_LDAPmembershipUser is false, membership users are not authenticated with AD or LDAP.

Disabling LDAP authentication

To disable LDAP authentication or integration, edit the Active Directory Setup screen and select Disable Active Directory and LDAP Authentication.

See also: Setting up Active Directory.

Open topic with navigation