
PowerSchool Premier 5.1 Student Information System

LDAP User Guide

Document Properties

Copyright: Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved. This document is the property of Pearson Education, Inc. and is for reference only. It is not to be reproduced or distributed in any way without the express written consent of Pearson Education, Inc. All trademarks are either owned or licensed by Pearson Education, Inc. or its affiliates. Other brands and names are the property of their respective owners.
Owner: Technical Communication and Documentation. Content provided by J. Brown and J. Steele.
Last Updated: 3/21/2007
Version: PowerSchool Premier 5.1

Please send comments, suggestions, or requests for this document to ps_manuals@pearson.com. Your feedback is appreciated.

Introduction

Copyright 2007 Pearson Education, Inc or its affiliates. All rights reserved.

LDAP User Guide

Contents

Introduction 4
  Configuration 4
    Active Directory LDAP Setup 4
      How to Set Up Active Directory LDAP 4
    Open Directory LDAP Setup 7
      How to Set Up Open Directory LDAP 8
Synchronization and Authentication 11
  LDAP Directory Synchronization 11
    How to Synchronize Using LDAP Directory Synchronization 11
  Student LDAP Lookup 14
    How to Synchronize Using Student LDAP Lookup 14
  Teacher LDAP Lookup 14
    How to Synchronize Using Teacher LDAP Lookup 14
LDAP for PowerGrade 15


Introduction
LDAP (Lightweight Directory Access Protocol) functionality enables administrators to establish a single source for securely managing authentication for all users on the district network, including those using PowerSchool, PowerSchool Teacher, PowerGrade, and the Public Portal.

Configuration
In order for PowerSchool to authenticate users using an LDAP directory server, the LDAP directory server must be configured within PowerSchool. Configuring the LDAP directory server consists of providing the server's address, port, SSL setting, and LDAP directory administrator credentials. It is possible to selectively enable or disable the use of LDAP for three groups of users: staff, teachers, and students. Each group of users enabled for LDAP must also have a domain context configured that identifies the root of the tree where each group of user accounts is located, along with the name of the user ID attribute from the directory schema. Once configured, the LDAP directory server synchronizes the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory server. For a user to successfully authenticate in PowerSchool using LDAP, the login ID must match in both PowerSchool and the LDAP directory server.

Active Directory LDAP Setup


Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.

How to Set Up Active Directory LDAP


The following procedure illustrates the standard configuration for Active Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays. The following illustrates the standard setup for Active Directory LDAP Setup:


4. Use the following table to enter information in the Server Configuration fields:

LDAP Server Hostname or IP Address
    Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

LDAP Port
    Enter the TCP port to use, such as 636.

Enable SSL
    Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
    Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
    Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information. Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is:

        keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

    certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. The -keystore option gives the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root). PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Active Directory FQDN
    Enter the fully qualified domain name of the Active Directory Server, such as ad.powerschool.com. Typically this will be the same as the LDAP Server Hostname, but does not have to be. When authenticating against Active Directory the Security Principal is of the form userID@fqdn.
    Note: When configuring LDAP for Open Directory, this field may be left blank.

LDAP Admin DN
    Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as cn=Administrator,cn=users,dc=ad,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

LDAP Admin Password
    Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.

6. Click Active Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.

7. Use the following table to enter information in the Schema Configuration fields:

Enable LDAP
    Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Enable LDAP for PowerGrade
    Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Domain Context
    The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=ad,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

8. Click Submit.

Open Directory LDAP Setup


Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.


How to Set Up Open Directory LDAP


The following procedure illustrates the standard configuration for Open Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays.

4. Use the following table to enter information in the Server Configuration fields:

LDAP Server Hostname or IP Address
    Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

LDAP Port
    Enter the TCP port to use, such as 636.

Enable SSL
    Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
    Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
    Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information. Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is:

        keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

    certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. The -keystore option gives the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root). PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Active Directory FQDN
    This field is for Active Directory only. For Open Directory, leave blank.

LDAP Admin DN
    Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as uid=diradmin,cn=users,dc=od,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

LDAP Admin Password
    Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.

6. Click Open Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.

7. Use the following table to enter information in the Schema Configuration fields:

Enable LDAP
    Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Enable LDAP for PowerGrade
    Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Domain Context
    The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=od,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

User ID Attribute
    Specify which schema attribute to use when forming the distinguished name (DN) when the user attempts to log in, such as uid for Staff, Teachers, and Students. For example, if the User ID Attribute is uid and the domain context is cn=users,dc=ldap,dc=powerschool,dc=com, then the DN for user jsmith becomes uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com.

8. Click Submit.
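The two bind-identity rules stated in this guide (the userID@fqdn Security Principal for Active Directory, and the User ID Attribute + Domain Context DN for Open Directory) are shown below in working form. This is an added example, not PowerSchool's code; the class and function names, the per-group schema model, and the sample setups are assumptions built from the guide's example values. The one thing it adds beyond the text is RFC 4514 escaping of the login ID before it is placed in a DN, so that characters such as commas or equals signs in a login ID cannot change which directory entry the DN refers to.

```python
"""Bind identity construction for the PowerSchool LDAP settings described above.

Added example (not PowerSchool code). It models the Schema Configuration per
user group (Enable LDAP flag, Domain Context, User ID Attribute) and forms the
identity used to bind: an RFC 4514 DN for Open Directory and a userID@fqdn
Security Principal for Active Directory. Names are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Characters that must be escaped inside an RFC 4514 attribute value
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514).

    Escaping the login ID keeps a value such as 'jsmith,cn=admins' from
    being parsed as extra RDNs and binding to a different entry.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


@dataclass(frozen=True)
class GroupSchema:
    """Schema Configuration for one user group (Staff, Teachers or Students)."""
    enabled: bool
    domain_context: str      # e.g. cn=users,dc=od,dc=powerschool,dc=com
    user_id_attribute: str   # e.g. uid


@dataclass(frozen=True)
class LdapSetup:
    """Subset of the LDAP Directory Setup page needed to form a bind identity."""
    directory_type: str              # "open_directory" or "active_directory"
    active_directory_fqdn: str       # blank for Open Directory
    groups: Dict[str, GroupSchema]   # group name -> GroupSchema


def bind_identity(setup: LdapSetup, group: str, login_id: str) -> Optional[str]:
    """Return the identity to bind as, or None when LDAP is not enabled for the group."""
    schema = setup.groups.get(group)
    if schema is None or not schema.enabled:
        return None
    if setup.directory_type == "active_directory":
        # Security Principal form documented for Active Directory: userID@fqdn
        if not setup.active_directory_fqdn:
            raise ValueError("Active Directory FQDN is required")
        return f"{login_id}@{setup.active_directory_fqdn}"
    # Open Directory: DN = <User ID Attribute>=<login ID>,<Domain Context>
    return f"{schema.user_id_attribute}={escape_dn_value(login_id)},{schema.domain_context}"


# Constructed sample setups mirroring the guide's example values.
OD_CONTEXT = "cn=users,dc=od,dc=powerschool,dc=com"
OD_SETUP = LdapSetup(
    directory_type="open_directory",
    active_directory_fqdn="",
    groups={
        "students": GroupSchema(True, OD_CONTEXT, "uid"),
        "teachers": GroupSchema(True, OD_CONTEXT, "uid"),
        "staff": GroupSchema(False, OD_CONTEXT, "uid"),   # LDAP left off for staff
    },
)
AD_SETUP = LdapSetup(
    directory_type="active_directory",
    active_directory_fqdn="ad.powerschool.com",
    # The AD user ID attribute name is an assumption; the guide does not state it.
    groups={"staff": GroupSchema(True, "cn=users,dc=ad,dc=powerschool,dc=com", "sAMAccountName")},
)

if __name__ == "__main__":
    print(bind_identity(OD_SETUP, "students", "jsmith"))
    print(bind_identity(AD_SETUP, "staff", "jsmith"))
    print(bind_identity(OD_SETUP, "students", "jsmith,cn=admins"))
```

For the guide's own example (User ID Attribute uid, student context cn=users,dc=od,dc=powerschool,dc=com, user jsmith) the function returns uid=jsmith,cn=users,dc=od,dc=powerschool,dc=com; a group whose Enable LDAP checkbox is clear returns None, matching the behaviour of selectively enabling LDAP per user type.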


Synchronization and Authentication


Directory synchronization is the process of synchronizing the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory. For a user to successfully authenticate in PowerSchool via LDAP, the login IDs must match in both PowerSchool and the LDAP Directory. When LDAP is enabled, Login IDs are no longer directly editable through the PowerSchool user interface on either the Modify Info for Students or Security Settings for Teachers and Staff pages. Instead, one of the Synchronization processes must be used. Synchronization can either be performed as a mass operation, using a selection of students or teachers and staff, or one at a time using the LDAP Lookup button on either the Modify Information or Security Settings pages.

LDAP Directory Synchronization


Use the LDAP Directory Synchronization page to synchronize PowerSchool Login IDs with an LDAP directory server.

How to Synchronize Using LDAP Directory Synchronization


1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Synchronization. The LDAP Directory Synchronization page displays.

The LDAP Directory Synchronization page acts as a hub for all of the synchronization processes. From this page you can choose to synchronize the current selection of students or teachers and staff, all students (district wide), all students with blank login IDs (district wide), all teachers (district wide), all staff (district wide), all teachers with blank login IDs (district wide), or all staff with blank login IDs (district wide).

You can also invoke mass student synchronization from the Functions menu after establishing a selection of students.

Similarly, you can invoke mass teacher/staff synchronization from the Functions menu after establishing a selection of teachers and/or staff.

Once a selection is established and the LDAP Directory Synchronization process is selected, one of the two following pages displays depending on whether you are working with students or teachers and staff:


In either case, before the synchronization process begins, the expected user ID attribute displays and you have the opportunity to change it before proceeding. The User ID attribute is the name of the schema element in the LDAP directory that holds the login ID. This is the value that is brought back into PowerSchool and stored in the appropriate login ID field in PowerSchool's database.

4. Click Submit. When you click Submit, the synchronization process begins and each record in the selection is processed.

The first and last name in each record is used to find an exact match in the directory. If no exact match is found, a second search is done using only the last name in an effort to find partial matches.

If an exact match is found, the login ID in PowerSchool's database is compared to the login ID reported by the directory. If they are the same, no action is taken. If they differ, the value from the directory is stored in PowerSchool. All matching records are reported in the first section of the Synchronization Results.

When processing an exact match for a teacher/staff record, the following logic applies. If the record represents a teacher, the Teacher Login ID will be checked and updated if necessary. And, if the teacher has access to the admin portion of PowerSchool, the Admin Login ID is also checked. If the record represents a staff member, the Admin Login ID is checked and updated if necessary.

If partial matches are found, a list of the partial matches will be displayed in the exception portion of the Synchronization Results. A link will also be provided next to the record that opens in a new browser window to allow manual lookup and synchronization.

Records with no matches (either exact or partial) are reported in the exception portion of the Synchronization Results. For records with no matches, the appropriate users should be added to the LDAP directory, or the first and last names should be checked to ensure that they match in PowerSchool and the Directory. Once the issue is corrected, the synchronization process can run again.
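The matching and update rules just described (exact match on first and last name, a last-name-only search for partial matches when there is no exact match, compare-and-update of the stored login ID, and the Teacher versus Admin Login ID rule for teacher/staff records) are run below over a small constructed in-memory directory. This is an added example, not PowerSchool's synchronization code; the record model, function names and sample entries are assumptions, and the choice to treat more than one exact match as ambiguous (sent to the exception list rather than silently updated) is a conservative assumption the guide does not spell out.

```python
"""LDAP Directory Synchronization matching logic as described in this guide.

Added example, not PowerSchool's code. Runs the documented algorithm over a
constructed in-memory directory and reports matched, partial and unmatched
records the way the Synchronization Results sections are described.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Person:
    """A PowerSchool student, teacher or staff record (constructed model)."""
    first_name: str
    last_name: str
    kind: str                              # "student", "teacher" or "staff"
    login_id: Optional[str] = None         # student web ID
    teacher_login_id: Optional[str] = None
    admin_login_id: Optional[str] = None
    has_admin_access: bool = False


@dataclass
class SyncResult:
    matched: List[str] = field(default_factory=list)          # "name: updated|unchanged"
    partial: Dict[str, List[str]] = field(default_factory=dict)  # name -> candidate IDs
    unmatched: List[str] = field(default_factory=list)


def _norm(s: str) -> str:
    """Whitespace- and case-insensitive comparison key for names."""
    return " ".join(s.split()).casefold()


def find_matches(directory: List[dict], first: str, last: str) -> Tuple[List[dict], List[dict]]:
    """Exact matches on first+last name; otherwise partial matches on last name only."""
    exact = [e for e in directory
             if _norm(e["givenName"]) == _norm(first) and _norm(e["sn"]) == _norm(last)]
    if exact:
        return exact, []
    return [], [e for e in directory if _norm(e["sn"]) == _norm(last)]


def apply_login_id(person: Person, directory_id: str) -> bool:
    """Store the directory's login ID in the fields the guide says apply; True if anything changed."""
    if person.kind == "student":
        targets = ["login_id"]
    elif person.kind == "teacher":
        # Teacher Login ID always; Admin Login ID too if the teacher has admin access
        targets = ["teacher_login_id"] + (["admin_login_id"] if person.has_admin_access else [])
    else:  # staff
        targets = ["admin_login_id"]
    changed = False
    for name in targets:
        if getattr(person, name) != directory_id:
            setattr(person, name, directory_id)
            changed = True
    return changed


def synchronize(people: List[Person], directory: List[dict], user_id_attribute: str = "uid") -> SyncResult:
    """Process each selected record as the LDAP Directory Synchronization page does."""
    result = SyncResult()
    for p in people:
        label = f"{p.first_name} {p.last_name}"
        exact, partial = find_matches(directory, p.first_name, p.last_name)
        if len(exact) == 1:
            updated = apply_login_id(p, exact[0][user_id_attribute])
            result.matched.append(f"{label}: {'updated' if updated else 'unchanged'}")
        elif exact or partial:
            # Ambiguous (assumption: several exact hits) or partial: leave for manual LDAP Lookup
            result.partial[label] = [e[user_id_attribute] for e in (exact or partial)]
        else:
            result.unmatched.append(label)
    return result


# Constructed sample directory entries and PowerSchool records
DIRECTORY = [
    {"givenName": "John", "sn": "Smith", "uid": "jsmith"},
    {"givenName": "Jane", "sn": "Smith", "uid": "jasmith"},
    {"givenName": "Maria", "sn": "Garcia", "uid": "mgarcia"},
]


def run_sample() -> Tuple[List[Person], SyncResult]:
    people = [
        Person("John", "Smith", "student", login_id="john.smith"),           # differs: updated
        Person("Maria", "Garcia", "teacher", teacher_login_id="mgarcia",
               has_admin_access=True),                                       # admin ID filled in
        Person("Pat", "Smith", "staff"),                                     # last name only: partial
        Person("Lee", "Nguyen", "student"),                                  # no match at all
    ]
    return people, synchronize(people, DIRECTORY)


if __name__ == "__main__":
    _, res = run_sample()
    print(res)
```

Running the sample puts John Smith and Maria Garcia in the matched section (both updated, Maria only because her Admin Login ID was blank), lists the two Smith entries as partial candidates for Pat Smith, and reports Lee Nguyen as having no match, which is the case where the guide says to add the user to the directory or check the names.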


Student LDAP Lookup


Student Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Modify Information page.

How to Synchronize Using Student LDAP Lookup


1. On the start page, search for and select the student.
2. Choose Modify Information from the student pages menu. The Modify Information page displays for that student.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Student Web ID field.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Click Select next to the matching entry to transfer the login ID to the Modify Information page and close the window.

Teacher LDAP Lookup


Teacher and staff Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Security Settings page.

How to Synchronize Using Teacher LDAP Lookup


1. On the start page, search for and select the teacher or staff member.
2. Choose Security Settings from the staff pages menu. The Security Settings page displays for that teacher or staff member.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Admin Login ID and Teacher Login ID fields.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Select the Login IDs to update. Remember that staff and teachers have two login IDs, one for PowerTeacher and one for Admin. The choices are Admin Login, Teacher Login, or Both.
   Note: If the current record represents a teacher and that teacher has admin access, then the Both option is selected. If the teacher does not have admin access, then the Teacher Login option is selected. If the current record represents a staff member, then the Admin Login option is selected.
6. After ensuring that the correct login IDs are updated, click Select next to the appropriate exact or partial match. This transfers the login ID back to the Security Settings page, updates the selected login IDs, and then closes the window.

LDAP for PowerGrade


LDAP can be enabled for PowerGrade using the LDAP Directory Setup page in PowerSchool. This page includes the Enable LDAP for PowerGrade checkbox. If selected, PowerGrade uses the LDAP directory server to synchronize and authenticate PowerGrade users' passwords.

Note: SSL is not required to use LDAP with PowerGrade.

How It Works

Once enabled, you will be required to enter your PowerSchool LDAP password the first time you start PowerGrade. If you do not remember your PowerSchool LDAP password, contact your PowerSchool administrator. Unlike the connectivity key, you may not launch PowerGrade if you do not have an LDAP password.

Note: Your school may not elect to enable LDAP. If so, you will not be required to enter an LDAP password the first time you start PowerGrade.

How LDAP Works with the PowerGrade Lock Function and the Connectivity Key

The following outlines how LDAP works with PowerGrade and the different levels of security within PowerGrade:

LDAP Enabled

When LDAP is enabled, Basic authentication is used. The username and password are encrypted using Twofish encryption.

When LDAP is enabled, teachers cannot log on to PowerGrade without their LDAP password. This differs from the connectivity key, which allows teachers to launch PowerGrade in offline mode when the connectivity key is unknown. When LDAP and the connectivity key are both enabled, any currently active PowerGrade sessions continue to use the connectivity key for the remainder of the session. Upon restart, PowerGrade uses LDAP. When working in online mode, if LDAP and the PowerGrade Lock function are both enabled, PowerGrade uses LDAP upon restart. When LDAP and the PowerGrade Lock function are both enabled and there is no connection to the server upon launch, only the PowerGrade Lock function is used.

LDAP Disabled

When LDAP is not enabled, Digest authentication is used. If LDAP is disabled and a connectivity key is enabled, any active PowerGrade sessions switch to using the connectivity key. Active PowerGrade users who do not have a connectivity key stored in PowerGrade will experience authentication errors.
