
Before you start you will need:

  • A copy of your LDAP server's certificate (base 64 encoded X.509, often called pem format)
  • A member of your IT team to supply or enter the connection details
  • An LDAP server that can be connected to from outside of your network
    • If this is not possible, you should stop now and consider an ADFS connection instead.

Add the connection

In the administration interface go to Management > Connections

  1. Click the add button on the left and select LDAP

  2. Have your colleague from the IT team complete the form and click add at the bottom.

  3. At this point the status panel will probably show failures for connection and bind:

  4. Switch to the certificate tab and paste in the contents of the certificate file which should look like this:

    -----BEGIN CERTIFICATE-----
    (base64 encoded certificate data)
    -----END CERTIFICATE-----

  5. This will be converted to a summary panel:

  6. Save changes

  7. At this point the status panel will update and should now show success if it did not before

  8. You should be able to use the test authentication button now with your own username and password.
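Step 4 only works if what you paste really is a base64 encoded X.509 certificate and not something else from the same export (binary DER, a truncated copy, or the server's private key). The following is an added example, not code from this page or from OpenAthens, that checks a paste before you submit it and computes the SHA-256 fingerprint you can compare with the summary panel. It uses only the Python standard library; the embedded sample is a constructed minimal DER SEQUENCE wrapped in PEM armour, not a real certificate.

```python
import base64
import hashlib
import re

# A PEM file is one or more "-----BEGIN <LABEL>-----" / "-----END <LABEL>-----"
# blocks wrapping base64 text; the certificate tab expects CERTIFICATE blocks.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def der_is_sequence(der):
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded length
    spans the whole buffer, which is the outer shape of every X.509 certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def inspect_pem(text):
    """Describe what a paste into the certificate tab contains.

    Returns the block labels found, a SHA-256 fingerprint of each CERTIFICATE
    block's DER bytes (to compare with the summary panel), and any problems.
    """
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        if "-----" in text:
            problems.append("BEGIN/END markers do not pair up; the paste is probably truncated")
        else:
            problems.append("no PEM markers found; export as base64 encoded X.509, not binary DER")
    labels, fingerprints = [], []
    for label, body in blocks:
        labels.append(label)
        if "PRIVATE KEY" in label:
            # The server's private key must never leave the server; only the
            # public certificate belongs in this form.
            problems.append("a private key was pasted; only the server certificate belongs here")
            continue
        if label != "CERTIFICATE":
            problems.append("unexpected block type: " + label)
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:                 # binascii.Error is a ValueError subclass
            problems.append("certificate body is not valid base64")
            continue
        if not der_is_sequence(der):
            problems.append("decoded bytes are not a DER SEQUENCE, so not an X.509 certificate")
            continue
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return {"labels": labels, "sha256": fingerprints, "problems": problems}


# Constructed sample: a minimal DER SEQUENCE (not a real certificate) wrapped
# in PEM armour the way a real export would be.
SAMPLE_DER = bytes.fromhex("30053003020101")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(inspect_pem(SAMPLE_PEM))
    print(inspect_pem("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"))
```

If the file contains several CERTIFICATE blocks (a chain), the function reports one fingerprint per block; check with your IT colleague which one the summary panel should show.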

What the fields are for




The name of the connection as it will appear to users at our authentication point. This should be a form of your organisation name so users can find it in a list if they need to.

Directory type

Used to set default values for the server port and filter where Active Directory differs from the underlying LDAP standard.

Server host

The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network for this to work.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of security used. StartTLS is the industry standard but ldaps:// can be chosen for older systems.

Admin bind DN

The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g:


Bind password

The password for the user specified in the admin bind

Base DN

The distinguished name of your directory, e.g:



Allows you to specify the username field and optionally include other requirements. The attribute you match against ${uid} will be the user identifier in statistics reports.

Live & visible = production ready. Users will be able to access this login at the authentication point

Live and not visible = testing. Will work with the right type of URL, but will not appear at the authentication point.

Not live = cannot be used. The visibility setting is ignored.

Changes to the status can take up to PLACEHOLDER-TIME to go live.

Example filters

cn=${uid} - The default LDAP filter, using cn as the username.


(&(objectCategory=Person)(sAMAccountName=${uid})) - The default ActiveDirectory filter, using the Windows login as the username and requiring the user to have an object category of person.

(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com)) - An example ActiveDirectory filter, still requiring the user to have an object category of person, but this time using the email address as the username and additionally limited to the students security group.
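In each of these templates ${uid} is replaced by whatever the user typed as their username, and the rest of the filter is what restricts who can log in. The property a directory administrator should care about is that the username can only ever fill the value slot and can never change the shape of the filter; RFC 4515 defines the escaping that guarantees this. The following is an added example in Python, not code from this page or from OpenAthens (how the product performs the substitution is not described here, so the escaping step is an assumption about the mechanism, not a statement about the product). It resolves the three templates quoted above and checks that the resolved filter keeps the template's number of components whatever the username contains.

```python
# RFC 4515 section 3: characters that must be escaped inside a filter assertion
# value, encoded as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Filter templates quoted on this page.
TEMPLATES = {
    "ldap": "cn=${uid}",
    "ad": "(&(objectCategory=Person)(sAMAccountName=${uid}))",
    "ad_students": "(&(objectCategory=Person)(mail=${uid})"
                   "(memberOf=cn=students,dc=domain,dc=com))",
}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_filter(template, uid):
    """Substitute the login name into every ${uid} in a filter template, escaped
    so the resulting filter has exactly the structure the template describes."""
    return template.replace("${uid}", escape_filter_value(uid))


def filter_components(ldap_filter):
    """Count the unescaped '(' characters, i.e. the number of filter components.
    A resolved filter must report the same count as its template."""
    count, i = 0, 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3          # skip a \XX escape sequence entirely
            continue
        if ch == "(":
            count += 1
        i += 1
    return count


def shape_preserved(template, uid):
    """True if substituting uid leaves the template's component count unchanged."""
    return filter_components(template) == filter_components(resolve_filter(template, uid))


if __name__ == "__main__":
    # Constructed usernames: an ordinary login and one containing filter metacharacters.
    for name in ("jsmith", "jo.smith@example.org", "a(b)*"):
        for key, template in TEMPLATES.items():
            print(key, name, "->", resolve_filter(template, name), shape_preserved(template, name))
```

The memberOf value in the third template is a DN, but inside a filter it is just an assertion value, so its commas and equals signs need no escaping; only the five characters in the table do.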

How to test

If you put the connection into live but not visible mode, you will need to craft a URL to test with, as follows: