OpenAthens can connect directly to an LDAP server so that you do not have to issue accounts yourself. Anything that uses standard LDAP protocols is acceptable, e.g. Active Directory and OpenLDAP.

To connect your LDAP directory:

Preparation

Before you start you will need:

Add the connection

In the administration interface go to Management > Connections

  1. Click the add button on the left and select LDAP
     PLACEHOLDER - SCREENSHOT
  2. Have your colleague from the IT team complete the form and click add at the bottom.
  3. PLACEHOLDER - SCREENSHOT
  4. At this point the status panel will show failures for connection and bind; this is expected until the certificate has been added.
  5. Switch to the certificate tab and paste in the contents of the certificate file
  6. PLACEHOLDER - SCREENSHOT OF PASTED DATA AND UPLOADED DATA
  7. Save changes
  8. At this point the status panel will update and should show success

What the fields are for

Name

The name of the connection as it will appear to users

Directory type

Used to set default values for the server port and filter

Server host

The address where OpenAthens can connect to your server. Because the connection is made from OpenAthens rather than from inside your network, this address must be reachable from outside your network.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of transport security used. StartTLS is the standard choice, but ldaps:// can be chosen for older systems.

Admin bind DN

The distinguished name of a user that can connect and view all the users you need to authenticate.

Bind password

The password for the user specified in Admin bind DN.

Base DN

The distinguished name of your directory.

Filter

Allows you to specify which attribute holds the username and, optionally, other requirements a user must meet. The attribute you compare with ${uid} (for example cn in cn=${uid}) will be the user identifier in statistics reports.

Status

Live & visible = production ready. Users will be able to use this login at the authentication point.

Live and not visible = testing. Will work with the right type of URL, but will not appear at the authentication point.

Not live = cannot be used. The visibility setting is ignored.

Changes to the status can take up to PLACEHOLDER-TIME to go live.
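The status panel reports the connection and bind checks only after the form is saved. The following added example (not part of this page or of OpenAthens) shows how the same fields can be checked beforehand with OpenLDAP's ldapsearch, run from a machine outside your network so that it exercises the same path OpenAthens will use. The host, bind DN, base DN and filter values are constructed placeholders; the function assembles the command, and the bind password is prompted for (-W) rather than placed on the command line.

```shell
#!/bin/sh
# Assemble an ldapsearch command from the same values entered in the
# OpenAthens LDAP connection form. Added example; all values are constructed.
#
# Arguments: host port connection_type(starttls|ldaps) bind_dn base_dn filter
build_ldapsearch_cmd() {
    host=$1; port=$2; conn=$3; bind_dn=$4; base_dn=$5; filter=$6
    case "$conn" in
        # -ZZ makes StartTLS mandatory: the probe fails rather than falling back to cleartext.
        starttls) uri="ldap://$host:$port"; tls_flag="-ZZ" ;;
        # ldaps:// wraps the whole session in TLS from the first byte.
        ldaps)    uri="ldaps://$host:$port"; tls_flag="" ;;
        *) echo "unknown connection type: $conn" >&2; return 1 ;;
    esac
    # -x: simple bind with the admin bind DN
    # -W: prompt for the bind password instead of exposing it in the process list
    # -b/-s sub: search the base DN, as OpenAthens will when it looks users up
    # 1.1: request no attributes, so a successful run proves bind + base DN + filter only
    printf 'ldapsearch -x %s -H %s -D %s -W -b %s -s sub %s 1.1\n' \
        "$tls_flag" "$uri" "'$bind_dn'" "'$base_dn'" "'$filter'"
}

# Demonstration with constructed placeholder values for a StartTLS connection
# and an ldaps:// connection; copy the printed line into a shell to run it.
build_ldapsearch_cmd ldap.example.org 389 starttls \
    'cn=openathens,dc=example,dc=org' 'dc=example,dc=org' '(cn=jdoe)'
build_ldapsearch_cmd ldap.example.org 636 ldaps \
    'cn=openathens,dc=example,dc=org' 'dc=example,dc=org' '(cn=jdoe)'
```

If the printed command fails at the TLS step, the server certificate (or its issuing CA) is what you will need to paste into the certificate tab; if it fails at the bind, recheck the Admin bind DN and password before saving the form.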

Example filters

cn=${uid} - default LDAP filter where cn is the username

(&(objectCategory=Person)(sAMAccountName=${uid})) - Default AD filter using the windows login as the username

(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com)) - AD filter using email as the username and limited to the student group.
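To show what the ${uid} placeholder does with the three filters above, here is an added example in Python (it is not OpenAthens code and does not describe how OpenAthens itself renders filters). It substitutes a username into a template, escapes the value as RFC 4515 requires so that characters such as "*", "(" and ")" in a username are matched literally rather than changing the filter's meaning, reports which attribute the filter compares with ${uid} (the identifier that ends up in statistics reports), and sanity-checks that the rendered filter's parentheses balance. The templates and usernames are constructed samples.

```python
import re

# Constructed samples: the three filter templates from the page.
FILTER_TEMPLATES = {
    "default": "cn=${uid}",
    "ad": "(&(objectCategory=Person)(sAMAccountName=${uid}))",
    "ad_students": "(&(objectCategory=Person)(mail=${uid})"
                   "(memberOf=cn=students,dc=domain,dc=com))",
}

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise they are read as filter syntax instead of as data.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    # Backslash first, so the backslashes introduced by later escapes are kept.
    out = value.replace("\\", _ESCAPES["\\"])
    for ch in ("*", "(", ")", "\x00"):
        out = out.replace(ch, _ESCAPES[ch])
    return out


def render_filter(template: str, uid: str) -> str:
    """Substitute the (escaped) username into every ${uid} in the template."""
    if "${uid}" not in template:
        raise ValueError("filter template must contain ${uid}")
    return template.replace("${uid}", escape_filter_value(uid))


# An attribute name immediately followed by "=${uid}", with or without the
# opening parenthesis of a filter component.
_UID_ATTR = re.compile(r"\(?([A-Za-z][A-Za-z0-9.;-]*)=\$\{uid\}")


def uid_attribute(template: str) -> str:
    """Return the attribute compared with ${uid}: the identifier used in reports."""
    m = _UID_ATTR.search(template)
    if not m:
        raise ValueError("no attribute is compared with ${uid}")
    return m.group(1)


def is_balanced(filter_text: str) -> bool:
    """Cheap sanity check: parentheses in a rendered filter must balance."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed usernames: a plain one, one with a wildcard, one with
    # parentheses as some display names have.
    for name, template in FILTER_TEMPLATES.items():
        print(f"{name}: identifier attribute = {uid_attribute(template)}")
        for uid in ("jdoe", "jdoe*", "Jane Doe (contractor)"):
            rendered = render_filter(template, uid)
            state = "ok" if is_balanced(rendered) else "UNBALANCED"
            print(f"  {uid!r:28} -> {rendered}  [{state}]")
```

The escaping step is the part worth keeping in mind when reviewing a filter: without it, a username containing a wildcard would match more than one entry, and one containing a parenthesis would produce a malformed or differently scoped filter.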