LDAP: How to set up authentication
If you would like your Room Booking users to gain access via the login details they already have in Active Directory, this article shows you how to configure this using LDAP Authentication.
Why set up LDAP Authentication?
Setting up LDAP authentication means staff can log in to Room Booking with their existing username and password from AD, so there is no need to import and maintain a separate list of staff login details.
Firewall Rules
To enable us to access your LDAP Server and authenticate your users please configure your firewall to allow communication with your Domain Controller from the following IP Addresses via Port 389 (for LDAP) or 636 (for LDAPS):
3.11.136.51
3.11.149.57
3.11.229.108
18.169.74.250
18.132.11.212
18.135.91.220
Setting Up LDAP Authentication
From the Administrator Homepage go to Settings > Authentication > LDAP Authentication and complete all fields with your details.
Server Name - Enter your organisation's public facing address and port for the domain controller, e.g. 210.232.115.79:389 or ldaps://mail.mydomain.com:636. Use the ldaps:// form on port 636 where possible, as a plain LDAP bind on port 389 sends the user's password unencrypted.
Base DN - Enter the Base DN from your Active Directory. This is the point from which the server starts its search for users, e.g. ou=People,dc=example,dc=com. The easiest way to check this information is to bring up the properties field in Active Directory.
Domain - Enter your domain details, e.g. domain, domain.local, domain.co.uk
User Attribute - Enter the attribute that holds the username and is used for the search, e.g. UID or sAMAccountName.
Search Filter - Optional. This field can be used if you want to search on multiple criteria, or only on users that are members of a specific group. It can be left blank if you are happy to search the whole Base DN entered above. If you decide to use it, always include the "&({userfield}={username})" part of the query: this makes sure the LDAP query only returns users whose username matches the one entered on the login page.
You can use the search filter to check an attribute or that the user signing in is a member of a specific group:
(&({userfield}={username})(description=staff))
This filter will allow any users who have a description of "staff" or an email assigned to them:
(&({userfield}={username})(|(description=staff)(email=*)))
This filter searches for users in a specific group inside the BaseDN. This is handy when you want only a few specific groups to be able to log in:
(&({userfield}={username})(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))
The field uses LDAP query syntax, so the following guide gives more information on what you can do with it:
https://docs.microsoft.com/en-us/windows/desktop/adsi/search-filter-syntax.
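The placeholder substitution described above, as an added example that is not Room Booking's own code: a small Python helper that fills the configured User Attribute and the login-page username into a filter template, refuses templates missing the required "({userfield}={username})" clause, and escapes the username per RFC 4515 so characters typed on the login page cannot change the meaning of the filter. The usernames and the choice of sAMAccountName are constructed for the example.

```python
# Added example (not Room Booking's own code): build the LDAP search filter the
# way the article describes, substituting {userfield} and {username}.
REQUIRED_CLAUSE = "({userfield}={username})"

# RFC 4515: these characters are special inside a filter value, so a username
# that contains them is encoded as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login-page username for safe use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parentheses_balanced(ldap_filter: str) -> bool:
    """Cheap syntax check: every '(' in the template has a matching ')'."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_search_filter(template: str, user_attribute: str, username: str) -> str:
    """Fill in the admin-configured User Attribute and the username typed on the
    login page. Templates that drop the required clause are rejected, because
    without it the search could match users other than the one logging in."""
    if REQUIRED_CLAUSE not in template:
        raise ValueError("search filter must contain " + REQUIRED_CLAUSE)
    if not parentheses_balanced(template):
        raise ValueError("search filter has unbalanced parentheses")
    return (template.replace("{userfield}", user_attribute)
                    .replace("{username}", escape_filter_value(username)))


if __name__ == "__main__":
    # The three filters from the article, with a constructed username.
    for tpl in ["(&({userfield}={username})(description=staff))",
                "(&({userfield}={username})(|(description=staff)(email=*)))",
                "(&({userfield}={username})(memberof=CN=YourGroup,OU=Users,DC=YourDomain,DC=com))"]:
        print(build_search_filter(tpl, "sAMAccountName", "jsmith"))
```

Note that only the username is escaped; the wildcard in the template's own "(email=*)" clause is left intact because the administrator wrote it deliberately.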
Test Set Up
You can now test the LDAP settings to ensure the details are correct and that the system can connect to your server.
Under Test LDAP Settings enter a Username and Password for a user that should now have access under your search criteria and click on Test Authentication.
A box will now appear with the results of your test:
If the connection is successful, your user will now be able to access the system. When you're ready, you can turn on the authentication method for all users; the next section explains how.
If the connection failed, please check your setup and adjust where required. If you need further assistance, please contact us.
Enabling the set up
If your test succeeded, it is fine to enable the setup. If you don't have any users on the system at the moment, we recommend turning on the Automatically Create New Users option.
If you have users on the system at the moment, we will need to change them over to work with the new authentication method. If the usernames are different in LDAP, we'll need to switch the usernames to the new format while we do this. Please save the LDAP settings then get in touch with us via email on schoolcloud@tes.com and let us know that you'd like to set your user accounts to be compatible with LDAP. If you need to set the usernames, let us know the pattern you would like to apply to the usernames and we'll do that. While we switch the users over to be LDAP compatible, those who aren't compatible or who don't have matching usernames.
Please note that Administrator accounts are separate from user accounts and will not use LDAP to authenticate; they always use a username and password.
Can I View the User Accounts on Room Booking?
Once you have set up your LDAP Authentication all the users under your search criteria will have access to the system.
When a user logs into Room Booking for the first time, their user account is created on the system. If a user has not yet logged in, they will not appear on Room Booking unless an account has previously been set up manually or imported.
It is possible to 'pre-populate' the users on Room Booking. If you need to do this, please send us a spreadsheet (to schoolcloud@tes.com) containing the following columns:
- Username
- Firstname
- Surname
Please note that for all our supported authentication methods on Room Booking, we match the logged-in user's username to the Room Booking username.
Once the accounts are created you can then go ahead and set up User Permissions if required. See How do I set up user permissions? for more details.