Identity Management in Quercus

Configuring LDAP in Quercus

Integrating with an external LDAP server

Quercus can be integrated with any of the five supported external LDAP implementations (Apache Directory Server, Microsoft Active Directory, Novell eDirectory, OpenLDAP and Oracle Internet Directory) by setting the appropriate parameter values in the Control Centre.

LDAP parameters

Quercus’s LDAP configuration is maintained by setting LDAP parameter values through the Control Centre.

Note: you must have the correct administrator-level permissions in order to access Control Centre and set the parameter values.

To locate LDAP parameters

1. Log in to Quercus with administrator permissions and select Control Centre Set-Up.

2. Select Parameters.

3. Set the Namespace to Quercus System and the Group to Ldap and click Search.

To edit an LDAP parameter

1. Choose the parameter associated with the field you want to change and click the corresponding edit icon.

The Edit Parameter screen opens.

2. Change the Value to the desired setting and click Save.

List of LDAP parameters

The LDAP parameters are listed in the table below.

For a more detailed explanation of the parameters see Explanation of LDAP parameters.

For examples of how the parameters are set in a real configuration scenario see Example: Establishing the LDAP connection to a Microsoft Active Directory server.

Parameter | Description | Namespace | Value
--- | --- | --- | ---
LDAP_ADMIN_PASSWORD | LDAP Admin Password | Quercus System | password
LDAP_ADMIN_USER_NAME | LDAP Admin User Name | Quercus System | DN, e.g. cn=orcladmin,cn=users,dc=campusit,dc=net
LDAP_GROUP_BASE | LDAP Group Base | Quercus System | DN, e.g. cn=demo,cn=groups,dc=campusit,dc=net
LDAP_NEW_USER_BASE | LDAP New User Base | Quercus System | DN of the location on the LDAP server where Quercus users created through the online application process are stored
LDAP_PASSWORD_REMINDER | LDAP Password Reminder | Quercus System | TRUE or FALSE
LDAP_SERVER | LDAP Server Type | Quercus System | One of: Apache Directory Server, CampusIT Embedded, Microsoft Active Directory, Novell eDirectory, OpenLDAP, Oracle Internet Directory
LDAP_SERVER_HOST | LDAP Server Hostname | Quercus System | IP address or hostname of the LDAP server
LDAP_SERVER_PORT | LDAP Server Port | Quercus System | Port on the server. Common values are 389 or 636; the default is 389
LDAP_USER_BASE | LDAP User Base | Quercus System | DN, e.g. cn=DEMO,cn=Users,dc=campusit,dc=net
LDAP_USER_ID_NUMBER | LDAP User ID Number | Quercus System | an employee number
LDAP_WALLET | LDAP Wallet | Quercus System | File path of the Oracle LDAP Wallet on the Quercus database server
LDAP_WALLET_PASSWORD | LDAP Wallet Password | Quercus System | password
MSAD.LDAP_USER_NAME | MSAD User Name Attribute | Quercus System | legacy logon name
PERSON_LDAP_MERGE | Person LDAP Merge | Quercus Global | TRUE or FALSE
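The table fixes the form each parameter value must take. The following Python script is an added example, not code from Quercus or CampusIT: it encodes those constraints, together with the rules given under Explanation of LDAP parameters (the file: prefix on LDAP_WALLET, LDAP_NEW_USER_BASE defaulting to LDAP_USER_BASE, the two permitted MSAD.LDAP_USER_NAME attributes), as a consistency check that can be run over an exported parameter set before the first bind attempt, so that a mistyped value is caught as a configuration error rather than as a failed login. The function names, the host ad.example.test, the DNs under dc=example,dc=test and the placeholder passwords are constructed for the example; treating LDAP_USER_BASE and LDAP_GROUP_BASE as required, and flagging a blank LDAP_WALLET on port 636, are this example's own assumptions rather than documented Quercus rules.

```python
"""Consistency check for a Quercus LDAP parameter set (added example, not Quercus code).

Encodes the value constraints from the parameter table and the per-parameter
explanations: supported server types, TRUE/FALSE flags, the port default of
389, the "file:" prefix on LDAP_WALLET, LDAP_NEW_USER_BASE falling back to
LDAP_USER_BASE and the two permitted MSAD.LDAP_USER_NAME attributes.
"""

SERVER_TYPES = {
    "Apache Directory Server", "CampusIT Embedded", "Microsoft Active Directory",
    "Novell eDirectory", "OpenLDAP", "Oracle Internet Directory",
}
FLAG_PARAMS = ("LDAP_PASSWORD_REMINDER", "PERSON_LDAP_MERGE")
DN_PARAMS = ("LDAP_ADMIN_USER_NAME", "LDAP_GROUP_BASE", "LDAP_USER_BASE", "LDAP_NEW_USER_BASE")
MSAD_NAME_ATTRS = ("sAMAccountName", "userPrincipalName")


def looks_like_dn(value: str) -> bool:
    """Shape check only: every comma-separated RDN must be attr=value."""
    for rdn in value.split(","):
        attr, sep, val = rdn.partition("=")
        if not sep or not attr.strip() or not val.strip():
            return False
    return True


def validate_ldap_params(params: dict) -> list:
    """Return a list of problems; an empty list means the set is consistent."""
    p = {k: (v or "").strip() for k, v in params.items()}
    problems = []

    server = p.get("LDAP_SERVER", "")
    if server not in SERVER_TYPES:
        problems.append("LDAP_SERVER must be one of the supported server types, got %r" % server)

    if not p.get("LDAP_SERVER_HOST"):
        problems.append("LDAP_SERVER_HOST is required")

    port = p.get("LDAP_SERVER_PORT") or "389"          # documented default is 389
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append("LDAP_SERVER_PORT must be a TCP port number, got %r" % port)

    for name in FLAG_PARAMS:
        if p.get(name, "FALSE").upper() not in ("TRUE", "FALSE"):
            problems.append("%s must be TRUE or FALSE" % name)

    # LDAP_ADMIN_USER_NAME may be blank (server needs no authentication) and
    # LDAP_NEW_USER_BASE is optional; when present they must still be DNs.
    for name in DN_PARAMS:
        val = p.get(name, "")
        if val and not looks_like_dn(val):
            problems.append("%s does not look like a DN: %r" % (name, val))
    for name in ("LDAP_USER_BASE", "LDAP_GROUP_BASE"):   # assumption: treated as required here
        if not p.get(name):
            problems.append("%s is required" % name)

    if p.get("LDAP_ADMIN_USER_NAME") and not p.get("LDAP_ADMIN_PASSWORD"):
        problems.append("LDAP_ADMIN_PASSWORD is blank although LDAP_ADMIN_USER_NAME is set")

    wallet = p.get("LDAP_WALLET", "")
    if wallet and not wallet.startswith("file:"):
        problems.append("LDAP_WALLET, if entered, must begin with file:")
    # Assumption of this example, not a documented Quercus rule: 636 is the
    # standard LDAPS port, so a blank wallet alongside it deserves a look.
    if port == "636" and not wallet:
        problems.append("LDAP_SERVER_PORT is 636 but LDAP_WALLET is blank")

    if server == "Microsoft Active Directory" and p.get("MSAD.LDAP_USER_NAME") not in MSAD_NAME_ATTRS:
        problems.append("MSAD.LDAP_USER_NAME must be sAMAccountName or userPrincipalName")
    return problems


def effective_new_user_base(params: dict) -> str:
    """LDAP_NEW_USER_BASE is optional; when empty, new accounts go under LDAP_USER_BASE."""
    return (params.get("LDAP_NEW_USER_BASE") or "").strip() or params["LDAP_USER_BASE"].strip()


# Constructed sample parameter set for an Active Directory server.
SAMPLE_PARAMS = {
    "LDAP_SERVER": "Microsoft Active Directory",
    "LDAP_SERVER_HOST": "ad.example.test",
    "LDAP_SERVER_PORT": "636",
    "LDAP_ADMIN_USER_NAME": "cn=svc-quercus,cn=Users,dc=example,dc=test",
    "LDAP_ADMIN_PASSWORD": "placeholder-password",
    "LDAP_USER_BASE": "cn=Users,dc=example,dc=test",
    "LDAP_GROUP_BASE": "cn=Groups,dc=example,dc=test",
    "LDAP_NEW_USER_BASE": "",
    "LDAP_WALLET": "file:d:\\wallet",
    "LDAP_WALLET_PASSWORD": "placeholder-password",
    "MSAD.LDAP_USER_NAME": "userPrincipalName",
    "LDAP_PASSWORD_REMINDER": "TRUE",
    "PERSON_LDAP_MERGE": "FALSE",
}

if __name__ == "__main__":
    for problem in validate_ldap_params(SAMPLE_PARAMS) or ["no problems found"]:
        print(problem)
```

Running the file prints the problems found for the sample set (none as given); changing LDAP_WALLET to a bare path or LDAP_SERVER to a misspelt type produces one line per defect.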

Binding to LDAP

The process of establishing a connection to the LDAP server is known as binding. When we talk about linking Quercus to an LDAP server we refer to it as an LDAP bind.

Explanation of LDAP parameters

The following Control Centre parameters provide support for LDAP functions.

For examples of how the parameters are set in a real configuration scenario see Example: Establishing the LDAP connection to a Microsoft Active Directory server.

LDAP_ADMIN_PASSWORD

Purpose

Stores the LDAP server password for the defined admin user.

LDAP_ADMIN_USER_NAME

Purpose

Specifies where the LDAP admin user is located within the LDAP directory structure.

Note: the specified user does not have to be an actual admin-level user; a user with sufficient access privileges to perform the lookups is sufficient for authentication and authorization. However, user account provisioning and management will require additional system privileges.

In the example below cn=orcladmin is the lowest level node and dc=net the highest. A fragment of a corresponding structure from an LDAP server is shown in the screenshot.

Example

cn=orcladmin,cn=Users,dc=campusit-int,dc=net

You can leave this field blank when the LDAP server doesn’t require authentication.

LDAP_GROUP_BASE

Purpose

Specifies where the various LDAP groups (e.g. QP_STUDENT_EDIT, HESA_ADMIN) are located within the LDAP directory structure.

If you create a new LDAP group, it will be located in the lowest level node of this path (in the example below, cn=Groups).

Example

cn=Groups,dc=campusit-int,dc=net

In the above example cn=Groups is the lowest level node, dc=net the highest.

When the application searches for a group, it will only search in (and below) the path specified by this parameter.

An example of a group node from an LDAP server is in the screenshot.

LDAP_NEW_USER_BASE

A location in the directory structure where Quercus users created through the online application process are stored (allowing these users to be kept separate from long-term staff and student users). Not all institutions will use this option.

Note: this parameter is optional. When this parameter is left empty (default) new user accounts are created (provisioned) under the LDAP_USER_BASE.

LDAP_PASSWORD_REMINDER

If set to True, when users create new accounts through the Apply Online and Booking services they will be asked to select a password reminder question and answer. The users will be required to answer the security question as an additional security measure during the password reset process.

If set to False, the security question is not captured and is not required during password reset.

LDAP_SERVER

Set this to the type of LDAP server with which you are communicating. The options are:

Apache Directory Server

CampusIT Embedded

Microsoft Active Directory

Novell eDirectory

OpenLDAP

Oracle Internet Directory

LDAP_SERVER_HOST

Purpose

Specifies the address of the LDAP server.

Format

URL or IP address.

LDAP_SERVER_PORT

Purpose

Specifies the port on which the LDAP server is communicating.

Format

Common values are 389 or 636, default is 389.

LDAP_USER_BASE

Purpose

Specifies where, in the LDAP directory structure, the users are located. When the server receives an authentication request from Quercus the entry search will be confined to this branch of the directory and any branches below it.

If you create a new LDAP user, the record will be located in the lowest level node of this path (in the example below, cn=QDOC).

Example

cn=QDOC,cn=Users,dc=campusit-int,dc=net

In the above example cn=QDOC is the lowest level node, dc=net the highest.

When the application searches for a user, it will only search in (and below) the path specified by this parameter.

An example of a user from an LDAP server is
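The node-ordering and search-scope statements in the LDAP_ADMIN_USER_NAME, LDAP_GROUP_BASE and LDAP_USER_BASE explanations above (the first RDN is the lowest level node and the last the highest; a search is confined to the base and the branches below it) can be made concrete in code. The following Python is an added example, not Quercus code: it splits a DN into RDNs following RFC 4514 escaping (a backslash-escaped comma inside a value is not a separator), compares attribute types case-insensitively, and reports which of a set of entry DNs fall inside a given LDAP_USER_BASE. The sample entries under dc=campusit-int,dc=net are constructed, and comparing values case-folded is a simplification of the LDAP matching rules.

```python
"""DN splitting, node ordering and base-scope checks (added example, not Quercus code).

Models two statements from this page: in a DN the first RDN is the lowest
level node and the last is the highest (cn=QDOC ... dc=net), and a user or
group search is confined to the base DN and the branches below it.
"""


def split_rdns(dn: str) -> list:
    """Split a DN into its RDN strings, lowest node first.

    Follows RFC 4514 escaping: a backslash escapes the next character, so a
    "\\," inside a value is part of the value, not an RDN separator.
    """
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])      # keep the escaped character itself
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return [r for r in rdns if r]


def normalize_rdn(rdn: str) -> tuple:
    """Attribute types are case-insensitive; values are case-folded here as a
    simplification (exact LDAP matching depends on the attribute's syntax)."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().casefold()


def parse_dn(dn: str) -> list:
    return [normalize_rdn(r) for r in split_rdns(dn)]


def lowest_node(dn: str) -> str:
    """The leftmost RDN, e.g. cn=QDOC in the page's example."""
    return split_rdns(dn)[0]


def highest_node(dn: str) -> str:
    """The rightmost RDN, e.g. dc=net in the page's example."""
    return split_rdns(dn)[-1]


def is_under_base(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is the base itself or lies in a branch below it.

    Because the highest node is last, "below the base" means the entry's RDN
    list ends with the base's RDN list.
    """
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def entries_in_scope(entry_dns, base_dn: str) -> list:
    """Filter DNs the way a search confined to base_dn would."""
    return [dn for dn in entry_dns if is_under_base(dn, base_dn)]


# Constructed sample entries; only the first two lie under the user base.
USER_BASE = "cn=QDOC,cn=Users,dc=campusit-int,dc=net"
SAMPLE_ENTRIES = [
    "cn=jsmith,cn=QDOC,cn=Users,dc=campusit-int,dc=net",
    "cn=aroe,ou=Staff,CN=QDOC,CN=Users,DC=campusit-int,DC=net",
    "cn=olduser,cn=Archive,cn=Users,dc=campusit-int,dc=net",
    "cn=QP_STUDENT_EDIT,cn=Groups,dc=campusit-int,dc=net",
]

if __name__ == "__main__":
    print("lowest:", lowest_node(USER_BASE), "highest:", highest_node(USER_BASE))
    for dn in entries_in_scope(SAMPLE_ENTRIES, USER_BASE):
        print("in scope:", dn)
```

The scope check is the useful part when reviewing a configuration: an entry that sits beside the base (cn=Archive in the sample) or in the group tree is never returned by a user search, so a login that "should work" but does not is often explained by an LDAP_USER_BASE set one level too deep.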

LDAP_USER_ID_NUMBER

Purpose

Specifies the name of the LDAP property which links the LDAP user profile with the PERSON_LDAP.LDAP_ID field in Quercus Menu (see below).

Quercus Menu applications and services which utilise LDAP lookups, must be able to link an LDAP user record with records for the same user within the Quercus Menu database.

This is done using the LDAP_USER_ID_NUMBER parameter.

Example

employeenumber

LDAP_WALLET

Purpose

Specifies the location of the Oracle LDAP Wallet.

The Oracle LDAP Wallet is a resource which stores the database’s authentication credentials, such as security certificates.

Format

Path to the Wallet.

If entered, it must begin with file:

Leave blank when SSL communication is not required.

Example

file:d:\wallet

LDAP_WALLET_PASSWORD

Purpose

Stores the password to the Oracle LDAP Wallet.

MSAD.LDAP_USER_NAME

In Microsoft Active Directory you can hold the user name in either the sAMAccountName or the userPrincipalName fields.

The MSAD.LDAP_USER_NAME parameter allows you to specify which field you are using.

We recommend using the userPrincipalName rather than the sAMAccountName.
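As an added example (not Quercus code) of how the MSAD.LDAP_USER_NAME and LDAP_USER_ID_NUMBER parameters described above work together: the login name is matched against whichever Active Directory attribute MSAD.LDAP_USER_NAME names, and the employeenumber value of the matched entry is then used to find the PERSON_LDAP.LDAP_ID row. The directory entries, the PERSON_LDAP stand-in dictionary and the dc=example,dc=test names are constructed for the example. The lookup deliberately returns no match when more than one entry carries the login name, so a duplicate never silently resolves to the wrong account; the test below adds a constructed duplicate sAMAccountName to show the userPrincipalName lookup still resolving while the sAMAccountName lookup refuses to guess.

```python
"""Login-name resolution and person linking (added example, not Quercus code).

Models two parameters from this page: MSAD.LDAP_USER_NAME selects which
Active Directory attribute carries the login name (sAMAccountName or
userPrincipalName), and LDAP_USER_ID_NUMBER names the attribute
(e.g. employeenumber) whose value is matched against PERSON_LDAP.LDAP_ID.
The directory and the PERSON_LDAP table are constructed in-memory stand-ins.
"""

NAME_ATTRS = ("sAMAccountName", "userPrincipalName")

# Constructed sample directory: (dn, attributes) pairs.
DIRECTORY = [
    ("cn=Jane Smith,cn=Users,dc=example,dc=test", {
        "sAMAccountName": "jsmith",
        "userPrincipalName": "jsmith@example.test",
        "employeeNumber": "100234",
    }),
    ("cn=Jane Smith,ou=Contractors,dc=example,dc=test", {
        "sAMAccountName": "jsmith2",
        "userPrincipalName": "jane.smith@contractors.example.test",
        "employeeNumber": "100987",
    }),
]

# Constructed stand-in for PERSON_LDAP rows: LDAP_ID -> Quercus person id.
PERSON_LDAP = {"100234": 501, "100987": 502}


def get_attr(attrs: dict, name: str):
    """LDAP attribute types are case-insensitive, so match them that way."""
    wanted = name.lower()
    for key, value in attrs.items():
        if key.lower() == wanted:
            return value
    return None


def find_user(login: str, name_attr: str, directory=DIRECTORY):
    """Return the one entry whose name_attr equals login (case-insensitively).

    Returns None when nothing matches or when the match is ambiguous, so a
    duplicate login name never resolves silently to the wrong account.
    """
    if name_attr not in NAME_ATTRS:
        raise ValueError("MSAD.LDAP_USER_NAME must be one of %s" % (NAME_ATTRS,))
    if not login:
        return None   # an empty login must not match entries lacking the attribute
    matches = [(dn, attrs) for dn, attrs in directory
               if (get_attr(attrs, name_attr) or "").lower() == login.lower()]
    return matches[0] if len(matches) == 1 else None


def link_person(entry, id_attr: str, person_ldap=PERSON_LDAP):
    """Map the entry's LDAP_USER_ID_NUMBER attribute value to a person id."""
    if entry is None:
        return None
    return person_ldap.get(get_attr(entry[1], id_attr))


if __name__ == "__main__":
    entry = find_user("jsmith@example.test", "userPrincipalName")
    print(entry[0], "->", link_person(entry, "employeenumber"))
```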

PERSON_LDAP_MERGE

Quercus has the capability to merge duplicate person (student) records. When this parameter is enabled, associated user accounts are merged as well. This is done by deleting one user account from the LDAP server and updating the other.

Depending on how accounts are provisioned within an institution this automation may not be desirable. When automated merging of user accounts is disabled Quercus will leave both user accounts intact. However, one account will no longer be linked to an existing person record in Quercus and should be removed by other processes.