Identity Management in Quercus

Establishing the LDAP connection

Binding to LDAP

The process of establishing a connection to the LDAP server is known as binding. When we talk about linking Quercus to an LDAP server we refer to it as an LDAP bind.

In order to establish an LDAP bind you will need to perform the following activities:

connect to the LDAP server and test the connection

specify the Admin User in Quercus

check the Admin User can authenticate to the LDAP server from Quercus

enable SSL communication if required

specify the location of the LDAP user base

link Quercus accounts with LDAP accounts

set up LDAP Groups

The precise steps required to establish an LDAP connection to an external IDM will vary according to the LDAP server type to which you are connecting and your local Quercus environment.

In the next chapter we provide a detailed example of how these activities are executed when connecting to a Microsoft Active Directory server.

Note

The execution procedures required to establish an LDAP connection to an external IDM will vary according to the LDAP server type to which you are connecting and your local Quercus environment.

Summary of steps

An outline of the steps is given below. The next chapter provides a detailed example of how these activities are executed when connecting to a Microsoft Active Directory server.

Step 1: Connect to the server and test the connection

The first step is to enter the connection parameters in Quercus and then test that the connection actually works by telnetting from the Quercus environment to the LDAP server.

Note: The communication must be established from the Quercus database server environment.

Step 2: Identify the Admin User in Quercus

If you wish to add users through services such as Apply Online you will require admin rights for writing to the LDAP directory. In order to perform the various read and write operations required in this scenario, Quercus must connect to the server as an admin user. To support this requirement you must enter details of the administrative user into Quercus.

Step 3: Check the Admin User can authenticate to the LDAP server from Quercus

Once you have set up the admin user you should check that the user can authenticate to the LDAP server. You can use the Oracle SQL*Plus tool to perform this check.

Step 4: Enable SSL communication if required

If you plan to encrypt communication using SSL, you must provide Quercus with the relevant domain certificate for the LDAP server. In the case of Active Directory, SSL mode is mandatory for all connections. Although it is not mandatory for other LDAP servers, we recommend that it is used if at all possible.

Step 5: Specify the location of the LDAP user base

Now that you have fully operative SSL communication between Quercus and the LDAP server, you can specify the location of the Quercus users within the LDAP directory.

Step 6: Link Quercus accounts with Active Directory LDAP accounts

Next, you must establish the link between the users in the LDAP directory and the users in Quercus, so that when a user authenticates using LDAP and is granted access to Quercus, Quercus knows who that user is.

This link is maintained by using a field in the Quercus schema known as PERSON_LDAP.LDAP_ID. This field stores a unique LDAP identifier for each user, which is compared to a corresponding unique identifier in the LDAP directory.

Any suitable field holding a unique identifier can be used as the join field in the LDAP directory. For this reason it is necessary to specify which field is being used as the join using the LDAP_USER_ID_NUMBER parameter.

Step 7: Set up LDAP Groups

You have now established the user base and how Quercus users are joined to the LDAP server. At this stage student users can log into Quercus Gateway, provided they are enrolled on a course instance.

Back-end staff, however, must be members of LDAP groups for authorisation purposes. For this reason the Quercus LDAP groups must be set up on the LDAP server before staff members can authenticate and be authorised.

The groups are defined by Quercus and they need to be stored in a location in the LDAP directory.

Step 8: Test the installation

You have now completed all the steps in the LDAP set-up procedure.

You can now begin testing the installation.
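The SQL*Plus check from steps 1 to 6 can be scripted as a single PL/SQL block using Oracle's DBMS_LDAP package. This is an added example, not Quercus's own code: the host, wallet path, admin DN, user base, filter and join attribute are placeholders to replace with your own values, and it assumes the database's network ACL already permits outbound connections from the database server to the LDAP port.

```sql
SET SERVEROUTPUT ON
DECLARE
  -- Placeholder values; substitute your own LDAP server, admin account and user base.
  l_host      VARCHAR2(256) := 'ldap.example.ac.uk';
  l_port      PLS_INTEGER   := 636;                              -- LDAPS, mandatory for Active Directory
  l_wallet    VARCHAR2(256) := 'file:/u01/app/oracle/wallet';    -- wallet holding the domain CA certificate
  l_admin_dn  VARCHAR2(256) := 'CN=quercus-svc,OU=Service Accounts,DC=example,DC=ac,DC=uk';
  l_admin_pwd VARCHAR2(256) := '&admin_password';                -- prompted by SQL*Plus, never stored in the script
  l_user_base VARCHAR2(256) := 'OU=Users,DC=example,DC=ac,DC=uk';
  l_join_attr VARCHAR2(64)  := 'sAMAccountName';                 -- the attribute named by LDAP_USER_ID_NUMBER
  l_session   DBMS_LDAP.SESSION;
  l_rc        PLS_INTEGER;
  l_attrs     DBMS_LDAP.STRING_COLLECTION;
  l_msg       DBMS_LDAP.MESSAGE;
  l_entry     DBMS_LDAP.MESSAGE;
  l_vals      DBMS_LDAP.STRING_COLLECTION;
BEGIN
  DBMS_LDAP.USE_EXCEPTION := TRUE;          -- raise ORA- errors instead of returning status codes

  -- Step 1: open the session from the database server itself, as the note above requires
  l_session := DBMS_LDAP.init(l_host, l_port);

  -- Step 4: sslauth 2 makes the database verify the server certificate against the wallet;
  -- sslauth 1 would encrypt without checking who we are talking to.
  l_rc := DBMS_LDAP.open_ssl(l_session, l_wallet, '&wallet_password', 2);

  -- Steps 2 and 3: bind as the admin user; a bad DN or password raises an exception here
  l_rc := DBMS_LDAP.simple_bind_s(l_session, l_admin_dn, l_admin_pwd);
  DBMS_OUTPUT.PUT_LINE('Admin bind succeeded as ' || l_admin_dn);

  -- Steps 5 and 6: confirm the user base is readable and the join attribute is populated
  l_attrs(1) := l_join_attr;
  l_rc := DBMS_LDAP.search_s(l_session, l_user_base, DBMS_LDAP.SCOPE_SUBTREE,
                             '(mail=j.bloggs@example.ac.uk)', l_attrs, 0, l_msg);
  DBMS_OUTPUT.PUT_LINE('Entries found: ' || DBMS_LDAP.count_entries(l_session, l_msg));

  l_entry := DBMS_LDAP.first_entry(l_session, l_msg);
  WHILE l_entry IS NOT NULL LOOP
    DBMS_OUTPUT.PUT_LINE('DN: ' || DBMS_LDAP.get_dn(l_session, l_entry));
    l_vals := DBMS_LDAP.get_values(l_session, l_entry, l_join_attr);
    IF l_vals.COUNT > 0 THEN      -- this is the value PERSON_LDAP.LDAP_ID must hold for the user
      DBMS_OUTPUT.PUT_LINE(l_join_attr || ' = ' || l_vals(l_vals.FIRST));
    END IF;
    l_entry := DBMS_LDAP.next_entry(l_session, l_entry);
  END LOOP;

  l_rc := DBMS_LDAP.unbind_s(l_session);
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE('LDAP check failed: ' || SQLERRM);
    BEGIN l_rc := DBMS_LDAP.unbind_s(l_session); EXCEPTION WHEN OTHERS THEN NULL; END;
    RAISE;
END;
/
```

Run it from SQL*Plus on the Quercus database server; a failure at the bind step points at the admin credentials, while a failure at open_ssl usually means the domain certificate in the wallet does not match the LDAP server.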