LDAP User Guide - Help Desk

Copyright © 2007 Pearson Education, Inc or its affiliates. All rights reserved.

Introduction

LDAP (Lightweight Directory Access Protocol) functionality enables administrators to establish a single source for securely managing authentication for all users on the district network, including those using PowerSchool, PowerSchool Teacher, PowerGrade, and the Public Portal.

Configuration

In order for PowerSchool to authenticate users using an LDAP directory server, the LDAP directory server must be configured within PowerSchool.

Configuring the LDAP directory server consists of providing the server's address, port, SSL setting, and LDAP directory administrator credentials. It is possible to selectively enable or disable the use of LDAP for three groups of users: staff, teachers, and students. Each group of users enabled for LDAP must also have a domain context configured that identifies the root of the tree where each group of user accounts is located, along with the name of the user ID attribute from the directory schema.

Once configured, the LDAP directory server synchronizes the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory server. For a user to successfully authenticate in PowerSchool using LDAP, the login ID must match in both PowerSchool and the LDAP directory server.

Active Directory LDAP Setup

Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.

How to Set Up Active Directory LDAP

The following procedure illustrates the standard configuration for Active Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays. The following illustrates the standard setup for Active Directory LDAP Setup.
4. Use the following table to enter information in the Server Configuration fields:

Field: LDAP Server Hostname or IP Address
Description: Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

Field: LDAP Port
Description: Enter the TCP port to use, such as 636.

Field: Enable SSL
Description: Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server specific. Please refer to your server's documentation for more information.
Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. keystore is the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).
PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Field: Active Directory FQDN
Description: Enter the fully qualified domain name of the Active Directory Server, such as ad.powerschool.com. Typically this will be the same as the LDAP Server Hostname, but it does not have to be. When authenticating against Active Directory the Security Principal is of the form userID@fqdn.
Note: When configuring LDAP for Open Directory, this field may be left blank.

Field: LDAP Admin DN
Description: Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as cn=Administrator,cn=users,dc=ad,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

Field: LDAP Admin Password
Description: Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Active Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:

Field: Enable LDAP
Description: Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Field: Enable LDAP for PowerGrade
Description: Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Field: Domain Context
Description: The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=ad,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

8. Click Submit.

Open Directory LDAP Setup

Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.


How to Set Up Open Directory LDAP

The following procedure illustrates the standard configuration for Open Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays.
4. Use the following table to enter information in the Server Configuration fields:

Field: LDAP Server Hostname or IP Address
Description: Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

Field: LDAP Port
Description: Enter the TCP port to use, such as 636.

Field: Enable SSL
Description: Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server specific. Please refer to your server's documentation for more information.
Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is

keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. keystore is the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root).
PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

Field: Active Directory FQDN
Description: This field is for Active Directory only. For Open Directory, leave blank.

Field: LDAP Admin DN
Description: Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as uid=diradmin,cn=users,dc=od,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

Field: LDAP Admin Password
Description: Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Open Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:

Field: Enable LDAP
Description: Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

Field: Enable LDAP for PowerGrade
Description: Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

Field: Domain Context
Description: The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=od,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

Field: User ID Attribute
Description: Specify which schema attribute to use when forming the distinguished name (DN) when the user attempts to log in, such as uid for Staff, Teachers, and Students. For example, if the User ID Attribute is uid and the domain context is cn=users,dc=ldap,dc=powerschool,dc=com, then the DN for user jsmith becomes uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com.

8. Click Submit.
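The DN rule above (User ID Attribute plus Domain Context) and the Active Directory principal form userID@fqdn, as an added example that is not part of the guide or of PowerSchool's own code. The function names and the RFC 4514 escaping of the login ID are assumptions; the example goes beyond the guide by showing that a login ID containing DN metacharacters must be escaped before it is placed into the DN, otherwise it could add an extra RDN and change which entry is bound.

```python
# Added example (not PowerSchool's code): build the identity PowerSchool
# binds with, from the Domain Context and User ID Attribute described above.
# Assumed (not in the guide): the function names, and that the user ID is
# escaped per RFC 4514 before it is placed in the DN, so a login ID such as
# "jsmith,cn=admins" cannot add an RDN and change which entry is bound.

# Characters RFC 4514 requires to be escaped anywhere in a value
# ('=' is optional to escape; it is included so the output is unambiguous).
_DN_SPECIAL = set(',+"\\<>;=')

def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                    # leading '#'
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):     # leading/trailing space
            out.append("\\ ")
        elif ch == "\x00":                            # NUL must be hex-escaped
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)

def open_directory_bind_dn(login_id: str, user_id_attr: str, domain_context: str) -> str:
    """Open Directory: the bind DN is <User ID Attribute>=<login ID>,<Domain Context>.

    With user_id_attr="uid" and domain_context="cn=users,dc=ldap,dc=powerschool,dc=com",
    the login ID "jsmith" yields exactly the DN shown in the guide.
    """
    if not login_id:
        raise ValueError("empty login ID")
    return f"{user_id_attr}={escape_dn_value(login_id)},{domain_context}"

def active_directory_principal(login_id: str, fqdn: str) -> str:
    """Active Directory: the Security Principal is of the form userID@fqdn.

    Rejecting '@' in the login ID is an assumption made here so that the
    realm part of the principal is always the configured Active Directory FQDN.
    """
    if not login_id or "@" in login_id:
        raise ValueError("login ID must be non-empty and must not contain '@'")
    return f"{login_id}@{fqdn}"

if __name__ == "__main__":
    ctx = "cn=users,dc=ldap,dc=powerschool,dc=com"
    print(open_directory_bind_dn("jsmith", "uid", ctx))
    print(open_directory_bind_dn("jsmith,cn=admins", "uid", ctx))
    print(active_directory_principal("jsmith", "ad.powerschool.com"))
```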


Synchronization and Authentication

Directory synchronization is the process of synchronizing the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory. For a user to successfully authenticate in PowerSchool via LDAP, the login IDs must match in both PowerSchool and the LDAP Directory.

When LDAP is enabled, Login IDs are no longer directly editable through the PowerSchool user interface on either the Modify Info for Students or Security Settings for Teachers and Staff pages. Instead, one of the Synchronization processes must be used.

Synchronization can either be performed as a mass operation, using a selection of students or teachers and staff, or one at a time using the LDAP Lookup button on either the Modify Information or Security Settings pages.

LDAP Directory Synchronization

Use the LDAP Directory Synchronization page to synchronize PowerSchool Login IDs with an LDAP directory server.

How to Synchronize Using LDAP Directory Synchronization

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Synchronization. The LDAP Directory Synchronization page displays.
   The LDAP Directory Synchronization page acts as a hub for all of the synchronization processes. From this page you can choose to synchronize the current selection of students or teachers and staff, all students (district wide), all students with blank login IDs (district wide), all teachers (district wide), all staff (district wide), all teachers with blank login IDs (district wide), or all staff with blank login IDs (district wide).
   You can also invoke mass student synchronization from the Functions menu after establishing a selection of students. Similarly, you can invoke mass teacher/staff synchronization from the Functions menu after establishing a selection of teachers and/or staff.
   Once a selection is established and the LDAP Directory Synchronization process is selected, one of two pages displays depending on whether you are working with students or with teachers and staff.
   In either case, before the synchronization process begins, the expected user ID attribute displays and you have the opportunity to change it before proceeding. The User ID attribute is the name of the schema element in the LDAP directory that holds the login ID. This is the value that is brought back into PowerSchool and stored in the appropriate login ID field in PowerSchool's database.
4. Click Submit. When you click Submit, the synchronization process begins and each record in the selection is processed. The first and last name in each record is used to find an exact match in the directory. If no exact match is found, a second search is done using only the last name in an effort to find partial matches.
   If an exact match is found, the login ID in PowerSchool's database is compared to the login ID reported by the directory. If they are the same, no action is taken. If they differ, the value from the directory is stored in PowerSchool. All matching records are reported in the first section of the Synchronization Results.
   When processing an exact match for a teacher/staff record the following logic applies. If the record represents a teacher, the Teacher Login ID will be checked and updated if necessary. And, if the teacher has access to the admin portion of PowerSchool, the Admin Login ID is also checked. If the record represents a staff member, the Admin Login ID is checked and updated if necessary.
   If partial matches are found, a list of the partial matches will be displayed in the exception portion of the Synchronization Results. A link will also be provided next to the record and opens in a new browser window to allow manual lookup and synchronization.
   Records with no matches (either exact or partial) are reported in the exception portion of the Synchronization Results. For records with no matches, the appropriate users should be added to the LDAP directory or the first and last names should be checked to ensure that they match in PowerSchool and the Directory. Once the issue is corrected, the synchronization process can run again.
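The matching rules in step 4 (exact search on first and last name, last-name-only fallback for partial matches, the directory's value replacing PowerSchool's login ID, and the teacher/staff rules for which login IDs are checked), as an added example that is neither the guide's nor PowerSchool's own code. The record and entry shapes, the function names, the case-insensitive comparison, treating an ambiguous exact match like a partial match, and the RFC 4515 escaping of names placed into search filters are assumptions; the sample directory is constructed.

```python
# Added example (not PowerSchool's code): the matching and update rules the
# guide gives for LDAP Directory Synchronization, run against a constructed
# in-memory stand-in for the directory.  Assumed (not in the guide): the
# record and entry shapes, the function names, that "exact match" means given
# name and surname both equal (case-insensitive), that an ambiguous exact
# match is handled like a partial match, and RFC 4515 escaping of filter values.
from dataclasses import dataclass
from typing import Optional

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a name cannot alter the structure of the filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def exact_filter(first: str, last: str) -> str:
    """Filter a real server would receive for the first (exact) search."""
    return f"(&(givenName={escape_filter_value(first)})(sn={escape_filter_value(last)}))"

def partial_filter(last: str) -> str:
    """Filter for the second search, last name only (partial matches)."""
    return f"(sn={escape_filter_value(last)})"

@dataclass
class Record:
    first: str
    last: str
    kind: str                               # "student", "teacher" or "staff"
    login_id: Optional[str] = None          # Student Web ID / Teacher Login ID
    admin_login_id: Optional[str] = None    # Admin Login ID (teachers, staff)
    has_admin_access: bool = False

class FakeDirectory:
    """Stand-in for the LDAP server; matches in memory instead of sending filters."""

    def __init__(self, entries):
        self.entries = entries

    def search(self, last: str, first: Optional[str] = None):
        hits = [e for e in self.entries if e["sn"].lower() == last.lower()]
        if first is not None:
            hits = [e for e in hits if e["givenName"].lower() == first.lower()]
        return hits

def fields_to_check(rec: Record):
    """Login ID fields an exact match updates: students one, teachers one or
    two (Admin Login ID too when they have admin access), staff the Admin one."""
    if rec.kind == "student":
        return ["login_id"]
    if rec.kind == "teacher":
        return ["login_id", "admin_login_id"] if rec.has_admin_access else ["login_id"]
    return ["admin_login_id"]

def synchronize(rec: Record, directory: FakeDirectory, user_id_attr: str = "uid") -> str:
    """Process one record; returns 'unchanged', 'updated', 'partial' or 'none'."""
    exact = directory.search(rec.last, rec.first)
    if len(exact) == 1:
        directory_id = exact[0][user_id_attr]
        changed = False
        for name in fields_to_check(rec):
            if getattr(rec, name) != directory_id:
                setattr(rec, name, directory_id)     # the directory's value wins
                changed = True
        return "updated" if changed else "unchanged"
    return "partial" if directory.search(rec.last) else "none"

# Constructed sample directory (not real accounts).
DIRECTORY = FakeDirectory([
    {"givenName": "Jane", "sn": "Smith", "uid": "jsmith"},
    {"givenName": "John", "sn": "Smith", "uid": "josmith"},
    {"givenName": "Ana", "sn": "Lopez", "uid": "alopez"},
])
```

Records that come back as "partial" or "none" are the ones the guide routes to the exception section of the Synchronization Results for manual lookup.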


Student LDAP Lookup

Student Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Modify Information page.

How to Synchronize Using Student LDAP Lookup

1. On the start page, search for and select the student.
2. Choose Modify Information from the student pages menu. The Modify Information page displays for that student.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Student Web ID field.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Click Select next to the matching entry to transfer the login ID to the Modify Information page and close the window.

Teacher LDAP Lookup

Teacher and staff Login ID synchronization can be done on a user-by-user basis using LDAP Lookup, on the Security Settings page.

How to Synchronize Using Teacher LDAP Lookup

1. On the start page, search for and select the teacher or staff member.
2. Choose Security Settings from the staff pages menu. The Security Settings page displays for that teacher or staff member.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Admin Login ID and Teacher Login ID fields.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Select the Login IDs to update. Remember that staff and teachers have two login IDs, one for PowerTeacher and one for Admin. The choices are Admin Login, Teacher Login, or Both.
   Note: If the current record represents a teacher and that teacher has admin access, then the Both option is selected. If the teacher does not have admin access, then the Teacher Login option is selected. If the current record represents a staff member, then the Admin Login option is selected.
6. After ensuring that the correct login IDs are updated, click Select next to the appropriate exact or partial match. This transfers the login ID back to the Security Settings page, updates the selected login IDs, and then closes the window.

LDAP for PowerGrade

LDAP can be enabled for PowerGrade using the LDAP Directory Setup page in PowerSchool. This page includes the "Enable LDAP for PowerGrade" checkbox. If selected, PowerGrade uses the LDAP directory server to synchronize and authenticate PowerGrade users' passwords.

Note: SSL is not required to use LDAP with PowerGrade.

How It Works

Once enabled, you will be required to enter your PowerSchool LDAP password the first time you start PowerGrade. If you do not remember your PowerSchool LDAP password, contact your PowerSchool administrator. Unlike the connectivity key, you may not launch PowerGrade if you do not have an LDAP password.

Note: Your school may not elect to enable LDAP. If so, you will not be required to enter an LDAP password the first time you start PowerGrade.

How LDAP Works with the PowerGrade Lock Function and the Connectivity Key

The following outlines how LDAP works with PowerGrade and the different levels of security within PowerGrade:

LDAP Enabled
• When LDAP is enabled, Basic authentication is used. The username and password are encrypted using TwoFish encryption.
• When LDAP is enabled, teachers cannot log on to PowerGrade without their LDAP password. This differs from the connectivity key, which allows teachers to launch PowerGrade in offline mode when the connectivity key is unknown.
• When LDAP and the connectivity key are both enabled, any currently active PowerGrade sessions continue to use the connectivity key for the remainder of the session. Upon restart, PowerGrade uses LDAP.
• When working in online mode, if LDAP and the PowerGrade Lock function are both enabled, PowerGrade uses LDAP upon restart.
• When LDAP and the PowerGrade Lock function are both enabled and there is no connection to the server upon launch, only the PowerGrade Lock function is used.

LDAP Disabled
• When LDAP is not enabled, Digest authentication is used.
• If LDAP is disabled and a connectivity key is enabled, any active PowerGrade sessions switch to using the connectivity key. Active PowerGrade users who do not have a connectivity key stored in PowerGrade will experience authentication errors.
