LDAP: How to configure teacher logins
LDAP is an excellent way to help your teachers easily log in to SchoolCloud Parents Evening by unifying credentials across all your services. Once this is set up, when a teacher goes to log in to Parents Evening they just enter the same username and password that they use to access the school's network.
How to set up LDAP for teacher authentication
- Firstly make sure that your LDAP services can be accessed by our server IP addresses.
You may also need to configure network routing if you are behind a proxy. Speak to your IT team if that is the case.
- Log into SchoolCloud as an administrator and go to Settings > Teacher Authentication then select the LDAP option.The following will page appear:
- Fill in the boxes with the appropriate information:
Attribute Description Example Server The server URL or IP address with the connection port. If you intend on using LDAPS,
please ensure that you prepend "ldaps://" to the server field and that you append the correct port.
BaseDN The root distinguished name to find the users in. This depends on your school's installation of LDAP.
User Attribute In most cases, if you are using Windows Active Directory, this will simply be sAMAccountName.
Please note that this is the username in Active Directory, it is in no way connected to or matched to the 'username' field on the teacher record in Parents Evening. The only thing that must be the same on both a teacher's Parents Evening and Active Directory account is the email address.
Domain The domain name of the LDAP server we should connect to.
Search Filter This is used to apply specific terms for access on the system. You can define matches to specific LDAP
attributes, which will be checked each time the login is attempted. Search filters are defined using ldapsearch syntax.
You can find a guide on the CentOS site here.
Department Field This is the field used to specify the department for your school, depending on your LDAP installation.
- Finally, you can check the the setup you have entered by testing the login for a particular user via Test Authentication. If you receive a message telling you that you've successfully authenticated, you can proceed to click on Save System Settings.
If the test doesn't succeed, here are a few troubleshooting steps for the most commonly found issues:
Error Troubleshooting Steps Can't contact LDAP server Check that:
- The LDAP server URL is correct.
- The LDAP domain is correct.
- The LDAP server is accessible to our IPs. Our IPs are 22.214.171.124, 126.96.36.199 and 188.8.131.52. We require bi-directional access to the relevant LDAP port.
- LDAP traffic received at the public address is properly NATed to your LDAP server.
Authenticated, however could not retrieve user details,
check User Attribute and BaseDN is correct
- The BaseDN is correct and the user is inside that BaseDN.
- The User Attribute is correct. In particular, make sure there's no spaces either side of the Username Attribute field.
- The user is inside the Search Filter assigned (if you're using one).
For example, the user might need to be inside a particular group inside the BaseDN.
- Once the connection details are saved, it's worth trying to log in as one of the teachers, or observing one of the teachers logging in, to make sure it's working for them.