HIP LDAP authentication allows you to use any unique field (or node) in the LDAP directory as an identifier. Most likely, you will want to choose the field which is used by the student or faculty to log into the campus network (UID, CN, and so forth) as the identifier. The first step to enable this authentication is to select the field used for login and import it into the Horizon borrower table.
After you set up the LDAP authentication, if the user fails to authenticate, you can configure the system to attempt to authenticate that user with a secondary authentication (for example, barcode and pin). This is helpful for places like schools where you want students, for example, to authenticate with LDAP, but guests to authenticate with their library card information.
To set up LDAP authentication for a profile
1. Have your IT department import the LDAP node that will be used for the user identifier (for example, UID or CN) into the borrower table of the Horizon database.
Note: SirsiDynix recommends that you use the second_id column to house this new data, but remember that, in most systems, this column is set to a maximum of 20 characters. If you need more characters or a different column, add a new column with your preferred length to the borrower table, and make sure that this column is indexed in the database.
2. Ensure that your IT department opens a port for routing to the LDAP server. The default port is 389; for SSL, the default is 636.
3. Go to the Horizon Information Portal Administration webpage and log in.
4. Go to Setup tab > Libraries > Profiles.
5. Click the library profile you want to edit. Alternatively, click Manage Settings Across Profiles to enable LDAP authentication for all libraries at the same time if they will all use the same settings.
6. In the Edit Profile screen, click Profile Information.
The Administration tool displays the Profile Information page.
7. Scroll down to the Borrower Authentication Information section.
8. Update these fields to choose the borrower authentication information for LDAP:
| Field | Action |
| --- | --- |
| Borrower Authentication Field 1 | Select a column from the borrower table that the system should validate against if the LDAP authentication fails. Do not select None. For example, select the bbarcode column. |
| Borrower Authentication Label 1 | Enter the text describing what the user needs to do. This text is displayed above the dialog box where the user enters the information. (For example, enter “Type in your User ID or Library Barcode.”) |
| Mask | Mark this box if you want asterisks ( * ) displayed as the user types the authentication information. This prevents others from seeing the information that is entered. |
| Borrower Authentication Field 2 | Choose the second type of authentication that the user enters when using Information Portal. Select a column from the borrower table that the system should validate against if the LDAP authentication fails. Do not select None. For example, select the pin# column. |
| Borrower Authentication Label 2 | Enter the text describing what the user needs to do. This text is displayed above the dialog box where the user enters the information. (For example, enter “Type in your Password or Library PIN and press Enter.”) |
| Mask | Mark this box if you want asterisks ( * ) displayed as the user types the authentication information. This prevents others from seeing the information that is entered. |
9. Scroll down to the Borrower LDAP Authentication Information section.
10. Update these fields to choose the LDAP connection information:
| Field | Action |
| --- | --- |
| URL | Type the host name or IP address of the LDAP server. Do not include the port number here. For example, ldap.example.org or 10.1.1.116. |
| SSL | If you need to use SSL to authenticate, select the SSL box. |
| Port | Type the port number for connecting to your LDAP server. The default is 389 for non-SSL and 636 for SSL. If you are using Microsoft Active Directory, this would typically be the port for the global catalog. This must be a valid port number (between 1 and 65535). |
| User Identifier | Type the LDAP identifier your system uses. This identifier distinguishes an entry in the directory. The most common values are “uid” or “cn”. You can use up to 100 characters in this field. Do not include the equals sign (=). See your LDAP administrator to get the value you need. |
| Admin Username | Specify the named entry for a user that has at least the rights to read information contained on the server. If your LDAP directory requires BIND (that is, a client must authenticate before searching, so anonymous searching is not allowed), you must specify a valid Admin Username and provide the Admin Password for that username. This field is optional. Leave it blank if the LDAP directory allows anonymous searching. |
| Admin Password | Specify the LDAP password for the username you entered in Admin Username. This field is optional. Leave it blank if the LDAP directory allows anonymous searching. |
| Base DN | Specifies the base distinguished name for entries in the LDAP directory. For example, for the user “uid=myuser,ou=student,dc=ldap,dc=example,dc=org”, the base distinguished name would be “ou=student,dc=ldap,dc=example,dc=org”. Specify a base value that includes all the parts of the tree that you want to include. For example, if you have separate trees for students and faculty, go down to the lowest common level in order to allow authentication of both groups. Note: If you specify too generic a base, the search may take much longer than expected and authentication requests may time out. If this is the case, you can change the timeout (see Configuring Additional LDAP Settings) or specify a more specific base DN. The system does a recursive tree search from this level of the directory hierarchy. You can also configure the system to include any referrals returned by the directory (for more information, see Configuring Additional LDAP Settings). The default setting is to not include referrals. |
| Borrower Table Column | Select the column from the database where the LDAP user IDs are located. For example, select the second_id column if you used the SirsiDynix recommended column for the imported node. |
| Use LDAP Authentication Only | This check box determines how the system handles user authentication. If it is cleared and LDAP authentication fails, the system attempts to authenticate against the ILS server; clear it if some users validate through LDAP and others are not part of the LDAP directory. If you want to validate user credentials with LDAP only, select the check box. This is the more secure implementation. The check box is cleared by default. |
11. Click OK.
The Administration tool returns to the Edit Profile page.
12. Optionally, configure additional settings in the hip.properties file. For details, see Configuring Additional LDAP Settings.
13. Optionally, change the login prompt text to instruct users on what values to enter in the fields. To do this, go to Customize tab > Interface > Variables.
• Select the name of the file that contains your custom strings.
• Select Global from the list of Variable Pages on the left side of the screen.
• Click Patron Login Prompt.
• Edit the prompt instructions as appropriate. For example, type “Please type your username and password below (nonstudents can use your barcode and pin number):”.
• Click OK to save the changes.
• Click Done.
14. When you finish making changes in Information Portal, restart the Application Server process (JBoss).
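The login flow these settings produce (an LDAP search under the Base DN followed by a bind as the matched entry, then the Field 1 / Field 2 check against the borrower table unless Use LDAP Authentication Only is set) is easier to reason about in code. The block below is an added example written for this page, not SirsiDynix's implementation: the directory and the borrower table are in-memory stand-ins holding constructed data, the `Profile` attribute names only mirror the Administration tool labels, and the RFC 4515 filter escaping and the empty-password check are assumptions about how a careful implementation should guard the "<User Identifier>=<login>" lookup, not documented product behaviour.

```python
"""Added example (not SirsiDynix code): the LDAP-then-borrower-table login flow
the profile settings above describe, run against an in-memory stand-in
directory and a constructed borrower table."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4515 escaping. The portal builds "<User Identifier>=<login>" from what
# the user types, so the login must be escaped before it enters the filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(user_identifier: str, login: str) -> str:
    # Same rule as the admin tool: User Identifier is an attribute name, no "=".
    if "=" in user_identifier:
        raise ValueError("User Identifier must not contain '='")
    return f"({user_identifier}={escape_filter_value(login)})"

class FakeDirectory:  # minimal in-memory stand-in for an LDAP server (constructed)
    def __init__(self, entries, passwords, allow_anonymous_search=False):
        self.entries = entries        # dn -> {attribute: value}
        self.passwords = passwords    # dn -> password
        self.allow_anonymous_search = allow_anonymous_search

    def bind(self, dn: str, password: str) -> bool:
        return dn in self.passwords and self.passwords[dn] == password

    def search(self, base_dn: str, ldap_filter: str, bound_as: Optional[str]):
        """Subtree search under base_dn for a single equality filter."""
        if bound_as is None and not self.allow_anonymous_search:
            raise PermissionError("directory requires BIND before searching")
        m = re.fullmatch(r"\(([\w-]+)=(.*)\)", ldap_filter)
        if not m:
            raise ValueError("only simple equality filters are modelled")
        wanted = re.sub(r"\\([0-9a-fA-F]{2})",
                        lambda h: chr(int(h.group(1), 16)), m.group(2))
        suffix = "," + base_dn.lower()
        return [dn for dn, attrs in self.entries.items()
                if dn.lower().endswith(suffix) and attrs.get(m.group(1)) == wanted]

@dataclass
class Profile:  # names mirror the Borrower LDAP Authentication Information fields
    user_identifier: str = "uid"
    base_dn: str = "ou=student,dc=ldap,dc=example,dc=org"
    admin_dn: Optional[str] = None        # Admin Username; None = anonymous search
    admin_password: Optional[str] = None  # Admin Password
    borrower_table_column: str = "second_id"
    auth_field_1: str = "bbarcode"        # Borrower Authentication Field 1
    auth_field_2: str = "pin#"            # Borrower Authentication Field 2
    ldap_only: bool = False               # Use LDAP Authentication Only

def authenticate(profile, directory, borrowers, login, password):
    """Return (method, borrower_row); method is 'ldap', 'ils' or None."""
    # Never bind with an empty password: RFC 4513 treats DN + empty password
    # as an unauthenticated bind, which servers accept.
    if not login or not password:
        return (None, None)
    bound_as = None
    if profile.admin_dn is not None:
        if not directory.bind(profile.admin_dn, profile.admin_password):
            raise RuntimeError("admin bind failed: check Admin Username/Password")
        bound_as = profile.admin_dn
    try:
        dns = directory.search(profile.base_dn,
                               build_filter(profile.user_identifier, login), bound_as)
    except PermissionError:
        dns = []  # anonymous search refused: count it as an LDAP failure
    # Exactly one entry must match and the user's own bind must succeed.
    if len(dns) == 1 and directory.bind(dns[0], password):
        row = next((b for b in borrowers
                    if b.get(profile.borrower_table_column) == login), None)
        if row is not None:
            return ("ldap", row)
    if profile.ldap_only:
        return (None, None)
    # Secondary authentication: Field 1 / Field 2 against the borrower table.
    row = next((b for b in borrowers if b.get(profile.auth_field_1) == login
                and b.get(profile.auth_field_2) == password), None)
    return ("ils", row) if row is not None else (None, None)

# Constructed sample data (not real accounts).
DIRECTORY = FakeDirectory(
    entries={
        "uid=myuser,ou=student,dc=ldap,dc=example,dc=org": {"uid": "myuser"},
        "uid=prof1,ou=faculty,dc=ldap,dc=example,dc=org": {"uid": "prof1"},
        "cn=hipadmin,dc=ldap,dc=example,dc=org": {"cn": "hipadmin"},
    },
    passwords={
        "uid=myuser,ou=student,dc=ldap,dc=example,dc=org": "student-pass",
        "uid=prof1,ou=faculty,dc=ldap,dc=example,dc=org": "faculty-pass",
        "cn=hipadmin,dc=ldap,dc=example,dc=org": "admin-pass",
    },
)
BORROWERS = [
    {"second_id": "myuser", "bbarcode": "21234000001", "pin#": "4321"},
    {"second_id": "prof1", "bbarcode": "21234000002", "pin#": "8765"},
    {"second_id": None, "bbarcode": "21234000099", "pin#": "1111"},  # guest, not in LDAP
]
ADMIN = {"admin_dn": "cn=hipadmin,dc=ldap,dc=example,dc=org", "admin_password": "admin-pass"}
STUDENT_BASE = Profile(**ADMIN)                                      # too narrow for faculty
COMMON_BASE = Profile(base_dn="dc=ldap,dc=example,dc=org", **ADMIN)  # lowest common level
LDAP_ONLY = Profile(base_dn="dc=ldap,dc=example,dc=org", ldap_only=True, **ADMIN)
```

Calling `authenticate(STUDENT_BASE, DIRECTORY, BORROWERS, "prof1", "faculty-pass")` reproduces the Base DN caveat from the table: with the base set to ou=student, the faculty entry is never found, the request falls through to the barcode/PIN check, and that fails too, whereas `COMMON_BASE` (the lowest common level) authenticates both groups. The guest borrower, who has no second_id value, succeeds only through the secondary check and is rejected outright under `LDAP_ONLY`, and a profile with no Admin Username against this directory (which refuses anonymous searches) fails LDAP for everyone.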
© 1998-2017 Sirsi Corporation