LDAP Configuration
Configuring LDAP
Login to LAMS as a sysadmin.
Setup the LDAP server connection parameters according to the table below.
Enable automatic user creation by setting
LDAP Provisioning Enabled
to 'true'.(Optional) Setup the LDAP user attributes to use for creating a LAMS user according to the table below. At a minimum, set LDAPLoginAttr, LDAPFNameAttr, and LDAPLNameAttr.
A note on LDAPLocaleAttr. The value of this attribute will be used to attempt to match to one of LAMS' supported locales in the following order:
The locale's name e.g. 'en_AU'
The language ISO code e.g. 'en'
The country ISO code e.g. 'AU'
The LAMS server's default locale.
LDAPDisabledAttr refers to an LDAP attribute that marks a user as enabled or disabled (disabled users in LAMS cannot login and are removed from all group lists).
Values of '1' or 'true' are understood to mean true.
Prefix the attribute name with a '!' if the attribute is an 'enabled' flag in LDAP (as opposed to the 'disabled' flag as in LAMS).
(Optional) Setup the LDAP attributes used to place the user into a LAMS group with appropriate roles.
The value of the LDAPOrgAttr attribute is used to find a LAMS group to add the user to - the LAMS group itself must already exist. Configure LDAPOrgField to set which organisation field to search on (name, code, or description).
e.g. LDAPOrgAttr=schoolCode and LDAPOrgField=code will place LDAP users with a schoolCode=schoolA into the LAMS group with a 'code' value of 'schoolA'.
The values of LDAPRolesAttr when combined with LAMSLearnerMap, LAMSAuthorMap, etc. are used to map user roles in LDAP to LAMS roles.
Configure LDAP preferences:
LDAPUpdateOnLogin - set to 'true' to update the LAMS user account from LDAP whenever the user logs in.
LDAPOnlyOneOrg - set to 'true' to restrict the LAMS user to the group matching their LDAPOrgAttr value. Set to 'false' if LAMS users should be allowed to be members of other groups.
LDAPEncryptPasswordFromBrowser - set to 'true' for normal LAMS authentication (password will be encrypted before sending to LAMS server). For LDAP authentication, set to 'false' - this means user's passwords will be sent to LDAP in cleartext for authentication. In this case, you may want to consider using SSL.
LDAPSearchResultsPageSize - if your server has set a limit on the size of a paged results' page size, set this parameter to a compatible value. Used during synchronisation.
Configuration Items
If your LDAP server uses SSL, set the following values for the SSL certificate under the 'System Configuration'
section.
Optional - intial bind user, if your LDAP server doesn't allow anonymous reads. Leave blank if anonymous bind is allowed.
Automatic user creation
Preferences
Synchronise with LDAP
With a single button you can bulk update LAMS with the user details from LDAP. It searches the LDAP repository for users using the base DN from LDAPPrincipalDNSuffix
, and creates or updates a user in LAMS based on each result returned. If LDAPOrgAttr
, LDAPOrgField
, LDAPRolesAttr
, and LDAP[Learner|Author|Monitor|GroupAdmin|GroupManager]Map are also configured, and a LAMS group exists that matches LDAPOrgAttr
, then the user will also be added to that group, with the roles set in the roles mappings.
Courses are not created in LAMS during the synchronise - these must be created manually.
Note that this process may take some time depending on the number of users contained in your LDAP tree. It's best to perform this operation when the LAMS server will not be under load.
The LDAP server will either need to support paged results, or have a limit on search results high enough to return all users, for this feature to work as intended.
Last updated