Skip to main content
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Using LDAP for User Authentication

    If you are working with Primo VE and not Primo, see Supporting LDAP.

    LDAP (Lightweight Directory Access Protocol) is an application protocol for accessing and maintaining distributed directory information services over an IP network. Directory services may provide any organized set of records, often with a hierarchical structure. The usage referred to here is the authentication of user records. The following steps describe the interaction between the user, Primo, and the LDAP server to provide authentication and authorization:
    1. The user invokes the sign-in option in Primo.
    2. Primo displays the Primo login page.
    3. The user enters his or her credentials.
    4. Primo sends the user’s credentials in a secured authentication request to the LDAP server.
    5. The LDAP server sends a response to Primo indicating whether the user has been authenticated.
      If the user has been authenticated, the response will also include user information. Otherwise, an error will display on the Primo login page.
    6. If the user has been authenticated and the user information method is LDAP, Primo will use the user information sent by the LDAP server and log the user in. If a different method is used to provide user information, Primo will use this method to retrieve user information and log the user on to Primo.
    If you need to authenticate against multiple LDAP servers, define multiple login profiles and then define a cascading login profile.
    To configure Primo to use LDAP authentication:
    1. Gather the necessary information about your LDAP server.
    2. Open the User Authentication Wizard page (Primo Home > Ongoing Configuration Wizards > User Authentication Wizard).
    3. From the list of profiles, click Edit next to the LDAP profile that you want to configure.
      The Login Profile page opens.
      LDAP Login Profile Page (1 of 2)
      LDAP Login Profile Page (2 of 2)
    4. Use the following table to configure the LDAP authentication fields:
      LDAP Configuration Fields
      Parameter Description
      (Required) The host name of the remote LDAP server.
      (Required) The port number of the remote LDAP server.
      (Required) Select either LDAP secure mode or Transport Layer Security (TLS) to provide an encrypted connection.
      SSL connections must be secured with a certificate issued by a recognized certificate authority (such as Comodo, Verisign, or Thawte). Use of TLS requires LDAP version 3 or later.
      The timeout value in milliseconds.
      The default value is 60000 (one minute) for the connection timeout.
      The full DN (distinguished name) for the initial bind.
      The DN password for the initial bind.
      Specify the DN when you want to use dynamic password binding instead of a hard-coded password for the initial bind.
      Indicates whether to encode the LDAP response before sending it back to the calling application. The only possible value is UTF8.
      Enter the full path search in the LDAP directory tree to the user. The system searches the LDAP tree to locate the user’s record based on the Search base and Search filter.
      At least one SEARCH_BASE and SEARCH_FILTER pair must be defined.
      The SEARCH_BASE and SEARCH_FILTER parameters can be repeated to search in more than one tree. If the results of the SEARCH_BASE and SEARCH_FILTER pair are not unique (or a zero-size result), the search step is repeated for the next provided SEARCH_BASE and SEARCH_ FILTER pair.
      Enter the parameter by which you want to filter the results to return only one object.
      At least one SEARCH_BASE and SEARCH_FILTER pair must be defined.
      The system searches the LDAP tree to locate the user’s record based on the SEARCH_BASE and SEARCH_FILTER pair. (See the note for the SEARCH_BASE field.)
      Defines the LDAP user attribute that should be used as the user’s unique ID. If this field is not specified, the LDAP default is used.
      The valid values are True and False (default).
      If set to True, the email returned with the user information will always override the email stored in the user’s profile in Primo.
    5. Select LDAP, ALEPH (see Aleph Information Request Fields) , or ALMA (see Alma Information Request Fields) from the Select User Information Method drop-down list.
    6. Click Save.
    7. From the list of profiles, click Edit next to your LDAP profile.
      The Login Profile page opens with the attribute mapping option.
      LDAP Login Profile Page - LDAP Attribute Mapping
      The Attributes Mapping button displays only when the user information method has been selected and saved.
    8. Map the user attributes associated with fetching user information using either LDAP or ALMA requests. For more information, see Attribute Mapping.