Prerequisites, Firewall, & AD Information

Steps 1 and 2 must be completed before any testing can begin.

  1. Work with a supported LDAP server:
    • Active Directory
    • Open Directory
    • Novell
  2. Satisfy the following requirements:
    • Firewall rules: create access rules on your firewalls that allow incoming and outgoing traffic on port 636 (or 389 for tests without SSL) to and from our ranges. Our ranges are:
      • Network IPs: 52.3.124.64, 52.71.117.120, 52.71.112.60
    • A domain user account with limited permissions for testing. This limits the potential for passwords to be read on unencrypted tests.
    • A valid public DNS entry for each LDAP server that will be used for authentication. The DNS entry must match the internal server name of the LDAP server; if there is no public DNS, we would have to set up a hosts file entry instead.
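The two checks above (only the listed Blackbaud addresses may reach the LDAP ports, and the public name of each server must match what its certificate says) can be exercised before you submit the connectivity test. The script below is an added example and is not part of the original article or of any Blackbaud tool: `firewall_decision` models the inbound rule the prerequisites describe, and `probe_ldaps` performs a real TLS handshake to port 636 with certificate and hostname verification, so a name mismatch or an untrusted issuer surfaces as an `ssl.SSLCertVerificationError` before the App ever tries to authenticate. The `dc1.example.com` hostname is a placeholder; pass your own FQDN on the command line.

```python
import ipaddress
import socket
import ssl
import sys
from typing import Optional, Tuple

# Blackbaud source addresses listed in the prerequisites above (each as a /32).
BLACKBAUD_SOURCES = [
    ipaddress.ip_network(a) for a in ("52.3.124.64", "52.71.117.120", "52.71.112.60")
]
LDAPS_PORT = 636   # LDAP over TLS: the normal, credential-protecting port
LDAP_PORT = 389    # cleartext LDAP: tests only, binds are readable on the wire


def firewall_decision(src_ip: str, dst_port: int) -> Tuple[bool, str]:
    """Model the inbound rule: LDAP/LDAPS accepted only from the Blackbaud addresses.

    Returns (allowed, reason). Anything not in the list, or on a non-LDAP port,
    is rejected; cleartext 389 is allowed but flagged as unprotected.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False, f"not an IP address: {src_ip!r}"
    if not any(addr in net for net in BLACKBAUD_SOURCES):
        return False, "source is not one of the Blackbaud addresses"
    if dst_port == LDAPS_PORT:
        return True, "LDAPS from an approved source"
    if dst_port == LDAP_PORT:
        return True, "cleartext LDAP from an approved source (test-only; credentials are not protected in transit)"
    return False, f"port {dst_port} is not an LDAP port"


def probe_ldaps(fqdn: str, port: int = LDAPS_PORT, timeout: float = 5.0,
                cafile: Optional[str] = None) -> dict:
    """Connect to fqdn:port and complete a verified TLS handshake.

    Verification uses the system trust store, or `cafile` (for example the
    Root CA .cer from the Hosting Group) when that CA is not installed locally.
    A certificate whose name does not cover `fqdn` raises SSLCertVerificationError,
    which is the same failure the App would see.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "subject": dict(x[0] for x in cert["subject"]),
                "issuer": dict(x[0] for x in cert["issuer"]),
                "san_dns": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"  # placeholder FQDN
    print(probe_ldaps(host))
```

Run it from a host that can reach the domain controller on 636; if the handshake fails with a hostname error, the public DNS name and the certificate's subject or SAN disagree, which is the condition the DNS requirement above is meant to prevent.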
 


Root CA Certificate

Please provide the following information to the Blackbaud Hosting Group. We will begin the initial LDAP configuration for your school.

  • Primary LDAP Server: Public Domain Name and Public IP Address
  • Secondary LDAP Server (a secondary server is suggested but not required): Public Domain Name and Public IP Address
  • LDAP Contact: Name, Email Address, Phone Number
  • PING output (see below)
 

Determine the Fully Qualified Domain Name (FQDN) of the Domain Controller

  • Open a Windows command prompt on your domain controller to get the appropriate FQDN.
  • Use the command below to gather this information: ping -a 127.0.0.1
  • Send Blackbaud the results of this test along with the required information above.

EXAMPLE:

C:\>ping -a 127.0.0.1

Pinging servername.domain.com [127.0.0.1] with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Install certificates on the Primary Domain Controller

You will receive an email with two attachments.
  • Import the .cer into your Trusted Root certificate store.
  • Import the .pfx into your Personal certificate store.
  • Reboot the Domain Controller.

Note: Instructions to import are located here: https://technet.microsoft.com/en-us/library/cc754489(v=ws.11).aspx (ignore step 5).



Verify Connectivity and Configure the "App"

STEP 3 - Test Connectivity and SSL

  • Go to your app domain (for example https://schoolname.myschoolapp.com/app#login/ldaptest)
  • Fill in your information
  • Submit
  • If the test succeeds, your firewall and SSL are set up properly.

 


STEP 4 - Determine Active Directory Search Base

  • Using the test user you created for LDAP testing, open a command prompt on a Windows computer or domain controller to get the appropriate search base.
  • You can use the commands below for any user to ensure that the search base is entered correctly. Typos in the search base can lead to problems later with LDAP authentication.
  • Be sure to include the output of the command in the email (step 3 above).

EXAMPLE 1: dsquery user -name "test user"
EXAMPLE 2: dsquery user -name "test*"

C:\>dsquery user -name "test*"
"CN=test user,OU=Students,OU=Users,DC=Domain,DC=com"

 

STEP 5 - Configure and Enable the Application for LDAP 

You must have Platform Manager access to configure the App for LDAP use.

  • Log in to the App
  • On the far right drop down click “Core”
  • Under “Settings” click “Security”
  • Click “LDAP Authentication”

Enable LDAP: when the box is checked, LDAP users are enabled. You must accept the terms.

Primary LDAP Server ** : the name of the LDAP server used by default.

Secondary LDAP Server ** : the name of the LDAP server used if the Primary is unavailable.

LDAP Type: (1=AD, 2=Novell, 3=OPEN DIRECTORY) * Most schools use Active Directory (AD).


 

Important information:

  • The Search base is directly tied to the Roles.
  • The "LDAP Enabled" box must be checked before LDAP can be used actively.
  • When using LDAP to authenticate App users: The App is configured to search Active Directory for user accounts on a per role basis.

The LDAP SB (search base) tells the App where to look for users with the "password manager" role in Active Directory. If a matching Active Directory user is found using the LDAP SB, that user will then authenticate to the App using the Active Directory account.

In order to find the appropriate LDAP search base for a particular user that will be in one of these roles run the following command from a Windows command prompt: dsquery user -name "test*".
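Both the Step 4 example and the paragraph above derive the search base from a user's distinguished name as printed by dsquery. The helper below is an added example, not part of the article or of the App: it splits the DN on unescaped commas, drops the leading CN= entry to get the container the App should search, extracts the DNS domain from the DC= components, and lints a search base for the typos the article warns about (a missing comma that merges two DC values, an unknown attribute type, a value that names one object rather than a container). The list of attribute types and the lint rules are this example's own assumptions, not App rules.

```python
import re
from typing import List, Tuple

# Attribute types that commonly appear in Active Directory DNs (an assumption of this example).
KNOWN_TYPES = {"CN", "OU", "DC", "O", "C", "L", "ST", "STREET"}


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash (RFC 4514 style)."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Turn dsquery output (quotes included) into [(TYPE, value), ...]; raise on a malformed RDN."""
    dn = dn.strip().strip('"')
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN (no '='): {rdn!r}")
        attr, value = rdn.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def search_base_from_dn(dn: str) -> str:
    """Drop the user's own CN= entry; what remains is the container to enter as the search base."""
    rdns = parse_dn(dn)
    if not rdns or rdns[0][0] != "CN":
        raise ValueError("expected a user DN that starts with CN=")
    return ",".join(f"{t}={v}" for t, v in rdns[1:])


def domain_from_dn(dn: str) -> str:
    """Join the DC= components into the DNS domain name the DN belongs to."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")


def lint_search_base(sb: str) -> List[str]:
    """Return a list of problems with a search base; an empty list means it looks well formed."""
    try:
        rdns = parse_dn(sb)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for attr, value in rdns:
        if attr not in KNOWN_TYPES:
            problems.append(f"unknown attribute type {attr!r}")
        if not value:
            problems.append(f"empty value for {attr}=")
        # A DC value must be a single DNS label; "Domain DC=com" means a comma was dropped.
        if attr == "DC" and not re.fullmatch(r"[A-Za-z0-9-]+", value):
            problems.append(f"DC value {value!r} is not a single DNS label (missing comma?)")
    if not any(attr == "DC" for attr, _ in rdns):
        problems.append("no DC= components: the search base does not name a domain")
    if rdns and rdns[0][0] == "CN":
        problems.append("starts with CN=: this names a single object, not a container to search")
    return problems


if __name__ == "__main__":
    # The DN from the Step 4 example above.
    dn = '"CN=test user,OU=Students,OU=Users,DC=Domain,DC=com"'
    print("search base:", search_base_from_dn(dn))
    print("domain:     ", domain_from_dn(dn))
    print("lint:       ", lint_search_base(search_base_from_dn(dn)))
```

Paste the dsquery output line into `search_base_from_dn` and copy its result into the App rather than retyping the container path by hand; `lint_search_base` is worth running on whatever was actually entered, because a merged DC value or a stray CN= is the kind of mistake that only shows up later as a failed LDAP login.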


Bulk User Upload (Optional)

This means you cannot send a CSV file to insert new users, but you can send a CSV file to bulk update existing users (to change their existing login username to something else).

LDAP authentication is based on the user name matching in Active Directory and in the application. If you want to integrate existing users then Blackbaud K-12 can import users from your Active Directory to the Blackbaud K-12 App using our bulk upload process. If you choose this option, please send the following user information in a .csv file format:

  • First Name
  • Last Name
  • User Name
  • User ID
  • Grad Year (optional)



Example:

userid    firstname   lastname   grad_year   username
2855555   Carol       Deson      2015        DesonC
2966666   Charles     Dyon       2014        DyonC
2877777   Karen       Juel       2015        JuelK
2988888   Kyle        Justice    2016        JusticelK
2999999   Alexander   Pressman   2016        PressmanA
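Because LDAP authentication in the App depends on the username in the CSV matching the account in Active Directory, it pays to check the file before sending it. The script below is an added example, not part of the article or of Blackbaud's upload process: it loads the sample rows from the table above (embedded here as constructed CSV text), checks that the required columns are present, that user IDs are numeric and unique, that usernames are present and unique, and that an optional grad_year is a four-digit year, and then compares the usernames against a constructed list of AD account names to show which rows would never match. The AD list and the case-insensitive comparison are assumptions of this example; the required and optional column names come from the article.

```python
import csv
import io
from typing import Iterable, List

REQUIRED = ("userid", "firstname", "lastname", "username")
OPTIONAL = ("grad_year",)

# Constructed CSV text using the rows from the example table above.
SAMPLE_CSV = """userid,firstname,lastname,grad_year,username
2855555,Carol,Deson,2015,DesonC
2966666,Charles,Dyon,2014,DyonC
2877777,Karen,Juel,2015,JuelK
2988888,Kyle,Justice,2016,JusticelK
2999999,Alexander,Pressman,2016,PressmanA
"""


def load_rows(text: str) -> List[dict]:
    """Parse CSV text with a header line into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def validate_rows(rows: List[dict]) -> List[str]:
    """Return human-readable problems; an empty list means the file is ready to send."""
    if not rows:
        return ["no data rows"]
    missing = [c for c in REQUIRED if c not in rows[0]]
    if missing:
        return [f"missing required column(s): {', '.join(missing)}"]
    problems, seen_ids, seen_names = [], {}, {}
    for line, row in enumerate(rows, start=2):  # line 1 is the header
        uid = row["userid"].strip()
        uname = row["username"].strip()
        if not uid.isdigit():
            problems.append(f"line {line}: userid {uid!r} is not numeric")
        elif uid in seen_ids:
            problems.append(f"line {line}: duplicate userid {uid} (also line {seen_ids[uid]})")
        else:
            seen_ids[uid] = line
        if not uname:
            problems.append(f"line {line}: empty username")
        elif uname.lower() in seen_names:
            problems.append(f"line {line}: duplicate username {uname!r} (also line {seen_names[uname.lower()]})")
        else:
            seen_names[uname.lower()] = line
        for col in ("firstname", "lastname"):
            if not row[col].strip():
                problems.append(f"line {line}: empty {col}")
        grad_year = (row.get("grad_year") or "").strip()
        if grad_year and not (grad_year.isdigit() and len(grad_year) == 4):
            problems.append(f"line {line}: grad_year {grad_year!r} is not a four-digit year")
    return problems


def unmatched_usernames(rows: List[dict], ad_accounts: Iterable[str]) -> List[str]:
    """Usernames in the CSV with no account of that name in AD (compared case-insensitively, an assumption)."""
    known = {name.lower() for name in ad_accounts}
    return [r["username"].strip() for r in rows if r["username"].strip().lower() not in known]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("problems:", validate_rows(rows) or "none")
    # Constructed AD account list: Kyle's real account is JusticeK, so the CSV row will not match.
    ad_accounts = ["DesonC", "DyonC", "JuelK", "JusticeK", "PressmanA"]
    print("will not match AD:", unmatched_usernames(rows, ad_accounts))
```

Export the sAMAccountName values from the directory (for example with dsquery or Get-ADUser) and feed them to `unmatched_usernames`; any name it returns is a user who would be updated in the App but could still not log in through LDAP.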