LDAP

Overview

LDAP (Lightweight Directory Access Protocol) is a popular way for organizations to store account information for authentication and other purposes. Our platform can integrate with your LDAP server for authentication and optionally for account creation.

To enable LDAP integration, first make sure that your LDAP server is accessible from our servers at http://www.matrixlms.com. Then click Admin/App center and install LDAP.

Once LDAP is installed click on Configure to start setting up your options.

Then enter the host and port of your LDAP server, an admin DN and password, and whether you want to use simple TLS. At this point, our platform can bind to your LDAP server and use the admin DN permissions in order to perform authentication.

Here's an example server configuration. To check that our site can bind to your LDAP server, click "Test".

Authentication

When LDAP integration is first enabled, no authentication is performed. To enable LDAP authentication for specific account types, click Edit in the Authenticate section.

For each account type that you want authenticated, enter the LDAP base (which can be an organizational unit or a group that the user is in) and the key attribute that is used when authenticating a user of that account type. Note also that we support nested LDAP groups.

Here's an example configuration that authenticates instructors and students against the DN ou=people,dc=edu20,dc=org using the LDAP attribute "uid" as the user id.

When a user tries to log in, we first see if they have an account on our system. If they do, the following steps occur:

  • If LDAP authentication is enabled for their account type, we use that information to authenticate their password with your LDAP server.
  • If LDAP authentication is not enabled for their account type, we ignore your LDAP server and use the password information on our own servers for authentication.

If the user doesn't have an account on our system, the following steps occur:

  • We cycle through each LDAP account type that you have enabled for authentication. If any of them succeed, the next step depends on whether you have enabled "Sync" for that account type. If "Sync" is enabled, we automatically create an account for that user on our system and initialize its fields using the account information on your LDAP server. If "Sync" is disabled, the login attempt fails.

To check that our site can authenticate a particular userid/password with your LDAP server, click "Test", then enter the userid/password and click Continue.

Account fields

If "Sync" is enabled for at least one account type, you must map our account fields to attributes in your LDAP server. This mapping is used during account creation. To do this, click Add in the "Account Fields" section.

Enter the LDAP attribute for the fields you wish to be initialized during syncing. Then click Save.

Here's an example configuration that would initialize a user first name with the LDAP attribute "givenName" and a user last name with the LDAP attribute "sn".

LDAP and Administrator accounts

To ensure that administrators can still log in if there's a problem with your LDAP server or LDAP configuration, we automatically authenticate administrator accounts with the local userid/password stored in our site if authentication cannot be performed by your LDAP server. Other account types are always authenticated by LDAP if you have enabled LDAP authentication.
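The login flow described in the Authentication, Account fields and Administrator sections above, as an added stdlib-only Python model that is not the platform's own code. The in-memory DIRECTORY dict stands in for the LDAP server (constructed sample entries), a ConnectionError stands in for an unreachable server, and AccountType, FIELD_MAP, ldap_bind and login are hypothetical names chosen for this example.

```python
import hmac
from dataclasses import dataclass

@dataclass
class AccountType:
    name: str
    base: str            # LDAP base for this account type, e.g. "ou=people,dc=edu20,dc=org"
    key: str = "uid"     # attribute matched against the userid
    sync: bool = False   # create a local account from LDAP data on first login

# Constructed stand-in for the LDAP server (hypothetical sample entries): DN -> attributes.
DIRECTORY = {
    "uid=jsmith,ou=staff,ou=people,dc=edu20,dc=org": {"uid": "jsmith", "userPassword": "s3cret", "givenName": "Jane", "sn": "Smith"},
    "uid=bwong,ou=students,ou=people,dc=edu20,dc=org": {"uid": "bwong", "userPassword": "pw", "givenName": "Ben", "sn": "Wong"},
}
FIELD_MAP = {"first_name": "givenName", "last_name": "sn"}  # the "Account Fields" mapping

def same(a, b):  # constant-time comparison; a missing value never matches
    return a is not None and b is not None and hmac.compare_digest(str(a).encode(), str(b).encode())

def ldap_bind(directory, acct_type, userid, password):  # attributes on success, None otherwise
    if directory is None:
        raise ConnectionError("cannot bind to LDAP server")
    for dn, attrs in directory.items():  # search key=userid under the type's base
        if dn.endswith(acct_type.base) and attrs.get(acct_type.key) == userid:
            return attrs if same(attrs.get("userPassword"), password) else None
    return None

def login(userid, password, local_accounts, types, directory):  # -> ("ok"|"fail", account)
    acct = local_accounts.get(userid)
    if acct is not None:
        t = types.get(acct["type"])
        try:  # LDAP disabled for this type -> local password; enabled -> LDAP bind
            ok = (same(acct["password"], password) if t is None
                  else ldap_bind(directory, t, userid, password) is not None)
        except ConnectionError:  # server unreachable: only administrators fall back to local
            ok = acct["type"] == "administrator" and same(acct["password"], password)
        return ("ok" if ok else "fail"), acct
    try:  # no local account: cycle through each type enabled for LDAP authentication
        for t in types.values():
            if (attrs := ldap_bind(directory, t, userid, password)) is None:
                continue
            if not t.sync:  # authenticated, but account creation is off for this type
                return "fail", None
            acct = {"type": t.name, "password": None, **{f: attrs.get(a) for f, a in FIELD_MAP.items()}}
            local_accounts[userid] = acct
            return "ok", acct
    except ConnectionError:
        pass
    return "fail", None
```

Note that a wrong password reported by a reachable LDAP server never triggers the administrator fallback; only a bind that cannot be performed at all does.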

