LDAP User Guide PowerSchool Premier 5.1 Student Information System




Document Properties

Copyright Owner: Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved. This document is the property of Pearson Education, Inc. and is for reference only. It is not to be reproduced or distributed in any way without the express written consent of Pearson Education, Inc. All trademarks are either owned or licensed by Pearson Education, Inc. or its affiliates. Other brands and names are the property of their respective owners.

Technical Communication and Documentation: Content provided by J. Brown and J. Steele.

Last Updated: 3/21/2007

Version: PowerSchool Premier 5.1

Please send comments, suggestions, or requests for this document to ps_manuals@pearson.com. Your feedback is appreciated.

Contents

Configuration
    Active Directory LDAP Setup
        How to Set Up Active Directory LDAP
    Open Directory LDAP Setup
        How to Set Up Open Directory LDAP
Synchronization and Authentication
    LDAP Directory Synchronization
        How to Synchronize Using LDAP Directory Synchronization
    Student LDAP Lookup
        How to Synchronize Using Student LDAP Lookup
    Teacher LDAP Lookup
        How to Synchronize Using Teacher LDAP Lookup
    LDAP for PowerGrade

LDAP (Lightweight Directory Access Protocol) functionality enables administrators to establish a single source for securely managing authentication for all users on the district network, including those using PowerSchool, PowerSchool Teacher, PowerGrade, and the Public Portal.

Configuration

In order for PowerSchool to authenticate users using an LDAP directory server, the LDAP directory server must be configured within PowerSchool. Configuring the LDAP directory server consists of providing the server's address, port, SSL setting, and LDAP directory administrator credentials. It is possible to selectively enable or disable the use of LDAP for three groups of users: staff, teachers, and students. Each group of users enabled for LDAP must also have a domain context configured that identifies the root of the tree where that group's user accounts are located, along with the name of the user ID attribute from the directory schema.

Once configured, the LDAP directory server synchronizes the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory server. For a user to successfully authenticate in PowerSchool using LDAP, the login ID must match in both PowerSchool and the LDAP directory server.

Active Directory LDAP Setup

Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.

How to Set Up Active Directory LDAP

The following procedure illustrates the standard configuration for Active Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays. The following illustrates the standard setup for Active Directory LDAP Setup:

4. Use the following table to enter information in the Server Configuration fields:

   LDAP Server Hostname or IP Address
       Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

   LDAP Port
       Enter the TCP port to use, such as 636.

   Enable SSL
       Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
       Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
       Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information. Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is:

           keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

       certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. -keystore gives the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root). PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

   Active Directory FQDN
       Enter the fully qualified domain name of the Active Directory server, such as ad.powerschool.com. Typically this will be the same as the LDAP Server Hostname, but it does not have to be. When authenticating against Active Directory, the Security Principal is of the form userid@fqdn.
       Note: When configuring LDAP for Open Directory, this field may be left blank.

   LDAP Admin DN
       Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as cn=administrator,cn=users,dc=ad,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

   LDAP Admin Password
       Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Active Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:

   Enable LDAP
       Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers, and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

   Enable LDAP for PowerGrade
       Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

   Domain Context
       The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=ad,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

8. Click Submit.

Open Directory LDAP Setup

Use the LDAP Directory Setup page to configure PowerSchool to authenticate via an LDAP directory server.

How to Set Up Open Directory LDAP

The following procedure illustrates the standard configuration for Open Directory LDAP Setup.

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Setup. The LDAP Directory Setup page displays.
4. Use the following table to enter information in the Server Configuration fields:

   LDAP Server Hostname or IP Address
       Enter the hostname or IP address of the LDAP directory server, such as 192.168.1.12.

   LDAP Port
       Enter the TCP port to use, such as 636.

   Enable SSL
       Select the checkbox to enable SSL between PowerSchool and the LDAP Directory.
       Note: It is strongly recommended that when using LDAP, SSL also be enabled within PowerSchool's web server. This setting is independent of using SSL between PowerSchool and the LDAP directory. To access the web server settings, go to Admin > System > System Settings > Server Settings.
       Enabling this option requires installing a certificate on both the LDAP server and the PowerSchool server. The details of installing the certificate on the directory server are server-specific. Please refer to your server's documentation for more information. Installing the certificate on the PowerSchool server involves using the keytool utility to add the certificate to Java's keystore. The command is:

           keytool -import -file certificate.pem -keystore PS_HOME/data/ssl/jssecacerts -trustcacerts -alias LDAPCert

       certificate.pem is the certificate to be imported and must be created specifically for the LDAP Directory server. -keystore gives the location in which to store the certificate. The LDAPCert alias is a user-defined name to identify this certificate. This command must be executed as the administrator (or root). PS_HOME is the location in which PowerSchool has been installed on the server. For OS X this is typically /Applications/PowerSchool. For Microsoft Windows this is typically C:\PowerSchool.

   Active Directory FQDN
       This field is for Active Directory only. For Open Directory, leave it blank.

   LDAP Admin DN
       Enter the distinguished name of an account in the LDAP Directory with read privileges within the directory, such as uid=diradmin,cn=users,dc=od,dc=powerschool,dc=com. This can be the directory administrator account, but an account with read-only access is sufficient. This account is used for directory searches when attempting to synchronize login IDs between PowerSchool and the Directory.

   LDAP Admin Password
       Enter the password for the Admin DN.

5. Click Validate Server Connection to establish an anonymous connection to the directory using the values entered on this page and to authenticate the connection using the Admin DN and Password credentials, if provided. A window displays indicating the success or failure of these operations.
6. Click Open Directory Defaults to populate all schema configuration items with reasonable defaults based on the Server Configuration. If any of the Server Configuration information is missing or ambiguous, you will be prompted for clarification.
7. Use the following table to enter information in the Schema Configuration fields:

   Enable LDAP
       Select the Staff, Teachers, and Students checkboxes to enable LDAP Authentication. LDAP Authentication may be selectively enabled for three distinct groups of users: Staff, Teachers, and Students. The remaining attributes, Domain Context and User ID Attribute, are settable for each user type.

   Enable LDAP for PowerGrade
       Select this checkbox to enable LDAP Authentication for PowerGrade. For more information, see the section LDAP for PowerGrade.

   Domain Context
       The Domain Context to which the user will bind when trying to authenticate, such as cn=users,dc=od,dc=powerschool,dc=com for Staff, Teachers, and Students. This domain context is also used when performing LDAP Directory Synchronization activities. For example, if you are trying to synchronize the login ID for a student, the student domain context will be used as the base when searching the directory.

   User ID Attribute
       Specify which schema attribute to use when forming the distinguished name (DN) when the user attempts to log in, such as uid for Staff, Teachers, and Students. For example, if the User ID Attribute is uid and the domain context is cn=users,dc=ldap,dc=powerschool,dc=com, then the DN for user jsmith becomes uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com.

8. Click Submit.
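The two bind identities described in the setup sections above, as an added example that is not PowerSchool's code: userid@fqdn for Active Directory and <User ID Attribute>=<login ID>,<Domain Context> for Open Directory. It assumes RFC 4514 escaping of the login ID (the guide does not say how PowerSchool escapes it), so that a login ID containing a comma cannot add an extra RDN to the bind DN.

```python
"""How a PowerSchool login ID becomes the identity presented to the directory.

Added example, not PowerSchool's code. It assumes the two forms the guide
describes (userid@fqdn for Active Directory, <attr>=<login ID>,<Domain Context>
for Open Directory) and adds RFC 4514 escaping of the login ID.
"""

# Characters RFC 4514 requires to be escaped when they appear in an attribute value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so that it stays a single RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing spaces must be escaped to survive
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def open_directory_bind_dn(login_id: str, user_id_attribute: str, domain_context: str) -> str:
    """Open Directory form from the guide: uid=jsmith,cn=users,dc=ldap,dc=powerschool,dc=com."""
    if not login_id:
        raise ValueError("empty login ID")
    return "%s=%s,%s" % (user_id_attribute, escape_dn_value(login_id), domain_context)


def active_directory_principal(login_id: str, fqdn: str) -> str:
    """Active Directory form from the guide: userid@fqdn (the Security Principal)."""
    # Assumed policy: a login ID containing '@' or whitespace is not a usable UPN prefix.
    if not login_id or "@" in login_id or any(c.isspace() for c in login_id):
        raise ValueError("login ID is not usable as a UPN prefix")
    return "%s@%s" % (login_id, fqdn)


def rdn_count(dn: str) -> int:
    """Count the RDNs in a DN, honouring backslash escapes (one more than the unescaped commas)."""
    count, escaped = 1, False
    for ch in dn:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            count += 1
    return count


if __name__ == "__main__":
    ctx = "cn=users,dc=ldap,dc=powerschool,dc=com"
    print(open_directory_bind_dn("jsmith", "uid", ctx))
    print(active_directory_principal("jsmith", "ad.powerschool.com"))
    # A crafted login ID is escaped rather than adding an RDN to the DN.
    crafted = open_directory_bind_dn("jsmith,cn=admins", "uid", ctx)
    print(crafted, rdn_count(crafted))
```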

Synchronization and Authentication

Directory synchronization is the process of synchronizing the login IDs stored in PowerSchool's database with the login (user) IDs stored in your LDAP directory. For a user to successfully authenticate in PowerSchool via LDAP, the login IDs must match in both PowerSchool and the LDAP Directory.

When LDAP is enabled, Login IDs are no longer directly editable through the PowerSchool user interface on either the Modify Info for Students or Security Settings for Teachers and Staff pages. Instead, one of the Synchronization processes must be used. Synchronization can either be performed as a mass operation, using a selection of students or teachers and staff, or one at a time using the LDAP Lookup button on either the Modify Information or Security Settings pages.

LDAP Directory Synchronization

Use the LDAP Directory Synchronization page to synchronize PowerSchool Login IDs with an LDAP directory server.

How to Synchronize Using LDAP Directory Synchronization

1. On the start page, choose System from the main menu. The System Administrator page displays.
2. Click Security. The Security page displays.
3. Click LDAP Directory Synchronization. The LDAP Directory Synchronization page displays.

   The LDAP Directory Synchronization page acts as a hub for all of the synchronization processes. From this page you can choose to synchronize the current selection of students or teachers and staff, all students (district wide), all students with blank login IDs (district wide), all teachers (district wide), all staff (district wide), all teachers with blank login IDs (district wide), or all staff with blank login IDs (district wide).

   You can also invoke mass student synchronization from the Functions menu after establishing a selection of students. Similarly, you can invoke mass teacher/staff synchronization from the Functions menu after establishing a selection of teachers and/or staff. Once a selection is established and the LDAP Directory Synchronization process is selected, one of two pages displays, depending on whether you are working with students or teachers and staff.

   In either case, before the synchronization process begins, the expected user ID attribute displays and you have the opportunity to change it before proceeding. The User ID attribute is the name of the schema element in the LDAP directory that holds the login ID. This is the value that is brought back into PowerSchool and stored in the appropriate login ID field in PowerSchool's database.

4. Click Submit. When you click Submit, the synchronization process begins and each record in the selection is processed. The first and last name in each record is used to find an exact match in the directory. If no exact match is found, a second search is done using only the last name in an effort to find partial matches.

   If an exact match is found, the login ID in PowerSchool's database is compared to the login ID reported by the directory. If they are the same, no action is taken. If they differ, the value from the directory is stored in PowerSchool. All matching records are reported in the first section of the Synchronization Results.

   When processing an exact match for a teacher/staff record, the following logic applies. If the record represents a teacher, the Teacher Login ID is checked and updated if necessary; if the teacher also has access to the admin portion of PowerSchool, the Admin Login ID is checked as well. If the record represents a staff member, the Admin Login ID is checked and updated if necessary.

   If partial matches are found, a list of the partial matches is displayed in the exception portion of the Synchronization Results. A link is also provided next to each such record; it opens in a new browser window to allow manual lookup and synchronization.

   Records with no matches (either exact or partial) are reported in the exception portion of the Synchronization Results. For records with no matches, the appropriate users should be added to the LDAP directory, or the first and last names should be checked to ensure that they match in PowerSchool and the Directory. Once the issue is corrected, the synchronization process can be run again.
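The matching rules of step 4 (exact match on first and last name, a last-name search for partial matches, and the teacher/staff login ID update logic) as an added example, not PowerSchool's code. The directory is a constructed in-memory list; the attribute names givenName, sn and uid are assumed, and the RFC 4515 filter escaping shown in ldap_filter() is an assumption about how the name-based searches should be built rather than something the guide states.

```python
"""Emulation of the LDAP Directory Synchronization matching rules described above.

Added example, not PowerSchool's code. The directory is a constructed
in-memory list of entries; a real deployment would send the filters built by
ldap_filter() to the directory server, under the Admin DN and the user type's
domain context. Attribute names givenName/sn/uid are assumed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

USER_ID_ATTRIBUTE = "uid"   # schema element holding the login ID (assumed, as in the OD example)


@dataclass
class Record:
    first_name: str
    last_name: str
    kind: str                         # "student", "teacher" or "staff"
    admin_access: bool = False        # teachers only: access to the admin portion of PowerSchool
    logins: Dict[str, str] = field(default_factory=dict)   # e.g. {"teacher": "jsmith"}


def login_fields(rec: Record) -> List[str]:
    """Which login IDs an exact match may update, per the guide's teacher/staff rules."""
    if rec.kind == "student":
        return ["student"]
    if rec.kind == "teacher":
        return ["teacher", "admin"] if rec.admin_access else ["teacher"]
    return ["admin"]                  # staff member


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a name like 'O*Neil' or 'x)(uid=*' must not widen the search."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def ldap_filter(**attrs: str) -> str:
    """The search filter for one lookup, e.g. (&(givenName=Jane)(sn=Smith)) or (sn=Smith)."""
    parts = ["(%s=%s)" % (k, escape_filter_value(v)) for k, v in attrs.items()]
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"


# Constructed sample entries (what the server would return under the domain context).
DIRECTORY = [
    {"givenName": "Jane", "sn": "Smith", "uid": "jsmith"},
    {"givenName": "John", "sn": "Smith", "uid": "josmith"},
    {"givenName": "Ann", "sn": "Lee", "uid": "alee"},
]


def search(**attrs: str) -> List[dict]:
    """Stand-in for the directory search: case-insensitive equality on each attribute."""
    return [e for e in DIRECTORY
            if all(e.get(k, "").casefold() == v.casefold() for k, v in attrs.items())]


def synchronize(records: List[Record]) -> Dict[str, list]:
    """First+last name exact match; otherwise last-name partial matches for manual lookup."""
    results = {"matched": [], "partial": [], "unmatched": []}
    for rec in records:
        exact = search(givenName=rec.first_name, sn=rec.last_name)
        if len(exact) == 1:
            directory_id = exact[0][USER_ID_ATTRIBUTE]
            changed = []
            for name in login_fields(rec):
                if rec.logins.get(name) != directory_id:   # they differ: the directory wins
                    rec.logins[name] = directory_id
                    changed.append(name)
            results["matched"].append((rec, directory_id, changed))
            continue
        # Assumed handling: several exact matches are ambiguous and reported like partials.
        partial = exact if exact else search(sn=rec.last_name)
        if partial:
            results["partial"].append((rec, [e[USER_ID_ATTRIBUTE] for e in partial]))
        else:
            results["unmatched"].append(rec)
    return results


if __name__ == "__main__":
    people = [Record("Jane", "Smith", "teacher", True, {"teacher": "jsmith", "admin": "old"}),
              Record("Jim", "Smith", "student"),
              Record("Bob", "Jones", "staff")]
    for group, items in synchronize(people).items():
        print(group, items)
```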

Student LDAP Lookup

Student Login ID synchronization can be done on a user-by-user basis using LDAP Lookup on the Modify Information page.

How to Synchronize Using Student LDAP Lookup

1. On the start page, search for and select the student.
2. Choose Modify Information from the student pages menu. The Modify Information page displays for that student.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Student Web ID field.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user-editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Click Select next to the matching entry to transfer the login ID to the Modify Information page and close the window.

Teacher LDAP Lookup

Teacher and staff Login ID synchronization can be done on a user-by-user basis using LDAP Lookup on the Security Settings page.

How to Synchronize Using Teacher LDAP Lookup

1. On the start page, search for and select the teacher or staff member.
2. Choose Security Settings from the staff pages menu. The Security Settings page displays for that teacher or staff member.
3. Note the LDAP Enabled checkbox and the LDAP Lookup and Clear buttons next to the Admin Login ID and Teacher Login ID fields.
   Note: The LDAP Enabled checkbox can be used to enable/disable LDAP Authentication for an individual. The Clear button, next to the LDAP Lookup button, clears the contents of the Login ID field. This is necessary if, for instance, the login ID field is inadvertently set, because the field is no longer user-editable.
4. Click LDAP Lookup. The LDAP Lookup window opens and attempts to find a match for the selected user based on first and last name. If an exact or partial match is found in the directory, it displays in the window.
5. Select the Login IDs to update. Remember that staff and teachers have two login IDs, one for PowerTeacher and one for Admin. The choices are Admin Login, Teacher Login, or Both.
   Note: If the current record represents a teacher and that teacher has admin access, then the Both option is selected. If the teacher does not have admin access, then the Teacher Login option is selected. If the current record represents a staff member, then the Admin Login option is selected.
6. After ensuring that the correct login IDs are selected for update, click Select next to the appropriate exact or partial match. This transfers the login ID back to the Security Settings page, updates the selected login IDs, and then closes the window.

LDAP for PowerGrade

LDAP can be enabled for PowerGrade using the LDAP Directory Setup page in PowerSchool. This page includes the Enable LDAP for PowerGrade checkbox. If selected, PowerGrade uses the LDAP directory server to synchronize and authenticate PowerGrade users' passwords.
Note: SSL is not required to use LDAP with PowerGrade.

How It Works

Once enabled, you will be required to enter your PowerSchool LDAP password the first time you start PowerGrade. If you do not remember your PowerSchool LDAP password, contact your PowerSchool administrator. Unlike the connectivity key, you may not launch PowerGrade if you do not have an LDAP password.
Note: Your school may elect not to enable LDAP. If so, you will not be required to enter an LDAP password the first time you start PowerGrade.

How LDAP Works with the PowerGrade Lock Function and the Connectivity Key

The following outlines how LDAP works with PowerGrade and the different levels of security within PowerGrade:

LDAP Enabled

When LDAP is enabled, Basic authentication is used. The username and password are encrypted using Twofish encryption.

When LDAP is enabled, teachers cannot log on to PowerGrade without their LDAP password. This differs from the connectivity key, which allows teachers to launch PowerGrade in offline mode when the connectivity key is unknown. When LDAP and the connectivity key are both enabled, any currently active PowerGrade sessions continue to use the connectivity key for the remainder of the session. Upon restart, PowerGrade uses LDAP. When working in online mode, if LDAP and the PowerGrade Lock function are both enabled, PowerGrade uses LDAP upon restart. When LDAP and the PowerGrade Lock function are both enabled and there is no connection to the server upon launch, only the PowerGrade Lock function is used.

LDAP Disabled

When LDAP is not enabled, Digest authentication is used. If LDAP is disabled and a connectivity key is enabled, any active PowerGrade sessions switch to using the connectivity key. Active PowerGrade users who do not have a connectivity key stored in PowerGrade will experience authentication errors.