Active Directory Requirements and Setup


The information contained in this document has been written for use by Soutron staff, clients, and prospective clients. Soutron reserves the right to change the information in this document without prior notice and data should not be relied upon to address all circumstances or needs.

The contents of this document do not provide guarantees or warranties of the Soutron application by Soutron Limited.

Soutron Limited assumes no responsibility for any errors that may appear in this document. The software described in this document is provided under a license agreement and may be used only in accordance with the terms of such license.

All names of companies and products described in this document are the trademarks of their respective owners and Soutron makes no claims on their behalf.

Contents

Active directory preparation

Soutron role mapping

Setup connectivity to LDAP and security groups.

Create and set default user profile.

Setup import task schedule

Web.config changes

IIS configuration (IIS 7.5)

Testing SSO & user import


Active directory preparation

Soutron requires several Active Directory groups to be set up in order to import users and assign the correct permissions.

1. For general users, we require an AD container (CN) which contains all users who will be permitted access to the catalogue. You may already have such a group in place, such as the built-in Users container.

2. Security groups for the following roles; these groups will be mapped to the built-in roles in Soutron:
   a. Administrators
   b. Catalogue Administrators
   c. Clerical
   d. Librarian
   e. Read Only

3. A domain username and password are required. This account needs only read access to the domain, so that it can read user properties from AD. Use a dedicated service account rather than a personal or administrative account: the scripts later in this document store its credentials in the Soutron database, so the account should hold no rights beyond reading the directory.

4. The LDAP path and, if applicable, an LDAP filter. The filter is only required if you will be importing a subset of users from AD; if the application will be accessible by all staff a filter is not usually required.

5. You will also require access to the Soutron database and to the application files on the web server.

6. There are a few tasks which require you to log in to the library application, so it is suggested that you request an admin login from the library team, or have them on hand to assist.

You do not need a group for roles that will not be used; in most cases two or three groups are enough. Please discuss this with Soutron and the library administrator.
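The following PowerShell script is an added example and is not part of the Soutron document. It creates the objects listed above in one pass: a dedicated OU, the general-users group and one security group per role that will actually be used, and a read-only service account for the import, followed by a least-privilege check on that account. The OU name SoutronLMS_AD_Sync and the group name SoutronUsersToImport are taken from the import-filter example later in this document; the role group names, the service account name svc-soutron-ldap and the domain are assumptions to be changed to suit your environment. It needs the RSAT ActiveDirectory module and an account permitted to create objects in the target OU.

```powershell
# Added example (not Soutron's own tooling): prepare the AD objects for the Soutron import.
# Assumptions: OU/group/account names below; run with rights to create objects in the OU.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=Soutron,DC=lan
$ouName   = 'SoutronLMS_AD_Sync'                     # OU name from the document's filter example
$ouDn     = "OU=$ouName,$domainDn"

# One group for everyone allowed into the catalogue (the import container), plus one
# security group per Soutron role that will be used. Roles not listed here get no group.
$groups = @(
    'SoutronUsersToImport',          # general users (UserImportFilter)
    'Soutron-Administrators',        # RoleAdministratorExternalName (assumed name)
    'Soutron-CatalogueAdmins',       # RoleCatalogueAdministratorExternalName (assumed name)
    'Soutron-Librarians'             # RoleLibrarianExternalName (assumed name)
)

if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($g in $groups) {
    if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)")) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $ouDn
    }
}

# Sync account: any authenticated domain user can already read the attributes the import
# needs, so a plain user with no extra group memberships is enough. Its password will be
# written into the Soutron SystemConfig table, so it must hold nothing worth stealing.
$svcName = 'svc-soutron-ldap'   # assumed name
if (-not (Get-ADUser -LDAPFilter "(sAMAccountName=$svcName)")) {
    $pw = Read-Host -AsSecureString "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouDn -AccountPassword $pw -Enabled $true `
        -CannotChangePassword $true -Description 'Soutron LMS read-only LDAP sync account'
}

# Least-privilege check: fail loudly if the sync account is in any privileged group.
$privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'
$memberOf   = (Get-ADPrincipalGroupMembership -Identity $svcName).Name
$violations = $memberOf | Where-Object { $privileged -contains $_ }
if ($violations) { throw "$svcName is a member of privileged group(s): $($violations -join ', ')" }
"$svcName is a member of: $($memberOf -join ', ')"
```

The script is idempotent, so it can be re-run after the library administrator has decided which roles are needed; the final check is worth keeping as a scheduled control, because the sync account's password is recoverable by anyone who can read the Library database.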

Soutron role mapping

We must map our AD security groups to the pre-defined roles in Soutron.

1. Log in to your catalogue as an administrator.

2. Go to System management > System configuration maintenance > External Mapping.

3. Enter the name of each security group against the corresponding role.
   a. You must prefix or suffix the security group name with your domain name, in one of the following formats:
      i. DOMAIN.EXT\GROUP
      ii. DOMAIN\GROUP
      iii. GROUP@DOMAIN.EXT


Setup connectivity to LDAP and security groups.

You now need to specify your LDAP path, security groups, user filter and domain account in the database. To do this, run the scripts below against the Library database, after correcting the placeholder values (shown in red in the original document) to match your environment. Note that the domain account's credentials are stored in the SystemConfig table, so anyone with read access to the Library database can recover them: use the dedicated read-only account described above and restrict database access accordingly. After running the scripts you can confirm the values by selecting the same SystemConfigParamName rows from SystemConfig.

update SystemConfig
set SystemConfigParamValue = 'ActiveDirectory'
where SystemConfigParamName = 'ExternalHrBase' -- Authentication type

update SystemConfig
set SystemConfigParamValue = 'LDAP://your LDAP Path'
where SystemConfigParamName = 'LDAPPath' -- LDAP path

update SystemConfig
set SystemConfigParamValue = 'domain\Admin group name'
where SystemConfigParamName = 'RoleAdministratorExternalName' -- Admin group

update SystemConfig
set SystemConfigParamValue = 'domain\Cat Admin group name'
where SystemConfigParamName = 'RoleCatalogueAdministratorExternalName' -- Cat Admin group

update SystemConfig
set SystemConfigParamValue = 'domain\Librarian group name'
where SystemConfigParamName = 'RoleLibrarianExternalName' -- Librarian group

update SystemConfig
set SystemConfigParamValue = 'domain\Clerical group name'
where SystemConfigParamName = 'RoleClericalExternalName' -- Clerical group

update SystemConfig
set SystemConfigParamValue = 'domain\Read Only group name'
where SystemConfigParamName = 'RoleReadOnlyExternalName' -- Read Only group

-- Import filter, only if required. To restrict the import to a specific set of users,
-- specify the path here instead of NULL, e.g.
-- 'CN=SoutronUsersToImport,OU=SoutronLMS_AD_Sync,DC=Soutron,DC=lan'
update SystemConfig
set SystemConfigParamValue = NULL
where SystemConfigParamName = 'UserImportFilter'

update SystemConfig
set SystemConfigParamValue = 'domain\Domain user or service account'
where SystemConfigParamName = 'SyncApiUsersApiLogin' -- AD username with read-only access

-- Presumably the password for the account above. The parameter name and WHERE clause of
-- this statement are not present in this copy of the document: do not run it as printed,
-- because an UPDATE without a WHERE clause would overwrite every row in SystemConfig.
-- Confirm the parameter name with Soutron before running it.
update SystemConfig
set SystemConfigParamValue = 'domain\Domain user or service account'
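Before the scheduled task is created, it is worth proving that the values just written to SystemConfig actually work. The PowerShell script below is an added example, not part of the Soutron document or product: it binds to the LDAP path with the sync account, resolves the DOMAIN\GROUP role mappings to group DNs, and lists the enabled users in the import container together with the Soutron role each would receive. The server name, DNs, account and group names are assumptions matching the placeholders above, and so is the Administrator > CatalogueAdministrator > Librarian precedence used for a user who is in more than one role group (the document does not say how Soutron resolves that case).

```powershell
# Added example (not Soutron code): verify the LDAP settings and preview the user import.
# Assumptions: the server, DNs, account and group names below, and the role precedence order.
$ldapPath  = 'LDAP://dc01.soutron.lan/DC=Soutron,DC=lan'                         # LDAPPath
$importDn  = 'CN=SoutronUsersToImport,OU=SoutronLMS_AD_Sync,DC=Soutron,DC=lan'  # UserImportFilter
$roleGroup = [ordered]@{                                                         # DOMAIN\GROUP, as stored in SystemConfig
    Administrator          = 'SOUTRON\Soutron-Administrators'
    CatalogueAdministrator = 'SOUTRON\Soutron-CatalogueAdmins'
    Librarian              = 'SOUTRON\Soutron-Librarians'
}
$cred = Get-Credential -Message 'Sync account (SyncApiUsersApiLogin), as DOMAIN\user'

# 1. Bind. Reading NativeObject forces the bind, so a wrong path or password fails here
#    instead of silently inside the scheduled task.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $cred.UserName, $cred.GetNetworkCredential().Password)
try { $null = $root.NativeObject } catch { throw "Bind to $ldapPath failed: $($_.Exception.Message)" }
"Bound to $($root.distinguishedName) as $($cred.UserName)"

# 2. Turn each DOMAIN\GROUP string into the group's DN so membership can be tested via memberOf.
#    The search starts at the LDAP path, so the role groups must live beneath it.
function Get-GroupDn([System.DirectoryServices.DirectoryEntry]$searchRoot, [string]$domainGroup) {
    $sam = $domainGroup.Split('\')[-1]
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $searchRoot, "(&(objectCategory=group)(sAMAccountName=$sam))", [string[]]@('distinguishedName'))
    $hit = $s.FindOne()
    if (-not $hit) { throw "Role group $domainGroup not found under $($searchRoot.Path)" }
    return [string]$hit.Properties['distinguishedname'][0]
}
$roleDn = @{}
foreach ($role in $roleGroup.Keys) { $roleDn[$role] = Get-GroupDn $root $roleGroup[$role] }

# 3. Enabled user accounts that are direct members of the import group. memberOf is not
#    transitive, so users who only inherit membership through a nested group are not listed;
#    the userAccountControl clause (bit 2 = ACCOUNTDISABLE) drops disabled accounts.
$filter = "(&(objectCategory=person)(objectClass=user)(memberOf=$importDn)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    $root, $filter, [string[]]@('sAMAccountName', 'mail', 'memberOf'))
$searcher.PageSize = 500      # paged results, otherwise AD caps a search at 1000 entries
$found = $searcher.FindAll()
$preview = foreach ($r in $found) {
    $groups = @($r.Properties['memberof'])
    $role = 'Read Only / default'
    foreach ($k in $roleGroup.Keys) { if ($groups -contains $roleDn[$k]) { $role = $k; break } }
    [pscustomobject]@{
        User = [string]$r.Properties['samaccountname'][0]
        Mail = if ($r.Properties['mail'].Count) { [string]$r.Properties['mail'][0] } else { '' }
        Role = $role
    }
}
$found.Dispose()
"$(@($preview).Count) users would be imported from $importDn"
$preview | Sort-Object Role, User | Format-Table -AutoSize
```

If the bind succeeds but the preview is empty, the UserImportFilter DN or the group memberships are wrong rather than the credentials, which is the distinction the "very few users appear" symptom in the testing section does not give you on its own.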


Create and set default user profile.

First check that the default profile is enabled. To do this go to Modules > Users > User profile template. You should see a profile called 'Default'; this profile should be set as active.

Setup import task schedule

We need to set up a schedule for when new users will be imported from AD into the catalogue.

1. In Soutron go to Modules > Task Centre > Task maintenance.

2. Select Create Task.

3. Enter the task description 'AD User Sync' and set the accessibility to Shared.

4. Set the task type to 'Data Maintenance' > 'User synchronisation'.

5. On the task schedule tab click Create new schedule.

6. Set up the schedule based on your requirements. We recommend running the process out of hours every night.

7. Click Save & Exit.

8. Give the schedule the name 'AD User Sync'.

9. Save & Close the task.

Web.config changes

To enable single sign-on (SSO) you must make changes to the web.config file and to the IIS settings.

1. Open the web.config file, which can be found in the root of the Library folder on your web server. Find the section of the file that refers to bindings, as shown below.

<basicHttpBinding>
  <binding name="StreamedBasicHttpBinding" maxBufferPoolSize="67108864"
           maxReceivedMessageSize="67108864" maxBufferSize="64108864" transferMode="Streamed" />
  <binding>
    <readerQuotas maxStringContentLength="1024768" />
  </binding>
</basicHttpBinding>

The above should be replaced with the below (changes are marked in red):

<basicHttpBinding>
  <binding name="StreamedBasicHttpBinding" maxBufferPoolSize="67108864"


Then apply the same change to the section shown below:

<webHttpBinding>
  <binding>
    <readerQuotas maxStringContentLength="256000" />
  </binding>
</webHttpBinding>

The above should be replaced with the below (the added lines are the security element):

<webHttpBinding>
  <binding>
    <readerQuotas maxStringContentLength="256000" />
    <security mode="TransportCredentialOnly">
      <transport clientCredentialType="Windows" />
    </security>
  </binding>
</webHttpBinding>

TransportCredentialOnly passes the caller's Windows credentials at the HTTP transport level without transport security and is only valid on an http:// binding; if the catalogue is served over HTTPS, the corresponding setting is mode="Transport" with the same transport element. Either way, clientCredentialType="Windows" requires Windows Authentication to be enabled for the application in IIS.

IIS configuration (IIS 7.5)

Open IIS and select the library application directory where your site is configured.


6. Select 'Handler Mappings' from the features list for the Library application.

7. Click 'View Ordered List' in the right-hand menu.

8. Ensure 'ExtensionlessUrlHandler-ISAPI-4.0_32bit' and 'ExtensionlessUrlHandler-ISAPI-4.0_64bit' are second and third from the bottom. Use the Move Down option to move each handler into the correct position.
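The same IIS changes can be applied and checked from an elevated PowerShell prompt on the web server. The script below is an added example and is not part of the Soutron document. The site and application names are assumptions. Enabling Windows Authentication and disabling Anonymous is also an assumption about the IIS steps that this copy of the document does not reproduce: it is what the clientCredentialType="Windows" bindings above require, and it means nobody without a domain logon can reach the catalogue afterwards, so confirm that is the intended access model before running it.

```powershell
# Added example (not Soutron's own instructions): apply and check the IIS side of SSO.
# Assumptions: site/application names, and that Windows auth on / Anonymous off is wanted.
Import-Module WebAdministration

$site   = 'Default Web Site'                # assumed
$app    = 'Library'                         # assumed application name for the Library folder
$loc    = "$site/$app"                      # location path used in applicationHost.config
$psPath = "IIS:\Sites\$site\$app"           # provider path for the effective (merged) config
$auth   = 'system.webServer/security/authentication'

# The authentication sections are locked at site level by default, so set them via -Location
# on IIS:\ (applicationHost.config) rather than in the application's own web.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# Handler order: the two ExtensionlessUrlHandler-ISAPI-4.0 handlers must be second and third
# from the bottom of the ordered list. That list is the merged <handlers> collection, which
# Get-WebConfiguration returns in the same order IIS Manager shows.
$handlers = @(Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/handlers/add' |
              Select-Object -ExpandProperty name)
$wanted = @('ExtensionlessUrlHandler-ISAPI-4.0_32bit', 'ExtensionlessUrlHandler-ISAPI-4.0_64bit')
$n  = $handlers.Count
$ok = $false
if ($n -ge 3) {
    $secondAndThird = @($handlers[$n - 3], $handlers[$n - 2])      # either order is acceptable
    $ok = (($secondAndThird | Sort-Object) -join ',') -eq (($wanted | Sort-Object) -join ',')
}
if ($ok) {
    "Handler order OK; last three entries: $($handlers[($n - 3)..($n - 1)] -join ', ')"
} else {
    Write-Warning "Extensionless handlers are not 2nd and 3rd from the bottom; last entries: $(($handlers | Select-Object -Last 3) -join ', ')"
    Write-Warning 'Fix in IIS Manager: Handler Mappings > View Ordered List > Move Down, then re-run this check.'
}

# Record the resulting authentication state for the change log.
foreach ($m in 'windowsAuthentication', 'anonymousAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $loc -Filter "$auth/$m" -Name enabled
    '{0,-24} enabled={1}' -f $m, $v.Value
}
```

Run it once after the manual steps as a check, or keep it with the deployment scripts so the handler order and authentication settings are verified after every application update, which is when they tend to be reset.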

Testing SSO & user import

You can now open your browser and go to your catalogue URL where you will be logged in automatically. If you are part of a security group defined at the start of this document you should also have the module and/or system configuration menu available.

To test that the full synchronisation of users is occurring, wait for the task to run and then go to Modules > Users > User Search and click the Search button.

If you see all your users returned in the results list, the task completed correctly. If very few users appear, contact Soutron for assistance in debugging the cause of the failure.

Note: The Soutron Task service must be running for users to be imported.
