Using LDAP with Ektron

Lightweight Directory Access Protocol (LDAP) is a protocol for querying and authenticating against a directory service whose entries are arranged in a hierarchy, one that may reflect geographic or organizational boundaries. Active Directory and LDAP are not the same thing: Active Directory is a directory service that can be reached over LDAP. While they perform similar functions, LDAP (when used with Ektron) only verifies login credentials against the directory and creates the user in the Everyone group.

Ektron's LDAP feature lets you retrieve user login information from an LDAP server. As a result, you can administer user information from one place, and users only need to remember one password/username combination to sign on to the network and Ektron.

An LDAP hierarchy can be organized in several different ways. A distinguished name reads from the most specific entry on the left to the root of the tree on the right, so each component sits beneath the one that follows it. For example, in the following structure the domain is the root of the tree and would typically span multiple countries.

NOTE: Abbreviations: CN = Common Name, OU = Organizational Unit, O = Organization, C = Country, DC = Domain Component (one per label of a DNS name), DN = Distinguished Name (the whole comma-separated string, not one of its components).

CN=j_smith, OU=Sales, O=MyCompany, C=US, DC=example, DC=com

By moving the C component to the right of the DC components, the hierarchy indicates that the domain example.com is located in the US.

CN=j_smith, OU=Sales, O=MyCompany, DC=example, DC=com, C=US

In some instances, an Organization may need to appear below an Organizational Unit, for example when an Organizational Unit has its own Organizations.

Below is a visual example of an LDAP hierarchical structure.

Enabling LDAP

You enable LDAP by editing the web.config file and editing settings on the Active Directory Setup screen. See Also: Setting Up Active Directory

WARNING! Before enabling LDAP in Ektron, make sure your LDAP server is ready for use, and make sure it holds an account for yourself that you will give Ektron administrator rights. After you enable LDAP, only the BuiltIn account can access Ektron without LDAP authentication. See Also: Editing the Builtin Username and Password

  1. In the siteroot\web.config file, change the ek_AUTH_Protocol property to GC:
    <add key="ek_AUTH_Protocol" value="GC"/>
  2. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  3. Click Edit.
  4. Select Enable LDAP Authentication.
  5. Complete the LDAP-related fields and click Update.
    • Type—Choose the type of LDAP authentication you are using. Depending on your choices, the fields below may be required or disallowed. The following choices are available:
      • Active Directory (LDAP)—Domain allowed, Organization is not. For more information, see Using LDAP to Connect to Active Directory.
      • Novell eDirectory/NDS—Organization allowed, Domain is not.
      • Sun Iplanet/JSDS—Domain allowed, Organization is not.
      • Other—Allows Domain and Organization
    • LDAP Server—The IP address or name of the LDAP server.
    • Port—The LDAP server port with which Ektron communicates, usually 389 for plain LDAP and 636 for LDAP over SSL. If you are unsure of the port number, consult your Directory Service documentation.
    • Organization—The name of your company or organization. For example, Ektron, Inc. You can leave this field blank if you enter a domain in the Domain field.
    • Domain—Your domain name. For example, www.ektron.com. This should be the name you used when purchasing your license key. You can leave this field blank if you enter an organization in the Organization field.
    • Attribute—Enter the key value used to reference accounts inside LDAP. As examples: dn, sn, cn, uid, and so on.
    • Use SSL—Check this to connect to the LDAP server over SSL (LDAPS). Without it, the bind credentials and every password Ektron verifies cross the network in clear text. Set Port to the server's SSL port when you select this option.
    • Path—The next levels below your Organization or Domain. These can include multiple levels of Organizational Units. For example, Content Editors, Marketing, East Coast. Click the Expand link to display the Add field.
    • Add—Enter the path to which you want to grant access in the text field. Then click the Add link.

      When adding Organizational Units, paths are comma-separated and run from specific to general. For example, ou=Amherst,ou=New Hampshire,o=US. For more information, see Adding an Organizational Unit During Setup.

      Do not add individual Common Names here. Only add Organizational Units that contain people who should have access to Ektron. To add a single individual from a different Organizational Unit, see Adding User Information from an LDAP Server to Ektron.

NOTE: You can add additional Organizations below an Organizational Unit as long as the path matches the one on your LDAP server.

Using LDAP to Connect to Active Directory

  1. In the siteroot\web.config file, set ek_ADUsername and ek_ADPassword to the account Ektron uses to bind to Active Directory. Use a dedicated account with read-only directory access: the password is stored in clear text in web.config, so restrict who can read the file. For example:
    <add key="ek_ADUsername" value="[AD account, in user@domain form]" />
    <add key="ek_ADPassword" value="mypasswordisthis" />
  2. Go to Settings > Configuration > Active Directory > Setup. The Active Directory Setup screen appears.
  3. Click Edit.
  4. Use the following settings in the Active Directory Setup screen.
    • Type—Active Directory (LDAP)
    • LDAP Server—[IP Address of the AD domain controller]
    • Port—389 (or the server's LDAP over SSL port, usually 636, if you select Use SSL)
    • Organization—[leave this blank]
    • Domain—[dns name of the AD domain]. For example: intra.ektron.com
    • Path (Organizational Units)—[any OUs that you want to draw users from] For example: Support,Users,Ektron Corporate or Engineering,Users,Ektron Corporate
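As an added example (not Ektron's own code), the following Python script audits the appSettings keys that the two procedures above have you place in siteroot\web.config. It reports the ek_AUTH_Protocol and ek_LDAPMembershipUser values and flags an ek_ADPassword stored in clear text. The suggested fix, encrypting the appSettings section with the standard ASP.NET aspnet_regiis tool, is this editor's recommendation rather than something the page documents, and the web.config text embedded in the script is constructed for the example.

```python
"""Added example, not Ektron's own code: audit the LDAP/AD keys in web.config.
The web.config text is constructed; the key names are the ones this page uses.
The aspnet_regiis advice is a standard ASP.NET facility, not an Ektron feature."""
import xml.etree.ElementTree as ET

# Constructed: the appSettings section as the procedures on this page leave it.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="ek_AUTH_Protocol" value="GC"/>
    <add key="ek_ADUsername" value="svc_ektron@intra.example.com"/>
    <add key="ek_ADPassword" value="mypasswordisthis"/>
    <add key="ek_LDAPMembershipUser" value="false"/>
  </appSettings>
</configuration>
"""

# Constructed: the same section after
#   aspnet_regiis -pe "appSettings" -app "/<site>"
# ASP.NET replaces the <add> elements with a provider attribute plus ciphertext
# and decrypts them transparently at runtime; the blob below is a placeholder.
SAMPLE_ENCRYPTED = """<configuration>
  <appSettings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>BASE64-CIPHERTEXT-PLACEHOLDER</EncryptedData>
  </appSettings>
</configuration>
"""


def audit_ldap_settings(web_config_xml: str) -> dict:
    """Parse web.config and return the LDAP-relevant settings with findings."""
    root = ET.fromstring(web_config_xml)
    app = root.find("appSettings")
    encrypted = app is not None and app.get("configProtectionProvider") is not None
    # An encrypted section exposes no keys to a file reader, which is the point.
    settings = {} if app is None or encrypted else {
        a.get("key"): a.get("value") for a in app.findall("add")}
    findings = []
    if not encrypted:
        if settings.get("ek_AUTH_Protocol") != "GC":
            findings.append("ek_AUTH_Protocol is not GC, which the Enabling LDAP "
                            "procedure requires")
        if "ek_ADPassword" in settings:
            findings.append("ek_ADPassword is stored in clear text; restrict NTFS "
                            "read access to web.config and encrypt the section with "
                            "aspnet_regiis -pe \"appSettings\" -app \"/<site>\"")
    return {
        "protocol": settings.get("ek_AUTH_Protocol"),
        "membership_users_use_ldap":
            settings.get("ek_LDAPMembershipUser", "false").lower() == "true",
        "section_encrypted": encrypted,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("clear-text", SAMPLE_WEB_CONFIG), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, audit_ldap_settings(cfg))
```

Run it against the real siteroot\web.config by reading the file into audit_ldap_settings; the bind account it names should be a low-privilege directory reader, never a domain administrator, because anyone who can read web.config gets that password.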
Adding an Organizational Unit During Setup

Things to consider when adding Organizational Units:

  • Should everyone in the OU have access to Ektron? When LDAP is enabled, users are added to the Everyone group upon login. Everyone in the OU can then sign in to Ektron, but not every user should have permission to edit content. To control permissions, set up user groups, add users to groups, and assign permissions to the group. See Also: Managing User Groups and Managing Folder Permissions
  • Do users in other Organizational Units need access? Managers or editors are sometimes in a different OU. Either add them manually or add their OU.
  • Several entries can cover parts of the same hierarchical path. For example, you might have:
    ou=Sales,ou=Sales_Service,o=MyCompany
    ou=Sales_Service,o=MyCompany
    o=MyCompany
    This lets you authenticate users listed directly in Sales, in Sales_Service, and in MyCompany.
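The DN reading order described at the top of this page and the overlapping path entries just above are easier to reason about with a small parser. The following Python is an added example, not Ektron's code: it splits distinguished names into their components, builds the search base an Ektron Path entry resolves to, and lists which configured entries admit a given user. Two things in it are assumptions rather than facts from the page: an entry written without attribute types ("Support,Users,Ektron Corporate") is read as ou=Support,ou=Users,ou=Ektron Corporate, and the default matching rule is one level (the user's parent must be exactly the configured entry), which is what the need for three overlapping entries above implies; a subtree rule is included for comparison. The sample paths and user entries are constructed from the page's examples.

```python
"""Added example, not Ektron's own code: DN parsing and Path coverage checks.
Sample data is constructed from the documentation's examples; the bare-OU
shorthand and the one-level default are assumptions labelled in the code."""
from __future__ import annotations

RDN = tuple[str, str]          # (attribute type, value)


def parse_dn(dn: str) -> list[RDN]:
    """Split a DN into RDNs, most specific first. A backslash escapes the next
    character, so "CN=Smith\\, John" stays one RDN. Types are lower-cased,
    values keep their case."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep:                # assumption: bare name is an OU (Ektron Path shorthand)
            attr, value = "ou", attr
        if not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def _escape(value: str) -> str:
    return value.replace(",", "\\,")


def format_dn(rdns: list[RDN]) -> str:
    """Inverse of parse_dn; commas inside a value are escaped again."""
    return ",".join(f"{attr}={_escape(value)}" for attr, value in rdns)


def search_base(path: str, domain: str = "", organization: str = "") -> list[RDN]:
    """The base DN an Ektron Path entry resolves to: the OU chain, then the
    Domain's DC components (Active Directory) or the Organization. A path that
    already ends in o= or dc= (ou=Amherst,ou=New Hampshire,o=US) is taken as is."""
    rdns = parse_dn(path)
    if rdns[-1][0] in ("o", "dc"):
        return rdns
    if domain:
        return rdns + [("dc", label) for label in domain.strip(".").split(".")]
    if organization:
        return rdns + [("o", organization)]
    raise ValueError("a Domain or an Organization is required to complete the path")


def _fold(rdns: list[RDN]) -> list[RDN]:
    return [(a, v.lower()) for a, v in rdns]   # AD and eDirectory match case-insensitively


def admits(base: list[RDN], user_dn: str, scope: str = "onelevel") -> bool:
    """onelevel: the user entry sits directly under base. subtree: anywhere below it."""
    user, base = _fold(parse_dn(user_dn)), _fold(base)
    below = len(user) - len(base)
    if below <= 0 or user[-len(base):] != base:
        return False
    return below == 1 if scope == "onelevel" else True


def matching_paths(paths: list[str], user_dn: str, scope: str = "onelevel", **suffix) -> list[str]:
    """Configured entries that admit user_dn; an empty list means the user is
    not reachable through the configured paths."""
    return [p for p in paths if admits(search_base(p, **suffix), user_dn, scope)]


# Constructed configuration and user entries based on the page's examples.
NDS_PATHS = ["ou=Sales,ou=Sales_Service,o=MyCompany", "ou=Sales_Service,o=MyCompany", "o=MyCompany"]
AD_PATHS = ["Support,Users,Ektron Corporate", "Engineering,Users,Ektron Corporate"]
AD_DOMAIN = "intra.ektron.com"
USERS = {
    "sales_rep": "cn=j_smith,ou=Sales,ou=Sales_Service,o=MyCompany",
    "service_manager": "cn=m_lee,ou=Sales_Service,o=MyCompany",
    "marketing": "cn=a_jones,ou=Marketing,o=MyCompany",
}


def demo() -> dict:
    out = {scope: {name: matching_paths(NDS_PATHS, dn, scope) for name, dn in USERS.items()}
           for scope in ("onelevel", "subtree")}
    out["ad_support"] = matching_paths(
        AD_PATHS, "CN=Smith\\, John,OU=Support,OU=Users,OU=Ektron Corporate,DC=intra,DC=ektron,DC=com",
        domain=AD_DOMAIN)
    out["ad_base"] = format_dn(search_base(AD_PATHS[0], domain=AD_DOMAIN))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Under the one-level rule the marketing user matches nothing, even though o=MyCompany is configured, which is why the page tells you to add each OU whose members need access; under a subtree rule o=MyCompany alone would admit everyone in the company, which is usually wider than intended.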
Adding User Information from an LDAP Server to Ektron

Users at each level of a configured path are automatically available for adding to Ektron. You do not have to drill down to the OU or CN level to add a user; a user whose entry sits at the DC or OU level is available too.

After LDAP is enabled, there are several ways to add LDAP user information to Ektron:

  • The user logs in. As a result, the user appears in the Users list and is added to the Everyone group. After a user logs in, some fields on the Add User screen, such as first and last name, can be filled in manually. For a description of these fields, see Manually Adding an LDAP User.
  • Search an LDAP server for LDAP users.
  • Add the user’s LDAP information manually.
  • A combination of searching and manually completing the remaining fields.
Searching an LDAP Server for Users

To search for a user on an LDAP server and add the user to Ektron:

  1. Enable LDAP by following the instructions in Enabling LDAP.
  2. From the Workarea, navigate to Settings > Users.
  3. Click Add Users. The Add a New User to the System screen appears.
  4. Click Browse LDAP. The Search LDAP Users screen appears.

  5. Enter one or more search criteria.
    • Username—the username of the user on the LDAP server
    • Firstname—the first name of the user on the LDAP server
    • Lastname—the last name of the user on the LDAP server
    • Path—select a path from the drop-down list. These are the paths that were enabled when you configured Ektron for your LDAP server. If you select a path and enter no other information, you get all users in that path.
  6. Click Search. The search returns users that match the criteria entered.
  7. Check the box next to the user to be added.

  8. Click Save. The user is now added to Ektron and the Everyone group. To learn how to assign the user to another user group, see Assigning Users to User Groups.
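As an added example that is not part of the Ektron product, the following Python code shows the kind of LDAP search filter a form like the Search LDAP Users screen produces from its Username, Firstname and Lastname fields, built once by plain string concatenation and once with the RFC 4515 escaping a safe implementation applies. The attribute names (sAMAccountName, givenName, sn), the form-to-attribute mapping and the injected input are assumptions made for the example; the page does not say how Ektron builds its query.

```python
"""Added example, not Ektron's own code: the search filter behind a
Username/Firstname/Lastname form, unescaped versus RFC 4515-escaped.
Attribute names and the sample input are assumptions for this example."""

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# value. Backslash is first so the escapes it produces are not re-escaped.
_FILTER_ESCAPES = (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\x00", r"\00"))

# Form field -> directory attribute (Active Directory names; assumed).
FIELD_TO_ATTRIBUTE = {"firstname": "givenName", "lastname": "sn"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the server matches it literally."""
    for raw, esc in _FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_user_filter(criteria: dict, login_attribute: str = "sAMAccountName",
                      safe: bool = True) -> str:
    """criteria maps a subset of {"username", "firstname", "lastname"} to the
    text typed into the form. Empty fields are dropped; with none filled in the
    filter matches every person below the selected Path, as the documentation
    describes. login_attribute stands in for the Attribute setting on the
    Active Directory Setup screen. safe=False is the naive concatenation,
    kept only for comparison."""
    terms = ["(objectClass=person)"]
    for field, text in criteria.items():
        if not text:
            continue
        attr = login_attribute if field == "username" else FIELD_TO_ATTRIBUTE[field]
        terms.append(f"({attr}={escape_filter_value(text) if safe else text})")
    return terms[0] if len(terms) == 1 else "(&" + "".join(terms) + ")"


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute=value assertions the server would evaluate: every
    '(' that does not open an &, | or ! operator. If this exceeds the number
    of filled-in fields plus one, the input added clauses of its own."""
    return sum(1 for i, ch in enumerate(ldap_filter)
               if ch == "(" and ldap_filter[i + 1:i + 2] not in ("&", "|", "!"))


INJECTED_USERNAME = "*)(objectClass=*"   # constructed attacker input


def demo() -> dict:
    return {
        "normal": build_user_filter({"username": "j_smith", "lastname": "Smith"}),
        "unsafe": build_user_filter({"username": INJECTED_USERNAME}, safe=False),
        "safe": build_user_filter({"username": INJECTED_USERNAME}),
    }


if __name__ == "__main__":
    for label, flt in demo().items():
        print(f"{label:7} assertions={assertion_count(flt)} {flt}")
```

The unescaped version turns a Username of *)(objectClass=* into a third assertion that matches every object under the selected Path; the escaped version keeps it as one literal value that matches nothing. The same escaping applies to any filter you build yourself against the directory, for instance when scripting user imports with an LDAP client library, most of which ship a filter-escaping helper for exactly this purpose.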
Manually Adding an LDAP User

  1. Enable LDAP by following the instructions in Enabling LDAP.
  2. Go to Settings > Users.
  3. Click Add User. The Add a New User to the System screen appears.
  4. Fill out the fields according to Creating a New User.
  5. Click Save. The View Users in Group Everyone screen appears, displaying the new user and the other Ektron users. To learn how to assign the user to another group, see Assigning Users to User Groups.
Using the Browse Feature to Add an LDAP User

The Browse LDAP feature provides a friendly and intuitive way to find usernames, domains/organizations and organizational units.

WARNING! The default server IP/DNS name and port are taken from the settings specified in the Configuration > Setup page. These settings must be specified before connecting to the LDAP server.

Before using the browse feature, you must specify an Organizational Unit that can see the user in the Configuration > Setup page.

  1. Enable LDAP by following the instructions in Enabling LDAP.
  2. Go to Settings > Users.
  3. Click Add Users. The Add a New User to the System screen appears.
  4. Click Browse LDAP. The LDAP Explorer appears.
  5. Navigate the LDAP server’s folders by clicking on the folder images. Each folder represents an Organizational Unit (OU). When you choose an OU level, its users appear.

    NOTE: In the LDAP Explorer, the Path and Org/Domain fields update dynamically as you navigate through the LDAP tree.

  6. Select a user. The user is added to Ektron and the Everyone group. To learn how to assign this user to another group, see Assigning Users to User Groups.
Editing LDAP User Information

It is important to note that Ektron does not write to the LDAP server. So, while you can change fields when editing a user in Ektron, those changes stay in Ektron; make the same changes on the LDAP server if they should apply there as well.

  1. Go to Settings > Users.
  2. In the Username column, click a user to edit. The View User Information screen appears.
  3. Click Edit.
  4. Change the information as needed. For more information on the fields you can edit, see Creating a New User.
  5. Click Save.
Deleting Users

If a user is deleted on the LDAP server, Ektron does not automatically delete the user. However, the user’s login fails because the login cannot be authenticated. In this case, delete the user from Ektron using the Delete User function.

NOTE: If you mistakenly delete all users with administrative privileges, you can still sign in using the builtin user's username and password. For more information, see Editing the Builtin Username and Password.

Authenticating Membership Users with AD or LDAP

Usually Membership users are not included in AD or LDAP directories. Ektron's default settings ignore AD or LDAP for Membership authentication.

If you want Membership users to authenticate with AD or LDAP, do the following steps.

  1. Edit the siteroot\web.config file.
  2. Set ek_LDAPMembershipUser to true.
    <add key="ek_LDAPMembershipUser" value="true" />
    When ek_LDAPMembershipUser is false (the default), Membership users are not authenticated with AD or LDAP.
Disabling LDAP Authentication

To disable LDAP authentication or integration, edit the Active Directory Setup screen and select Disable Active Directory and LDAP Authentication.

See Also: Setting Up Active Directory