The LMS can connect to an external, LDAP-compatible user directory. This allows users to log in using credentials stored in the directory rather than the email address and password stored in the LMS.
User profile details in the LMS are synchronized with the directory. Users can also be automatically added to groups in the LMS and thus assigned courses based on the groups they are assigned in the directory.
This feature primarily supports Active Directory, but it is also compatible with other software that support LDAP.
About directories: A directory stores usernames, passwords, and other information about users. Organizations typically use a directory as a single, centralized database for this information and have all of their applications connected to it. This allows users to log into everything using a single user account rather than having a separate account for each application.
About LDAP: LDAP (Lightweight Directory Access Protocol) is an industry-standard protocol for retrieving information from directories.
About Active Directory: Active Directory is software by Microsoft that implements a directory. It is a core service included with the Windows Server operating system. It supports LDAP.
LDAP can be configured under Users → LDAP Connections. Any number of directories can be configured for your organization.
Creating an LDAP connection requires the following information:
- The URL of the directory.
- The credentials (DN and password) of a user in the directory. The LMS logs into the directory using this user in order to search the directory.
- The path (DN) to the folder in the directory that contains the users that will be able to log into the LMS.
- The names of user attributes: ID, username, first name, last name, and email.
LDAP software can have varying names for these attributes. For example, a user's first name is their givenName in Active Directory. Custom attributes may also be assigned.
There is a button that will configure these attributes for Active Directory.
Distinguished Names: Some settings require a Distinguished Name (DN) which specifies the full path to a user, folder, Organizational Unit (OU), or other resource in the directory.
For example, CN=Administrator,CN=Users,DC=example,DC=com would be a DN for the Administrator user in the Users folder in the example.com domain.
Any number of groups can be associated to a connection. This requires entering the name (DN) of a group in the directory and selecting the corresponding group in the LMS. Adding and removing groups here will not affect any existing user's group memberships in the LMS.
Note: The Domain Users group of Active Directory is not supported at this time. A user-created group must be used instead.
There is a "Test" button in the connection list. Clicking this will test the connection to the directory and check for a number of issues which could cause problems when users log in with LDAP.
Once a connection is configured, the login page on your organization's domains will default to logging in using LDAP.
In case of multiple connections, there is a dropdown for selecting which connection to use. It defaults to the first connection in the list. There is also an "LMS account" option which allows non-directory users to still be able to log in with an email address and password stored in the LMS.
Directory users are added to the LMS user list when they log in for the first time. Every time a user logs in, their name and email address in the LMS will be synchronized with the directory. They will also be added to groups in the LMS based on the groups they are currently assigned in the directory.
Can the LMS connect using SSL/TLS encryption?
Yes, the LMS supports both insecure (unencrypted) and secure (encrypted with SSL/TLS) connections.
When configuring the URL for your server in the LMS, use the ldap:// protocol for insecure connections and the ldaps:// protocol for secure connections.
How do I allow the LMS to access my Active Directory server if I have a firewall?
You will need to whitelist this IP address in your firewall: 126.96.36.199
The LMS will use port 389 for insecure connections or port 636 for secure connections.
Does the LMS support site-to-site VPN?
I don't use the default Users folder in Active Directory. My users are organized into different folders or Organizational Units (OUs). How do I configure the LMS to find them?
You can change the Root DN to the root of your domain. This will allow all users in your domain to be able to log into the LMS.
Or, you can set it to a top-level folder or OU containing the users that will be able to log into the LMS. Users in nested folders or nested OUs are also granted access. Users outside of the top-level folder or OU will not have access to the LMS. This provides additional security in case you only want a subset of your users to be able to log into the LMS.
For example, if your directory is organized like this:
- User A
- User B
- User C
- User D
- User E
- User F
Then the following are some example Root DNs and the resulting users that will be able to log into the LMS:
- DC=example,DC=com: all users can log into the LMS
- OU=Departments,DC=example,DC=com: all users in the Departments OU (including Accounting and Sales which are nested) can log in (A, B, C, and D)
- OU=Sales,OU=Departments,DC=example,DC=com: all users in the Sales OU can log in (C and D)
- CN=Users,DC=example,DC=com: all users in the Users folder can log in (E and F)
How do I import users from Active Directory into the LMS?
Users are added to the LMS when they log in using LDAP for the first time.
We don't have a way to import all users directly from Active Directory into the LMS all at once. However, this can be accomplished by creating a CSV containing the user's information from Active Directory and using the Upload Users tool to import the CSV.
The CSV would have to contain at least the email address for each user in Active Directory. This is because the LMS will match accounts by email address when users log in with LDAP for the first time. See the next question for more information.
I have users already in the LMS, and I want them to start logging in with their Active Directory credentials. How do I accomplish this?
Before a user logs in with LDAP for the first time, you need to ensure their account in the LMS has the same email address as their corresponding account in your directory. Email addresses are case insensitive.
When a user logs in with LDAP for the first time, the LMS will search for an existing LMS account with the same email address as the directory account. If an account is found, then it will associate the directory account with the LMS account instead of creating a new LMS account. The user will retain all of their progress, answers, and other data, and they can now log in with their directory credentials going forward.
Once the LDAP connection is created in the LMS, users are able to log in with their directory credentials right away.
Are there any restrictions on usernames when logging in with LDAP?
The only restriction is that usernames are limited to 100 characters. Any username format is accepted.
When a user logs in with LDAP, the username and password they enter is passed as-is to the directory in order to authenticate.
I have created a sub-organization that uses LDAP, but users from the parent organization cannot log into the sub-organization using LDAP. Why?
Security reasons. If a directory user matches an existing LMS user by email address, then the LMS user must be a member of the same organization where LDAP is configured. Otherwise, an error occurs.
In this case where a user needs to log into both a sub-organization with LDAP and a parent organization, then the user must be manually added as a member of the sub-organization first.