LDAP Server Guidelines
This topic provides LDAP server guidelines. For general information about LDAP, see About LDAP. For information on how to configure LDAP on the library, see Configuring LDAP.
The library supports all LDAP servers. You can also use Kerberos for added security. For specific instructions on configuring Kerberos, see Configuring Kerberos.
The library Web client and operator panel do not allow you to create, modify, or delete user account information located on an LDAP server. This must be done by the directory service provider.
The following groups must be created on the LDAP server:
- Library User Group — Assign users to this group who need user privileges on the library (see Working With Local User Accounts for more information on privilege levels). Enter the name of this group in the Library User Group field on the Setup - Remote Authentication screen on the library.
- Partition Groups — For LDAP users with user privileges, access to library partitions is determined by group assignment on the LDAP server. Groups must be created on the LDAP server with names that match the library partition names (names must match, but are not case sensitive). Users with user privileges must be assigned to these groups on the LDAP server to have access to the corresponding partitions on the library.
- Library Admin Group — Assign users to this group who need administrator privileges on the library (see Working With Local User Accounts for more information on privilege levels). LDAP users with administrator privileges have access to all partitions and administrative functions and do not need to be assigned to partition-related groups on the LDAP server. Enter the name of this group in the Library Admin Group field on the Setup - Remote Authentication screen on the library.
You will need to have at least one user assigned to both the Library User Group and the Library Admin Group on the LDAP server in order to test the LDAP settings on the library (using the Test Settings button on the Setup - Remote Authentication screen; see Configuring LDAP). Since users are not typically members of both groups, you may need to create a special or temporary user specifically for this purpose.