Add an LDAP Server

  1. Log in as a Destiny Administrator.
  2. Select Setup > District Options sub-tab.
  3. Next to LDAP Servers, click Edit.
  4. On the LDAP Setup page, click Add Server.
  5. In the User-Defined Display Name field, enter the name (up to 80 characters) that you want to appear on the LDAP Setup page and the LDAP Mappings page. For details, see Map Patrons to LDAP Servers.
  6. In the Host Name / IP field, enter your LDAP server's host name or IP address.

    Notes:

    • If you are a self-hosted customer, you can enter a private IP address. If you are a Follett Destiny Cloud customer, you need to enter the public IP address of your LDAP server.
    • If your Patron Types require different Distinguished Names (DN) for authentication, you may need to set up the same server more than once, specifying the correct DN for each.
  7. If you are not using the default port number, enter the port number through which you will be connecting.
    The default port number is 389 for regular communication (not using SSL) or 636 for encrypted communication (using SSL).
    Note: Destiny supports only unencrypted and SSL connections. It does not support SASL.
  8. In the Distinguished Name (DN) field, specify the bind DN to use when connecting to the LDAP server.

    Example:

    For Active Directory users:

    ${USERNAME}@myschool.edu

    For other directories:

    uid=davesmith, o=Users, dc=d15, dc=org

    uid=${USERNAME}, ou=${PATRONTYPE}, ou=people, dc=myschool, dc=e

    Each component of the DN consists of an attribute that names the object, an equals sign, and the value of the attribute. Components are connected by commas.

    Destiny lets you use pre-defined tokens to replace the value of an attribute. When a patron attempts to log in, the token is replaced with the appropriate value, taken from the patron or site record in Destiny.

    The acceptable token values are defined in the token table, below.

  9. From the Authentication drop-down, select either Unencrypted or SSL.
  10. Click Save.
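The bind DN described in step 8 is a template: each ${TOKEN} is replaced with a value from the patron or site record at login time. Because the substituted value becomes part of a DN, any comma, equals sign or other RFC 4514 special character inside it would change the structure of the DN unless it is escaped. The following Python is an added example, not Destiny's code; it renders a template with the tokens from the token table, escapes values for the DN form, and applies a conservative allowlist for the Active Directory user-principal form (the templates, patron values and the `KNOWN_TOKENS` set are assumptions built from this page, and the helper names are hypothetical).

```python
import re

# Tokens documented on this page; any other ${...} in a template is a typo.
KNOWN_TOKENS = {
    "USERNAME", "SITENAME", "SHORTSITENAME", "PATRONTYPE", "ACCESSLEVEL",
    "DISTRICTID", "UD1", "UD2", "UD3", "UD4", "UD5", "SIFREFID",
}

_TOKEN_RE = re.compile(r"\$\{([A-Z0-9]+)\}")
# Conservative allowlist for the user part of a UPN such as ${USERNAME}@myschool.edu
_UPN_SAFE = re.compile(r"^[A-Za-z0-9._-]+$")


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514, section 2.4).

    Special characters get a leading backslash; a leading '#' or space and a
    trailing space are escaped as well. Hypothetical helper, not Destiny's.
    """
    if "\x00" in value:
        raise ValueError("NUL is not allowed in a DN value")
    escaped = "".join("\\" + ch if ch in ',+"\\<>;=' else ch for ch in value)
    if escaped and escaped[0] in "# ":
        escaped = "\\" + escaped
    if len(value) > 1 and value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def unknown_tokens(template: str) -> list:
    """Return tokens in the template that Destiny does not define (sorted)."""
    return sorted({t for t in _TOKEN_RE.findall(template) if t not in KNOWN_TOKENS})


def render_bind_dn(template: str, values: dict) -> str:
    """Replace ${TOKEN} placeholders with values taken from the patron/site record.

    A template containing '=' is treated as a DN and its values are escaped;
    otherwise it is treated as a UPN and the values must pass the allowlist.
    """
    is_dn = "=" in template

    def repl(match):
        name = match.group(1)
        if name not in KNOWN_TOKENS:
            raise KeyError("unknown token ${%s}" % name)
        if name not in values:
            raise KeyError("no value supplied for ${%s}" % name)
        value = values[name]
        if is_dn:
            return escape_dn_value(value)
        if not _UPN_SAFE.match(value):
            raise ValueError("value for ${%s} is not a valid UPN user part" % name)
        return value

    return _TOKEN_RE.sub(repl, template)


if __name__ == "__main__":
    # Constructed sample patron record (not real data).
    patron = {"USERNAME": "davesmith", "PATRONTYPE": "Faculty"}
    print(render_bind_dn("${USERNAME}@myschool.edu", patron))
    print(render_bind_dn(
        "uid=${USERNAME}, ou=${PATRONTYPE}, ou=people, dc=myschool, dc=edu", patron))
    # A value containing DN metacharacters stays a single attribute value.
    print(render_bind_dn("uid=${USERNAME}, ou=people, dc=example, dc=org",
                         {"USERNAME": "smith, ou=admins"}))
```

Running the block prints the two rendered bind DNs for the constructed patron, followed by a third DN in which the comma and equals sign inside the username are escaped, so the directory still sees a single `uid` value rather than an extra `ou` component.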

To support SSL for LDAP, you must provide Destiny with a public encryption key (digital certificate). Destiny includes a certificate management utility called keytool that helps you update the cacerts keystore and add your root CA certificate.

Notes:

  • If the bind does not authenticate the patron's password, an error message appears, indicating that the login failed. The login page then reappears.
  • If the Destiny patron record contains a password, an LDAP bind is not initiated; the user must log in using that password.
  • In LDAP, all names are case sensitive, and spaces are significant.
Token Details

Token              Value                                                        Source
${USERNAME}        User (login) Name                                            patron record
${SITENAME}        Site Name                                                    Edit Site page
${SHORTSITENAME}   Short Name                                                   Edit Site page
${PATRONTYPE}      Patron type, text version (example: Faculty)                 patron record
${ACCESSLEVEL}     Access level, text version (example: Administrator)          patron record
${DISTRICTID}      District ID                                                  patron record
${UD1}             User Defined 1                                               patron record
${UD2}             User Defined 2                                               patron record
${UD3}             User Defined 3                                               patron record
${UD4}             User Defined 4                                               patron record
${UD5}             User Defined 5                                               patron record
${SIFREFID}        patronid from SIFRefids sr where sr.patronid = p.patronid (example: "{132313123-1231-1312-12312312}")