Guide to Using Lightweight Directory Access Protocol with Typing Quest
The guide applies to the web-based typing tutor sold under the brand name
Typing Quest, TypingMaster or NäppisTaituri, depending on program language.
In this guide, the typing tutor is referred to as Typing Quest.
Setup Guide:
LDAP Authentication
Contents
1. Introduction
2. Implementation of LDAP login with Typing Quest
2.1 Connecting to your LDAP server
2.1.1 Open firewall for Typing Quest
2.1.2 Send LDAP connection settings to Typing Quest
2.2 Grouping options
2.2.1 Effects of automatic grouping
2.2.2 Update groups setting
2.3 Preventing unauthorized use
2.4 Applying global course settings
3. Effects of LDAP on the use of Typing Quest
3.1 Authentication process
3.2 Effects of LDAP authentication
3.3 Teacher accounts
Group Ownership
4. Changes to LDAP connection Settings and troubleshooting
4.1 Error: Invalid credentials
4.2 Changes to your LDAP settings
4.3 Discontinuing LDAP authentication
© TypingMaster, Inc. 2016
1. Introduction
This guide applies to the web-based typing tutor sold under the brand name Typing Quest, TypingMaster or
NäppisTaituri, depending on program language. In this guide, Typing Quest refers to all language versions
regardless of the marketing name of the service.
When Typing Quest is set to use LDAP authentication, user data is shared between the LDAP Directory and
Typing Quest and you will not need to maintain user information in Typing Quest.
In addition, you will not need to create student accounts in Typing Quest. Instead, they are created
automatically when users successfully log in to Typing Quest for the first time with their LDAP credentials.
LDAP Directory Servers currently supported by Typing Quest are:
• Microsoft® Active Directory®
• OpenLDAP™ (Beta)
• Novell® eDirectory™ (Beta)
Here’s an overview of what you will need to set up LDAP Authentication for Typing Quest. Sections 2 - 4 will give
detailed information on each step.
1. Prepare your LDAP Server for LDAP connectivity so that the Typing Quest server can connect to it
successfully.
2. Set up Typing Quest if you already have users taking the courses. At its simplest, you’ll just need to
make sure that “old” users’ Typing Quest login IDs are the same as their network user IDs on the LDAP
server. Alternatively, you may simply want to archive or delete old users and have them start over with new user
accounts (login IDs will need to be unique).
3. Prepare grouping. If you want Typing Quest to automatically assign users to groups, you will need to
decide what base information will be used for the groups: your options are either the LDAP OU
attribute(s) in user’s Distinguished Name or an LDAP attribute of your choice. See section 2.2 Grouping
Options for more information about grouping and to find out which alternative suits you the best.
4. Send an email to Typing Quest containing the LDAP connection information described in section.
You’ll find the contact form at the bottom of Typing Quest pages after logging in to the service.
2. Implementation of LDAP login with Typing Quest
We recommend starting to use LDAP authentication from a clean slate, as that will ensure a smooth deployment.
However, it is possible to switch to LDAP authentication even after your students have started using Typing
Quest. In this case, there will be additional steps to take, but our tech team will guide you through them.
2.1 Connecting to your LDAP server
2.1.1 Open firewall for Typing Quest
You will need to set your firewalls to allow connections from Typing Quest. Please contact us for the IP of the
Typing Quest server. We recommend allowing only the Typing Quest server to connect to the specified LDAP
port; you should not open the port publicly. By default, the port for LDAP is 389, and for LDAP over SSL it’s
636. However, Typing Quest can be configured to connect to any port of your choice. You should also make sure
that connections from Typing Quest will be forwarded to your LDAP server.
2.1.2 Send LDAP connection settings to Typing Quest Customer Care
Once the above steps have been completed to allow requests from the Typing Quest server, please send the
information described below to our Customer Care so that we can successfully connect to your LDAP server. We
use this information to configure the LDAP settings on your Typing Quest account.

• Type of LDAP server you are using. Currently we support Windows Active Directory, OpenLDAP and
Novell eDirectory.
• Fully Qualified Domain Name or IP Address for your LDAP Directory server. For added failover capacity,
you can provide a primary server address and an optional secondary server.
• Whether or not LDAP over SSL should be used (ldap:// vs ldaps://). Remember that this also
determines which port you need to open in your firewall. We highly recommend using SSL, and using
LDAP communication without SSL only when testing.
When you use LDAP over SSL, you must have a valid SSL certificate on your server that we will install on
the Typing Quest server. We will retrieve the certificate automatically, provided that the connectivity
works. In case the certificate cannot be retrieved, we will contact you.
• Search base directory to use (base DN). This DN indicates the unique starting point within your LDAP
Directory where user credentials are found. Usually this is the Directory root, for example:
DC=mycompany,DC=com. If you wish, you can also specify a specific OU, for example:
OU=Students&Teachers,OU=Users,DC=mycompany,DC=com.
• User filter. By default, Typing Quest searches for a match between the given login name and the LDAP attribute
‘cn’ (&(objectclass=user)(cn=login name)). If we should match to another attribute such as
‘sAMAccountName’ or ‘uid’, let us know.
Advanced feature: Restricting access with user filter (authorization)
If you are familiar with defining user filters for LDAP searches, you can use the user filter to limit access
to Typing Quest to users who match the given criteria (such as school, group or student year).
Kindly note, however, that Typing Quest’s tech support is not able to help you in creating the user filter
because our support staff is not trained to do that, but we can of course help you test that the filter you
created works properly.
• Full Distinguished Name and password of your bind user.
Note that Typing Quest doesn’t offer support for anonymous binding.
• A test user name and password.
Once we have the above details, our tech team will enable LDAP authentication for you and send you a
confirmation email. Your next step is to decide how to group users.
2.2 Grouping options
When setting Typing Quest up to use LDAP authentication, you have three alternatives for grouping your users.
1. Do not use automatic grouping at all. In this case, all new users will be assigned to the Default Group in
Typing Quest.
If you decide not to use LDAP groups, you can create groups in Typing Quest and have teachers
manually assign users to their groups after first login. An easy way to mass create groups is to import all
your teachers in Typing Quest with group names (for instructions, log in to Typing Quest and go to ‘Tools
> Import users’). You can also leave group creation to individual teachers or do it later once you are
more familiar with Typing Quest.
2. Use the LDAP attribute OU (Organizational Unit) in the user’s Distinguished Name to create groups in Typing
Quest. This is a simple grouping option to get started without needing any changes to your LDAP
Directory. If the user DN contains more than one OU attribute, Typing Quest will take the first (deepest,
most granular OU from the directory structure) and use that as the group name.
3. Use another LDAP attribute that you have already populated in the Directory with data suitable for
grouping in Typing Quest. If this option is used, any user whose attribute is empty will be assigned to the
Default Group in Typing Quest.
4. Use LDAP group membership (limited support in Typing Quest). In some fairly simple Directory
structures, you can use the memberOf[group] as the group name. The limitation here is that if a user belongs
to more than one group, Typing Quest will simply pick the first memberOf entry and use its CN as the
group name.
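The grouping rules above, written out as an added example (not Typing Quest's own code) so you can preview which group name a directory entry would produce. The sample entries and the department attribute are constructed; the guide does not say what happens when a DN has no OU, so the function returns None in that case.

```python
import re

DEFAULT_GROUP = "Default Group"
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn):
    """Split a DN into (ATTRIBUTE, value) pairs, leftmost RDN first.

    Honours RFC 4514 backslash escapes, so an escaped comma stays inside the value.
    Assumption: multi-valued RDNs joined with '+' are not used.
    """
    rdns, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            if _HEX_PAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(int(dn[i + 1:i + 3], 16))  # hex-escaped byte
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")       # escaped special character
                i += 2
            continue
        if ch == ",":                                  # unescaped comma ends the RDN
            rdns.append(buf.decode("utf-8"))
            buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append(buf.decode("utf-8"))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def group_from_ou(user_dn):
    """Option 2: the first (leftmost, deepest) OU in the DN, or None if there is no OU."""
    for attr, value in parse_dn(user_dn):
        if attr == "OU":
            return value
    return None


def group_from_attribute(entry, attribute):
    """Option 3: a chosen attribute; an empty or missing value means the Default Group."""
    values = entry.get(attribute) or []
    value = values[0].strip() if values else ""
    return value or DEFAULT_GROUP


def group_from_member_of(entry):
    """Option 4: CN of the first memberOf entry only; other memberships are ignored."""
    member_of = entry.get("memberOf") or []
    if not member_of:
        return None
    for attr, value in parse_dn(member_of[0]):
        if attr == "CN":
            return value
    return None


SAMPLE_USERS = [  # constructed sample entries
    {"dn": "CN=Ann Lee,OU=Class 7B,OU=Students,DC=mycompany,DC=com",
     "memberOf": ["CN=Typing,OU=Groups,DC=mycompany,DC=com",
                  "CN=Year7,OU=Groups,DC=mycompany,DC=com"],
     "department": ["Year 7"]},
    {"dn": "CN=Doe\\, John,OU=Staff\\2C North,DC=mycompany,DC=com",
     "memberOf": [], "department": [""]},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(group_from_ou(user["dn"]), "|", group_from_member_of(user),
              "|", group_from_attribute(user, "department"))
```

Under the rule as described, only the OU value becomes the group name, so users in same-named OUs under different branches end up in the same Typing Quest group.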
2.2.1 Effects of automatic grouping
Group exists in Typing Quest:
If group already exists in Typing Quest, the user will be assigned to that group.
Group does not yet exist in Typing Quest:
If the group does not exist in Typing Quest, a new group will be created and the user is assigned to the new group.
Important: If a new group is created, Typing Quest will copy the course settings for the new group from the user’s
old group. If the old group does not exist, course settings are copied from the Default Group (see also section 4:
Applying Global Course Settings).
2.2.2 Update groups setting
If you decide to use automatic grouping, you will also need to make a decision whether or not to reassign users
to new groups if their group changes in your Directory. If you enable this setting - called “Update groups” on
your LDAP settings page - any user whose group has been changed in the Directory will automatically be
reassigned to the new group the next time that he or she logs in to Typing Quest. If the group does not yet exist,
it will be created by the system.
Note: When “Update groups” is enabled and results in the creation of a new group in Typing Quest, all course
settings from the student’s old group are copied to the new group.
Reasons for deciding not to use the automatic updating of student group:
In many cases, it can be convenient to assign users to default groups upon first login so that teachers can easily
find them. However, you may have a hunch that the grouping that you have in the Directory does not work very
well when your teachers start managing their classes in Typing Quest. For example, teachers may want to
rename or create their own groups using a different naming logic or create groups based on student skill levels.
In this case, if the user's group gets updated at each login, the teacher will need to reassign students back to their
correct groups again and again.
2.3 Preventing unauthorized use
Typing Quest does not currently feature options for allowing or preventing access based on specific LDAP data
(authorization). For this reason, any user who can successfully log in with their credentials from your Directory
(successful authentication) will get a user account in Typing Quest and can take the typing courses.
To prevent unauthorized users from reserving licenses, you can use Typing Quest’s “License password”
feature, which you will find on the Typing Quest Manager > Settings page.
When “Require Password” is set to Enabled, the users need to enter a License Password created by you to be
able to take a license and access the courses.
Advanced user filtering to prevent access
If you are familiar with defining user filters for LDAP searches, you can use the user filter to limit access to
Typing Quest to users who match the given criteria (such as school, group, student year, for example). User filter
limits Directory searches and users who don’t match the user filter criteria will be denied access to Typing Quest
(error message ‘User not found’).
Kindly note, however, that Typing Quest’s tech support is not able to help you in creating the user filter because
our support staff is not trained to do that, but we can of course help you test that the filter you created works
properly.
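One way to try out a restricting user filter against a few sample entries before sending it to Typing Quest, covering both the user filter described in section 2.1.2 and the advanced filtering above. This is an added example, not Typing Quest's code: the evaluator handles only &, |, !, equality and presence, compares values case-insensitively, and the entries, the sAMAccountName match and the TypingUsers group are constructed assumptions.

```python
import re


def escape_filter_value(value):
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_user_filter(login, match_attr="cn", restriction=""):
    """The guide's default filter, plus an optional admin-written restriction clause."""
    return "(&(objectclass=user)(%s=%s)%s)" % (
        match_attr, escape_filter_value(login), restriction)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _eval(f, i, entry):
    """Evaluate the filter component starting at f[i]; return (result, next index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if f[i] in "&|":
        op, i, results = f[i], i + 1, []
        while f[i] == "(":
            result, i = _eval(f, i, entry)
            results.append(result)
        value = all(results) if op == "&" else any(results)
    elif f[i] == "!":
        result, i = _eval(f, i + 1, entry)
        value = not result
    else:
        end = f.index(")", i)  # escaped parentheses appear as \28 and \29, never raw
        attr, _, want = f[i:end].partition("=")
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        value = bool(have) if want == "*" else _unescape(want).lower() in have
        i = end
    if f[i] != ")":
        raise ValueError("expected ')' at position %d" % i)
    return value, i + 1


def matches(filt, entry):
    """True if entry satisfies filt (subset: &, |, !, equality, presence)."""
    try:
        result, end = _eval(filt, 0, entry)
    except IndexError:
        raise ValueError("unbalanced filter") from None
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return result


TYPING_GROUP = "CN=TypingUsers,OU=Groups,DC=mycompany,DC=com"  # hypothetical group
DIRECTORY = [  # constructed sample entries, attribute names in lower case
    {"objectclass": ["user"], "samaccountname": ["alee"],
     "department": ["Year 7"], "memberof": [TYPING_GROUP]},
    {"objectclass": ["user"], "samaccountname": ["bkim"], "department": ["Staff"]},
    {"objectclass": ["computer"], "samaccountname": ["lab-pc1$"]},
]


def find_user(login, restriction=""):
    """Return the single matching entry, or None (the 'User not found' case)."""
    filt = build_user_filter(login, "sAMAccountName", restriction)
    hits = [e for e in DIRECTORY if matches(filt, e)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    only_typing = "(memberOf=%s)" % TYPING_GROUP
    for login in ("alee", "bkim"):
        print(login, "->", "found" if find_user(login, only_typing) else "User not found")
```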
2.4 Applying global course settings
At the moment Typing Quest does not feature global course settings. However, when using LDAP
authentication, you have an easy workaround for applying the same base course settings to all new groups that
are automatically created when students start using the typing tutor.
The prerequisite for applying global course defaults is that:
• You are using automatic grouping with LDAP authentication; AND
• Update groups is enabled; AND
• Group does not yet exist in Typing Quest.
To use global defaults, do this:
1. Go to ‘Courses’ page and select group ‘Default group’ from the group dropdown. Default group
should be the first on the list.
If your default group has been renamed, go to ‘Groups’ page where you will find it easily as it is tagged as
‘Default’ group. Then click on ‘View courses’.
2. For each course that is active for your students, configure the course settings to your liking. See the
Manager Manual for details on course settings.
Important: Modifying the course settings for the Default Group will not update the new settings in any of the
old groups in Typing Quest. The copying is only done when a new group gets created at user login.
If you want to apply modified settings from Default Group to any other group, select the group for which you
want to copy the settings and use the tool “Copy settings for this group from group: Default group” at the
bottom of the Settings page.
Note: If default group settings have not been changed, then the program will use factory default settings for all
courses.
3. Effects of LDAP on the use of Typing Quest
When LDAP is enabled, all students and teachers must use their LDAP directory user names and passwords to
enter Typing Quest. If user credentials are authenticated by your Directory, a new user account will be
automatically created in Typing Quest the first time that the user logs in.
If grouping is enabled, users are assigned to groups either based on OU or another LDAP attribute that you have
given to Typing Quest. Optionally, the user’s group is checked at each login and updated if it has changed.
Important: Administrators are always non-LDAP users and must use the login ID and password that are natively
created in Typing Quest. You can create additional accounts with administrator privileges on the Users page.
3.1 Authentication process
When a user attempts to sign in to Typing Quest on the login page:
1. If the user is already found on your Typing Quest account, the user is authenticated against your LDAP
Directory.
• If that user is found in the LDAP Directory and the sign in name and password match, the sign in is
successful. If the user's last name, first name or email has changed in the Directory, it will get updated in
Typing Quest.
• If that user is not found in your Directory or the sign in name and password do not match, the sign in
fails. Note that sign in may also fail because of bind errors – see section 5.1 to troubleshoot.
2. If the user is not found on your Typing Quest account, but is found in your Directory and successfully
authenticated, the user is automatically added as a new user in Typing Quest. User ID, first name, last name and
email address are passed from the Directory and saved to the user's Typing Quest account.
This is the user information that is saved in Typing Quest:
• Sign In Name / User ID
• First Name
• Last Name
• Email Address
• Optional: User group based on the selected group attribute
3.2 Effects of LDAP authentication
All Typing Quest users can use the same sign in name and password that they use for your network.
When users go to edit their personal settings in Typing Quest, they will not be able to change their Login ID, First
Name, Last Name and Email, or password because those are maintained in the LDAP Directory.
Users will not be able to change their group themselves. Teachers and account administrator(s) can change user
group provided that automatic updating of groups is not being used.
If you delete a user from your LDAP Directory, you do not need to delete that user from Typing Quest. If such
a user attempts to log in to Typing Quest, authentication will fail and the user will be unable to log in.
Each user who starts a typing course or takes a typing test will take up a license. To release licenses for reuse,
you will need to periodically purge non-functioning user accounts from your Typing Quest account. Licenses are
released when you place a user in the Archived Users group or permanently delete a user account.
We recommend that you archive or delete users from Typing Quest at least once a year. Note that a user placed
in the “Archived Users” group will not be able to log in to the program, but teachers have the opportunity to
revisit their result reports or recover the user from the archive.
3.3 Teacher accounts
Typing Quest does not recognize user types from your Directory and therefore by default assigns student
privileges to your teachers if their account is automatically created upon login. With student privileges a teacher
will have no access to his/her classes’ study records or course configuration.
For this reason, we recommend that you import teachers into Typing Quest in advance. You can do this one by
one on the Users & Reports page or you can mass-import users on the page Tools > Import users. So that
teachers are able to log in with LDAP credentials, make sure that the login ID matches their user ID on the LDAP
servers.
If you need to give teacher rights to a user already created in Typing Quest, you can change their user type in
User settings (Users & Reports > Click on user name > Change Settings).
Group Ownership
If you have a lot of teachers and groups in Typing Quest, we recommend that you ask your teachers to claim
ownership to their own classes. This will make it easier for the teachers to manage their classes as they will only
see users in their own groups and the shared groups in Typing Quest.
To do this, ask the teacher to go to the Groups page and find their class. Then click on “Settings” and select the
radio button “My group”. One teacher can claim ownership of more than one group, but groups can’t be owned by
more than one teacher. If more than one teacher needs to oversee the same class, then you should leave the
group as a shared group.
4. Changes to LDAP connection Settings and troubleshooting
4.1 Error: Invalid credentials
Typing Quest returns error message “Invalid credentials. Check your login and password.” for all errors with
LDAP: error code 49. It does not consider sub-codes.
If you receive the error when you are just setting up your LDAP authentication, or authentication has worked
before and stopped, or it works for some but not all users, the error may be caused by a failed bind instead of
the user entering incorrect user ID or password.
Please investigate your Directory server's bind error options in case server configuration has caused the problem
at Typing Quest login. You can also contact Typing Quest in case we have received LDAP error notifications from
your account.
A good online source for Active Directory and eDirectory bind errors is the LDAP Wiki: http://ldapwiki.willeke.com
Active Directory bind errors:
http://ldapwiki.willeke.com/wiki/Common Active Directory Bind Errors
eDirectory bind errors:
http://ldapwiki.willeke.com/wiki/Common Edirectory Bind Errors
OpenLDAP bind errors:
http://www.openldap.org/doc/admin24/appendix-common-errors.html#Common causes of LDAP errors
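Because Typing Quest reports every error 49 the same way, the sub-code has to be read on the directory side. The following added example (not part of the original guide) pulls the Active Directory sub-code out of error 49 messages and separates failures of the bind user from failures of individual users; the log line layout, the DNs and the bind user name are constructed assumptions.

```python
import re

# Active Directory sub-codes carried in the "data" field of an error 49 message.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Assumed line layout (constructed for this example): bind dn="..." result=49 msg="..."
LINE_RE = re.compile(
    r'bind dn="(?P<dn>[^"]*)" result=49 msg="[^"]*?data (?P<sub>[0-9a-fA-F]+),')

SERVICE_BIND_DN = "CN=svc-typing,OU=Service,DC=mycompany,DC=com"  # hypothetical bind user

_AD_MSG = "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data %s, v1db1"
SAMPLE_LOG = [  # constructed sample lines
    '2016-03-01T08:15:02Z bind dn="CN=Ann Lee,OU=Class 7B,OU=Students,DC=mycompany,DC=com" '
    'result=49 msg="' + _AD_MSG % "52e" + '"',
    '2016-03-01T08:15:09Z bind dn="CN=svc-typing,OU=Service,DC=mycompany,DC=com" '
    'result=49 msg="' + _AD_MSG % "775" + '"',
    '2016-03-01T08:16:40Z bind dn="CN=Bo Kim,OU=Staff,DC=mycompany,DC=com" result=0 msg=""',
    '2016-03-01T08:17:11Z bind dn="CN=Cy Roe,OU=Class 7B,OU=Students,DC=mycompany,DC=com" '
    'result=49 msg="' + _AD_MSG % "532" + '"',
]


def triage(lines, service_bind_dn=SERVICE_BIND_DN):
    """Return one finding per error 49 line, with its sub-code decoded."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an error 49 bind result
        sub = m.group("sub").lower()
        is_service = m.group("dn").lower() == service_bind_dn.lower()
        findings.append({
            "scope": "bind user" if is_service else "end user",
            "dn": m.group("dn"),
            "subcode": sub,
            "meaning": AD_SUBCODES.get(sub, "unknown sub-code"),
        })
    return findings


def bind_user_broken(findings):
    """True when the bind user itself fails, which breaks every login, not just one."""
    return any(f["scope"] == "bind user" for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-9s %s: %s (%s)" % (f["scope"], f["subcode"], f["meaning"], f["dn"]))
    print("bind user failing:", bind_user_broken(triage(SAMPLE_LOG)))
```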
4.2 Changes to your LDAP settings
Once LDAP authentication is set up and running, the account administrator can at any time change the bind
method, bind user credentials, and the grouping settings. This is done on the page ‘Tools > LDAP Settings’.
Connection settings can only be modified by Typing Quest’s technical support. The following changes to your
LDAP environment can prevent your students from using Typing Quest. For this reason, we recommend
that you contact us so that we can update your LDAP settings for Typing Quest.
• You renew your SSL certificate and Typing Quest will need to reinstall it.
• You opt to start using or discontinue using SSL.
• You move your LDAP Directory to a different server.
• You make IP Address changes.
• You change your LDAP server provider.
4.3 Discontinuing LDAP authentication
If you decide to discontinue using LDAP authentication, please contact Typing Quest tech support to disable
LDAP login from your Typing Quest account.
Once that is done, all users will need to reset their passwords to be able to continue using Typing Quest as
native users. Resetting the password is done using the ‘Forgot login ID or Password’ link on the login page. A
prerequisite for this is that the user information includes a functioning email address that the user has access to.
If users do not have functioning email addresses in Typing Quest, teachers and account administrators can
change student passwords one by one manually. Mass updating passwords is not possible for security reasons.
If resetting passwords is not possible, as a workaround you can simply stop using the old user accounts. To do
this, first archive all users and next simply create new user accounts for everyone using a different login ID than
what is used in the Directory. In Typing Quest, the unique identifier for each user is their login ID, and new user
accounts can be created with the same first name, last name and email address but just a different login ID. This
way teachers can keep student study records in archive if they want to later revisit the progress reports.