Search bases and filters – The user record is searched in the LDAP tree, based on the search base and search filter. For each of the three defined LDAP servers, it is possible to define up to five bases and filters. If a search base/search filter pair does not yield exactly one result (either no result or more than one), the search step is repeated with the next provided search base/search filter.
Following is an example of a search base and search filter for querying the LDAP server. The search base defines the LDAP base to be searched and the search filter defines the LDAP user.
Search base: o=City University,st=New York,c=US
Search filter: uid=johndoe
In the above example, if a user named johndoe is trying to log in to Alma, the LDAP server is searched on the base City University, filtering the results by uid=johndoe.
NOTE: The filter syntax can be any of the following: uid=, uid, or uid=USERNAME. In all three of these cases, Alma searches for uid=<the entered login user name>.
Match ID – For each of the three defined LDAP servers, the LDAP user needs to be mapped to a user that Alma recognizes. One of the user attributes that is returned by LDAP should be used as a matching point in Alma.
In order to authenticate users with LDAP, they must have an identifier, unique cross-institution, that matches this attribute. This identifier can be the primary identifier, or any other identifier that is unique cross-institution.
For example, the LDAP server can return the attribute:
cn: Becky Orange
If the cn attribute is defined as a matching point, a user in Alma with the Becky Orange identifier should exist. If a user is authenticated in LDAP, but no matching user is found in Alma, the user is logged in, but has permissions to access the default areas only.
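The two steps above (trying each search base/filter pair until exactly one record is found, then mapping a returned attribute such as cn to an Alma identifier) are simulated below in an added Python example. It is not Alma's code and not an Ex Libris artifact: the directory contents, the two-entry Alma user table, the base/filter list and the `alma_login`/`find_ldap_user` function names are all constructed for illustration, and the password bind is assumed to have succeeded before this logic runs. The example also escapes the entered login name per RFC 4515 before placing it in the filter; the page does not state how Alma does this, so treat that as an added safeguard rather than documented behaviour.

```python
"""Simulated Alma-style LDAP login: base/filter iteration, then Match ID lookup."""

# Constructed sample directory: DN -> attributes (not any real institution's data).
# johndoe appears twice under the organisation, so a search over the whole
# organisation is not unique and the next base/filter pair must be tried.
DIRECTORY = {
    "uid=johndoe,ou=people,o=City University,st=New York,c=US": {
        "uid": "johndoe", "cn": "John Doe"},
    "uid=johndoe,ou=alumni,o=City University,st=New York,c=US": {
        "uid": "johndoe", "cn": "John Doe (alumnus)"},
    "uid=borange,ou=people,o=City University,st=New York,c=US": {
        "uid": "borange", "cn": "Becky Orange"},
}

# Constructed Alma-side user table, keyed by the identifier that the
# Match ID attribute (cn here) must equal. John Doe is deliberately absent.
ALMA_USERS = {"Becky Orange": {"roles": ["Circulation Desk Operator"]}}

# Up to five (base, filter) pairs per server; tried in order.
LDAP_CONFIG = [
    ("o= City University, st=New York ,c=US", "uid="),        # too broad for johndoe
    ("ou=people,o=City University,st=New York,c=US", "uid"),  # tried next
]


def escape_filter_value(value):
    """RFC 4515 escaping so the login name cannot change the filter structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    """Inverse of escape_filter_value, used by the simulated server side."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 3 <= len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def build_filter(configured, username):
    """Normalise 'uid=', 'uid' or 'uid=USERNAME' to '(uid=<entered name>)'."""
    attr = configured.split("=", 1)[0].strip()
    return "(%s=%s)" % (attr, escape_filter_value(username))


def normalise_dn(dn):
    """Drop stray whitespace around RDN attribute names and values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        parts.append(attr.strip() + "=" + val.strip())
    return ",".join(parts)


def search(base, ldap_filter):
    """Equality-only subtree search over the simulated directory."""
    attr, raw = ldap_filter[1:-1].split("=", 1)
    wanted = unescape_filter_value(raw)
    base = normalise_dn(base)
    return [(dn, attrs) for dn, attrs in DIRECTORY.items()
            if normalise_dn(dn).endswith(base) and attrs.get(attr) == wanted]


def find_ldap_user(username, bases_and_filters):
    """Try each (base, filter) pair in order; stop at the first unique hit."""
    for base, configured in bases_and_filters:
        hits = search(base, build_filter(configured, username))
        if len(hits) == 1:
            return hits[0]
        # zero or several results: fall through to the next pair
    return None


def alma_login(username, bases_and_filters, match_attr="cn"):
    """Resolve the LDAP record, then map the Match ID attribute to an Alma user."""
    entry = find_ldap_user(username, bases_and_filters)
    if entry is None:
        return {"status": "denied"}
    _dn, attrs = entry
    identifier = attrs.get(match_attr)
    user = ALMA_USERS.get(identifier)
    if user is None:
        # authenticated in LDAP but unknown to Alma: default areas only
        return {"status": "default-only", "identifier": identifier}
    return {"status": "ok", "identifier": identifier, "roles": user["roles"]}


if __name__ == "__main__":
    for name in ("borange", "johndoe", "nobody", "*"):
        print(name, "->", alma_login(name, LDAP_CONFIG))
```

Running the block shows borange matched on the first pair, johndoe only on the second (the organisation-wide search returns two records), an unknown name denied, and a wildcard login name escaped to `\2a` so it matches nothing instead of every uid.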
For further details on configuring the LDAP profile, see Alma OLH.
The LDAP authentication workflow is illustrated in the following diagram: