LDAP/Secure LDAP Authentication

LDAP authentication can be used to connect to Active Directory and other LDAP-compliant directory services.

Most Vivi installations use Active Directory. This creates efficiencies for both administrators and users. Users can log in to Vivi using their existing credentials (username and password). Administrators do not need to maintain a separate user management system for Vivi.

When a user logs in, they inherit the appropriate roles depending on the groups they are assigned to in your organisation's AD.

Please note: Enabling LDAP authentication will disable Vivi standard authentication.

Preparation steps

Vivi Administrator

A Vivi Administrator user will need to be created in the LDAP directory. The Vivi Administrator will need permission to search users and access basic user attributes, including group membership.

The full distinguished name of the Vivi Administrator is required, for example "cn=ViviAdmin,ou=Users,dc=example,dc=com".

IP Address Whitelisting

The Vivi administration server needs to be able to access the LDAP directory server.

The IP addresses of our administration server are 13.55.174.24 and 13.55.155.119 - you need to whitelist these so we can access your server. Please also ensure that there are no restrictions on IP addresses outside of your country.

Depending on the setup of your environment, this could require both a network firewall change and the IP addresses being granted access (within the Directory server itself) to connect.

Groups to support Vivi roles

The following groups will need to be created within the LDAP Directory:

  • Presenter Group – users who are allowed to have the Presenter role.

  • Student Group – users who are allowed to access Vivi. If left un-set, everyone in the LDAP Directory will gain access. Please consider whether access to all users is suitable or not for your organisation before leaving this setting un-set.

  • Emergency Authorised Group – users who are allowed to trigger emergencies. This can be set manually within Vivi Central if a group is not provided.

  • IT Admin group – users who can have admin access to Vivi Central. This can be set manually within Vivi Central if a group is not provided. If the group is set, existing IT Admins will lose their admin access since the Vivi Central role will no longer be relevant.

  • E-Learning Admin group – users who can access metrics in Vivi Central. This can be set manually within Vivi Central if a group is not provided.

If any of these categories are covered by existing groups, the existing groups can be used. It is also possible to include more than one group for each of the above settings. This allows members of any of the listed groups to gain access to the relevant role.

The full distinguished name of each group is required, for example: "cn=ViviPresenters,ou=Users,dc=example,dc=com".

Please note: Nested groups are supported for the Presenter and Student groups.

Server settings

The following server settings are required.

LDAP Hostname – The IP address or hostname of the LDAP Directory server.

LDAP Port – This is usually 389 for LDAP, or 636 for secure LDAP. Secure LDAP is recommended.

LDAP Security – The connection security type to use. This can be:

  • "None" where all transactions will occur via plain text. This is not recommended.

  • "LDAPS" where LDAP is tunnelled through TLS.

  • "StartTLS" where TLS is used within LDAP.

LDAP Tree Base – This is the base distinguished name for the LDAP Directory hierarchy, for example "dc=example,dc=com".

About distinguished names

Please note, the distinguished names (DN) shown above are illustrative only. Yours will be different. The best way in Active Directory to find the actual DN you need is to:

  • Find the object in Active Directory

  • Right click on the object and select "Properties"

  • Navigate to the Attribute Editor and look for "distinguishedName" in the attributes

  • Copy and paste the value.

Enabling LDAP authentication

To enable LDAP or Secure LDAP authentication:

  • Select the "Organisation" link in Vivi Central.

  • Select the "Authentication" link in the menu at the top of the screen.

  • Click "Edit".

  • Select "LDAP" as the Authentication Type.

  • Enter the server connection settings: LDAP hostname, LDAP port, type of connection, LDAP Tree Base domain name.

  • Enter the Vivi admin details: LDAP Admin DN, LDAP Admin Password.

  • Enter the Vivi groups: LDAP Presenter Group, LDAP Student Group, LDAP Emergency Authorised Group, LDAP IT Admin, LDAP E-Learning Group. To enter multiple groups for any of these, use the | (pipe) character to separate the groups.

  • Click on "Save Changes" to confirm the changes.

LDAP authentication should now be ready to test. Open the Vivi App (or restart if already open) and attempt to sign in with the username and password of an account in one of the appropriate groups.
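A pre-flight check for the values entered in the steps above, as an added example that is not part of Vivi's documentation or software. The dictionary key names are hypothetical, the sample values are constructed from the page's illustrative DNs, and the check assumes every DN should sit under the LDAP Tree Base.

```python
import re

# Hypothetical key names for the values typed into Vivi Central; not a Vivi API.
GROUP_KEYS = ("presenter_group", "student_group", "emergency_group",
              "it_admin_group", "elearning_group")
# One RDN: attribute type (name or dotted OID), "=", then a non-empty value.
RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=\s*\S.*$")

def split_unescaped(text, sep):
    """Split on sep, skipping separators preceded by a backslash."""
    return re.split(r"(?<!\\)" + re.escape(sep), text)

def is_full_dn(dn, base):
    """True if dn is well formed and sits under the tree base (assumption)."""
    norm = lambda s: re.sub(r"\s*([=,])\s*", r"\1", s.strip()).lower()
    parts = split_unescaped(dn.strip(), ",")
    return (all(RDN.match(p) for p in parts)
            and norm(dn).endswith("," + norm(base)))

def lint(cfg):
    """Return a list of findings for a dict of planned LDAP settings."""
    out = []
    sec, port, base = cfg.get("security"), cfg.get("port"), cfg.get("base", "")
    if sec == "None":
        out.append("security: 'None' means all transactions are plain text")
    if (sec, port) in {("LDAPS", 389), ("StartTLS", 636), ("None", 636)}:
        out.append(f"port: {port} is unusual for security type {sec}")
    if not is_full_dn(cfg.get("admin_dn", ""), base):
        out.append("admin_dn: not a full DN under the tree base")
    if cfg.get("it_admin_group", "").strip():
        out.append("it_admin_group: set, existing IT Admins lose admin access")
    for key in GROUP_KEYS:
        value = cfg.get(key, "").strip()
        if key == "student_group" and not value:
            out.append("student_group: unset, everyone in the directory gains access")
        # Multiple groups for one role are separated with the | character.
        for dn in (value.split("|") if value else []):
            if not is_full_dn(dn, base):
                out.append(f"{key}: {dn.strip()!r} is not a full DN under the tree base")
    return out

# Constructed sample values, reusing the page's illustrative DNs.
SAMPLE = {
    "security": "None", "port": 389, "base": "dc=example,dc=com",
    "admin_dn": "cn=ViviAdmin,ou=Users,dc=example,dc=com",
    "presenter_group": "cn=ViviPresenters,ou=Users,dc=example,dc=com|ViviStaff",
    "student_group": "",
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty list from `lint` means none of the settings hit a condition this page warns about; it does not confirm that the directory server accepts the bind.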