Thursday, August 17, 2017

Quick Notes: SSL LDAP & Hosted PowerSchool

When I first set up PowerSchool to link with Active Directory, I configured it to use a non-SSL LDAP connection, which sends the service account's bind credentials and every directory query in the clear and isn't exactly ideal. Today I finally got around to fixing it, but some of the instructions from PowerSchool are vague (specifically what format each field is looking for) and resulted in some trial and error on my part.

I'm adding notes regarding what worked for me for anyone who needs to do this, or for myself when I replace the DC I used.

You'll need to:

  • Get Active Directory to accept LDAPS Connections.  These two articles help with this if you don't know how to do it:
    • https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc
    • https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc-configuration
  • Dedicate an external static IP for your domain controller and set up an A record to point to it. I used the internal FQDN for my A record, but there's a field in PowerSchool that may make this unnecessary. I won't include instructions on this because it'll vary by ISP.
  • Set up a firewall rule to allow the hosted PowerSchool servers to communicate with your LDAP server, and nothing else. Simply pinging the hostname of your hosted PowerSchool server won't give you the right IP; the complete list of addresses is available on PowerSource (Article 6687).
  • Create a service account in AD for PowerSchool to use to query Active Directory.
  • Export the Certificate:
    • Launch MMC on the DC you are using.
    • Add the "Certificates" snap-in and select "Computer" then "Local Computer".
    • Choose Personal > Certificates.
    • Right-click the top-level item in the left pane. This should include the FQDN of your domain controller. Click All Tasks > Export.
    • Choose the Base-64 encoded X.509 format to export it.  I just named it with my domain controller's name.
  • Import the Certificate into PowerSchool:
    • Go to Setup System > System Settings > Digital Certificate Management
    • Select the User Trust Store tab and scroll to the bottom.
    • Choose your file, name it, and import it.
  • Set up LDAPS in PowerSchool:
    • Go to Setup System > LDAP Directory Setup
      • LDAP Server Hostname: Use the hostname that you set up in DNS to point to the public static IP you used.
      • LDAP Port:  636
      • Enable SSL:  SSL Enabled (PowerSchool Keystore)
      • Active Directory FQDN:  FQDN of your DC.  I think the existence of this makes it so your LDAP server hostname doesn't necessarily need to match the FQDN, but I haven't tested to confirm.
      • LDAP Admin DN:  Service Account you are using to allow PowerSchool to query AD.
      • LDAP Admin Password:  Password for the above account.
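As an added example (not from the original post or from PowerSchool), here is the certificate export step scripted in PowerShell, followed by a check that the DC's LDAPS listener on 636 actually presents the certificate you just exported. It assumes you run it in an elevated PowerShell on the DC, that `$DcFqdn` (a placeholder value below) is your DC's FQDN, and that the DC's certificate lives in the Local Computer Personal store as in the MMC steps above.

```powershell
# Added example, not part of the original post.
$DcFqdn  = 'dc1.example.internal'          # placeholder: your DC's FQDN
$OutFile = "C:\Temp\$DcFqdn.cer"           # Base-64 X.509 file to import into PowerSchool

# Pick the computer certificate LDAPS will present: has a private key,
# carries the Server Authentication EKU, and names the DC in CN or SAN.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        ($_.Subject -like "*CN=$DcFqdn*" -or $_.DnsNameList.Unicode -contains $DcFqdn)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-auth certificate for $DcFqdn in LocalMachine\My" }

# Write it as Base-64 encoded X.509 (PEM), the format the User Trust Store import expects.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
Write-Host "Exported $($cert.Thumbprint) to $OutFile"

# Open a TLS session to port 636 and compare the presented certificate's
# thumbprint with the exported one. The callback returns $true only so the
# handshake completes; the thumbprint comparison below is the real check.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
$ssl.AuthenticateAsClient($DcFqdn)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
if ($remote.Thumbprint -ne $cert.Thumbprint) {
    throw "LDAPS on $DcFqdn presents $($remote.Thumbprint), not the exported $($cert.Thumbprint)"
}
Write-Host "LDAPS on ${DcFqdn}:636 presents the exported certificate."
```

Running the second half from a machine outside your network, with `$DcFqdn` set to the public hostname you put in the LDAP Server Hostname field, also confirms the A record and the firewall rule before you save the PowerSchool settings.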