Configuring Logins
All login configurations take place in the Site Settings. These can be accessed from the “Administration” tab, under the “Site Administration” heading, by clicking on the “Edit site settings” option. Once in the site settings, click on the “Security” section.
Login Security
The login security settings, found on the Administration tab, under Site Settings, are shown in the screenshot below.
The general settings are shown at the top. These control what happens to users who repeatedly get their passwords wrong. The “Failed login limit” is the number of times a user can get their password wrong before the lock-out time is imposed on their computer’s IP address.
During the “Lockout time”, they are unable to attempt any further logins.
The “Login time out” is the number of minutes that ADAM will keep a user logged in without them performing any functions on ADAM in that time. Note that as soon as they close their web browser, they will also be logged out.
Other settings, discussed later, are also shown.
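As an added illustration of how the three general settings interact (this is example code written for this page, not ADAM's own implementation), the class below counts wrong passwords per client IP address, imposes the lock-out once the limit is reached, and expires sessions that have been idle longer than the login time-out. The setting names and default values are constructed; times are plain epoch seconds so the logic can be exercised without a clock.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed defaults that mirror the three general settings above; the
# names are this example's own, not ADAM's configuration keys.
FAILED_LOGIN_LIMIT = 5            # "Failed login limit"
LOCKOUT_SECONDS = 15 * 60         # "Lockout time"
LOGIN_TIMEOUT_SECONDS = 30 * 60   # "Login time out" (idle time before a session ends)


@dataclass
class _IpRecord:
    failures: int = 0
    locked_until: Optional[float] = None   # epoch seconds; None when not locked


@dataclass
class LoginGuard:
    """Counts wrong passwords per client IP address and expires idle sessions."""
    limit: int = FAILED_LOGIN_LIMIT
    lockout: float = LOCKOUT_SECONDS
    timeout: float = LOGIN_TIMEOUT_SECONDS
    ips: Dict[str, _IpRecord] = field(default_factory=dict)
    sessions: Dict[str, float] = field(default_factory=dict)   # session id -> last activity

    def is_locked(self, ip: str, now: float) -> bool:
        rec = self.ips.get(ip)
        if rec is None or rec.locked_until is None:
            return False
        if now >= rec.locked_until:
            self.ips[ip] = _IpRecord()   # lock-out has expired; start counting afresh
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Processes one login attempt; returns 'locked', 'denied' or 'granted'."""
        if self.is_locked(ip, now):
            return "locked"              # nothing is evaluated while the address is locked
        rec = self.ips.setdefault(ip, _IpRecord())
        if not password_ok:
            rec.failures += 1
            if rec.failures >= self.limit:
                rec.locked_until = now + self.lockout
                return "locked"
            return "denied"
        self.ips[ip] = _IpRecord()       # a correct password clears the failure count
        return "granted"

    def touch(self, session_id: str, now: float) -> bool:
        """Records activity for a session; returns False if it had already timed out."""
        last = self.sessions.get(session_id)
        if last is not None and now - last > self.timeout:
            del self.sessions[session_id]
            return False
        self.sessions[session_id] = now
        return True
```

Note that a correct password submitted during the lock-out period is still refused: the lock applies to the address, not to the credentials, which is what stops a guessing loop from continuing the moment it hits the right value.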
Staff Logins
The staff login option is always available from the main login screen. Staff will enter their usernames and passwords here. ADAM will then consider how that staff member is to be authenticated and pass the login credentials to the authentication mechanism.
ADAM can either authenticate staff using its local database and a locally stored password, by sending the login details to an Active Directory LDAP server or to a POP3 mail server.
An internal password asks ADAM to manage a password for the teacher concerned. The other two options, “POP3 Mail Server” and “Active Directory LDAP Authentication” rely on other servers being available. If a staff member has one of these methods selected, then ADAM will simply use the specified server to perform a login using the details that the user provides. If the server accepts the login, then ADAM, in turn, allows the login.
This helps users by reducing the number of passwords that they need to remember. In the case of Active Directory, lockout policies that block users after a number of incorrect attempts are also enforced. This increases the security of your data.
The authentication method for each staff member is set in his or her staff information page and the school can have any combination of the different authentication methods.
Setting an authentication method
Each staff member can use one of the three authentication methods. They are set individually.
To change a staff member’s authentication method, you will need to edit the staff member’s information (Staff > Staff Administration > Edit a teacher’s personal information). At the bottom of the page is an option to choose the authentication method:
Configuring Active Directory LDAP Authentication
In order for ADAM to process Active Directory LDAP authentication, it must be pointed to an Active Directory server. This setup is done in the class_config.php file, which will be located in the ADAM install folder. The specific options to look for are:
- ad accsuf: This is set to the domain suffix. This is normally a string starting with “@” followed by the domain name. E.g. @myschool.local
- ad basedn: This is the base domain name. It consists of the same information as above, but given in the following format: DC=myschool,DC=local
- ad domcon: This is an array of IP addresses of domain servers which should be consulted.
In all cases, the files must obey strict PHP syntax and thus should be edited with care.
In order to associate an account on ADAM with a user account in Active Directory, the user must have the same username set in ADAM as they would use in Active Directory. The following procedure is followed on login:
- ADAM checks that the username entered matches a staff member in the database.
- Then ADAM will check that the staff member in question is “current” – that is, their start date is in the past, and their end date is in the future.
- Then ADAM takes the username and password that were provided and attempts a login on the Active Directory LDAP server. If the Active Directory LDAP server grants access, the username and password that were supplied must be correct and ADAM will grant the login.
Access is only granted if all three steps can be followed.
Configuring POP3 Authentication
In order for ADAM to process POP3 authentication, it must be given a POP3 server to use. This is done in the “Site Settings” page (Administration / Site Administration / Edit Site Settings) and clicking on the “Security” tab.
- Enter in the IP address of your POP3 Server into the first box.
- If your POP3 server requires use of a different port (it almost certainly will if SSL and TLS are implemented).
- Consult your POP3 server requirements to determine whether SSL and TLS should be enabled. If in doubt, try with both set to “No”.
- The POP3 user name suffix is useful if all your users need to authenticate to your POP3 server with their whole e-mail address.
- By adding in the domain portion of the email address (e.g. “@example.com”), ADAM will automatically append that to the end of the username that the users supply.
- Example: my POP3 server requires me to log in with the full e-mail address bob@example.com. If I set “@example.com” as the domain suffix, then I can just enter the username “bob” on the front login screen, and as the staff login name, and ADAM will automatically send the login name “bob@example.com” when attempting to log in to the service.
In order to associate an account on ADAM with a user account on a mail server, the user must have the same username set in ADAM as they would use to authenticate to the POP3 server. The following procedure is followed on login:
- ADAM checks that the username entered matches a staff member or pupil in the database.
- Then ADAM will check that the staff member or pupil in question is “current” – that is, their start date is in the past, and their end date is in the future.
- Then ADAM takes the username and password that were provided and attempts a login on the POP3 server. If the POP3 server grants access, the username and password that were supplied must be correct and ADAM will grant the login.
Access is only granted if all three steps can be followed.
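The three-step procedure is the same for Active Directory LDAP and for POP3; only the server that is asked in the last step differs. The following is an added example written for this page (not ADAM's code) that runs those steps for either method. The external server is replaced by a constructed stand-in so it runs offline; the staff table, dates and passwords are made up, and the helper that derives the base DN from the account suffix is this example's own way of checking that the two class_config.php values agree.

```python
from typing import Callable, Dict

# Stand-in for the external server: takes the full login name and password and
# returns True if the server accepts them. In a real deployment this would be
# an LDAP bind or a POP3 USER/PASS exchange.
Verifier = Callable[[str, str], bool]

# Constructed staff table: username -> start/end dates as ISO strings
# (ISO date strings compare correctly as text, which avoids date parsing).
STAFF: Dict[str, Dict[str, str]] = {
    "bob":   {"start": "2020-01-01", "end": "2030-12-31"},
    "carol": {"start": "2012-01-01", "end": "2016-12-31"},   # has left the school
}


def build_login_name(username: str, suffix: str) -> str:
    """Appends the configured suffix ("@myschool.local" for AD, "@example.com"
    for POP3) to the username the user typed, as described above."""
    return username + suffix


def basedn_from_suffix(suffix: str) -> str:
    """Derives the base DN from the account suffix so the two settings can be
    checked against each other: "@myschool.local" -> "DC=myschool,DC=local"."""
    domain = suffix.lstrip("@")
    return ",".join("DC=" + part for part in domain.split("."))


def fake_directory(accounts: Dict[str, str]) -> Verifier:
    """Constructed AD/POP3 stand-in that accepts only the listed name/password pairs."""
    return lambda login_name, password: accounts.get(login_name) == password


def external_login(users, username, password, today, suffix, verify) -> str:
    """Runs the three steps from the text; returns 'granted' or a denial reason."""
    # Step 1: the username must match a record in ADAM's own database.
    user = users.get(username)
    if user is None:
        return "denied: unknown user"
    # Step 2: the account must be current (start in the past, end in the future;
    # this example treats the boundary dates as inclusive).
    if not (user["start"] <= today <= user["end"]):
        return "denied: not current"
    # Step 3: only now are the credentials handed to the external server. ADAM
    # holds no password for this user and simply accepts the server's verdict.
    if not verify(build_login_name(username, suffix), password):
        return "denied: server rejected credentials"
    return "granted"
```

The order of the steps matters: an account that ADAM no longer considers current is refused before the directory is ever consulted, so a password that is still valid on the mail server or in Active Directory does not reopen a departed staff member's ADAM access, and credentials for names ADAM does not know are never forwarded to the external server at all.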
Configuring Internal Passwords
Sometimes, especially for temporary staff members, it is easier to create an internal password within ADAM. This is generally NOT a good idea, since by using your Active Directory authentication (see page ) or POP3 authentication (see page ), more sophisticated restrictions can be applied to the passwords, including lockout times if the password is guessed incorrectly a certain number of times. These features do not apply to internal passwords.
An internal password can be set when the staff member is created. Alternatively, a password can be set and changed using the “Change a teacher’s password” option on the “Staff” tab, under the “Security Administration” heading.
Note that ADAM never stores the passwords themselves. Following currently recommended guidelines, it stores each password only as an irreversible “salted hash”. This dramatically increases the difficulty of brute-force cracking the passwords. It also means that it is essentially impossible to tell what a stored password is, even for an administrator. More information here: Security Administration and here https://en.wikipedia.org/wiki/Salt_(cryptography)
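To show what “salted hash” means in practice, here is an added example (written for this page, not ADAM's own password code) using PBKDF2-HMAC-SHA256 from the Python standard library. The format of the stored string and the iteration count are this example's choices; the page does not state which algorithm or parameters ADAM uses.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example, not taken from ADAM.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # slows each guess; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns '<algorithm>$<iterations>$<salt hex>$<hash hex>' for storage.

    A fresh random salt per password means two users with the same password
    get different stored values, and precomputed tables are useless against
    the whole table at once: each entry has to be attacked separately."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGORITHM, str(ITERATIONS), salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recomputes the hash with the stored salt and parameters and compares it
    in constant time. The original password is never recovered, only checked."""
    try:
        algorithm, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False                      # malformed record: refuse rather than guess
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Storing the iteration count alongside the hash lets the parameters be raised later without invalidating existing records: old entries keep verifying with their own count and can be rehashed at the user's next successful login.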
Allowing staff to change their own passwords
If staff use internal passwords, administrators should ensure that they belong to a privilege group that gives them the ability to change their passwords (this is not needed with other login mechanisms, since ADAM never stores those passwords and thus cannot change them). For more information on changing privileges, see the section “Security Administration”.
Staff can change their passwords by clicking on the “Staff” tab and then looking under the “Security Administration” heading. An option should appear there to “Change your own password”.
In the window that appears, the user will have to type in their existing password, and their new password twice for confirmation:
The password is finally changed by clicking on the “Change password” button.
Google Sign-In for Staff and Pupils
Schools that make use of Google’s Workspace for their email, can make use of Google’s Sign-In to authenticate staff and pupils to ADAM.
Requirements
- ADAM must be running on a Linux server. When a user completes the sign-in process, Google returns a signed token to the server. The server requires various cryptographic libraries to ensure that this token is genuine. Unfortunately, these libraries are not included in the Windows versions of PHP. There are lots of other good reasons to switch to Linux!
- Your server’s URL must be white-listed by us before you enable Google Sign-In. Failure to do this can delay final implementation since your URL then is temporarily blacklisted by Google.
- Your staff and pupils must have their Google Workspace addresses included as their work or school email addresses. This email address must match their Google Workspace account. Note that users who have email aliases stored in ADAM will not be able to sign on using Google Sign-In.
Parent Logins
If your ADAM website does not show “Parent Login” on the Login tab, then you will need to adjust the privileges assigned to the group “Logged Out”. These steps are not needed by most servers.
- On the “Administration” tab, under the “Staff Groups” heading, click on the option to “Manage staff groups”.
- Edit the privileges of the group “Logged Out” by clicking on the “privileges” option.
- On the “Login” tab, click on the check-box next to the “Parent Login” option.
Note that simply allowing the menu option to appear will not automatically allow parents to log in.
Parent logins can be enabled on the “Site Settings” page (Administration / Site Administration / Edit Site Settings) and clicking on the “Pupil & Family Login” section. Once there, the “Allow family logins?” option should be set to “Yes”.
The ADAM database requires three pieces of information to allow parent logins:
- Their ID or passport number
- Their cellphone number
- A valid email address that they can receive mail on.
The first time that a parent logs into ADAM, they will be required to enter their ID number (or passport number) and their cellphone number. If ADAM finds matching records in the database, it will send the parent an email with a link to set their password.
Subsequent logins will require their ID number and their recently set password.
We have compiled a separate document with instructions for parents that you can modify for your needs.
Privileges for parents are determined by pupil login groups.
Pupil Logins
If your ADAM website does not show “Pupil Login” on the Login tab, then you will need to adjust the privileges assigned to the group “Logged Out”. These steps are not needed by most servers.
- On the “Administration” tab, under the “Staff Groups” heading, click on the option to “Manage staff groups”.
- Edit the privileges of the group “Logged Out” by clicking on the “privileges” option.
- On the “Login” tab, click on the check-box next to the “Pupil Login” option.
Note that simply allowing the menu option to appear will not automatically allow pupils to log in.
Pupil logins can be enabled and their authentication method set on the “Site Settings” page (Administration / Site Administration / Edit Site Settings) and clicking on the “Pupil & Family Login” section. Once there, the “Allow pupil logins?” option should be set to “Yes”.
The authentication method used for pupils is a global setting and cannot be controlled individually. They can either make use of the Active Directory LDAP Authentication or the POP3 Authentication as used and described in the Staff Logins section.
Privileges for pupils are determined by pupil login groups.
Login Notifications
ADAM can send a login notification to any user (staff, pupil or parent) to notify them of their login to the system. To prevent ADAM from notifying them of every login, ADAM can be configured to send notifications only when they log into a new computer.
To allow this to happen, ADAM stores a cookie on the computer with an expiry date set long into the future. At each login, the cookie is sent with the login request. ADAM can thus tell whether the user has logged onto that machine before or not.
ADAM sends a notification under the following circumstances:
- Login notifications must be turned on in the Site Settings; and
- The user has a valid email address configured; and
- Either:
- The user logs onto a computer that they have not logged into before; or
- It has been a set number of days (configured in Site Settings) since the user first logged into that computer.
Note that if a user clears all their browser cookies, ADAM will interpret this as the user logging on to a new computer. The only effect that this will have is that a notification will be sent warning them.
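The decision rules listed above, carried through as an added example (written for this page, not ADAM's code). The cookie format is this example's own choice: the browser holds only an opaque random token, and the server keeps the matching record of who it was issued to and when, so a forged or copied cookie cannot suppress a notification. The “Remember logged-in machines for” value is modelled as a number of days with 0 meaning disabled, the e-mail check is a constructed minimal one, and restarting the clock after a reminder is an assumption the page does not state.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

DAY = 86400   # seconds


@dataclass
class Settings:
    # Mirrors "Remember logged-in machines for"; 0 stands for "disabled".
    remember_days: int = 30


@dataclass
class MachineStore:
    """Server-side record of issued cookies: token -> (username, first login time).
    The cookie value itself carries no information, so only the server can say
    whether a machine has been seen before."""
    records: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)   # unguessable value for the long-lived cookie
        self.records[token] = (username, now)
        return token


def is_valid_email(email: Optional[str]) -> bool:
    """Constructed minimal check; ADAM's own address validation is not shown here."""
    return bool(email) and "@" in email and "." in email.rsplit("@", 1)[-1]


def decide_login(settings: Settings, store: MachineStore, username: str,
                 email: Optional[str], cookie: Optional[str], now: float):
    """Applies the notification rules to one login.
    Returns (send_notification, cookie_value_to_set_in_the_browser)."""
    if settings.remember_days <= 0:
        return False, None                  # feature disabled in Site Settings
    record = store.records.get(cookie) if cookie else None
    if record is not None and record[0] == username:
        if now - record[1] < settings.remember_days * DAY:
            return False, cookie            # known machine within the period: stay quiet
        store.records.pop(cookie)           # period lapsed; assumption: restart the clock
    # Either no usable cookie (new computer, cookies cleared, or another user's
    # cookie) or the remembered period has lapsed: issue a fresh cookie and notify.
    token = store.issue(username, now)
    # The cookie is set regardless; the notification needs an address to go to.
    return is_valid_email(email), token
```

Because the cookie is bound to a username on the server, another user logging in on the same browser is treated as a new machine for that user, and clearing cookies simply produces one extra notification, exactly as the note above describes.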
Changing Login Notification Settings
In the Site Settings, navigate to the “Security” tab and scroll down to the section “Login Settings”. Search for the setting “Remember logged-in machines for” and change it to any value other than “disabled” to enable the notifications.
Login Notification Emails
The login notification email appears as follows:
In the email, a link is presented that will allow the user to block their ADAM user. This will have the effect of logging out all currently logged in instances of their user account (throwing a possible intruder out of the system) as well as preventing any future logins.
An ADAM Administrator will be required to allow access for the user again. When a user account is blocked in this fashion, their Authentication Method in their profile is set to Disabled. It would thus need to be changed to reflect their actual authentication method (normally either Internal Password or Active Directory).