LDAP Authentication Settings

Use the LDAP Authentication page to configure a Lightweight Directory Access Protocol (LDAP) server to authenticate device (multifunction peripheral, digital copier, or digital sender) users. When LDAP authentication is enabled, the user at the device must supply valid credentials (a username and password) to gain access to the digital sending features.

Authentication consists of two interdependent parts. First, the device verifies the user's credentials with the LDAP server. After the device user has supplied valid credentials and has been authenticated, the device searches for the user's e-mail address and name. If either step fails, the user is denied access to the digital sending features.

Use the LDAP Authentication page to set up the parameters that are used to access the LDAP server and searches for the user's information. Note that this page only applies when the Authentication Method on the Authentication Manager page is set to Use internal LDAP.

Accessing the LDAP Server

LDAP Server Bind Method

The LDAP Server Bind Method setting determines how the device will access the LDAP server. Contact your LDAP server administrator to determine which method will work best for you.

Simple - The selected LDAP server does not support encryption. Note that the password, if any, will be sent unencrypted across the network.
Simple over SSL - The selected LDAP server supports encryption using the Secure Sockets Layer (SSL) protocol. All data, including the username and password, will be encrypted. The LDAP server must be set up to support SSL, including configuring a certificate that establishes its identity. Also, the device network interface must be configured with a Certificate Authority (CA) certificate to validate the LDAP server. The CA certificate is configured on the Networking tab of the Web interface. In some LDAP server configurations, a client certificate is also required and is configured on the same Networking tab.

LDAP Server

The LDAP Server setting is the host name or IP address of the LDAP server to be used to authenticate device users. When using SSL, the name or address typed here must match the name in the certificate that the server sends.

Multiple servers can be included in this field by separating their addresses with a vertical bar ('|', ASCII 0x7c) character. This feature can be used, for example, to specify primary and backup servers. The network interface only supports a single Certificate Authority (CA) certificate, so all the LDAP servers in the list must use the same CA.

Port

The Port setting refers to the TCP/IP port number on which the server is processing LDAP requests. Typically, this is port 389 for Simple binds or 636 for Simple over SSL binds.

Bind Prefix

The Bind Prefix setting is the LDAP attribute used to construct the user's Distinguished Name (DN) for authentication. This prefix is combined with the username typed at the control panel to form the Relative Distinguished Name (RDN). Commonly used prefixes are "CN" (for common name) or "UID" (for user identity).

Bind and Search Root

The Bind and Search Root value is used during both phases of authentication. During the credential verification phase, this value is combined with the RDN to construct the full Distinguished Name (DN) of the user. During the user information searching phase, this value is the DN of the LDAP entry where the search begins.

The string consists of "attribute=value" pairs, separated by commas. For example:

ou=engineering,o=Hewlett Packard,c=US

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com

Multiple bind roots can be typed in this field by separating them with a vertical bar ('|', ASCII 0x7c) character. This can be used, for example, to specify alternate LDAP domains. The device will attempt to bind to the LDAP server using each root in the order listed. After successfully performing the binding, the same root is used to search for the device user's information.

Note:

On some LDAP servers, the Bind and Search Root can be left blank. In this case, its root node will be assumed.

Searching the LDAP Database

Match the name entered

When searching for the device user's information in the LDAP database, the contents of the attribute specified in this field are compared to the username that was typed during authentication. This attribute is usually the same as the Bind Prefix.

Retrieve the device user's e-mail address

After the device user has been located in the LDAP database, the user's e-mail address is retrieved from the database by using the LDAP attribute specified in the email address using attribute of field. The user's display name is obtained from the LDAP attribute that is specified in the name using attribute of field.

Test

Use the Test feature to test the validity of your settings before applying them. When you click this button, you are asked to provide user credentials as if you were logging in at the device control panel. If the credentials that you provide are authenticated and the user information is found in the LDAP database, a success message appears. Otherwise, an error message appears indicating why authentication failed.