LDAP Authentication Settings

Use the LDAP Authentication page to configure a Lightweight Directory Access Protocol (LDAP) server to authenticate device (multifunction peripheral, digital copier, or digital sender) users. When LDAP authentication is selected as the Log In Method for one or more Device Functions on the Authentication Manager page, the user at the device must enter valid credentials (username and password) to gain access to those functions.

Authentication consists of two interdependent parts. First, the device verifies the user's credentials with the LDAP server. After the device user has supplied valid credentials and has been authenticated, the device searches for the user's e-mail address and name. If either step fails, the user is denied access to the functions that have been configured to require LDAP authentication.

Use the LDAP Authentication page to set up the parameters that are used to access the LDAP server and to search for the user's information. Note that this page only applies when LDAP is selected as a Log In Method on the Authentication Manager page.

Accessing the LDAP Server

LDAP Server Bind Method

The LDAP Server Bind Method setting determines how the device will access the LDAP server. Contact your LDAP server administrator to determine which method will work best for you.

LDAP Server

The LDAP Server setting is the host name or IP address of the LDAP server to be used to authenticate device users. When using SSL, the name or address typed here must match the name in the certificate that the server sends.

Multiple servers can be included in this field by separating their addresses with a vertical bar ('|', ASCII 0x7c) character. This feature can be used, for example, to specify primary and backup servers. The network interface only supports a single Certificate Authority (CA) certificate, so all the LDAP servers in the list must use the same CA.

Port

The Port setting refers to the TCP/IP port number on which the server is processing LDAP requests. Typically, this is port 389 for Simple binds or 636 for Simple over SSL binds.


Search Credentials

LDAP Authentication uses two different methods to authenticate the user.

The first method, called Use Device User Credentials, attempts to "construct" the user's DN (Distinguished Name) for the purpose of authenticating ("binding") to the LDAP directory. The DN Prefix (the Bind Prefix field) is added to the beginning of the string that the user enters at the control panel, and the result is appended to the Bind and Search Root string. For example, a DN prefix of "CN" combined with the user-entered string john.doe@nasa.gov and the bind and search root OU=Engineering,DC=NASA,DC=GOV results in the user DN CN=john.doe@nasa.gov,OU=Engineering,DC=NASA,DC=GOV.

The second method, called Use Administrator's Credentials, attempts to search for the user's DN instead of trying to construct it. With this method, the administrator's credentials (DN and password) are used for the initial bind, and a search for the DN of the user who is attempting to authenticate takes place. When this user DN is returned, the device attempts to authenticate using the retrieved DN value and the password that the user entered at the device control panel. If this authentication is successful, the user's e-mail address is retrieved and the user is granted access to the device.

The Use Device User Credentials method should be used when all users are located in the same container in the LDAP directory, and when the first term in the user DN is something that the user would normally use to authenticate. Note that multiple bind and search roots may be entered if they are separated by the “|” character, and the device will iteratively attempt to authenticate the user using each of the bind and search root values. This method can be used if users are located in a few containers in the LDAP directory.

The Use Administrator's Credentials method should be used when users are located in multiple user containers, or when the first term in the user DN is not something that each user is familiar with or uses to authenticate on other systems. With this method, a user can be prompted to enter any unique LDAP attribute, for example sAMAccountName, or even the user's phone number (the telephoneNumber attribute).

Use Device User Credentials

This method uses the Bind Prefix, the string that the user enters at the control panel, and the Bind and Search Root to construct the User DN. The constructed User DN is used to authenticate the user.

Bind Prefix

The Bind Prefix setting is the LDAP attribute used to construct the user's Distinguished Name (DN) for authentication. This prefix is combined with the username typed at the control panel to form the Relative Distinguished Name (RDN). Commonly used prefixes are "CN" (for common name) or "UID" (for user identity).

Use Administrator Credentials

Administrator DN

This is the DN (Distinguished Name) of a user who has read access to the LDAP directory. The account entered here does not have to have administrative access to the directory. Read access is sufficient.

Administrator Password

The password of the user whose DN was entered in the Administrator DN field.

Searching the LDAP Database

Bind and Search Root

When the Use Device User Credentials method is selected, the Bind and Search Root value is used during both phases of authentication. During the credential verification phase, this value is combined with the RDN to construct the full Distinguished Name (DN) of the user. During the user information searching phase, this value is the DN of the LDAP entry where the search begins.

When the Use Administrator Credentials method is selected, the Bind and Search Root is only used as a search root. The base of the LDAP directory can be specified as the search root, in which case the device searches the entire LDAP tree for the user object corresponding to the username entered at the device.

The string consists of "attribute=value" pairs, separated by commas. For example:

ou=engineering,o=Hewlett Packard,c=US

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com

When the Use Device User Credentials method is selected, multiple bind roots can be typed in this field by separating them with a vertical bar ('|', ASCII 0x7c) character. This can be used, for example, to specify alternate LDAP domains. The device attempts to bind to the LDAP server using each root in the order listed. After successfully binding, the same root is used to search for the device user's information.

LDAP Attribute that Matches Login ID

When searching for the device user's information in the LDAP database, the contents of the attribute specified in this field are compared to the username that was typed during authentication. This attribute is usually the same as the Bind Prefix.

Retrieve the device user's

e-mail address using attribute of

After the device user has been located in the LDAP database, the user's e-mail address is retrieved from the database by using the LDAP attribute specified in the "e-mail address using attribute of" field.

and name using the attribute of

The user's display name is obtained from the LDAP attribute that is specified in the "name using the attribute of" field.
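The following added example (not HP's code, and not a description of how the device's firmware is implemented) models the two methods described under Search Credentials, the '|'-separated Bind and Search Root handling, and the attribute lookups of the three fields above, against a constructed in-memory directory so the flow can be run offline. The directory entries, account names, passwords and the RFC 4514 escaping of the control-panel input are assumptions of this example.

```python
# Added example (not HP's code): models both LDAP Authentication methods on this
# page against a constructed in-memory directory. All entries are made up.
DIRECTORY = {  # lowercase DN -> attributes
    "cn=jane.roe,ou=engineering,dc=example,dc=com": {
        "sAMAccountName": "jroe", "mail": "jane.roe@example.com",
        "displayName": "Jane Roe", "userPassword": "s3cret"},
    "cn=ldapreader,ou=service,dc=example,dc=com": {  # read-only search account
        "sAMAccountName": "ldapreader", "userPassword": "r3ad-0nly"},
}

def escape_rdn_value(value):
    # RFC 4514 escaping of the control-panel input (assumption, not from the page).
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def construct_user_dns(bind_prefix, login, bind_and_search_root):
    # Use Device User Credentials: prefix=login,root for each '|'-separated root.
    rdn = bind_prefix + "=" + escape_rdn_value(login)
    return [rdn + "," + root.strip() for root in bind_and_search_root.split("|")]

def bind(dn, password):
    # Simulated simple bind: the DN must exist and the password must match.
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and entry["userPassword"] == password

def search_user_dn(search_root, match_attr, login):
    # Entry below search_root whose match_attr equals the login; must be unique.
    hits = [dn for dn, a in DIRECTORY.items() if dn.endswith("," + search_root.lower())
            and a.get(match_attr) == login]
    return hits[0] if len(hits) == 1 else None

def user_info(dn, email_attr="mail", name_attr="displayName"):
    attrs = DIRECTORY[dn.lower()]
    return {"dn": dn, "email": attrs.get(email_attr), "name": attrs.get(name_attr)}

def login_device_user_credentials(login, password, bind_prefix, roots):
    # Phase 1: bind with each constructed DN in order; phase 2: fetch e-mail/name.
    for dn in construct_user_dns(bind_prefix, login, roots):
        if bind(dn, password):
            return user_info(dn)
    return None  # every root failed: access denied

def login_admin_credentials(login, password, admin_dn, admin_pw, root, match_attr):
    # Admin bind, search for the user DN, rebind as that DN, then fetch info.
    if not bind(admin_dn, admin_pw):
        return None
    dn = search_user_dn(root, match_attr, login)
    if dn is None or not bind(dn, password):
        return None
    return user_info(dn)
```

Both login functions return None for a failed bind, a missing or ambiguous search hit, or a wrong password, which corresponds to the device denying access to the LDAP-protected functions.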

Test

Use the Test feature to test the validity of your settings before applying them. When you click this button, you are asked to provide user credentials as if you were logging in at the device control panel. If the credentials that you provide are authenticated and the user information is found in the LDAP database, a success message appears. Otherwise, an error message appears indicating why authentication failed.