Employing the LDAP authentication
Overview
When you use the LDAP server for user management, you can restrict users of this machine by authentication using LDAP.
Employing the user authentication enables security- and cost-conscious advanced operations such as restricting users from accessing this machine, restricting users from using the functions by user, and managing the use status of this machine.
When employing the LDAP authentication function, follow the below procedure to configure the settings.
Configure settings for connecting to the network such as setting of the IP address of this machine
For details on configuring the setting, refer to [Configuring network environment settings] .
Configure basic settings for the LDAP authentication
For details on configuring the setting, refer to [Configure basic settings for the LDAP authentication] .
Set the following options according to your environment
Purpose
Reference
Communicate with the LDAP server using SSL
Send original data scanned by this machine easily to the login user's own address using E-mail (Scan to Me)
Notify the login user's own address of the URL of the original data scanned by this machine by E-mail (Scan to URL)
Construct a single sign-on environment for the SMB transmission
[Constructing a single sign-on environment for the SMB transmission]
Restrict available functions by user
Restrict the access to destinations by user
Change function keys displayed in the Touch Panel by user
[Changing the function key display pattern by user or account]
Specify the operations of the ID & Print function
Specify the operations of this machine when you log out
[Configuring common settings when using the authentication function]
Restrict print jobs without authentication information
Print data from the printer driver without using the password
Configure basic settings for the LDAP authentication
Register your authentication server on this machine. In addition, change the authentication method of this machine so that authentication is performed using the registered authentication server.
In the administrator mode, select [User Auth/Account Track] - [External Server Settings] - [External Server Settings] - [Edit].
Click [Edit] in [1st Server], then configure the following settings.
Settings
Description
[External Server Name]
Enter the name of your LDAP server (using up to 32 characters).
Assign an easy-to-understand name to the LDAP server to be registered.
[External Server Type]
Select [LDAP].
[Server Address]
Enter your LDAP server address.
Use one of the following formats.
Example of host name entry: "host.example.com"
Example of IP address (IPv4) entry: "192.168.1.1"
Example of IP address (IPv6) entry: "fe80::220:6bff:fe10:2f16"
[Port No.]
If necessary, change the LDAP server port number.
In normal circumstances, you can use the original port number.
[389] is specified by default.
[Search Base 1] to [Search Base 3]
Specify the starting point and range to search for a user to be authenticated.
[Search Base]: Specify the starting point to search for a target (using up to 255 characters).
Example of entry: "cn=users,dc=example,dc=com"[Search Range]: Select a tree search range. [Full Tree] is specified by default.
Selecting [Full Tree] makes a search, including the tree structure under the entered starting point. Selecting [Next hierarchy only] searches for only one level directly beneath the entered starting point. In this case, the level at the starting point is not included as a search target.
[Timeout]
If necessary, change the time-out time to limit a communication with the LDAP server.
[60] sec. is specified by default.
[General Settings]
Select the authentication method to log in to the LDAP server.
Select one appropriate for the authentication method used for your LDAP server.
[Simple] is specified by default.
[Search Attribute]
Enter the search attribute to be used for search of user account (using up to 64 characters, including a symbol mark -).
The attribute must start with an alphabet character.
[uid] is specified by default.
[Search Attributes Authentication]
Select this check box to enable the attribute-base authentication when [Simple] is selected for [General Settings].
If this check box is selected, the user does not need to enter all of the DN (Distinguished Name) when performing authentication via the LDAP server.
On this screen, enter authentication information to be used when you log in to the LDAP server to search for the user ID ([Login Name] and [Password]).
[OFF] (not selected) is specified by default.
[Search Directory Service]
If you select [Active Directory], you can limit a search target for authentication to users. However, when a search target for authentication is limited to users, search target identification processing occurs on the server side, so the authentication time may be delayed. This function is available when the authentication server is set to Active Directory (Windows Server 2008 or later).
[Other] is specified by default.
Click [Edit] in [2nd Server] as needed, then configure the following settings.
Settings
Description
[2nd Server Setting]
Select whether to use the secondary server.
If you group two servers, you can switch to another server to perform authentication when a server shuts down.
[OFF] is specified by default.
[Round Robin function]
Select whether to alternately connect to the primary and secondary servers.
If you select [Enable], you can alternately connect the primary and secondary servers to distribute the server load.
[Disable] is specified by default.
[Reconnection Settings]
Configure a setting to connect to the secondary server when the machine cannot be connected to the primary server. When the round-robin function is enabled, this setting can also be used to connect to the primary server when the machine cannot be connected to the secondary server.
[Reconnect for every login]: Connects to the primary server each time authentication is carried out on this machine. If the primary server is shutting down, this machine is connected to the secondary server.
[Set Reconnect Interval]: Connects to the secondary server when the primary server is shutting down at the time the machine is being authenticated. After this, this machine is connected to the secondary server when machine authentication is occurring until the time specified in [Reconnection Time] lapses. After the time specified in [Reconnection Time] has lapsed, this machine is reconnected to the primary server when machine authentication is occurring.
[Set Reconnect Interval] is specified by default.
[External Server Type]
Select the type of the authentication server and set required information.
For details on settings, refer to step 2.
In the administrator mode, select [User Auth/Account Track] - [General Settings], then configure the following settings.
Settings
Description
[User Authentication]
When performing authentication using an external authentication server, select [ON (External Server)] or [ON (MFP + External Server)].
If you want to configure setting so that you can log in to this machine using its authentication function in consideration of an occurrence of some sort of problem on the external authentication server, select [ON (MFP + External Server)].
[Overwrite User Info]
When the external server authentication is used, authenticated user information is also managed on this machine. If the number of users who have executed the external server authentication reaches the maximum number of users this machine can manage, authentication of any new users will not be permitted. Select whether to allow the user to overwrite registered user information for that case.
If you select [Allow], the oldest authenticated user information is erased and the new user is registered.
[Restrict] is specified by default.
[Default Authentication Method]
If you have selected [ON (MFP + External Server)] at [User Authentication], select the authentication method you use normally.
[ON (External Server)] is specified by default.
[When Number of Jobs Reach Maximum]
Sets the maximum number of sheets that each user can print. Here, select an operation if the number of sheets exceeds the maximum number of sheets that can be printed.
[Skip Job]: Stops the job currently running, and starts printing the next job.
[Stop Job]: Stops all jobs.
[Delete Job]: Deletes the active job.
[Skip Job] is specified by default.
[Temporarily Save Authentication Information]
To temporarily save authentication information in the main unit against a case where an external authentication server shuts down, select [Enable].
[Disable] is specified by default.
[Reconnection Settings]
If necessary, change the time to reconnect to the authentication server.
[Reconnect for every login]: Connects to the authentication server at the time authentication is carried out on this machine. If the authentication server is in the shutdown state at the time authentication is carried out on this machine, first confirm that the authentication server is down, and use the temporarily saved authentication information to log in to this machine.
[Set Reconnect Interval]: Connect to the authentication server at the time specified in [Reconnection Time], and check the status of the authentication server. If the authentication server is in the shutdown state, use the authentication information temporarily saved in the main unit to log in.
[Set Reconnect Interval] is specified by default.
[Expiration Date Settings]
Select [Enable] to set the expiration date to the temporarily saved authentication information. If [Enable] is selected, enter the expiration date.
[Disable] is specified by default.
[External Server DN Cache]
To save DN (Distinguished Name) information on the machine when authentication succeeds in the LDAP server, select [ON].
At the next authentication, you can use the saved information to search for a user, realizing high-speed authentication.
[OFF] is specified by default.
To check the status of the connection of the primary authentication server and the secondary authentication server, select [User Auth/Account Track] - [Authentication Server Connection status] - [External Server Authentication] in the administrator mode. If [Connection Enabled] is displayed, you can connect to both the primary and secondary authentication servers.
Using SSL communication
Communication between this machine and the LDAP server is encrypted with SSL.
Configure the setting if your environment requires SSL encryption communication with the LDAP server.
In the administrator mode, select [User Auth/Account Track] - [External Server Settings] - [Edit], then configure the following settings.
Settings | Description |
---|---|
[Enable SSL] | Select this check box to use SSL communication. [OFF] (not selected) is specified by default. |
[Port No.(SSL)] | If necessary, change the SSL communication port number. In normal circumstances, you can use the original port number. [636] is specified by default. |