Authenticating in the LDAP server using the authentication card (LDAP-IC Card Authentication)

Overview

You can configure the machine so that authentication is performed against the LDAP server using the card ID stored on the authentication card (LDAP-IC Card Authentication).

Authentication is completed simply by placing the IC card on the authentication unit. This enhances security without making the machine harder to use.

To perform authentication using the authentication card, follow the procedure below to configure the settings.

  1. Enabling use of the Authentication Unit (IC card type) on this machine

    Note: The Authentication Unit (IC card type) must be configured by your service representative. For details, contact your service representative.

  2. Configuring basic settings for the LDAP-IC card authentication

  3. Set the following option according to your environment

    Purpose: Communicate with the LDAP server using SSL
    Reference: [Using SSL communication]

Configuring basic settings for the LDAP-IC card authentication

  1. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [LDAP-IC Card Authentication Setting], set [LDAP-IC Card Authentication Setting] to [ON] (Default: [OFF]).

  2. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration], then click [Edit].

  3. Click [Edit] in [1st Server], then configure the following settings.

    Settings

    Description

    [LDAP-IC Card Authentication Server Name]

    Enter the name of your authentication server group (using up to 32 characters).

    Assign a name that helps you easily identify the authentication server group.

    [External Authentication Server]

    Select the external authentication server group to associate with LDAP-IC card authentication.

    When LDAP-IC card authentication succeeds, user authentication information is registered on the machine to manage users on the machine. This authentication information includes the user name and external authentication server name. The external authentication server name selected here is registered on the machine together with the user name.

    [No Selection] is specified by default.

    [Card Information Registration Settings]

    When authentication is performed on the machine using an IC card not registered in the LDAP server, select whether to register the IC card in the LDAP server.

    If [ON] is selected, configure the following settings.

    • [Sequential Server Card Registration]: Specify the server in which card information is registered. If you select [Primary Server for Card Registration], card information is registered on whichever of the primary and secondary servers the authentication succeeded on.

    • [User Name Attribute]: Specify the attribute to be searched as the user name.

    [OFF] is specified by default.

    [Card Information Character Type During Search]

    Select how the search string is converted when searching for the card ID on the LDAP server.

    When the card attribute on the server is stored consistently in uppercase or in lowercase, converting the search string to that case can in some cases shorten the search time.

    • [Uppercase Letters/ Lowercase Letters]: Converts the card ID into upper or lower case letters to carry out a search.

    • [Uppercase Letters]: Converts the card ID to uppercase letters to carry out a search.

    • [Lowercase Letters]: Converts the card ID to lowercase letters to carry out a search.

    [Uppercase Letters/ Lowercase Letters] is specified by default.

    [Server Address]

    Enter the address of the LDAP server to be used for authenticating the user ID of the IC card.

    Use one of the following formats.

    • Example of host name entry: "host.example.com"

    • Example of IP address (IPv4) entry: "192.168.1.1"

    • Example of IP address (IPv6) entry: "fe80::220:6bff:fe10:2f16"

    [Port No.]

    If necessary, change the LDAP server port number.

    In normal circumstances, the default port number can be used as is.

    [389] is specified by default.

    [Search Base 1] to [Search Base 3]

    Specify the starting point and scope of the search for the user to be authenticated.

    • [Search Base]: Specify the starting point to search for a target (using up to 255 characters).
      Example of entry: "cn=users,dc=example,dc=com"

    • [Search Range]: Select a tree search range. [Full Tree] is specified by default.
      Selecting [Full Tree] searches the whole tree structure under the entered starting point. Selecting [Next hierarchy only] searches only the level directly beneath the entered starting point; the starting point itself is not included in the search.

    [Timeout]

    If necessary, change the timeout that limits communication with the LDAP server.

    [60] sec. is specified by default.

    [General Settings]

    Select the authentication method used to log in to the LDAP server.

    Choose the one that matches the authentication method supported by your LDAP server.

    • [Simple]

    • [Digest-MD5]

    • [GSS-SPNEGO]

    • [NTLM v1]

    • [NTLM v2]

    [Simple] is specified by default.

    [Login Name]

    Enter the user name used to log in to the LDAP server and search for users (using up to 64 characters).

    Enter a user that belongs to a specific administrator group on the LDAP server.

    [Password]

    Enter the password of the user you entered into [Login Name] (using up to 64 characters, excluding ").

    To enter (change) the password, select the [Password is changed.] check box, then enter a new password.

    [Domain Name]

    Enter the domain name to log in to the LDAP server (using up to 64 characters).

    If [GSS-SPNEGO] is selected for [General Settings], enter the domain name of Active Directory.

    [Use Referral]

    Select whether to use the LDAP referral function, if necessary.

    Choose according to your LDAP server environment.

    [ON] is specified by default.

    [Search Attribute]

    Enter the attribute in which the IC card information is registered (using up to 63 characters, including the hyphen -).

    The attribute must start with a letter.

    [uid] is specified by default.

    [User Name]

    Select how to obtain the user name when logging in to this machine.

    • [Use Card ID]: Select this option when only IC card information is registered on the server. The card ID stored on the IC card is used as the user name.

    • [Acquiring]: Select this option when user information other than IC card information is registered on the server. The user name obtained from the server is used. Enter the attribute to be searched as the user name (such as "uid") in [User Name Attribute].
      If [Card Information Registration Settings] is set to [ON], [Acquiring] is selected automatically and cannot be changed; the attribute specified in [Card Information Registration Settings] is then displayed in [User Name Attribute].

    [Use Card ID] is specified by default.

    [Search Directory Service]

    If you select [Active Directory], the search for authentication can be limited to user objects. However, when the search is limited to users, the identification of search targets is processed on the server side, so authentication may take longer. This function is available when the authentication server is Active Directory (Windows Server 2008 or later).

    [Other] is specified by default.

  4. Click [Edit] in [2nd Server] as needed, then configure the following settings.

    Settings

    Description

    [2nd Server Setting]

    Select whether to use a secondary server.

    If two servers are grouped, authentication can switch to the other server when one server is down.

    [OFF] is specified by default.

    [Round Robin function]

    Select whether to connect to the primary and secondary servers alternately.

    If you select [Enable], the machine connects to the primary and secondary servers alternately to distribute the server load.

    [Disable] is specified by default.

    [Reconnection Settings]

    Configure how the machine connects to the secondary server when it cannot connect to the primary server. When the round-robin function is enabled, this setting also governs connecting to the primary server when the machine cannot connect to the secondary server.

    • [Reconnect for every login]: Connects to the primary server each time authentication is performed on this machine. If the primary server is down, the machine connects to the secondary server.

    • [Set Reconnect Interval]: Connects to the secondary server when the primary server is down at the time of authentication. Subsequent authentications continue to use the secondary server until the time specified in [Reconnection Time] has elapsed; after that, the machine reconnects to the primary server at the next authentication.

    [Set Reconnect Interval] is specified by default.

    [Card Information Registration Settings]

    When authentication is performed on the machine using an IC card not registered in the LDAP server, select whether to register the IC card in the LDAP server.

    • [Same as 1st Server]: Select [Enable] to use the same setting as for the primary server. To use a different setting, select [Disable], then specify the attribute to be searched as the user name in [User Name Attribute].

    Secondary Server Information

    Specify the required information.

    For details on settings, refer to step 3.

  5. On the Control Panel, select [Utility] - [Administrator Settings] - [User Authentication/Account Track] - [Authentication Device Settings] - [General Settings] - [Card Authentication] - [IC Card type setting]. Then, allow the IC card you want to use, and assign the LDAP server as the authentication server.

    Note: For details on [IC Card type setting], refer to [General Settings].
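The following added example (not from the manual or the machine's own software) shows how the step 3 settings [Search Base], [Search Range], [Search Attribute], [Card Information Character Type During Search] and [User Name] combine into one LDAP search and how the user name is then resolved. It assumes the combined character-type option searches with both the uppercase and the lowercase form of the card ID; the setting values and directory entries are constructed samples.

```python
"""Added example (not from the manual): assembling the LDAP search for a card ID
from the step 3 settings. The setting values below are constructed samples."""
from dataclasses import dataclass

# RFC 4515 filter escaping. The card ID comes from a card the machine does not
# control, so it is escaped before it is placed in the filter: a raw '*' or
# parenthesis in the value would change the meaning of the search.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

@dataclass
class LdapIcCardSetting:
    search_base: str = "cn=users,dc=example,dc=com"  # [Search Base]
    search_range: str = "Full Tree"                  # or "Next hierarchy only"
    search_attribute: str = "uid"                    # [Search Attribute]
    char_type: str = "Uppercase Letters/ Lowercase Letters"  # character type during search
    user_name: str = "Use Card ID"                   # [User Name]: or "Acquiring"
    user_name_attribute: str = "uid"                 # [User Name Attribute]

def card_id_candidates(card_id: str, char_type: str) -> list:
    """Search strings after character-type conversion. Assumption: the combined
    option searches with both the uppercase and the lowercase form."""
    if char_type == "Uppercase Letters":
        forms = [card_id.upper()]
    elif char_type == "Lowercase Letters":
        forms = [card_id.lower()]
    else:
        forms = [card_id.upper(), card_id.lower()]
    return list(dict.fromkeys(forms))  # drop duplicates, e.g. for all-digit IDs

def build_search(setting: LdapIcCardSetting, card_id: str) -> dict:
    """LDAP search request parameters for one card ID."""
    # [Full Tree] is a subtree search; [Next hierarchy only] is a one-level search.
    scope = "subtree" if setting.search_range == "Full Tree" else "onelevel"
    terms = [f"({setting.search_attribute}={escape_filter_value(c)})"
             for c in card_id_candidates(card_id, setting.char_type)]
    ldap_filter = terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"
    return {"base": setting.search_base, "scope": scope, "filter": ldap_filter,
            "attributes": [setting.user_name_attribute]}

def resolve_user_name(setting: LdapIcCardSetting, card_id: str, entry: dict) -> str:
    """[Use Card ID] logs in as the card ID; [Acquiring] reads the user name attribute."""
    if setting.user_name == "Use Card ID":
        return card_id
    values = entry.get(setting.user_name_attribute) or []
    if len(values) != 1:
        raise LookupError("user name attribute missing or ambiguous on the matched entry")
    return values[0]
```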

Tips
  • To check the connection status of the primary and secondary authentication servers, select [User Auth/Account Track] - [Authentication Server Connection status] - [LDAP-IC Card Authentication] in the administrator mode. If [Connection Enabled] is displayed, the machine can connect to both the primary and secondary authentication servers.
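As an added example (not from the manual), the following simulation shows the difference between the two [Reconnection Settings] modes from step 4 when the primary server is briefly unreachable. The timeline, the 60-second [Reconnection Time] and the server names are constructed; the [Round Robin function] is not modelled.

```python
"""Added example (not from the manual): simulation of the [Reconnection Settings]
failover between the primary and secondary servers. Times, server states and
the 60-second interval are constructed; [Round Robin function] is not modelled."""


class ServerGroup:
    def __init__(self, mode="Set Reconnect Interval", reconnect_time=60):
        self.mode = mode                      # or "Reconnect for every login"
        self.reconnect_time = reconnect_time  # [Reconnection Time] in seconds (assumed unit)
        self.secondary_until = None           # logins go to the secondary until this time

    def authenticate(self, now, reachable):
        """Return the server used for one login at time `now`, or None if both fail.
        `reachable` maps "primary"/"secondary" to whether that server answers."""
        # [Set Reconnect Interval]: stay on the secondary until the interval lapses.
        if (self.mode == "Set Reconnect Interval" and self.secondary_until is not None
                and now < self.secondary_until and reachable["secondary"]):
            return "secondary"
        self.secondary_until = None
        # Both modes try the primary first and fall back to the secondary.
        if reachable["primary"]:
            return "primary"
        if reachable["secondary"]:
            if self.mode == "Set Reconnect Interval":
                self.secondary_until = now + self.reconnect_time
            return "secondary"
        return None  # no server reachable: authentication fails


# Constructed timeline of logins: (time in seconds, primary up?, secondary up?).
# The primary is down only at t=10 and is back for every later login.
TIMELINE = [(0, True, True), (10, False, True), (20, True, True),
            (40, True, True), (80, True, True)]


def simulate(mode):
    """Which server each login in TIMELINE uses under the given mode."""
    group = ServerGroup(mode, reconnect_time=60)
    return [group.authenticate(t, {"primary": p, "secondary": s}) for t, p, s in TIMELINE]


if __name__ == "__main__":
    for mode in ("Reconnect for every login", "Set Reconnect Interval"):
        print(f"{mode}: {simulate(mode)}")
```

With [Set Reconnect Interval] the logins at t=20 and t=40 still go to the secondary although the primary is back, because the 60-second interval started at t=10 has not elapsed; with [Reconnect for every login] the primary is tried again immediately.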

Using SSL communication

SSL can be used to encrypt communication between this machine and the LDAP server.

Configure this setting if your environment requires SSL-encrypted communication with the LDAP server.

In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration] - [Edit], then configure the following settings.

Settings

Description

[Enable SSL]

Select this check box to use SSL communication.

[OFF] (not selected) is specified by default.

[Port No.(SSL)]

If necessary, change the port number used for SSL communication.

In normal circumstances, the default port number can be used as is.

[636] is specified by default.

[Certificate Verification Level Settings]

Select which items of the server certificate are verified.

Each item for which [Confirm] is selected is checked when the certificate is verified.

[Expiration Date]

Confirm whether the certificate is still valid.

[Confirm] is specified by default.

[CN]

Confirm whether the CN (Common Name) of the certificate matches the server address.

[Do Not Confirm] is specified by default.

[Key Usage]

Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer.

[Do Not Confirm] is specified by default.

[Chain]

Confirm whether there is a problem in the certificate chain (certificate path).

The chain is validated by referencing the external certificates managed on this machine.

[Do Not Confirm] is specified by default.

[Expiration Date Confirmation]

Confirm whether the certificate has been revoked by its issuer.

The revocation status of the certificate is checked in the following order.

  • OCSP (Online Certificate Status Protocol) service

  • CRL (Certificate Revocation List)

[Do Not Confirm] is specified by default.