HomeWeb Management ToolLDAP authentication setting

LDAP authentication setting

Setting flow

When you use the LDAP server for user management, you can restrict users of this machine by authentication using LDAP.

Employing the user authentication enables security- and cost-conscious advanced operations such as restricting users from accessing this machine, restricting users from using the functions by user, and managing the usage status of this machine.

When employing the LDAP authentication function, follow the below procedure to configure the settings.

  1. Configuring network settings of this machine (Here)

  2. Configuring basic settings for LDAP authentication (Here)

  3. Configuring settings to suit your environment

    • Establishing SSL communication (Here)

Configure basic settings for the LDAP authentication

Register your authentication server on this machine. In addition, change the authentication method of this machine so that authentication is performed using the registered authentication server.

  1. Select [User Auth/Account Track] - [External Server Settings] - [External Server Settings] - [Edit] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine).

  2. Click [Edit] of [1st Server], and configure the following settings.

    Setting

    Description

    [External Server Name]

    Enter the name of the authentication server (using up to 32 characters).

    [External Server Type]

    Select [LDAP].

    [LDAP]

    Register server information when LDAP is used as the authentication server.

    • [Server Address]: Enter your LDAP server address.

    • [Port No.]: If necessary, change the LDAP server port number (default: [389]).

    • [Search Base 1] to [Search Base 3]: Specify the starting point and range to search a user to be authenticated.
      [Search Base]: Specify the starting point to search for a target (using up to 255 characters).
      Example of entry: "cn=users,dc=example,dc=com"
      [Search Range]: Select a tree search range (default: [Full Tree]).
      [Full Tree]: Makes a search, including the tree structure under the entered starting point.
      [Next hierarchy only]: Searches for only one level directly beneath the entered starting point. In this case, the level at the starting point is not included as a search target.

    • [Timeout]: Change the timeout interval for communication with the LDAP server, if required (default: [60] sec.).

    • [Authentication Type]: Select the authentication method to log in to the LDAP server depending on your environment (default: [Simple]).

    • [Search Attribute]: Enter the search attribute used in user account search (using up to 64 characters). The attribute must start with an alphabet character (default: [uid]).

    • [Search Attributes Authentication]: To automatically generate DN (Distinguished Name) required for authentication by the LDAP server on this machine when [Simple] is selected for [Authentication Type], set this option to ON (default: OFF). Also, enter authentication information used for logging in to the LDAP server in order to search for the user ID.

    [Search Directory Service]

    If you select [Active Directory], you can limit a search target for authentication to users (default: [Other]). However, when a search target for authentication is limited to users, search target identification processing occurs on the server side, so the authentication time may be delayed. This function is available when the authentication server is set to Active Directory (Windows Server 2008 or later).

  3. Click [Edit] of [2nd Server] as needed, and configure the following settings.

    Setting

    Description

    [2nd Server Setting]

    When using the secondary server, set this option to ON (default: OFF).

    [Round Robin function]

    When using the round-robin function, set this option to ON (default: OFF).

    If you select round-robin function, you can alternately connect the primary and secondary servers to distribute the server load.

    [Reconnection Settings]

    Configure a setting to connect to the secondary server when the machine cannot be connected to the primary server (default: [Set Reconnect Interval]). When the round-robin function is enabled, this setting can also be used to connect to the primary server when the machine cannot be connected to the secondary server.

    • [Reconnect for every login]: Connects to the primary server each time authentication is carried out on this machine. If the primary server is shutting down, this machine is connected to the secondary server.

    • [Set Reconnect Interval]: Connects to the secondary server when the primary server is shutting down at the time the machine is being authenticated. After this, this machine is connected to the secondary server when machine authentication is occurring until the time specified in [Reconnection Time] lapses. After the time specified in [Reconnection Time] has lapsed, this machine is reconnected to the primary server when machine authentication is occurring.

    [External Server Type]

    Select the type of the authentication server and set required information.

    For details, refer to the registration contents of the primary server.

  4. Select [User Auth/Account Track] - [Authentication Type] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

    Setting

    Description

    [User Authentication]

    When performing authentication using an external authentication server, select [ON (External Server)] or [ON (MFP + External Server)].

    If you want to configure setting so that you can log in to this machine using its authentication function in consideration of an occurrence of some sort of problem on the external authentication server, select [ON (MFP + External Server)].

    [Default Authentication Method]

    If [User Authentication] is set to [ON (MFP + External Server)], select the preferential authentication method (default: [ON (External Server)]).

    [Ticket Hold Time Setting (Active Directory)]

    Change the retention time for a Kerberos authentication ticket if Active Directory is used as an authentication server (default: [5] min.).

    [When Number of Jobs Reach Maximum]

    Sets the maximum number of sheets that each user can print. Here, select an operation if the number of sheets exceeds the maximum number of sheets that can be printed (default: [Skip Job]).

    • [Skip Job]: Stops the job currently running, and starts printing the next job.

    • [Stop Job]: Stops all jobs.

    • [Delete Job]: Deletes the active job.

    [External Authentication server setting]

    Set server authentication operations.

    • [Temporarily Save Authentication Information]: To temporarily save authentication information in the main unit against a case where an external authentication server shuts down, set this option to ON (default: OFF).

    • [Reconnection Settings]: Specify the timing to reconnect to the authentication server (default: [Set Reconnect Interval]).
      [Reconnect for every login]: Connects to the authentication server at the time authentication is carried out on this machine. If the authentication server is in the shutdown state at the time authentication is carried out on this machine, first confirm that the authentication server is down, and use the temporarily saved authentication information to log in to this machine.
      [Set Reconnect Interval]: Connect to the authentication server at the time specified in [Reconnection Time], and check the status of the authentication server. If the authentication server is in the shutdown state, use the authentication information temporarily saved in the main unit to log in.

    • [Expiration Date Settings]: When specifying the validity period to the temporarily saved authentication information, set this option to ON (default: OFF). Also, enter the expiration date.

    • [Overwrite User Info]: When the external server authentication is used, authenticated user information is also managed on this machine. If the number of users who have executed the external server authentication reaches the maximum number of users this machine can manage, authentication of any new users will not be permitted. Select whether to allow the user to overwrite registered user information for that case (default: [Restrict]). If you select [Allow], the oldest authenticated user information is erased and the new user is registered.

    [External Server DN Cache]

    Select whether to save DN (Distinguished Name) information on the machine to speed up the LDAP server authentication (default: [OFF]).

    If [ON] is selected, information related to the user’s DN is saved on the machine when authentication succeeds in the LDAP server. At the next authentication, a user search is performed using the saved information.

  • To check the status of the connection of the primary authentication server and the secondary authentication server, select [User Auth/Account Track] - [Authentication Server Connection status] - [External Server Authentication]. If [Connection Enabled] is displayed, you can connect to both the primary and secondary authentication servers.

Using SSL communication

If SSL is installed in your environment, enable SSL.

Select [User Auth/Account Track] - [External Server Settings] - [External Server Settings] - [Edit] in administrator mode of Web Connection (or in [Utility] - [Administrator] of this machine), and configure the following settings.

Setting

Description

[LDAP]

Configure settings to establish a communication via SSL.

  • [Enable SSL]: When using SSL communications, set this option to ON (default: OFF).
    [Port No.(SSL)]: If necessary, change the port number for SSL communication (default: [636]).