Authenticating in the LDAP server using the authentication card (LDAP-IC Card Authentication)

Overview

You can configure settings so that authentication is performed in the LDAP server using the card ID registered in the authentication card (LDAP-IC Card Authentication).

Authentication is completed only by placing the IC card. This enhances security without damaging users' ability to easily operate the machine.

To perform authentication using the authentication card, follow the below procedure to configure the settings.

  1. Enabling use of Authentication Unit (IC card type) in this machine

    supplementary explanationAuthentication Unit (IC card type) must be configured by your service representative. For details, contact your service representative.

  2. Configuring basic settings for the LDAP-IC card authentication

  3. Set the following options according to your environment

    Purpose

    Reference

    Communicate with the LDAP server using SSL

    [Using SSL communication]

    Provide against shutdown of the LDAP server

    [Setting a secondary authentication server against shutdown of the LDAP server]

    Allow the user to register the ID of the IC card in the LDAP server

    [Setting to allow the user to register the IC card in the LDAP server]

Configuring basic settings for the LDAP-IC card authentication

  1. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [LDAP-IC Card Authentication Setting], set [LDAP-IC Card Authentication Setting] to [ON] (Default: [OFF]).

  2. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration] - [Edit], then register information of the LDAP server to be used for authenticating the user ID of the IC card.

    Settings

    Description

    [Server Address]

    Enter the address of the LDAP server to be used for authenticating the user ID of the IC card.

    Use one of the following formats.

    • Example of host name entry: "host.example.com"

    • Example of IP address (IPv4) entry: "192.168.1.1"

    • Example of IP address (IPv6) entry: "fe80::220:6bff:fe10:2f16"

    [Port No.]

    If necessary, change the LDAP server port number.

    In normal circumstances, you can use the original port number.

    [389] is specified by default.

    [Search Base 1] to [Search Base 3]

    Specify the starting point and range to search for a user to be authenticated.

    • [Search Base]: Specify the starting point to search for a target (using up to 255 characters).
      Example of entry: "cn=users,dc=example,dc=com"

    • [Search Range]: Select a tree search range. [Full Tree] is specified by default.
      Selecting [Full Tree] makes a search, including the tree structure under the entered starting point. Selecting [Next hierarchy only] searches for only one level directly beneath the entered starting point. In this case, the level at the starting point is not included as a search target.

    [Timeout]

    If necessary, change the time-out time to limit a communication with the LDAP server.

    [60] sec. is specified by default.

    [General Settings]

    Select the authentication method to log in to the LDAP server.

    Select one appropriate for the authentication method used for your LDAP server.

    • [Simple]

    • [Digest-MD5]

    • [GSS-SPNEGO]

    • [NTLM v1]

    • [NTLM v2]

    [Simple] is specified by default.

    [Login Name]

    Log in to the LDAP server, and enter the login name to search for a user (using up to 64 characters).

    [Password]

    Enter the password of the user name you entered into [Login Name] (using up to 64 characters, excluding ").

    To enter (change) the password, select the [Password is changed.] check box, then enter a new password.

    [Domain Name]

    Enter the domain name to log in to the LDAP server (using up to 64 characters).

    If [GSS-SPNEGO] is selected for [General Settings], enter the domain name of Active Directory.

    [Use Referral]

    Select whether to use the referral function, if necessary.

    Make an appropriate choice to fit the LDAP server environment.

    [ON] is specified by default.

    [Search Attribute]

    Enter the attribute for the location where the IC card information is registered (using up to 63 characters, including a symbol mark -).

    The attribute must start with an alphabet character.

    [uid] is specified by default.

    [User Name]

    Select how to obtain the user name when logging in to this machine.

    • [Use Card ID]: Select this option when only IC card information is registered on the server. Uses the card ID in the IC card as the user name.

    • [Acquiring]: Select this option when user information other than IC card information is registered on the server. Uses the user name obtained from the server. Enter the attribute to be searched as the user name ("uid") at [User Name Attribute].
      If [ON] is selected in [Card Information Registration Settings], [Acquiring] is selected, and any change cannot be made. Then, the attribute specified in [Card Information Registration Settings] is displayed in [User Name Attribute]. For details on [Card Information Registration Settings], refer to [Setting to allow the user to register the IC card in the LDAP server] .

    [Use Card ID] is specified by default.

    [External Server Connection]

    Select the name of the external server to be used as authentication information saved on this machine.

    The authentication information is saved on this machine when the LDAP-IC card authentication is successfully completed. This authentication information includes the user name and the external server name.

    As authentication information to be saved on this machine, the name of external server registered on this machine can be registered.

    [No Selection] is specified by default.

Using SSL communication

Communication between this machine and the LDAP server is encrypted with SSL.

Configure the setting if your environment requires SSL encryption communication with the LDAP server.

In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration] - [Edit], then configure the following settings.

Settings

Description

[Enable SSL]

Select this check box to use SSL communication.

[OFF] (not selected) is specified by default.

[Port No.(SSL)]

If necessary, change the SSL communication port number.

In normal circumstances, you can use the original port number.

[636] is specified by default.

[Certificate Verification Level Settings]

To verify the certificate, select items to be verified.

If you select [Confirm] at each item, the certificate is verified for each item.

[Expiration Date]

Confirm whether the certificate is still valid.

[Confirm] is specified by default.

[CN]

Confirm whether CN (Common Name) of the certificate matches the server address.

[Do Not Confirm] is specified by default.

[Key Usage]

Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer.

[Do Not Confirm] is specified by default.

[Chain]

Confirm whether there is a problem in the certificate chain (certificate path).

The chain is validated by referencing the external certificates managed on this machine.

[Do Not Confirm] is specified by default.

[Expiration Date Confirmation]

Confirm whether the certificate has expired.

Confirm for expiration of the certificate in the following order.

  • OCSP (Online Certificate Status Protocol) service

  • CRL (Certificate Revocation List)

[Do Not Confirm] is specified by default.

Setting a secondary authentication server against shutdown of the LDAP server

When the LDAP server is installed, you can set a secondary authentication server to prepare for a case in which the primary authentication server has shut down.

Setting a secondary authentication server automatically changes to the secondary authentication server even if the primary authentication server used for normal operations has shut down, thereby, enabling the LDAP-IC authentication to be continued.

  1. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Secondary Authentication Server Settings], then configure the following settings.

    Settings

    Description

    [Secondary Authentication Server Settings]

    Select [ON] to use the secondary authentication server.

    [OFF] is specified by default.

    [Reconnection Settings]

    Specify the timing at which to reconnect to the primary authentication server.

    [Set Reconnect Interval] is specified by default.

    • [Reconnect for every login]: Connects to the primary authentication server each time authentication is carried out on this machine. If the primary authentication server is shutting down, this machine is connected to the secondary authentication server.

    • [Set Reconnect Interval]: Connects to the secondary authentication server when the primary authentication server is shutting down when machine authentication is occurring. After this, this machine is connected to the secondary authentication server when machine authentication is occurring until the time specified in [Reconnection Time] lapses. After the time specified in [Reconnection Time] has lapsed, this machine is reconnected to the primary authentication server when machine authentication is occurring.

  2. In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Register Secondary Authentication Server], then click [Edit] to configure the following settings.

    Settings

    Description

    [Server Address]

    Enter the LDAP server address.

    Use one of the following formats.

    • Example of host name entry: "host.example.com"

    • Example of IP address (IPv4) entry: "192.168.1.1"

    • Example of IP address (IPv6) entry: "fe80::220:6bff:fe10:2f16"

    [Port No.]

    If necessary, change the LDAP server port number.

    In normal circumstances, you can use the original port number.

    [389] is specified by default.

    [Search Base 1] to [Search Base 3]

    Specify the starting point and range to search for a user to be authenticated.

    • [Search Base]: Specify the starting point to search for a target (using up to 255 characters).
      Example of entry: "cn=users,dc=example,dc=com"

    • [Search Range]: Select a tree search range. [Full Tree] is specified by default.
      Selecting [Full Tree] makes a search, including the tree structure under the entered starting point. Selecting [Next hierarchy only] searches for only one level directly beneath the entered starting point. In this case, the level at the starting point is not included as a search target.

    [Timeout]

    If necessary, change the time-out time to limit a communication with the LDAP server.

    [60] sec. is specified by default.

    [General Settings]

    Select the authentication method to log in to the LDAP server.

    Select one appropriate for the authentication method used for your LDAP server.

    • [Simple]

    • [Digest-MD5]

    • [GSS-SPNEGO]

    • [NTLM v1]

    • [NTLM v2]

    [Simple] is specified by default.

    [Login Name]

    Log in to the LDAP server, and enter the login name to search for a user (using up to 64 characters).

    [Password]

    Enter the password of the user name you entered into [Login Name] (using up to 64 characters, excluding ").

    To enter (change) the password, select the [Password is changed.] check box, then enter a new password.

    [Domain Name]

    Enter the domain name to log in to the LDAP server (using up to 64 characters).

    If [GSS-SPNEGO] is selected for [General Settings], enter the domain name of Active Directory.

    [Use Referral]

    Select whether to use the referral function, if necessary.

    Make an appropriate choice to fit the LDAP server environment.

    [ON] is specified by default.

    [Search Attribute]

    Enter the attribute for the location where the IC card information is registered (using up to 63 characters, including a symbol mark -).

    The attribute must start with an alphabet character.

    [uid] is specified by default.

    [User Name]

    Select how to obtain the user name when logging in to this machine.

    • [Use Card ID]: Select this option when only IC card information is registered on the server. Uses the card ID in the IC card as the user name.

    • [Acquiring]: Select this option when user information other than IC card information is registered on the server. Uses the user name obtained from the server. Enter the attribute to be searched as the user name ("uid") at [User Name Attribute].
      If [ON] is selected in [Card Information Registration Settings], [Acquiring] is selected, and any change cannot be made. Then, the attribute specified in [Card Information Registration Settings] is displayed in [User Name Attribute]. For details on [Card Information Registration Settings], refer to [Setting to allow the user to register the IC card in the LDAP server] .

    [Use Card ID] is specified by default.

  3. If a communication with the LDAP server is encrypted using SSL, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Register Secondary Authentication Server] in the administrator mode, then click [Edit] to configure the following settings.

    Settings

    Description

    [Enable SSL]

    Select this check box to use SSL communication.

    [OFF] (not selected) is specified by default.

    [Port No.(SSL)]

    If necessary, change the SSL communication port number.

    In normal circumstances, you can use the original port number.

    [636] is specified by default.

    [Certificate Verification Level Settings]

    To verify the certificate, select items to be verified.

    If you select [Confirm] at each item, the certificate is verified for each item.

    [Expiration Date]

    Confirm whether the certificate is still valid.

    [Confirm] is specified by default.

    [CN]

    Confirm whether CN (Common Name) of the certificate matches the server address.

    [Do Not Confirm] is specified by default.

    [Key Usage]

    Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer.

    [Do Not Confirm] is specified by default.

    [Chain]

    Confirm whether there is a problem in the certificate chain (certificate path).

    The chain is validated by referencing the external certificates managed on this machine.

    [Do Not Confirm] is specified by default.

    [Expiration Date Confirmation]

    Confirm whether the certificate has expired.

    Confirm for expiration of the certificate in the following order.

    • OCSP (Online Certificate Status Protocol) service

    • CRL (Certificate Revocation List)

    [Do Not Confirm] is specified by default.

Tips

  • To check the status of the connection of the primary authentication server and the secondary authentication server, select [User Auth/Account Track] - [Primary/Secondary Server Connection Status] - [LDAP-IC Card Authentication] in the administrator mode. If [Connection Allowed] is displayed, you can connect to both the primary and secondary authentication servers.

Setting to allow the user to register the IC card in the LDAP server

When authentication is performed on the machine using an IC card not registered in the LDAP server, configure a setting to allow the user to register the IC card in the LDAP server.

The user can register information of a new IC card in the LDAP server, thereby, enabling the reduction of the user or administrator load.

In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Card Information Registration Settings] - [Card Information Registration Settings], then configure the following settings.

Settings

Description

[Card Info. Registration Settings]

To register the IC card in the LDAP server when authentication is performed on the machine using an IC card not registered in the LDAP server, select [ON].

If [ON] is selected, enter the attribute such as "uid" to be searched as the user name in [User Name Attribute].

[OFF] is specified by default.

If [ON] is selected in [Card Info. Registration Settings], the setting of [LDAP-IC Card Authentication Setting] is changed as shown below.

When the secondary authentication server is not specified to be used:

  • [User Name] of [Server Registration] is set to [Acquiring].

  • The same attribute as that specified in [User Name Attribute] of this setting is set to [User Name Attribute] of [Server Registration].

When the secondary authentication server is specified to be used:

  • [User Name] of [Server Registration] is set to [Acquiring].

  • The same attribute as that specified in [User Name Attribute] of this setting is set to [User Name Attribute] of [Server Registration].

  • [User Name] of [Register Secondary Authentication Server] is set to [Acquiring].

  • The same attribute as that specified in [User Name Attribute] of this setting is set to [User Name Attribute] of [Register Secondary Authentication Server].

Tips

  • To use this function, you need to pre-configure a setting so that a user can register IC card information. On the Control Panel of this machine, select [Administrator Settings] - [System Settings] - [Restrict User Access] - [Restrict Access to Job Settings], then set [Biometric/IC Card Info. Registration] to [Allow] (default: [Restrict]).