LDAP Authentication

Specify this authentication method when using an LDAP server to authenticate users who have accounts on that server. Users who do not have an account on the LDAP server cannot be authenticated. The Address Book stored in the LDAP server can be registered to the printer, so that user authentication can be enabled without first using the printer to register each user's settings in the Address Book. When using LDAP authentication, to prevent password information from being sent over the network unencrypted, it is recommended that communication between the printer and the LDAP server be encrypted using SSL. Whether SSL is enabled is specified on the LDAP server; to do this, you must create a server certificate for the LDAP server. For details about creating a server certificate, see Creating the Server Certificate. The printer-side setting for using SSL is specified in the LDAP server setting.

When you select Cleartext authentication, LDAP Simple authentication is enabled. Simple authentication can be performed with a user attribute (such as cn or uid) instead of the DN. Because a simple bind sends the password to the server as entered, use Cleartext authentication only over an SSL-protected connection.

Using Web Image Monitor, you can enable a function that checks whether the LDAP server's SSL certificate is trustworthy when the printer connects to the server. Without this check, SSL protects the password only against passive eavesdropping, not against a server impersonating the LDAP server. For details about specifying LDAP authentication using Web Image Monitor, see Web Image Monitor Help.

Important

  • During LDAP authentication, the data registered to the LDAP server is automatically registered to the printer. If user information on the server is changed, information registered to the printer may be overwritten when authentication is performed.

  • Under LDAP authentication, you cannot specify access limits for groups registered to the directory server.

  • Do not use double-byte Japanese, Traditional Chinese, Simplified Chinese, or Hangul characters when entering the login user name or password. If you use double-byte characters, you cannot authenticate using Web Image Monitor.

  • If using Active Directory in LDAP authentication when Kerberos authentication and SSL are set at the same time, e-mail addresses cannot be obtained.

  • Under LDAP authentication, if "Anonymous Authentication" in the LDAP server's settings is not set to Prohibit, users who do not have an LDAP server account might still be able to gain access.

  • If the LDAP server is configured using Windows Active Directory, "Anonymous Authentication" might be available. If Windows authentication is available, we recommend you use it.

Operational requirements for LDAP authentication

To specify LDAP authentication, the following requirements must be met:

  • The network configuration must allow the printer to reach the LDAP server.

  • When SSL is being used, the LDAP server must accept TLSv1 or SSLv3 connections. Prefer TLSv1: SSLv3 is obsolete and is no longer considered secure.

  • The LDAP server must be registered to the printer.

  • When registering the LDAP server, specify the following:

    • Server Name

    • Search Base

    • Port Number

    • SSL communication

    • Authentication

      Select Kerberos, DIGEST, or Cleartext authentication.

    • User Name

      You do not need to enter the user name if the LDAP server supports "Anonymous Authentication".

    • Password

      You do not need to enter the password if the LDAP server supports "Anonymous Authentication".

For details about registering an LDAP server, see Web Image Monitor Help.

Note

  • For the characters that can be used for login user names and passwords, see Usable characters for user names and passwords.

  • In LDAP simple authentication mode, authentication will fail if the password is left blank. To allow blank passwords, contact your service representative.

  • The first time an unregistered user accesses the printer after LDAP authentication has been specified, the user is registered to the printer and can use only the functions selected in "Available Functions" for LDAP authentication. To limit the available functions for each user, register each user together with the corresponding available functions setting in the Address Book, or specify the available functions for each registered user. The available functions setting takes effect the next time the user accesses the printer.

  • To enable Kerberos for LDAP authentication, a realm must be registered beforehand. The realm must be registered using capital letters. For details about registering a realm, see Web Image Monitor Help.

  • Data transmission between the printer and the KDC server is encrypted if Kerberos authentication is enabled. For details about specifying encrypted transmission, see Kerberos Authentication Encryption Setting.

Before beginning to configure the printer, make sure that administrator authentication is properly configured under "Administrator Authentication Management".

1. Log in as the machine administrator from Web Image Monitor.

2. Point to [Device Management], and then click [Configuration].

3. Click [User Authentication Management] under "Device Settings".

4. Select [LDAP Authentication] in the "User Authentication Management" list.

5. Select the "Printer Job Authentication" level.

For details about the printer job authentication levels, see Printer Job Authentication.

If you select [Entire] or [Simple (All)], proceed to Step 7.

If you select [Simple (Limitation)], proceed to Step 6.

6. Specify the range in which [Simple (Limitation)] is applied to "Printer Job Authentication".

You can specify the IP address range to which this setting is applied. Also, you can specify whether or not to apply the setting to the parallel and USB interfaces.

7. Select the LDAP server to be used for LDAP authentication.

8. Enter the login name attribute.

The login name attribute is used as the search criterion for retrieving information about an authenticated user. The printer creates a search filter from the login name attribute and the entered login name, selects the matching user, and retrieves that user's information from the LDAP server into the printer's Address Book.

To specify multiple login attributes, place a comma (,) between them. The search returns entries that match any of the listed attributes.

If you place an equals sign (=) between an attribute and a value (for example: cn=abcde, uid=xyz), the search returns only entries that match all of the specified attribute values. This search function can also be used when Cleartext authentication is specified.

When authentication is performed using the DN format, login attributes do not need to be registered.

The method for selecting the user name depends on the server environment. Check the server environment and enter the user name accordingly.
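The following is an added example, not the printer vendor's code, showing how a search filter can be built from a login name attribute setting as described in Step 8. It assumes the behaviour the step describes: attribute names separated by commas are combined with OR and each is matched against the entered login name; attr=value pairs (the cn=abcde, uid=xyz form) are combined with AND using the literal values given, so the login name is not used in that form. The interpretation of the attr=value form as fixed values is an assumption. The login name is escaped per RFC 4515 so that a name such as *)(uid=* cannot rewrite the filter, which is the check a practitioner wants whenever user input is placed in an LDAP filter.

```python
import re

# Added example (not the printer vendor's code). Builds the LDAP search filter
# that the "login name attribute" setting describes, with RFC 4515 escaping of
# the user-supplied login name. Treating attr=value pairs as fixed literal
# values is an assumption about the printer's behaviour.

ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Without this, a login name such as '*)(uid=*' would change the filter.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_login_filter(login_attributes: str, login_name: str) -> str:
    """Build the search filter for a configured login attribute string.

    'uid'                -> (uid=<name>)
    'cn,uid'             -> (|(cn=<name>)(uid=<name>))
    'cn=abcde, uid=xyz'  -> (&(cn=abcde)(uid=xyz))
    """
    parts = [p.strip() for p in login_attributes.split(",") if p.strip()]
    if not parts:
        raise ValueError("at least one login attribute is required")

    has_values = ["=" in p for p in parts]
    if all(has_values):
        # attr=value form: every pair must match (AND); values are fixed.
        terms = []
        for p in parts:
            attr, _, val = p.partition("=")
            attr, val = attr.strip(), val.strip()
            if not ATTR_NAME.match(attr):
                raise ValueError(f"invalid attribute name: {attr!r}")
            terms.append(f"({attr}={escape_filter_value(val)})")
        op = "&"
    elif any(has_values):
        raise ValueError("do not mix attribute names and attr=value pairs")
    else:
        # attribute-name form: any listed attribute may match the name (OR).
        for attr in parts:
            if not ATTR_NAME.match(attr):
                raise ValueError(f"invalid attribute name: {attr!r}")
        safe_name = escape_filter_value(login_name)
        terms = [f"({attr}={safe_name})" for attr in parts]
        op = "|"

    return terms[0] if len(terms) == 1 else f"({op}{''.join(terms)})"


if __name__ == "__main__":
    # Constructed sample settings and login names, including an injection try.
    samples = [
        ("uid", "alice"),
        ("cn,uid", "alice"),
        ("cn=abcde, uid=xyz", "alice"),
        ("uid", "*)(uid=*"),
    ]
    for attrs, name in samples:
        print(f"{attrs!r:22} {name!r:12} -> {build_login_filter(attrs, name)}")
```

The escaped form of the injection attempt, (uid=\2a\29\28uid=\2a), matches only a literal entry of that name rather than every entry in the search base.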

9. Enter the unique attribute.

Specify a unique attribute on the printer to match the user information in the LDAP server with that in the printer. By doing this, if the unique attribute of a user registered to the LDAP server matches that of a user registered to the printer, the two instances are treated as referring to the same user. You can enter an attribute such as "serialNumber" or "uid". Additionally, you can enter "cn" or "employeeNumber", provided it is unique. If you do not specify the unique attribute, an account with the same user information but with a different login user name will be created in the printer.

10. In "Available Functions", select the printer's functions you want to permit.

LDAP authentication will be applied to the selected functions.

Users can use the selected functions only.

For details about specifying available functions for individuals or groups, see Limiting Available Functions.

11. Click [OK].

12. Log out.