Configuring LDAP Authentication and LDAP Addressing

Transcription

1 Configuring LDAP Authentication and LDAP Addressing What information do I need? 1.) LDAP server Bind Method (Simple or Simple over SSL) 2.) LDAP server 3.) LDAP server port number (389, 636, or 3268) 4.) LDAP bind credentials (If using a service or administrator account) 5.) LDAP bind and search root 6.) LDAP attributes for matching the name entered, retrieving the address, how the name will be displayed on the front panel of the mfp What LDAP server do I use? In most cases the administrator has an IP address or hostname of an LDAP server. If the LDAP server IP address or hostname is unknown, you may be able to use echo %logonserver% to find a domain controller or Active Directory logon server (in most cases the domain controller will contain a replicated version of the LDAP database) or nslookup to find domain controllers on the network.

2 Using echo %logonserver%: 1.) Open a command window. This can be done a couple of different ways: a. By selecting Start All Programs Accessories Command prompt OR b. Start Run type in cmd.exe in the dialog box press Enter or click OK. 2.) Type echo %logonserver% at the command prompt. 3.) To find the FQDN (fully qualified domain name) for the server returned perform an nslookup on the returned name. Type in nslookup <name of the server returned> i.e. nslookup idbgcam01 Notice the response from the nslookup the first server and IP address is the DNS server responding to our nslookup request. The second set of responses is the FQDN and IP address of the server name we entered. The FQDN for the server is idbgcam01.americas.cpqcorp.net and the IP address is NOTE: When entering hostname values for digital sending, for example and LDAP server hostname, it is best to enter the FQDN rather than the hostname of the server. For example, for the LDAP server put in idbgcam01.americas.cpqcorp.net NOT: idbgcam01. Using nslookup: 1.) Open a command window. This can be done a couple of different ways: a. By selecting Start All Programs Accessories Command prompt OR b. Start Run type in cmd.exe in the dialog box press Enter or click OK. 2.) Type nslookup <domain name> at the command prompt. i.e. nslookup americas.cpqcorp.net

3 What if I don t know my domain name? At a command prompt type in ipconfig /all

4 What LDAP port number do I use? Port 389 is the standard LDAP port number and will be used the majority of the time. Port 636 ia used when simple over SSL is selected for the LDAP server bind method. Port 3268 is the LDAP port used when the LDAP server is a Global Catalog server. A global catalog server is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. Because a domain controller that acts as a global catalog server stores objects for all domains in the forest, users and applications can use the global catalog to locate objects in any domain within a multidomain Active Directory forest without a referral to a different server. What is my search root? The search root is what defines which part of the LDAP database to search. Search roots may have different syntaxes depending on the OS or NOS that they reside on. For example: o=hp.com or ou=people,o=hp.com (Format normally seen on Lotus notes, Exchange 5.5, or UNIX databases) DC=americas,DC=cpqcorp,DC=net or ou=accounts,dc=americas,dc=cpqcorp,dc=net (Format normally seen for Active Directory (AD) databases) When the Use Device User s Credentials method is selected, the Bind and Search Root value is used during both phases of authentication. During the credential verification phase, this value is combined with the RDN to construct the full Distinguished Name (DN) of the user. During the user information searching phase, this value is the DN of the LDAP entry where the search begins. When the Use Administrator Credentials method is selected, the Bind and Search Root is only used as a search root. The Search Root of the base of the LDAP directory can be specified, and the device will search the entire LDAP tree for the user object corresponding to the username entered at the device. When the Use Device User s Credentials method is selected, multiple bind roots can be typed in this field by separating them with a vertical bar (' ', ASCII 0x7c) character. This can be used, for example, to specify alternate LDAP domains. The device will attempt to bind to the LDAP server using each root in the order listed. After successfully performing the binding, the same root is used to search for the device user's information. How do I find my search root? Use an LDAP browser tool, the easiest tool is to use LDP.exe. Most administrators will have LDP.exe installed. Microsoft LDP is a support tool that ships with the Windows Support Tools contained on the Windows OS media. To install go to support on the CD, select Tools, select suptools.msi and follow the prompts to install. Using LDP.exe

5 1.) Open LDP by selecting Start Run type in ldp.exe press Enter or click OK. 2.) From the LDP menu, select Connection Connect 3.) Type in the IP address or hostname (FQDN) of the LDAP server. The port number should be 389 unless you know that the LDAP server is a Global Catalog server. Leave Connectionless and SSL unchecked.

6 4.) The following information will be displayed. The results contain the default naming context (sometimes called the base DN). Depending on the environment and how digital sending will be implemented the default naming context may be used for LDAP addressing (so that you can find the names of people in the LDAP database), or a specific container or search root may be required for authentication. In this case the default naming context is DC=americas,DC=cpqcorp,DC=net What do I use for the bind credentials? When using Simple or Simple over SSL for binding to an LDAP server use the distinguished name or DN attribute to bind to the LDAP server. How do I find the distinguished name or DN? 1.) From the LDP menu, select Connection Bind 2.) In the Bind window, input the username, password, and domain, select OK.

7 Note: When you bind you are binding using NTLM/Kerberos. Once you find the DN, you should test logging on using Simple to make sure that simple is enabled. On Win2000 & Win2003 AD simple and anonymous bind are disabled by default. 3.) I can verify that I am logged on by the messaging returned from LDP: 4.) To find the DN, I need to find the attributes associated with my name. To do this select Browse Search from the LDP menu. a. Type in the search root or base DN (default naming context). b. For the filter, we want to search for our name. Most users in the LDAP database are tagged with an objectclass of person or organizationalperson or both. The name used to login via Kerberos is normally the samaccountname. To discover just our name we can create a filter to look for only our name: (&(objectclass=person)(samaccountname=cpicker*)) This filter says to look for an objectclass of person and samaccountname of cpicker*. The * is a wild card. c. Select Subtree for the Scope.

8 d. Select Options. Clear all entries in Attributes: click OK. NOTE: If you do not clear the Attributes: field then the name will most likely not be found. e. Click Run from the Search window. You should see information scrolling in the background (this means that the name was found), select Close to close the Search window. The information in the screenshot below are the results from my search. Note that there is a scroll bar to search through the information. Scroll up to the successful bind message. The next line shows my LDAP search filter and the number of matches. The first attribute listed is my DN: which is CN=carol.pickering@hp.com,OU=US,OU=Users,OU=Accounts,DC=americas,D C=cpqcorp,DC=net Another common format for the DN is: CN=Pickering\, Carol,OU=US,OU=Users,OU=Accounts,DC=americas,DC=cpqcorp,DC=net

9 If you are using this for Use LDAP Administrator s credentials: you must put in the \ when typing in the DN. The \ is a symbol telling the database (usually AD) that there is a special character coming, in this case a comma. With current firmware, if you have a cn that is lastname\, firstname you do NOT need to put in the \ from the front panel or for testing in the EWS or DSS. The \ is entered for you. If you enter the \ you end up with lastname\\, firstname as the user name which would not be valid and would give you an error message LDAP verification failed for the following reason(s): The user lastname\\, firstname does not have access rights to the LDAP server attribute: I can scroll through the list and find my address, it will be in the format attribute name: address (i.e. mail: carol.pickering@hp.com). In this example mail is the attribute that has my address, however so does cn, name, and userprincipalname.

10 Match the name entered attribute: When a user types in their name to authenticate, we will take the attribute they select and append that to the search root or base DN to identify the user and authenticate them. Note: Other attributes may be used, for example, samaccountname, however you may need to use the option Use LDAP Administrator s credentials rather than using the Use device credentials. Because of the nature of simple LDAP authentication, we need to be provided with a user to bind to the LDAP database fist before it can then search the LDAP database for the user. The LDAP administrator can create a service account that has browse rights to the LDAP database and use this account. When using Simple bind the username and password are passed in clear text. And name using the attribute of: The from: field after authenticating will be in the format of this attribute. For example if I use the displayname attribute, which is in the format of lastname, firstname, then when I am authenticated the from: field with be populated with Pickering, Carol. There is no specification that says what attributes must be used and what information each attribute must be populated with. The LDAP administrator or whoever created the LDAP database makes this decision. An LDAP database is simply a flat database that has information associated to an attribute. The MFP and DSS pull the information that is associated with the specified attribute. If the customer does not want to use the information in that attribute, they should look at the LDAP database entries to see what the attributes are populated with and select what works best in their environment. The information in LDP can be exported to an ldif file. To save this to a file, select connection save as name the file with an ldif extension. The customer can then send this file via for analysis, if needed. How do I log onto LDP using simple bind? 1.) From the LDP menu, select Connection Bind

11 2.) In the Bind window, select Advanced. Select Simple for Function Type and Method. Select OK. 3.) In the Bind window, type in the user DN, password, and deselect Domain (NTLM/Kerberos). Click OK. User: 4.) Verify the simple bind is successful. Configuring the EWS for LDAP Authentication: Plug in the values we gathered:

12 Test our settings by typing in cn and password. Select OK: Reminder: when you test you do not have to put in the cn= since you specified that you would be using the cn. You also do not have to put in the search root since we have already specified a starting point.

13 If the test is unsuccessful, obtain screenshots of the error, LDAP configuration, Test LDAP Authentication screen, and ldif export if possible.

14 LDAP Addressing via Simple bind (using public credentials) In this example I am selecting simple for the LDAP bind method and Use public credentials. The username should be specified by the DN, NOT domain\username or samaccountname. In this example I am using the same DN that I found using LDP.exe (cn=carol.pickering@hp.com,ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net) I am using the FQDN for the LDAP server (idbgcam01.americas.cpqcorp.net), but you could also use the IP address of the LDAP server. I m narrowing my search root to ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net, but I could also use DC=americas,DC=cpqcorp,DC=net, however my searches may take longer. I select displayname for Match the name entered with the LDAP attribute of because in looking through my attributes in LDP.exe the displayname attribute is populated with lastname, firstname. When I look up my name from the front panel I would start typing in lastname, firstname and then I would see my name backfill. See screenshot below. Reminder: This particular LDAP database has the displayname populated by lastname, firstname, however the customer s LDAP database may have a different value. Verify the LDAP attribute if the names are not auto-backfilling correctly.

15 I selected mail for Retrieve the recipient s address using attribute of for the address because in looking through LDP.exe I can see that my address is populated under the mail attribute. Select Apply to save the settings. Select Advanced.

16 Maximum LDAP addresses: this is the maximum number of addresses returned in a search. Smaller values will typically result in faster search times, but may not provide the user with all matching addresses. Max Search Time this is the maximum amount of time that the mfp will wait for the LDAP search to complete. Smaller values will typically result in faster search times, but may not provide the user with all matching addresses. LDAP Filter Condition - An additional search parameter supported by your LDAP server. This parameter must be in the form of a valid LDAP filter. For example, the filter (l=boise, id, usa) limits searches to addresses of individuals who are located in Boise, Idaho. Entries in the Database are Alphabetized - Check this box if your entries in your LDAP database are alphabetized. If the database is not alphabetized and this box is selected names may not be found in an LDAP lookup. Find entries in the Database... - These settings dictate how LDAP search queries are to be performed. When an mfp user enters a partial name and performs an address book search operation, the LDAP query can either return only those entries that begin with the partial name or return all entries that contain the partial name anywhere within the entry's name. The latter method does a more thorough search of the entries in the LDAP database and will generally return more possible choices. And although the former method will generally return less choices, but does so in a shorter amount of time.