Configuring LDAP Authentication and LDAP Addressing


What information do I need?

1.) LDAP server bind method (Simple or Simple over SSL)
2.) LDAP server
3.) LDAP server port number (389, 636, or 3268)
4.) LDAP bind credentials (if using a service or administrator account)
5.) LDAP bind and search root
6.) LDAP attributes for matching the name entered, for retrieving the email address, and for how the name will be displayed on the front panel of the MFP

What LDAP server do I use?

In most cases the administrator has an IP address or hostname of an LDAP server. If the LDAP server IP address or hostname is unknown, you may be able to use echo %logonserver% to find a domain controller or Active Directory logon server (in most cases the domain controller will contain a replicated version of the LDAP database), or nslookup to find domain controllers on the network.

Using echo %logonserver%:

1.) Open a command window. This can be done a couple of different ways:
    a. By selecting Start > All Programs > Accessories > Command Prompt, OR
    b. Start > Run, type cmd.exe in the dialog box, and press Enter or click OK.
2.) Type echo %logonserver% at the command prompt.
3.) To find the FQDN (fully qualified domain name) of the server returned, perform an nslookup on the returned name. Type nslookup <name of the server returned>, e.g. nslookup idbgcam01. Notice the response from nslookup: the first server and IP address is the DNS server responding to our nslookup request. The second set of responses is the FQDN and IP address of the server name we entered. The FQDN for the server is idbgcam01.americas.cpqcorp.net and the IP address is 16.88.97.243.

NOTE: When entering hostname values for digital sending, for example an LDAP server hostname, it is best to enter the FQDN rather than the short hostname of the server. For example, for the LDAP server enter idbgcam01.americas.cpqcorp.net, NOT idbgcam01.

Using nslookup:

1.) Open a command window. This can be done a couple of different ways:
    a. By selecting Start > All Programs > Accessories > Command Prompt, OR
    b. Start > Run, type cmd.exe in the dialog box, and press Enter or click OK.
2.) Type nslookup <domain name> at the command prompt, e.g. nslookup americas.cpqcorp.net

What if I don't know my domain name?

At a command prompt, type ipconfig /all.

What LDAP port number do I use?

Port 389 is the standard LDAP port number and will be used the majority of the time. Port 636 is used when Simple over SSL is selected for the LDAP server bind method. Port 3268 is the LDAP port used when the LDAP server is a Global Catalog server.

A global catalog server is a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory forest. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multimaster replication. Searches that are directed to the global catalog are faster because they do not involve referrals to different domain controllers. Because a domain controller that acts as a global catalog server stores objects for all domains in the forest, users and applications can use the global catalog to locate objects in any domain within a multidomain Active Directory forest without a referral to a different server.

What is my search root?

The search root defines which part of the LDAP database to search. Search roots may have different syntaxes depending on the OS or NOS they reside on. For example:

o=hp.com or ou=people,o=hp.com (format normally seen on Lotus Notes, Exchange 5.5, or UNIX databases)
DC=americas,DC=cpqcorp,DC=net or ou=accounts,dc=americas,dc=cpqcorp,dc=net (format normally seen for Active Directory (AD) databases)

When the Use Device User's Credentials method is selected, the Bind and Search Root value is used during both phases of authentication. During the credential verification phase, this value is combined with the RDN to construct the full Distinguished Name (DN) of the user. During the user information searching phase, this value is the DN of the LDAP entry where the search begins. When the Use Administrator Credentials method is selected, the Bind and Search Root is only used as a search root.

The Search Root can be set to the base of the LDAP directory, in which case the device will search the entire LDAP tree for the user object corresponding to the username entered at the device. When the Use Device User's Credentials method is selected, multiple bind roots can be typed in this field by separating them with a vertical bar ('|', ASCII 0x7c) character. This can be used, for example, to specify alternate LDAP domains. The device will attempt to bind to the LDAP server using each root in the order listed. After a successful bind, the same root is used to search for the device user's information.

How do I find my search root?

Use an LDAP browser tool; the easiest is LDP.exe, which most administrators will have installed. Microsoft LDP is a support tool that ships with the Windows Support Tools contained on the Windows OS media. To install it, go to the Support folder on the CD, select Tools, select suptools.msi and follow the prompts.

Using LDP.exe

1.) Open LDP by selecting Start > Run, type ldp.exe, and press Enter or click OK.
2.) From the LDP menu, select Connection > Connect.
3.) Type in the IP address or hostname (FQDN) of the LDAP server. The port number should be 389 unless you know that the LDAP server is a Global Catalog server. Leave Connectionless and SSL unchecked.
4.) The following information will be displayed. The results contain the default naming context (sometimes called the base DN). Depending on the environment and how digital sending will be implemented, the default naming context may be used for LDAP addressing (so that you can find the names of people in the LDAP database), or a specific container or search root may be required for authentication. In this case the default naming context is DC=americas,DC=cpqcorp,DC=net.

What do I use for the bind credentials?

When using Simple or Simple over SSL for binding to an LDAP server, use the distinguished name (DN) to bind to the LDAP server.

How do I find the distinguished name or DN?

1.) From the LDP menu, select Connection > Bind.
2.) In the Bind window, input the username, password, and domain, then select OK.

Note: When you bind this way you are binding using NTLM/Kerberos. Once you find the DN, you should test logging on using Simple to make sure that simple bind is enabled. On Windows 2000 and Windows 2003 AD, simple and anonymous bind are disabled by default.

3.) I can verify that I am logged on by the message returned from LDP.
4.) To find the DN, I need to find the attributes associated with my name. To do this, select Browse > Search from the LDP menu.
    a. Type in the search root or base DN (default naming context).
    b. For the filter, we want to search for our name. Most users in the LDAP database are tagged with an objectclass of person or organizationalperson or both. The name used to log in via Kerberos is normally the samaccountname. To find just our own entry we can create a filter that looks for only our name: (&(objectclass=person)(samaccountname=cpicker*)). This filter says to look for an objectclass of person and a samaccountname of cpicker*. The * is a wildcard.
    c. Select Subtree for the Scope.
    d. Select Options. Clear all entries in the Attributes: field and click OK. NOTE: If you do not clear the Attributes: field, the name will most likely not be found.
    e. Click Run in the Search window. You should see information scrolling in the background (this means that the name was found); select Close to close the Search window.

The information in the screenshot below is the result of my search. Note that there is a scroll bar to move through the information. Scroll up to the successful bind message. The next line shows my LDAP search filter and the number of matches. The first attribute listed is my DN, which is:

CN=carol.pickering@hp.com,OU=US,OU=Users,OU=Accounts,DC=americas,DC=cpqcorp,DC=net

Another common format for the DN is:

CN=Pickering\, Carol,OU=US,OU=Users,OU=Accounts,DC=americas,DC=cpqcorp,DC=net

If you are using this DN for Use LDAP Administrator's credentials, you must include the \ when typing in the DN. The \ tells the database (usually AD) that a special character follows, in this case a comma. With current firmware, if you have a cn of the form lastname\, firstname you do NOT need to type the \ from the front panel or when testing in the EWS or DSS; the \ is entered for you. If you enter the \ yourself you end up with lastname\\, firstname as the user name, which is not valid and gives the error message: LDAP verification failed for the following reason(s): The user lastname\\, firstname does not have access rights to the LDAP server.

Email attribute: I can scroll through the list and find my email address; it will be in the format attribute name: email address (i.e. mail: carol.pickering@hp.com). In this example mail is the attribute that holds my email address, but so do cn, name, and userprincipalname.
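The two DN rules above (the Bind and Search Root is joined to the RDN built from the typed name, and a comma inside the cn must be escaped exactly once) and the ordered multi-root bind from the search root section are easy to get wrong by hand. The following Python is an added illustration, not code from this guide or from HP firmware: it escapes the typed value per RFC 4514, joins it to the search root, tries several vertical-bar separated roots in the order listed, and refuses input that already carries a backslash so the doubled-backslash failure described above cannot occur. The in-memory directory, the names and the helper names are constructed assumptions; a dictionary lookup stands in for the real LDAP bind.

```python
"""Building the user DN for the "Use Device User's Credentials" bind method.

Added example, not code from this guide or from HP firmware. The directory,
names and helper names are constructed; a dictionary lookup stands in for the
real LDAP bind.
"""
from typing import Callable, List, Optional

# Characters that must be escaped inside a DN attribute value (RFC 4514, 2.4).
_DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):  # leading/trailing spaces are significant
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def looks_already_escaped(value: str) -> bool:
    """True when the user typed the backslash themselves, e.g. 'Pickering\\, Carol'.

    Escaping that again yields 'Pickering\\\\, Carol', the invalid user name in the
    'does not have access rights to the LDAP server' message described above.
    """
    return any(value[i] == "\\" and value[i + 1] in _DN_SPECIALS + "# "
               for i in range(len(value) - 1))


def build_user_dn(search_root: str, rdn_attribute: str, typed_name: str) -> str:
    """Credential verification phase: RDN from the typed name + Bind and Search Root."""
    if looks_already_escaped(typed_name):
        raise ValueError("type the name without backslashes; escaping is added here")
    return f"{rdn_attribute}={escape_dn_value(typed_name)},{search_root}"


def split_bind_roots(field: str) -> List[str]:
    """Several roots may be typed in the field separated by '|' (ASCII 0x7c)."""
    return [root.strip() for root in field.split("|") if root.strip()]


def bind_with_roots(roots: List[str], rdn_attribute: str, typed_name: str,
                    try_bind: Callable[[str], bool]) -> Optional[str]:
    """Try each root in the order listed; the root that binds is reused for the search."""
    for root in roots:
        if try_bind(build_user_dn(root, rdn_attribute, typed_name)):
            return root
    return None


# Constructed stand-in for the LDAP database: lowercase DN -> attributes.
SAMPLE_DIRECTORY = {
    "cn=pickering\\, carol,ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net":
        {"mail": "carol.pickering@hp.com", "displayname": "Pickering, Carol"},
}


def sample_bind(dn: str) -> bool:
    """Stand-in for the simple bind: succeeds only if the DN exists (DNs compare case-insensitively)."""
    return dn.lower() in SAMPLE_DIRECTORY


if __name__ == "__main__":
    roots = split_bind_roots(
        "dc=emea,dc=cpqcorp,dc=net|ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net")
    print(build_user_dn(roots[1], "cn", "Pickering, Carol"))
    print("bound using root:", bind_with_roots(roots, "cn", "Pickering, Carol", sample_bind))
```

The first root in the constructed field does not contain the user, so the bind falls through to the second root, which is then the one a device would use for the user information search.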

Match the name entered attribute: When a user types in their name to authenticate, we take the attribute they select and append that to the search root or base DN to identify the user and authenticate them. Note: Other attributes may be used, for example samaccountname; however, you may then need to use the option Use LDAP Administrator's credentials rather than Use device credentials. Because of the nature of simple LDAP authentication, we need to be provided with a user to bind to the LDAP database first before it can then search the LDAP database for the user. The LDAP administrator can create a service account that has browse rights to the LDAP database and use this account. When using Simple bind, the username and password are passed in clear text.

And name using the attribute of: The From: field after authenticating will be in the format of this attribute. For example, if I use the displayname attribute, which is in the format lastname, firstname, then when I am authenticated the From: field will be populated with Pickering, Carol.

There is no specification that says which attributes must be used and what information each attribute must be populated with. The LDAP administrator, or whoever created the LDAP database, makes this decision. An LDAP database is simply a flat database that has information associated with an attribute. The MFP and DSS pull the information that is associated with the specified attribute. If the customer does not want to use the information in that attribute, they should look at the LDAP database entries to see what the attributes are populated with and select what works best in their environment.

The information in LDP can be exported to an ldif file. To save it to a file, select Connection > Save As and name the file with an .ldif extension. The customer can then send this file via email for analysis, if needed.

How do I log onto LDP using simple bind?

1.) From the LDP menu, select Connection > Bind.

2.) In the Bind window, select Advanced. Select Simple for Function Type and Method. Select OK.
3.) In the Bind window, type in the user DN and password, and deselect Domain (NTLM/Kerberos). Click OK. User: cn=carol.pickering@hp.com,ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net
4.) Verify that the simple bind is successful.

Configuring the EWS for LDAP Authentication:

Plug in the values we gathered:

Test our settings by typing in the cn and password, then select OK. Reminder: when you test, you do not have to put in cn= since you specified that you would be using the cn. You also do not have to put in the search root since we have already specified a starting point.

If the test is unsuccessful, obtain screenshots of the error, the LDAP configuration, the Test LDAP Authentication screen, and an ldif export if possible.
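The simple bind used in the LDP test and in the EWS settings above is the same RFC 4511 BindRequest the MFP sends, and the guide notes that with Simple bind the username and password are passed in clear text. The following added example (not code from this guide, HP, or Microsoft LDP) builds the exact BER-encoded bytes a client sends for a simple bind on port 389 and decodes them again, which shows why Simple over SSL on port 636 is the right bind method whenever the path between the device and the LDAP server is not trusted. The DN and password are constructed, and nothing is sent over the network.

```python
"""Wire-level view of an LDAP simple bind (RFC 4511 BindRequest, BER-encoded).

Added example, not code from this guide or from HP or Microsoft LDP. The DN and
password are constructed and nothing is sent over the network; the point is
what the bytes on port 389 contain.
"""
from typing import Tuple


def ber_length(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def ber_integer(value: int) -> bytes:
    """INTEGER; message IDs and the protocol version used here fit in one octet."""
    if not 0 <= value < 0x80:
        raise ValueError("only small non-negative integers are handled")
    return tlv(0x02, bytes([value]))


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] password } }."""
    bind_request = tlv(
        0x60,                                    # [APPLICATION 0] constructed: BindRequest
        ber_integer(3)                           # version
        + tlv(0x04, bind_dn.encode("utf-8"))     # name: LDAPDN as OCTET STRING
        + tlv(0x80, password.encode("utf-8")),   # authentication: simple [0] OCTET STRING
    )
    return tlv(0x30, ber_integer(message_id) + bind_request)   # SEQUENCE


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element); handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(pdu: bytes) -> dict:
    """Read the request back exactly as a protocol analyzer on the wire would."""
    tag, message, _ = read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, message_id, pos = read_tlv(message, 0)
    tag, bind, _ = read_tlv(message, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(bind, 0)
    _, name, pos = read_tlv(bind, pos)
    auth_tag, credential, _ = read_tlv(bind, pos)
    return {
        "message_id": message_id[0],
        "version": version[0],
        "dn": name.decode("utf-8"),
        # Tag 0x80 is the 'simple' choice: the password is a plain OCTET STRING.
        "password": credential.decode("utf-8") if auth_tag == 0x80 else None,
    }


if __name__ == "__main__":
    pdu = simple_bind_request(
        1, "cn=carol.pickering@hp.com,ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net",
        "constructed-password")
    print(pdu.hex())
    print(decode_simple_bind(pdu))
```

Over port 636 (Simple over SSL) the same PDU is carried inside a TLS session, so the OCTET STRING holding the password is not readable on the wire; the device setting changes the transport, not the LDAP message.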

LDAP Addressing via Simple bind (using public credentials)

In this example I am selecting Simple for the LDAP bind method and Use public credentials. The username should be specified by the DN, NOT domain\username or samaccountname. In this example I am using the same DN that I found using LDP.exe (cn=carol.pickering@hp.com,ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net). I am using the FQDN for the LDAP server (idbgcam01.americas.cpqcorp.net), but you could also use the IP address of the LDAP server. I'm narrowing my search root to ou=us,ou=users,ou=accounts,dc=americas,dc=cpqcorp,dc=net; I could also use DC=americas,DC=cpqcorp,DC=net, but then my searches may take longer.

I select displayname for Match the name entered with the LDAP attribute of, because in looking through my attributes in LDP.exe the displayname attribute is populated with lastname, firstname. When I look up my name from the front panel I would start typing lastname, firstname and then I would see my name backfill. See screenshot below. Reminder: This particular LDAP database has displayname populated as lastname, firstname; the customer's LDAP database may have a different value. Verify the LDAP attribute if the names are not auto-backfilling correctly.

I selected mail for Retrieve the recipient's email address using attribute of, because in looking through LDP.exe I can see that my email address is populated under the mail attribute. Select Apply to save the settings. Select Advanced.

Maximum LDAP addresses: the maximum number of addresses returned in a search. Smaller values will typically result in faster search times, but may not provide the user with all matching addresses.

Max Search Time: the maximum amount of time that the MFP will wait for the LDAP search to complete. Smaller values will typically result in faster search times, but may not provide the user with all matching addresses.

LDAP Filter Condition: an additional search parameter supported by your LDAP server. This parameter must be in the form of a valid LDAP filter. For example, the filter (l=boise, id, usa) limits searches to addresses of individuals who are located in Boise, Idaho.

Entries in the Database are Alphabetized: check this box if the entries in your LDAP database are alphabetized. If the database is not alphabetized and this box is selected, names may not be found in an LDAP lookup.

Find entries in the Database...: these settings dictate how LDAP search queries are performed. When an MFP user enters a partial name and performs an address book search, the LDAP query can either return only those entries that begin with the partial name, or return all entries that contain the partial name anywhere within the entry's name. The latter method does a more thorough search of the entries in the LDAP database and will generally return more possible choices. The former method will generally return fewer choices, but does so in a shorter amount of time.
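The filter built in the LDP search step earlier, (&(objectclass=person)(samaccountname=cpicker*)), and the Advanced settings just described (begins-with versus contains, the LDAP Filter Condition, and Maximum LDAP addresses) are all variations on one search filter. The following Python is an added example, not code from this guide or from HP: it renders the filter the device would send for a typed partial name, escaping the typed text per RFC 4515 so it can never alter the filter's structure, then evaluates that filter over a constructed in-memory address book with the result cap applied. The address book entries, locations and function names are constructed assumptions, and matching is treated as case-insensitive, as it is for typical AD string attributes.

```python
"""Filters behind the "Match the name entered" lookup and the Advanced search settings.

Added example, not code from this guide or from HP. The address book, names and
locations are constructed; matching is case-insensitive, as it is for typical
AD string attributes. Function names are hypothetical.
"""
import re
from typing import Dict, List, Tuple, Union

Entry = Dict[str, Union[str, List[str]]]


def escape_filter_value(value: str) -> str:
    """RFC 4515: ( ) * \\ and NUL inside a value become \\xx hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "()*\\\x00" else ch for ch in value)


def name_filter(attribute: str, typed: str, contains: bool = False,
                extra_condition: str = "") -> str:
    """Render (&(objectclass=person)(<attribute>=<typed>*)[<extra_condition>]).

    contains=True is the "contains the partial name anywhere" option; the default
    is the faster "begins with" search. extra_condition is the Advanced page's
    LDAP Filter Condition, e.g. "(l=boise, id, usa)".
    """
    pattern = ("*" if contains else "") + escape_filter_value(typed) + "*"
    parts = ["(objectclass=person)", f"({attribute}={pattern})"]
    if extra_condition:
        if not (extra_condition.startswith("(") and extra_condition.endswith(")")):
            raise ValueError("LDAP Filter Condition must be a valid parenthesised filter")
        parts.append(extra_condition)
    return "(&" + "".join(parts) + ")"


def parse_filter(text: str, pos: int = 0) -> Tuple[tuple, int]:
    """Tiny parser for the subset used here: AND nodes and attr=pattern items."""
    if text[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if text[pos] == "&":
        pos += 1
        items = []
        while text[pos] == "(":
            node, pos = parse_filter(text, pos)
            items.append(node)
        if text[pos] != ")":
            raise ValueError("unterminated AND")
        return ("and", items), pos + 1
    end = text.index(")", pos)            # ')' inside a value is always escaped as \29
    attr, _, pattern = text[pos:end].partition("=")
    return ("item", attr.lower(), pattern), end + 1


def _unescape(fragment: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), fragment)


def matches(node: tuple, entry: Entry) -> bool:
    if node[0] == "and":
        return all(matches(child, entry) for child in node[1])
    _, attr, pattern = node
    values = entry.get(attr, [])
    values = [values] if isinstance(values, str) else values
    # Each '*' in the pattern is a wildcard; everything else is literal text.
    regex = "^" + ".*".join(re.escape(_unescape(p)) for p in pattern.split("*")) + "$"
    return any(re.match(regex, v, re.IGNORECASE) for v in values)


def search(book: List[Entry], ldap_filter: str, max_addresses: int = 50) -> List[str]:
    """Return mail values of matching entries, capped like Maximum LDAP addresses."""
    tree, _ = parse_filter(ldap_filter)
    hits = [e["mail"] for e in book if matches(tree, e)]
    return hits[:max_addresses]


# Constructed address book standing in for the LDAP database.
ADDRESS_BOOK: List[Entry] = [
    {"objectclass": ["person", "organizationalperson"], "displayname": "Pickering, Carol",
     "mail": "carol.pickering@hp.com", "l": "boise, id, usa"},
    {"objectclass": ["person"], "displayname": "Pickens, Dan",
     "mail": "dan.pickens@hp.com", "l": "houston, tx, usa"},
    {"objectclass": ["person"], "displayname": "McPickering, Ann",
     "mail": "ann.mcpickering@hp.com", "l": "boise, id, usa"},
    {"objectclass": ["group"], "displayname": "Pickups Team",
     "mail": "pickups@hp.com", "l": "boise, id, usa"},
]


if __name__ == "__main__":
    for flt in (name_filter("displayname", "Pick"),
                name_filter("displayname", "Pick", contains=True),
                name_filter("displayname", "Pick", extra_condition="(l=boise, id, usa)")):
        print(flt, "->", search(ADDRESS_BOOK, flt))
```

The begins-with filter finds two people, the contains filter also picks up the surname that merely contains the typed text, and the location condition narrows the first result to Boise; the group entry is never returned because the objectclass=person term is always part of the filter. Because the typed text is escaped, a value containing parentheses or an asterisk is matched literally rather than being interpreted as filter syntax.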