Active Directory LDAP Quota and Admin account authentication and management



Version 4.1, updated July 2014
GoPrint Systems, Inc., One Annabel Lane, Suite 105, San Ramon, CA 94583, (925) 790-0070
2014 GoPrint Systems, Inc. All rights reserved.

Table of Contents
Overview ... 1
Create the LDAP Connector Profile ... 3
Base DN ... 6
Search User Account ... 8
Search Filter ... 9
Attributes ... 10
Authentication Test ... 11
Multiple Connectors ... 14
Understanding Authentication ... 14
Search Directory Option ... 15
Integrated Authentication ... 15
LDAP-Driven Accounts by Group Membership ... 16
Troubleshooting ... 22
LDAP Over SSL ... 24
Additional Resources ... 28

Active Directory LDAP Configuration Overview

GoPrint uses the LDAP protocol to authenticate users and import them into the GoPrint database, creating Quota and Admin accounts based on Organizational Unit (OU) or group membership.

Things to know:
1. Multiple LDAP profiles can be created when users need to be authenticated based on different OUs and groups.
2. The user account (Quota account) is NOT created until the user logs in and authenticates, either at the Web Client Popup or at a Print Release Station. At that point an LDAP query is performed; if a match exists, authentication succeeds and the account is created.
3. Before configuring, you need the name of the domain controller, the search user's domain account ID and password, and a test account (a student) with its password.

GoPrint provides options for the following Active Directory attributes:
1. Account ID
2. First Name
3. Last Name
4. Department (optional field, named Reference Number)
5. Email
6. Card Number, validated against a campus OneCard system
7. Reference Number (optional field for custom attributes)

Creating the LDAP Profile

To reach the GoPrint Active Directory LDAP profile configuration, select Accounts > Authentication Connectors.

Standard Authentication and Card Swipe Authentication
GoPrint provides two connector options, Standard Authentication and Card Swipe Authentication. Card Swipe Authentication is used when the student's login ID is programmed on a university campus card, which is swiped at a Print Release Station to release print jobs.

Step 1 - Click Add a Standard Authentication Connector

Step 2 - Select Microsoft Active Directory

Step 3 - Enter Connector Information

Connector Name: create a friendly name that identifies the group of users being authenticated. The name is also used for administration purposes and is helpful when creating multiple LDAP profiles.
Active: check to enable the connector.

LDAP Server
Server Name: enter the fully qualified DNS name of the domain controller. Do NOT enter the IP address. If the FQDN cannot be resolved, a network/DNS problem exists and must be fixed first.
Security: leave the default of Simple (no network privacy).
Note: by default GoPrint applies MD5-level encryption on the network for all user logon and password attempts. If your environment requires the additional security of LDAPS, and a trusted SSL certificate has been installed in the domain controller's certificate store and replicated to Active Directory Domain Services, you may enable LDAP over SSL. That certificate must then be imported into the Java JRE cacerts keystore found under the GS4\jre\lib\security directory. For additional information, refer to the Control Center Advanced HELP topics.

Search Target

Base DN (Distinguished Name): this field specifies the DN of the node at which the search for a user starts. For performance reasons this DN should be as specific as possible, and it must contain commas without spaces. Active Directory is not case sensitive.

Example #1 - Basic root search
Starting a search at the root level of a domain scans the entire directory tree, including all subordinate OUs. For the Active Directory domain campus.edu the Base DN looks like:
DC=campus,DC=edu

Example #2 - Organizational Unit (OU): limiting the search
To reduce system overhead, and to intentionally include or exclude a specific group of users (for example with multiple GoPrint LDAP profiles), you can start the search at the OU level. To start the search at the students OU of the campus.edu domain, use a search base such as:
OU=students,DC=campus,DC=edu

Example #2 (continued) - Nested Organizational Units
When the group of users is nested below one or more OUs, the string is set as follows.
Note: GoPrint does not search for users in the higher-level OUs, only in the specific OU set in the DN!
Hint: a common mistake is to write the DN from the higher OU level downward; it must be written from the starting point upward. In this case our starting point is the medical OU:
OU=medical,OU=main campus,OU=gradstudents,DC=campus,DC=edu

Example #3 - User Container Level Search:
CN=Users,DC=campus,DC=edu
Windows Active Directory provides a default container called Users. Note that this is NOT an Organizational Unit but a built-in container. When a search starts at the Users container, the common name (CN) must be used, not OU.
Note: this is not a common scenario in most environments, but it is important to be aware of.

Search User Account

Search User DN: LDAP requires a domain user account to bind and search against the Active Directory database.
Permissions required: only standard user Read permissions are necessary.
Append Base DN: DO NOT CHECK!
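As an added example (not GoPrint's code), the Python below builds a Base DN from a domain and an OU path the way the three examples above describe it (most specific node first, commas without spaces, CN= for the built-in Users container) and flags the mistakes this section warns about; the function names are my own.

```python
# Added example (not GoPrint's code): build and sanity-check a Base DN as this
# guide describes it: leaf node first, no spaces after commas, CN= for the
# built-in Users container, OU= for organizational units.
import re

# One RDN: OU=, CN= or DC= followed by a value without ',' or '='.
RDN_RE = re.compile(r"^(OU|CN|DC)=[^,=]+$", re.IGNORECASE)


def build_base_dn(domain, ou_path=(), users_container=False):
    """Return a Base DN for `domain` (e.g. 'campus.edu').

    ou_path is given top-down, the way an admin reads the tree
    (e.g. ['main campus', 'gradstudents', 'medical']); the DN is emitted
    leaf-first because the search starts at the most specific node.
    """
    if users_container and ou_path:
        raise ValueError("the built-in Users container is not nested under an OU")
    parts = []
    if users_container:
        parts.append("CN=Users")  # built-in container, not an OU
    parts.extend("OU=%s" % ou for ou in reversed(ou_path))
    parts.extend("DC=%s" % label for label in domain.split("."))
    return ",".join(parts)


def check_base_dn(dn):
    """Return a list of problems found in a hand-typed Base DN (empty = looks fine)."""
    problems = []
    if ", " in dn:
        problems.append("space after a comma (the guide requires commas without spaces)")
    rdns = [r.strip() for r in dn.split(",")]
    for rdn in rdns:
        if not RDN_RE.match(rdn):
            problems.append("malformed RDN %r (expected OU=, CN= or DC= with '=')" % rdn)
    dcs = [r for r in rdns if r.upper().startswith("DC=")]
    if not dcs:
        problems.append("no DC= components: the domain is missing")
    elif not all(r.upper().startswith("DC=") for r in rdns[-len(dcs):]):
        problems.append("DC= components must come last (the DN is written leaf-first)")
    if any(r.upper() == "OU=USERS" for r in rdns):
        problems.append("the built-in Users container is CN=Users, not OU=Users")
    return problems
```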

Step 4 - Configure Search Filter

The default LDAP search filter uses samaccountname (the user's Account ID). Leave the default unless your environment uses a custom search path.
Example: search filter with CN.
Example: search filter limiting the search to users ONLY in the Business Department.

Step 5 - Define Attributes

Sample of common Windows attributes:
Account Profile, Account tab, User Logon: samaccountname, userprincipalname
Account Profile, General tab: givenname, sn, cn (first and last name), email

The Account ID corresponds to the user's domain logon, which is typically samaccountname. This becomes the Quota ID logon.
Note: the user's domain password is captured automatically at first login and updated automatically whenever the password is changed.

Attributes
Account ID: samaccountname (change to cn if cn is used in the search filter)
Card Number: optional field used with OneCard integration
First Name: givenname
Last Name: sn
User Class: select the User Class to which the authenticated users should be added.
Note: the User Class selected here associates the users with either an Admin-level Class or a Payment Method such as a Scheduled Quota, OneCard system, Credit Allowance, or Cash to Account. Ensure the correct Payment Method is designated for the selected LDAP users.

Ref Number: optional field (could be a department name or number)
Email: mail (optional; provides no functionality other than contact information for system administrators when needed)

Authentication Test

Once the LDAP settings are configured, run an authentication test to confirm that a connection can be established and a user search succeeds. Select an authentication profile and enter a username and password to search.

Common Authentication Errors
1. Failed: the user does not exist in the search path, or the password is incorrect.
2. Base DN is incorrect: check for typos or an incorrect search path.

Multiple LDAP Profiles

Multiple profiles can be created to support users by individual OU, commonly when different Quota amounts are granted based on credit hours, department, or graduate level; profiles can also be used to specify Admin levels.
Hint: profiles are searched in the order in which they appear in the main list. The same account ID cannot be associated with multiple profiles.

How do authentication and account creation happen?
The user account (Quota account) is NOT created until the user logs in and authenticates, either at the Web Client Popup or at a Print Release Station. At that point an LDAP query is performed; if a match exists, authentication succeeds and the account is created.

Creating Accounts using the Search Directory tab

Optionally, it may be necessary to create a Quota or Admin account manually. To do so, use the Search Directory option.
Important: unless absolutely necessary, it is recommended to let users authenticate themselves and create their own account, because a manually created account does not capture the user's domain password and a temporary password must be generated to create it.
Hint: the user will not need this temporary password to log in, because the account is updated with the domain password entered during the logon attempt.
Accounts > Manage Users

Integrated Authentication

Once the account has been created, the GoPrint database is queried first at each login. To require an LDAP search at every login, check "Always Authenticate, Authorize, & do not cache passwords" under System > System Policy, Security tab.

LDAP-Driven Accounts Using Group Membership

Authentication and assignment of users to User Classes can be filtered down to the group membership level. This offers greater flexibility in filtering users who exist in the same Organizational Unit or container, and allows you to grant users membership in multiple Class Definitions and their assigned payment methods.
Note: the following steps apply to managing end-users as well as users who are assigned to Administrative Classes and granted various levels of system administration.
Accounts > Authentication Connectors:

Sample: LDAP Connector

Step 1 - Select NONE in the LDAP Connector Attribute section
From the Default Class drop-down menu select NONE.
Important: setting the Default Class to None forces the LDAP search to authenticate users first; then, if a group membership exists at the Class Definition level, the users are granted access to that Class's payment method.

Step 2 - Select LDAP Options
Navigate to Accounts > Class Definitions, select the desired User Class and select LDAP Options.

Step 3 - Enter the corresponding group membership syntax

Option 1 - Group membership using Distinguished Names
Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas. This is the easiest way to drive Class membership from data in the LDAP directory: simply provide the full DN of the group that is associated with this Class of users.
Example: when it is not necessary to specify a complex memberOf string, you can use the built-in distinguished name of the group.
Note: nested OUs are supported.

Option 2 - Group membership LDAP string using the memberOf attribute
Note: each argument must sit in its own set of parentheses, and the entire LDAP statement must be enclosed in one outer set of parentheses.

Scenario #1 - Single group membership
(MemberOf=CN=students,DC=goprintcorp,DC=dyndns,DC=org)

Scenario #2 - Matching multiple groups, & (logical AND): more than one condition, and all conditions in the series must be true.
(&(memberof=cn=medstudents,dc=goprintcorp,dc=dyndns,dc=org)(memberof=cn=law students,dc=goprintcorp,dc=dyndns,dc=org))
The & operator states that all arguments must be true, or match. In this case the matching users MUST be members of BOTH groups, medstudents and law students.

Scenario #3 - Matching multiple groups, | (logical OR): either condition is true.
(|(memberof=cn=med students,dc=goprintcorp,dc=dyndns,dc=org)(memberof=cn=law students,dc=goprintcorp,dc=dyndns,dc=org))
The | operator states that EITHER argument can be true. In this case users can be a member of either group, med students or law students.

Scenario #4 - Excluding a group, ! (logical NOT): exclude objects that have a certain attribute.
(&(memberof=cn=med students,dc=goprintcorp,dc=dyndns,dc=org)(!(memberof=cn=law students,dc=goprintcorp,dc=dyndns,dc=org)))
The ! operator negates the single argument it wraps, so combined with & the first argument must be true and NOT the second. In this case the filter MUST match users in the group med students and exclude users in the group law students.

Optional operators used to refine searches:
Operator   Description
=          Equal to
~=         Approximately equal to
<=         Lexicographically less than or equal to
>=         Lexicographically greater than or equal to
&          AND
|          OR
!          NOT

LDAP Ports
The network ports used by Active Directory searches are listed in the following table.
Port assignments for Active Directory searches:
Service Name               UDP    TCP
LDAP                       None   389
LDAP SSL                   None   636
Global Catalog LDAP        None   3268
Global Catalog LDAP SSL    None   3269
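The memberOf filters from Scenarios #1 to #4 above, parsed and evaluated against constructed user entries by an added example that is not GoPrint's code: parse_filter() enforces the two rules stated in the note (every argument in its own parentheses, one outer set) plus the LDAP rule that ! wraps exactly one argument, and user_matches() applies the &, | and ! semantics; all names here are my own.

```python
# Added example (not GoPrint's code): parse and evaluate the memberOf filter
# strings used in the Class Definition "LDAP Options" above.

def parse_filter(text):
    """Parse an RFC 4515-style filter into nested tuples; raise ValueError on bad syntax."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if pos >= len(text):
            raise ValueError("unterminated filter")
        op = text[pos]
        if op in "&|!":
            pos += 1
            args = []
            while pos < len(text) and text[pos] == "(":  # each argument in its own ( )
                args.append(node())
            if op == "!" and len(args) != 1:
                raise ValueError("NOT takes exactly one argument; combine with (&...)")
            if not args:
                raise ValueError("%s needs at least one argument" % op)
            result = (op, args)
        else:  # attribute=value comparison; the value itself may contain '='
            end = text.find(")", pos)
            if end < 0:
                raise ValueError("missing ')' for comparison at offset %d" % pos)
            attr, _, value = text[pos:end].partition("=")
            if not attr or not value:
                raise ValueError("bad attribute=value comparison at offset %d" % pos)
            result = ("=", attr.lower(), value)
            pos = end
        expect(")")
        return result

    tree = node()
    if pos != len(text):
        raise ValueError("text after the outer parentheses; the whole filter needs one outer set")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against {attribute: [values]}; AD compares case-insensitively."""
    op = tree[0]
    if op == "=":
        _, attr, value = tree
        return any(v.lower() == value.lower() for v in entry.get(attr, []))
    if op == "&":
        return all(matches(arg, entry) for arg in tree[1])
    if op == "|":
        return any(matches(arg, entry) for arg in tree[1])
    return not matches(tree[1][0], entry)  # op == "!"


def user_matches(filter_text, entry):
    """Parse `filter_text` and test it against a user entry (attribute names in any case)."""
    lowered = {k.lower(): list(v) for k, v in entry.items()}
    return matches(parse_filter(filter_text), lowered)


# Constructed sample users carrying the group DNs used in the scenarios above.
MED = "cn=med students,dc=goprintcorp,dc=dyndns,dc=org"
LAW = "cn=law students,dc=goprintcorp,dc=dyndns,dc=org"
BOTH_GROUPS = {"memberOf": [MED, LAW]}
MED_ONLY = {"memberOf": [MED]}
```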

Troubleshooting Bind and Search Issues

Whenever a test fails, it is important to understand how the search and authentication process is initiated. The best point of reference is the GoPrint RUN.log file found under GS4\Logs.
To enable debug logging: edit the GS4\Goprint.cfg file and add the line
verbose=true

A successful bind and search
A search attempt first binds as the authenticated user (the search user). If successful, that user's distinguished name is logged as follows:
] LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
Once the search user is authenticated, an attempt is made to find the specific user entered during the test. In this case the user Steve was found under the IT Staff OU:
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.ldapconnector ] LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com

Failed to find the authenticated user
An error with data code 525 is returned when the account cannot be found. This can be caused by a number of things:
- The authenticated user account is not located in the search path
- The authenticated username may be misspelled
- The DisplayName may be required
- The search filter path contains typos
- An incorrect server name was provided
] LDAP authentication for CN=goprintldap,cn=Users,DC=goprint,DC=com failed: [LDAP: error code 49-80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]

Wrong password provided by the authenticated user
Incorrect passwords are indicated by a 52e error:
LDAP authentication for CN=goprintldap,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49-80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
525 - user not found
52e - invalid credentials

Authenticated user and end-user accounts are found, but an invalid password was entered
LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
The user account Fred is found, but error 52e is returned, indicating that invalid credentials were entered:
2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.ldapconnector ] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49-80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]

End-user account does not exist
LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.authenticationmanager] Authentication failed: null [Root exception is javax.naming.communicationexception: goprint.com:389 [Root exception is java.net.sockettimeoutexception: connect timed
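The RUN.log triage described in this troubleshooting section, as an added example that is not GoPrint's code: it recognises the three line shapes shown above (successful bind, error code 49 bind failure with its data sub-code, and the connection time-out) over a constructed log excerpt. The 525 and 52e meanings are from this guide; the other sub-codes in the table are Microsoft's documented AcceptSecurityContext data values and go beyond the page.

```python
# Added example (not GoPrint's code): classify the LDAP events that appear in
# GS4\Logs\RUN.log with verbose=true, using constructed log lines in the
# format shown in this section.
import re

# "data NNN" sub-codes carried in an error code 49 bind failure.
AD_BIND_DATA = {
    "525": "user not found (check Base DN, search filter and spelling)",
    "52e": "invalid credentials (wrong password)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_FAIL_RE = re.compile(
    r"LDAP authentication for (?P<dn>.+?) failed: \[LDAP: error code (?P<code>\d+)"
    r"(?:\s*-\s*[0-9A-Fa-f]+)?: LdapErr: .*?data (?P<data>[0-9a-f]+)"
)
BIND_OK_RE = re.compile(r"LDAP Auth for (?P<dn>.+?)\s*$")
CONN_FAIL_RE = re.compile(
    r"CommunicationException: (?P<host>[^:\s\[]+):(?P<port>\d+)", re.IGNORECASE
)


def classify_line(line):
    """Return (kind, detail) for one RUN.log line, or None if it is not an LDAP event."""
    m = BIND_FAIL_RE.search(line)
    if m:
        data = m.group("data").lower()
        meaning = AD_BIND_DATA.get(data, "unknown sub-code")
        if m.group("code") != "49":
            meaning = "LDAP result code %s (not a credential problem)" % m.group("code")
        return ("bind-failed", "%s: %s (data %s)" % (m.group("dn"), meaning, data))
    m = CONN_FAIL_RE.search(line)
    if m:
        return ("connect-failed",
                "no LDAP service reachable at %s:%s (check server FQDN, DNS and firewall)"
                % (m.group("host"), m.group("port")))
    m = BIND_OK_RE.search(line)
    if m:
        return ("bind-ok", m.group("dn"))
    return None


def summarize(log_text):
    """Tally LDAP events per kind and collect failure details; returns (counts, details)."""
    counts, details = {}, []
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is None:
            continue
        kind, detail = result
        counts[kind] = counts.get(kind, 0) + 1
        if kind != "bind-ok":
            details.append(detail)
    return counts, details


# Constructed RUN.log excerpt in the format shown above (not a real capture).
SAMPLE_LOG = """\
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.ldapconnector ] LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.ldapconnector ] LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com
2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.ldapconnector ] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.authenticationmanager] Authentication failed: null [Root exception is javax.naming.CommunicationException: goprint.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
"""
```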

Import Domain SSL Certificate for LDAP over SSL Authentication

Using Java keytool:
C:\GS4\jre\bin>keytool -import -keystore C:\gs4\jre\lib\security\cacerts -alias anyname -file c:\domaincert.cer
Enter keystore password:
Owner: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us
Issuer: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us
Serial number: 49b591b2
Valid from: Mon Mar 09 15:01:22 GMT-07:00 2009 until: Sat Dec 03 15:01:22 GMT-07:00 2011
Certificate fingerprints:
MD5: 93:03:47:C3:65:EA:C8:D2:D5:1C:E9:46:25:6C:CC:CE
SHA1: 60:B6:C8:81:98:D1:53:8B:20:55:12:B7:3E:89:FB:89:99:A0:51:C5
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: y
Certificate was added to keystore

Import Using the SSL Certificates Tool
1. System > SSL Certificates
2. Select Authorities
3. Enter a hostname and port

4. Enter the server's hostname or IP address and port 636, then select Snag Certificate
5. Confirm the import

6. Restart the GS-4 services
7. Enable SSL over LDAP
8. Save

Common error: check with your system administrator to ensure SSL is enabled for the domain.

Additional Resources

Global catalog search base
For an LDAP search, you must supply a valid search base. For a global catalog search, the search base can be any value, including NULL (""). A search base of NULL effectively scopes the search on the search computer to the global catalog. If you use a NULL search base with a scope of one level or subtree and specify port 389 (the default LDAP port), the search fails. Therefore, if you submit a NULL search to the global catalog port and then change the port to the LDAP port, you must change the search base for the search to succeed.

Characteristics of a global catalog search
The following additional characteristics differentiate a global catalog search from a standard LDAP search:
- A global catalog search crosses directory partition boundaries. The extent of an LDAP search is the directory partition.
- A global catalog search does not return subordinate referrals. If you use port 3268 to request an attribute that is not in the global catalog, you do not receive a referral to it. Subordinate referrals are an LDAP response. When you query a server over port 3268, you receive global catalog responses, which are based solely on the contents of the global catalog. If you query the same server over port 389, you receive referrals for objects that are in the forest but whose attributes are not referenced in the global catalog.

Anonymous queries
By default, anonymous LDAP operations to Active Directory, other than rootDSE searches and binds, are not permitted in Windows Server 2003. (Active Directory in Windows 2000 Server accepts anonymous requests; a successful result depends on objects having correct user permissions in Active Directory.)

To enable anonymous binding to Active Directory in Windows Server 2003, you must change the seventh character of the dsHeuristics attribute on the following directory object:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<root domain in forest>

Valid values for the dsHeuristics attribute are 0 and 2. By default, the dsHeuristics attribute does not exist, but its internal default is 0. If you set the seventh character to 2, anonymous clients can perform any operation that is permitted by the access control list (ACL). If the attribute is already set, do not modify any characters in the dsHeuristics string other than the seventh. If the value is not set, make sure that you provide the leading zeros up to the seventh character. You can use Adsiedit.msc to make the change to the dsHeuristics attribute.

After you set the dsHeuristics attribute, if you want anonymous users to be able to query Active Directory, you can enable anonymous access to specific directory objects. Users gain anonymous access to Active Directory objects through Anonymous Logon, which is a special security identifier (SID) that is used to represent anonymous network callers that perform an LDAP bind with NULL credentials.
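The seventh-character rule above, as an added example that is not GoPrint's or Microsoft's code: one function reports whether a dsHeuristics value already opens anonymous LDAP access (useful when auditing a forest), and the other rewrites only that position, padding an unset value with the leading zeros the text calls for; the names are my own.

```python
# Added example (not GoPrint's code): inspect and update the anonymous-LDAP
# switch in dsHeuristics without disturbing any other position of the string.

ANON_POS = 7  # 1-based position of the anonymous-LDAP character


def anonymous_ldap_enabled(dsheuristics):
    """True when the seventh character is '2'.

    An absent attribute (None or '') behaves like the internal default of all
    zeros, i.e. anonymous operations beyond rootDSE and bind are not permitted.
    """
    value = dsheuristics or ""
    return len(value) >= ANON_POS and value[ANON_POS - 1] == "2"


def set_anonymous_ldap(dsheuristics, enable):
    """Return dsHeuristics with only the seventh character changed ('2' on, '0' off).

    Characters before and after position 7 are preserved; a value shorter than
    seven characters is padded with zeros up to that position first.
    """
    chars = list(dsheuristics or "")
    if len(chars) < ANON_POS:
        chars.extend("0" * (ANON_POS - len(chars)))  # leading zeros up to position 7
    chars[ANON_POS - 1] = "2" if enable else "0"
    return "".join(chars)
```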