LDAP Admin Guide For ARM236/ARM276 And ARM550/620/700U
AR-M550/620/700U Training
Created by Michael Anastassiou, Document Solutions Centre

LDAP Admin Setup Guide (Draft)

Preface

This document provides information to help system administrators with the LDAP Global Address Book and User Authentication features of the Multi-function peripheral (MFP). With this information, the administrator will:
• Better understand how the LDAP Global Address Book and User Authentication features interact on the MFP.
• Have a foundation to conduct basic troubleshooting for issues surrounding the LDAP global address search and user authentication.

This document assumes general knowledge of LDAP and its components, as well as a basic understanding of directory concepts. The LDAP configuration and troubleshooting guidance in this document is not exhaustive. The multitude of variables in supported environments means that problems encountered may require more time and expertise to implement and troubleshoot than simple network printing. Cooperation between the different support personnel at the user's installation site is also often required.


Table of Contents

Preface
List of Figures
List of Tables
2. Overview
3. LDAP Directory Basics
3.1. Search Root for Directory Entries
3.2. Microsoft Exchange 5.5
3.2.1. MS Exchange 5.5 Objects
3.3. Active Directory
3.3.1. Active Directory Objects
3.3.2. Case 1: A Simple Case
3.3.3. Case 2: A More Complex Case
3.4. Novell eDirectory 8.7
3.4.1. Novell eDirectory 8.7 Objects
4. Basic Server Configuration
4.1. Kerberos KDC
4.2. DNS Server
4.3. Microsoft Exchange 5.5
4.3.1. Maximum Number of Search Results Returned
4.4. Active Directory / Exchange 2000 Configuration
4.4.1. Enable Anonymous LDAP Access
4.4.2. Maximum Number of Search Results Returned
4.5. Active Directory / Exchange 2003 Configuration
4.5.1. Enable Anonymous LDAP Access
4.5.2. Maximum Number of Search Results Returned
4.6. Linux/OpenLDAP
4.7. Novell eDirectory 8.7
5. Basic MFP Configuration
5.1. DNS Setup
5.2. Kerberos Authentication Setup
5.3. Clock Setup
5.4. Global Address Book Setup
5.4.1. Global Address Book Setup Example for Case 2
5.4.2. Global Address Book Setup Example for MS Exchange
5.4.3. Global Address Book Setup Example for Novell eDirectory 8.7
5.4.4. User Name Entry
5.4.5. Additional Notes
5.5. User Authentication
6. Basic Troubleshooting
6.1. LDAP Configuration Problems
6.2. Authentication Problems
7. Glossary


List of Figures

Figure 1. Global Address Search
Figure 2. Active Directory Users and Computers for Case 1
Figure 3. User Properties for Mary Smith
Figure 4. Active Directory Users and Computers for Case 2
Figure 5. User Properties for John Doe
Figure 6. Novell eDirectory Configuration Using Novell ConsoleOne
Figure 7. DNS Setup Web Page
Figure 8. Kerberos Setup Web Page
Figure 9. Active Directory Users and Computers Tool
Figure 10. Time Zone Setup
Figure 11. MFP Clock Adjust
Figure 12. Global Address Book Setup Web Page for Case 1
Figure 13. Global Address Book Setup Web Page for Case 2
Figure 14. Global Address Book Setup Web Page for MS Exchange 5.5
Figure 15. Global Address Book Setup Web Page for Novell eDirectory 8.7
Figure 16. Network Scanning Setup Web Page
Figure 17. Sender Management Web Page

List of Tables

Table 1. Authentication Types
Table 2. User Name Entry Formats
Table 3. User Name Entry for MS Exchange 5.5
Table 4. User Name Entry for Active Directory 2000
Table 5. User Name Entry for Active Directory 2003
Table 6. User Name Entry for OpenLDAP
Table 7. User Name Entry for Novell eDirectory 8.7


2. Overview

The LDAP protocol is used for accessing the global address book when selecting e-mail recipients and for user authentication [1]. The User Authentication feature on the MFP requires users to log into the network at the MFP front panel before using the network scanning function. User authentication via LDAP provides great flexibility because the server handles verification of the user name and password. The Global Address Book and User Authentication features are configured using the MFP web interface. This document describes basic setup with the following LDAP servers:
• Microsoft Exchange 5.5
• Microsoft Active Directory (Windows 2000)
• Microsoft Active Directory (Windows Server 2003)
• OpenLDAP
• Novell eDirectory 8.7

To use the global address book, the MFP acts as an LDAP client to an LDAP server as shown in Figure 1. The client requests a service and the server carries out the task. A typical LDAP session between the MFP and the LDAP server is as follows:

1. The MFP sends a bind request to the server. The bind request is the first message of an LDAP session. It can be an anonymous bind, a simple bind or one of the Simple Authentication and Security Layer (SASL) mechanisms [5]. Section 5.4 provides more details on the different authentication types.

2. The server receives the bind request and, if it is willing to provide service to the MFP, answers with a bind response. Depending on the bind type, the server may first authenticate the device (the user name and password configured on the MFP).

3. Upon receiving a successful bind response, the MFP sends the details of the desired service (a search request) to the server. The MFP uses a search filter to define the search request and asks that the common name and e-mail address attributes be returned in the search results.

4. The server executes the search and returns the matching entries. The retrieved common name attribute(s) are displayed on the global address search web page or the front panel. The e-mail address attribute of the selected entry is used as the recipient's e-mail address.

5. At this point the MFP may continue with another search request or may terminate the session (unbind).

Figure 1. MFP Global Address Search (the Sharp Andromeda MFP, acting as LDAP client, searches the Global Address Book on an LDAP server such as Windows Active Directory)
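The bind and search of steps 1 and 3, as an added example that is not code from the guide, from the MFP firmware or from any vendor: a small Python encoder that produces the BER-encoded LDAPv3 messages an LDAP client puts on the wire, so the device's traffic can be checked against it in a packet capture. The search root, attribute names and typed prefix are constructed sample values, and the filter shape (&(cn=<prefix>*)(mail=*)) is an assumption about what an address-book lookup sends, not something the guide states.

```python
"""BER encoder for the LDAPv3 bind and search PDUs described in Section 2.

Added example, not code from the MFP or from any vendor: it produces the
bytes an LDAP client sends in steps 1 and 3 of the session so they can be
compared byte-for-byte with a packet capture of the device.  The base DN,
attribute names and typed prefix are constructed sample values.
"""

# --- BER primitives (X.690, definite-length encoding) -----------------------

def ber_len(n: int) -> bytes:
    """Length octets: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value with a one-octet tag (every LDAP tag fits in one)."""
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(v: int, tag: int = 0x02) -> bytes:
    """INTEGER (0x02) or ENUMERATED (0x0A) in minimal two's complement."""
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
        n += 1
    return tlv(tag, v.to_bytes(n, "big", signed=True))

def ber_str(s: str, tag: int = 0x04) -> bytes:
    """OCTET STRING; LDAPString values are UTF-8."""
    return tlv(tag, s.encode("utf-8"))

def ber_seq(*items: bytes, tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(items))

# --- LDAP PDUs (RFC 4511) ---------------------------------------------------

def ldap_message(message_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return ber_seq(ber_int(message_id), protocol_op)

def bind_request(message_id: int, name: str = "", password: str = "") -> bytes:
    """BindRequest [APPLICATION 0] with simple authentication [0].

    Empty name and password is an anonymous bind.  A name with an empty
    password is an 'unauthenticated' bind that servers treat as anonymous
    (RFC 4513 5.1.2); that is what the user 'anonymous' with no password in
    Section 4.4.1 puts on the wire.  A non-empty password travels in clear.
    """
    op = ber_seq(ber_int(3), ber_str(name), ber_str(password, tag=0x80), tag=0x60)
    return ldap_message(message_id, op)

def filter_present(attr: str) -> bytes:
    """Filter present [7]: (attr=*)"""
    return ber_str(attr, tag=0x87)

def filter_prefix(attr: str, prefix: str) -> bytes:
    """Filter substrings [4] with only an initial [0] part: (attr=prefix*).

    The typed prefix is carried as a raw OCTET STRING, so '*', '(' or ')'
    in it cannot change the filter structure; a filter assembled as text
    would need RFC 4515 escaping to get the same guarantee.
    """
    return ber_seq(ber_str(attr), ber_seq(ber_str(prefix, tag=0x80)), tag=0xA4)

def filter_and(*filters: bytes) -> bytes:
    """Filter and [0]: (&(f1)(f2)...)"""
    return ber_seq(*filters, tag=0xA0)

def search_request(message_id: int, base_dn: str, flt: bytes,
                   attrs=("cn", "mail"), size_limit: int = 0,
                   time_limit: int = 0) -> bytes:
    """SearchRequest [APPLICATION 3], scope wholeSubtree, no alias deref.

    size_limit 0 means 'no client limit'; the server still applies its own
    (Exchange 5.5 'Maximum number of search results', AD MaxPageSize).
    """
    op = ber_seq(
        ber_str(base_dn),
        ber_int(2, tag=0x0A),        # scope: wholeSubtree
        ber_int(0, tag=0x0A),        # derefAliases: neverDerefAliases
        ber_int(size_limit),
        ber_int(time_limit),
        tlv(0x01, b"\x00"),          # typesOnly: FALSE
        flt,
        ber_seq(*(ber_str(a) for a in attrs)),
        tag=0x63,
    )
    return ldap_message(message_id, op)

def address_book_search(message_id: int, base_dn: str, typed_prefix: str) -> bytes:
    """An address-book lookup: (&(cn=<prefix>*)(mail=*)) returning cn and mail."""
    flt = filter_and(filter_prefix("cn", typed_prefix), filter_present("mail"))
    return search_request(message_id, base_dn, flt)

if __name__ == "__main__":
    print(bind_request(1).hex())                      # anonymous bind, step 1
    print(address_book_search(2, "cn=Users,dc=surfnet,dc=local", "Mary").hex())
```

The anonymous bind encodes to the familiar 14-byte sequence 30 0c 02 01 01 60 07 02 01 03 04 00 80 00, which is a quick way to recognise step 1 in a capture; a simple bind with the MFP's credentials differs only in the two OCTET STRING values, and both are readable in clear text on port 389.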


3. LDAP Directory Basics

A directory is a specialized database designed to retrieve information quickly and securely. It is optimized for read access because the type of information in the directory is searched often but changes infrequently. For example, a user name added for a new employee is not likely to change for the entire period of employment. Information about services, resources, users and other objects accessible from the application is organized as a collection of individual entries, each holding the information about one resource. To make access to these entries as efficient as possible, they are organized in a hierarchy called the Directory Information Tree (DIT). In an X.500-style directory the root of the tree is typically the country (C) followed by an organization (O); Active Directory instead roots the tree in domain components (DC), see Section 3.3.1. One or more organizational units (OU) typically appear below the root. These are container objects, in that they can contain other directory entries. Directory entries that store information about a specific resource are added to the tree under an existing container object. The path to each entry in the tree is called its distinguished name (DN), and each DN in the tree is unique.

3.1. Search Root for Directory Entries

The search root is formed by concatenating the names of the root and of each branch of the tree down to the point where the search should commence. It should be the branch of the tree closest to the data being searched; in most installations all data being sought is in one branch of the LDAP tree. The form of the search root differs between Microsoft Exchange 5.5, Active Directory (2000 and 2003) and other LDAP servers. Specific guidance on finding the correct search root for Microsoft Exchange 5.5, Microsoft Active Directory 2000 and 2003 and Novell eDirectory 8.7 is given below. For more detailed information, and for other directories such as Lotus Notes, refer to the product documentation for that server.

3.2. Microsoft Exchange 5.5 This section describes the LDAP structure for the standard installation of Microsoft’s Exchange 5.5.

3.2.1. MS Exchange 5.5 Objects

MS Exchange 5.5 uses the following directory object keywords.

Keyword | Meaning in a DN | Description
O | Organization | Name of the Exchange organization, the top of the Exchange 5.5 directory (o=sec in the example below).
OU | Organizational Unit | Unit within an organization; in Exchange 5.5 the site, one of the containers that holds other objects.
CN | Common Name | Full name of a person or object defined by the entry.

Exchange 5.5 will usually have a search root beginning with "cn=Recipients". The root of the tree can be determined by reading the registry with regedit on the server where Exchange is installed. Browse to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeCCMC\Parameters\SiteDN

Take the value in the above key and create the search root from it. For example, if you see "/o=sec/ou=slacamas" you would create as the search root:

cn=Recipients,ou=slacamas,o=sec

Note that the components of the search root are listed in reverse order from what is displayed in Exchange, and that commas separate the components rather than forward slashes. See the Exchange administrator if there is any difficulty.

3.3. Active Directory This section describes the LDAP structure for the standard installation of Microsoft’s Active Directory (AD). The information in this section applies to AD in both Windows 2000 and Windows Server 2003.

3.3.1. Active Directory Objects

In Active Directory, objects are stored in a hierarchical, folder-like structure and can be nested several layers of Organizational Units (OU) deep. Active Directory keeps track of these objects using LDAP naming paths, which take two forms: Distinguished Names and Relative Distinguished Names. Each AD object has a distinguished name (DN): the name itself pinpoints the exact location of the object in the directory. Several object keywords are used in the distinguished name:

Keyword | Meaning in a DN | Description
DC | Domain Component | Part of the DNS name of the domain. This keyword is typically used at the top levels of AD.
OU | Organizational Unit | One of the containers in AD that holds other objects.
CN | Common Name | Objects in AD, such as Users, Computers, Printers.

These keywords can be used more than once in a distinguished name, if necessary, to accurately name the path to the object. For instance, the user John Doe in the West department of Sales in the domain Surfnet.local might have a DN like this:

CN=John Doe,OU=West,OU=Sales,DC=Surfnet,DC=local

In this example there are two OU components and two DC components. The Relative Distinguished Name is simply the portion of the Distinguished Name that uniquely identifies an object within the object's parent container. For instance, John's RDN from the above example would be:

CN=John Doe

An RDN does not have to be unique. A user John Doe in the East department might have exactly the same RDN, though his DN would, of course, indicate that his account was in a different OU.
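The conversions this section and Section 3.2.1 describe by hand, as an added example that is not part of the guide or of any Sharp tool: turning the Exchange 5.5 SiteDN registry value into the comma-form search root, splitting an Active Directory DN into its RDN and parent while honouring backslash escapes, deriving the DC= base from a DNS domain name, and testing whether an object falls under a given search root. The sample DNs are the guide's own examples plus one constructed escaped value; matching is case-insensitive because cn, ou, o and dc all use case-ignoring matching rules in the standard schema.

```python
"""DN helpers for the search-root rules in Sections 3.2.1 and 3.3.1.

Added example, not from the guide or any vendor tool.  Sample DNs are the
guide's (Surfnet.local, /o=sec/ou=slacamas) plus one constructed escaped
value.
"""

def split_dn(dn: str) -> list:
    """Split a comma-form DN into RDN strings, leaf first.

    A backslash escapes the next character (RFC 4514), so a value such as
    'Doe\\, John' is not split at its comma; escapes are kept verbatim so
    the parts can be re-joined without change.
    """
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep escape + escaped char together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return parts

def rdn(dn: str) -> str:
    """Relative Distinguished Name: the leftmost component."""
    return split_dn(dn)[0]

def parent_dn(dn: str) -> str:
    """DN of the container that holds the object (everything after the RDN)."""
    return ",".join(split_dn(dn)[1:])

def exchange_search_root(site_dn: str, container: str = "Recipients") -> str:
    """'/o=sec/ou=slacamas' (registry SiteDN) -> 'cn=Recipients,ou=slacamas,o=sec'.

    The slash form lists components root first; LDAP lists them leaf first,
    so the components are reversed, joined with commas and prefixed with the
    Recipients container.
    """
    comps = [c for c in site_dn.strip().split("/") if c]
    if not comps or not all("=" in c for c in comps):
        raise ValueError("expected /type=value/type=value..., got %r" % site_dn)
    return ",".join(["cn=" + container] + list(reversed(comps)))

def domain_to_base_dn(dns_domain: str) -> str:
    """'Surfnet.local' -> 'DC=Surfnet,DC=local', the top of an AD tree."""
    labels = [l for l in dns_domain.strip(".").split(".") if l]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("DC=" + l for l in labels)

def _normalise(dn: str) -> list:
    """Lower-case types and values: cn, ou, o and dc all use case-ignore
    matching rules, so 'dc=surfnet' and 'DC=Surfnet' name the same entry."""
    out = []
    for part in split_dn(dn):
        attr_type, _, value = part.partition("=")
        out.append(attr_type.strip().lower() + "=" + value.strip().lower())
    return out

def in_search_root(dn: str, search_root: str) -> bool:
    """Would a whole-subtree search from search_root return this object?
    True when the root's components are a suffix of the object's DN."""
    obj, root = _normalise(dn), _normalise(search_root)
    return len(obj) >= len(root) and obj[-len(root):] == root

if __name__ == "__main__":
    john = "CN=John Doe,OU=West,OU=Sales,DC=Surfnet,DC=local"
    print(exchange_search_root("/o=sec/ou=slacamas"))
    print(rdn(john), "|", parent_dn(john))
    print(domain_to_base_dn("Surfnet.local"))
    print(in_search_root(john, "ou=west,ou=sales,dc=surfnet,dc=local"))
```

in_search_root is the check to run when an address book returns nothing: a search root of OU=West,OU=Sales,DC=Surfnet,DC=local will never return Mary Smith from CN=Users, however the filter is written.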

3.3.2. Case 1: A Simple Case

In the default configuration of Active Directory, AD provides a "Users" container under the domain. The default "Users" container can be used to add user accounts. A simple directory structure is illustrated below.

The user Mary Smith in this directory has the following DN:

CN=Mary Smith,CN=Users,DC=Surfnet,DC=local

The user John Smith in this directory has the following DN:

CN=John Smith,CN=Users,DC=Surfnet,DC=local

A tool such as Microsoft's Active Directory Users and Computers MMC snap-in can be used to view directory objects. Figure 2 shows the Active Directory Users and Computers tool's view of the above directory structure. Figure 3 details the user properties for Mary Smith.

Figure 2. Active Directory Users and Computers for Case 1

DC=Surfnet,DC=local
  CN=Users
    CN=Mary Smith
    CN=John Smith


Figure 3. User Properties for Mary Smith

This case will be referred to throughout this document as an example for setting up the LDAP global address book feature.

3.3.3. Case 2: A More Complex Case

Administrators can also use the Active Directory administration tools to create new organizational units, users and groups. Organizational Units (OU) can be used to mirror the corporate structure, for example one per location, division, etc., and can be further subdivided into groups of objects that share similar settings. An example is illustrated below.

Figure 4 shows the Active Directory Users and Computers tool's view of the directory structure for Case 2. Figure 5 details the user properties for John Doe.

Figure 4. Active Directory Users and Computers for Case 2

DC=Surfnet,DC=local
  OU=Sales
    OU=East
    OU=West
      CN=John Doe
      CN=Cathy Jones
  OU=Imaging
  OU=Administration


Figure 5. User Properties for John Doe

This case will also be referenced throughout this document as an example for setting up the LDAP global address book feature. To create an address book for the West department, the following search root would be used:

OU=West,OU=Sales,DC=Surfnet,DC=local

Address books can be created to look for recipients anywhere in the directory, from the top of the tree (DC=Surfnet,DC=local) down to a specific container (OU=West,OU=Sales,DC=Surfnet,DC=local).

3.4. Novell eDirectory 8.7 This section describes the LDAP structure for the standard installation of Novell eDirectory 8.7.

3.4.1. Novell eDirectory 8.7 Objects

Novell eDirectory 8.7 uses the following directory object keywords.

Keyword | Meaning in a DN | Description
O | Organization | Organization name.
OU | Organizational Unit | Unit within an organization. One of the containers in eDirectory that holds other objects.
CN | Common Name | Full name of a person or object defined by the entry.

A Novell eDirectory tree should be organized according to the following rules:
• Use a pyramid design.
• Create a single Organization object.
• Create first-level Organizational Units that represent the physical network infrastructure.

A sample directory is shown below; the corresponding Novell ConsoleOne view of the same directory is shown in Figure 6.

Figure 6. Novell eDirectory Configuration Using Novell ConsoleOne

O=slahb
  OU=Users
    CN=tjones
    CN=cjenkins


4. Basic Server Configuration The Sharp MFP should interoperate with basic LDAP server configurations. No special configuration should be necessary except as noted in the next sections.

4.1. Kerberos KDC
• It is recommended that the Kerberos system administrator add a user principal name for the MFP.

4.2. DNS Server
• The MFP must be installed in a working DNS environment for Kerberos authentication.
• The KDC host name must be resolvable using a forward DNS lookup.
• The LDAP server name must be resolvable using a forward DNS lookup. For Kerberos authentication, if an IP address is used for the LDAP server, the IP address must be resolvable using a reverse DNS lookup.

4.3. Microsoft Exchange 5.5

4.3.1. Maximum Number of Search Results Returned

If an LDAP search matches more than the configured maximum number of results, MS Exchange 5.5 returns no results at all for that search. The MS Exchange 5.5 default for the maximum number of search results returned is 100 entries. Use the Microsoft Exchange Server Administrator tool to set LDAP properties at either the site or the server level.

4.3.1.1. Getting to the Administrator Window
• From the Start menu, choose Programs, choose Microsoft Exchange, and then choose Microsoft Exchange Administrator.
• Type or select the name of the Microsoft Exchange Server to which you want to connect.

4.3.1.2. Getting to the Site and Server property pages
• In the Administrator window, choose a site or server, and then choose Protocols.
• Double-click LDAP (Directory) Site Defaults to configure site LDAP defaults, or LDAP (Directory) Settings to configure a server's LDAP settings.

4.3.1.3. Getting to the Searches property page
• Select the Search tab.
• Use the Search property page to specify how LDAP will perform directory searches on client requests.
• The "Maximum number of search results returned" setting specifies the maximum number of entries that will be returned for all searches. Performance decreases as the number increases.


4.4. Active Directory / Exchange 2000 Configuration

The MFP Global Address Book and User Authentication features should work with the standard installation of Active Directory / Exchange 2000. Use of the Global Address Book and User Authentication features does not require anonymous access.

4.4.1. Enable Anonymous LDAP Access

Anonymous authentication is turned off by default on Windows 2000 Active Directory. Enabling it is not recommended: any host that can reach the domain controller on port 389 can then read the delegated attributes of every user without credentials, so a dedicated low-privilege account for the MFP (see Section 5.4) is the preferred configuration. If anonymous access is nevertheless required:
• On your Windows 2000 Active Directory server, run the Active Directory Users and Computers administration tool.
• Select the top level of the directory from the tree view in the left-hand panel and right-click. A menu will appear. Select the first item, which should be "Delegate Control...".
• Click "Next".
• In the next window, titled "Users or Groups", click "Add...".
• In the next list, select "Anonymous Logon" and click "Add". You may also need to select "Everyone" and the "Guests" group, depending on how you have AD configured. Click "OK" when this is done.
• Click "Next".
• Select "Create a custom task to delegate" and click "Next".
• Click "Next".
• In the next list, select "Read". "Read All Properties" will be selected at the same time. Click "Next" when this is done.
• Click "Finish".
• On the MFP "Global Address Book Setup" web page, enter all required information. In addition, enter a "User Name" of "anonymous", enter no password and select an "Authentication Type" of "SIMPLE".
• Click "Submit".

4.4.2. Maximum Number of Search Results Returned

Active Directory enforces by default a maximum LDAP query page size of 1000 entries (the MaxPageSize LDAP policy). To change it, use the command line tool ntdsutil. Setting this limit very high is not recommended: a very large page size introduces performance issues on the domain controller.

4.4.2.1. Changing the page size
• Log in as Administrator.
• Open a Command Prompt.
• Enter the commands shown after each prompt below, replacing SERVERNAME with the appropriate server name.

C:\> ntdsutil
ntdsutil: ldap policies
ldap policy: connections
server connections: connect to server SERVERNAME
Binding to SERVERNAME ...
Connected to SERVERNAME using credentials of locally logged on user
server connections: q
ldap policy: show values

Policy                    Current(New)
MaxPoolThreads            4
MaxDatagramRecv           1024
MaxReceiveBuffer          10485760
InitRecvTimeout           120
MaxConnections            5000
MaxConnIdleTime           900
MaxActiveQueries          20
MaxPageSize               1000
MaxQueryDuration          120
MaxTempTableSize          10000
MaxResultsSetSize         262144
MaxNotificationPerConn    5

ldap policy: set maxpagesize to #### (for example, 2000)
ldap policy: commit changes
ldap policy: q
ntdsutil: q
Disconnecting from SERVERNAME ...
C:\>

4.5. Active Directory / Exchange 2003 Configuration

The MFP Global Address Book and User Authentication features should work with the standard installation of Active Directory / Exchange 2003. Use of the Global Address Book and User Authentication features does not require anonymous access.

4.5.1. Enable Anonymous LDAP Access

See Section 4.4.1. Note that Windows Server 2003 additionally disables anonymous LDAP operations other than reading the rootDSE for the whole forest by default, so delegating read permission to Anonymous Logon is not sufficient on its own; the directory-wide setting (the dSHeuristics attribute of the Directory Service object in the Configuration partition) must also be changed by the directory administrator. As in Section 4.4.1, giving the MFP its own account is the recommended alternative.

4.5.2. Maximum Number of Search Results Returned

See Section 4.4.2.

4.6. Linux/OpenLDAP

The User Authentication feature looks up the "uid" (user ID) attribute, which uniquely identifies computer system login names. OpenLDAP's core schema already defines uid, but a user entry carries it only if it belongs to an object class that permits the attribute, such as inetOrgPerson or posixAccount; entries created without such a class will need the attribute (or the class) added. To determine whether the uid attribute is present on the user entries of your LDAP server, you may need to refer to an LDAP administrator or the product documentation for that server.

4.7. Novell eDirectory 8.7

Novell eDirectory uses the password stored in the simplePassword attribute to perform Simple and Digest-MD5 binds. This value must be stored as clear text for the bind to succeed. The simplePassword attribute can be set using the ICE import/export tool, through the SimplePassword ConsoleOne snap-in, or with an LDAP control in your userPassword modification code. Since the MFP does not support a secure transport layer such as TLS, deselect the option "Require TLS for Simple Bind with Password" during installation of eDirectory. After installation, the option can be deselected with the Novell ConsoleOne snap-in by selecting the General tab in the LDAP Group Properties page. In addition, using ConsoleOne, the "Require TLS for All Operations" option must be deselected in the SSL/TLS Configuration tab of the LDAP Server Properties page. Because both settings allow the MFP's user name and password to cross the network in clear text on port 389, the account created for the MFP should have only the read rights needed for the address book search, and the change should be limited to the LDAP server the MFP uses.


5. Basic MFP Configuration This section describes how to configure the MFP to use the Global Address Book and User Authentication features.

5.1. DNS Setup

Configure the DNS Setup web page. See Figure 7.

Figure 7. DNS Setup Web Page

Name | Definition | Type / Input Limitations | Default Value
Primary DNS Server | IP address of the primary Domain Name Service (DNS) server. | IP address format | Blank
Secondary DNS Server | IP address of the secondary DNS server. | IP address format | Blank
Timeout | DNS server timeout. | 0 to 60 seconds | 20
Domain Name | Full name of the domain. | 64 characters text | Blank

5.2. Kerberos Authentication Setup For Kerberos authentication, configure Kerberos Setup web page. See Figure 8.


Figure 8. Kerberos Setup Web Page

Name | Definition | Type / Input Limitations | Default Value
KDC Server | An IP address or resolvable host name for the Key Distribution Center (KDC). | IP address format or 127 characters text | Blank
Port Number | Kerberos KDC port number. | 5 digits | 88
Realm | The logical network served by the Kerberos database. Kerberos realm names are case-sensitive. By convention, realm names are generally all uppercase letters; however, the user should refer to the Kerberos administrator for the correct realm name. Typically for Active Directory, the Kerberos realm name is the full DNS name of the domain in uppercase letters. From our example, the domain "surfnet.local" maps to a Kerberos realm name of "SURFNET.LOCAL". The Active Directory domain name can be obtained from the Active Directory Users and Computers administrative tool (see Figure 9). | 127 characters text | Blank

Figure 9. Active Directory Users and Computers Tool


5.3. Clock Setup For Kerberos authentication, time synchronization between the MFP and the KDC is critical. The maximum clock skew is usually specified by the KDC. The default value is typically 300 sec. To synchronize time with the Kerberos KDC, the user needs to select the corresponding Time Zone on the SMTP Setup web page [2,3] (see Figure 10).

Figure 10. Time Zone Setup

Set the date and time to current local date and time via the Custom Settings Mode. Select “Daylight Saving Time Setting” if applicable (see Figure 11).

Figure 11. MFP Clock Adjust

Rebooting of the MFP is required after an MFP clock adjustment.
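The DNS rules of Section 4.2, the realm convention of Section 5.2 and the clock-skew limit of Section 5.3 can be checked before the device is configured. The Python below is an added example, not part of the guide or of the MFP firmware: it shows why an IP-addressed LDAP server needs a reverse lookup (the Kerberos service principal ldap/<host>@REALM must be built from a host name) and returns the list of prerequisites that fail. The resolver functions and clock values are parameters, so the embedded sample DNS answers (the host names and 192.0.2.x addresses are constructed) let it run offline; in production pass socket.gethostbyname, socket.gethostbyaddr and the real device and KDC times.

```python
"""Pre-flight check for the DNS (4.2), realm (5.2) and clock (5.3) rules.

Added example, not from the guide or the MFP firmware.  Resolver and time
values are passed in so the check runs offline against the constructed DNS
answers at the bottom; in production pass socket.gethostbyname,
socket.gethostbyaddr and the device/KDC clocks.  surfnet.local and the
192.0.2.x addresses are constructed sample values.
"""
import ipaddress

def realm_for_domain(dns_domain: str) -> str:
    """Active Directory convention: the realm is the DNS domain in upper case."""
    return dns_domain.strip(".").upper()

def ldap_service_principal(ldap_server: str, realm: str, forward, reverse) -> str:
    """The service principal the client must request: ldap/<fqdn>@REALM.

    If the administrator entered an IP address, the host name has to come
    from a reverse (PTR) lookup, which is why Section 4.2 requires reverse
    DNS for IP-addressed LDAP servers.  A host name must forward-resolve.
    """
    try:
        ipaddress.ip_address(ldap_server)
    except ValueError:                      # not an IP literal: a host name
        forward(ldap_server)                # raises OSError if unresolvable
        fqdn = ldap_server
    else:
        fqdn = reverse(ldap_server)[0]      # gethostbyaddr(): (name, aliases, addrs)
    return "ldap/%s@%s" % (fqdn.rstrip(".").lower(), realm)

def check_prerequisites(kdc: str, ldap_server: str, dns_domain: str,
                        mfp_time: float, kdc_time: float,
                        forward, reverse, max_skew: float = 300.0) -> list:
    """Return the list of problems found; an empty list means the Kerberos
    prerequisites of Sections 4.2 and 5.3 are met.  max_skew is the KDC's
    clock-skew tolerance (300 s is the usual default)."""
    problems = []
    try:
        forward(kdc)
    except OSError as exc:
        problems.append("KDC %s does not forward-resolve: %s" % (kdc, exc))
    try:
        ldap_service_principal(ldap_server, realm_for_domain(dns_domain),
                               forward, reverse)
    except OSError as exc:
        problems.append("LDAP server %s cannot be mapped to a host name: %s"
                        % (ldap_server, exc))
    skew = abs(mfp_time - kdc_time)
    if skew > max_skew:
        problems.append("clock skew %.0f s exceeds KDC limit of %.0f s"
                        % (skew, max_skew))
    return problems

# --- constructed DNS answers so the check can run offline -------------------
_FORWARD = {"dc1.surfnet.local": "192.0.2.10", "kdc.surfnet.local": "192.0.2.10"}
_REVERSE = {"192.0.2.10": ("dc1.surfnet.local", [], ["192.0.2.10"])}

def fake_forward(name: str) -> str:
    """Stand-in for socket.gethostbyname()."""
    try:
        return _FORWARD[name.lower()]
    except KeyError:
        raise OSError("NXDOMAIN %s" % name)

def fake_reverse(addr: str) -> tuple:
    """Stand-in for socket.gethostbyaddr()."""
    try:
        return _REVERSE[addr]
    except KeyError:
        raise OSError("no PTR record for %s" % addr)

if __name__ == "__main__":
    print(ldap_service_principal("192.0.2.10", "SURFNET.LOCAL", fake_forward, fake_reverse))
    print(check_prerequisites("kdc.surfnet.local", "192.0.2.99", "surfnet.local",
                              1000.0, 1400.0, fake_forward, fake_reverse))
```

With a real resolver, a missing PTR record for the LDAP server's address shows up as the second problem string; that, rather than a wrong password, is the usual cause of a Kerberos bind failing only when the server is entered by IP address.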


5.4. Global Address Book Setup Use the Global Address Book Setup web page to configure LDAP access on MFP [2]. Up to seven address books can be configured to point at different LDAP servers or break one LDAP server down into several subdirectories. The Global Address Book Setup for Case 1, Section 3.3.2, is shown in Figure 12.

Figure 12. Global Address Book Setup Web Page for Case 1

Name: Name
  Definition: Name of the address book. Users select which address book to search by this name.
  Type / input limitations: 42 characters text
  Default value: Blank

Name: Search Root
  Definition: The base (root) of the directory where the LDAP server starts the search for names. It lets the administrator limit the scope of the LDAP search. The form of the search root is server and installation specific; check with the LDAP system administrator for the correct value. Using the examples in Section 3, a typical search root for MS Exchange 5.5 is “cn=Recipients,ou=slacamas,o=sec”; for Active Directory Case 1, “cn=Users,dc=surfnet,dc=local”; for Active Directory Case 2, “ou=west,ou=sales,dc=surfnet,dc=local”.
  Type / input limitations: 512 characters text
  Default value: Blank

Name: LDAP Server
  Definition: An IP address or resolvable host name for the LDAP server.
  Type / input limitations: IP address format or 127 characters text
  Default value: Blank

Name: Port Number
  Definition: LDAP server port number. Some LDAP implementations require a port other than the default.
  Type / input limitations: 5 digits
  Default value: 389

Name: Timeout
  Definition: LDAP server connection and search request timeout.
  Type / input limitations: 0 to 60 seconds
  Default value: 5

Name: User Name
  Definition: The name of a user authorized to search entries in the directory. The format may be a user logon name or a distinguished name; Section 5.4.4 gives the format for each authentication type. Note: it is recommended that the LDAP administrator create a dedicated, least-privilege account for the MFP itself (read access to the address book subtree only) rather than entering a person’s or an administrator’s credentials, since this password is stored on the MFP and, with Simple authentication, sent in clear text.
  Type / input limitations: 32 characters text
  Default value: Blank

Name: Password
  Definition: The password for the user specified by User Name.
  Type / input limitations: 32 characters text
  Default value: Blank

Name: Authentication Type
  Definition: Authentication type for the address book. See Table 1 for more information. Note: Microsoft Active Directory does not support the standard Anonymous authentication type. To use anonymous access with Active Directory, select Simple authentication, enter “anonymous” as the user name and leave the password blank.
  Type / input limitations: Drop-down list (Anonymous, Simple, NTLM, Digest-MD5, Kerberos)
  Default value: Anonymous

Name: Default Address Book
  Definition: Sets the current address book as the default. The default address book is used for user authentication and is pre-selected for searches (the user can select an alternative address book at search time).
  Type / input limitations: Checkbox
  Default value: Unchecked

Table 1. Authentication Types

Anonymous: No user name or password is provided. The User Name and Password fields are not passed to the LDAP server in the bind request; a NULL (zero-length) name and password are sent in their place.

Simple: User name and password are provided, but are sent over the network in clear text. Anyone able to capture traffic between the MFP and the LDAP server can read them, so use a dedicated low-privilege account and keep the MFP-to-server path on a trusted network segment.

Digest-MD5: A challenge/response method using the MD5 algorithm (SASL DIGEST-MD5). It was the mandatory-to-implement authentication mechanism for LDAPv3 (RFC 2829). The password itself is not sent; the client proves it knows the password by hashing it together with a nonce supplied by the server.

NTLM: An authentication protocol used in Windows NT environments. The password is hashed and the hash is used to encrypt a challenge from the server, so only the encrypted challenge crosses the network. In NT environments, user information is stored in and verified by the SAM (Security Accounts Manager) database on the domain controller.

Kerberos: A trusted third-party authentication system developed at MIT, and the default authentication protocol for Windows 2000 environments. Kerberos uses a Key Distribution Center (KDC) that authenticates users and grants tickets to use services on the network.
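Table 1 says a Simple bind sends the password in clear text, and Section 6.2 recommends a network trace to check the credentials the MFP is using; the following Python, added here as an illustration and not part of the original guide or of any Sharp software, shows why both statements hold. It encodes an LDAPv3 Simple BindRequest exactly as RFC 4511 defines it (BER: LDAPMessage SEQUENCE, messageID INTEGER, BindRequest [APPLICATION 0], authentication choice simple [0]) and decodes such a PDU back into its fields. The bind DN and password are constructed sample values, not accounts from the guide’s environment.

```python
"""LDAPv3 Simple BindRequest (RFC 4511) encoder/decoder, standard library only.

Shows what a Simple bind puts on the wire: the bind DN and the password are
plain OCTET STRINGs inside a BER SEQUENCE, so anyone capturing port 389
traffic can read them. The sample DN and password below are constructed for
this example and are not accounts from the guide.
"""
from __future__ import annotations

LDAP_SEQUENCE = 0x30        # universal SEQUENCE (LDAPMessage)
LDAP_INTEGER = 0x02
LDAP_OCTET_STRING = 0x04
BIND_REQUEST = 0x60         # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80          # authentication CHOICE: simple [0] OCTET STRING


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N followed by N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_simple_bind(message_id: int, name: str, password: str) -> bytes:
    """Build the bytes an LDAP client sends for a Simple bind.

    An Anonymous bind (Table 1) is the same PDU with an empty name and password.
    """
    bind_request = (
        _tlv(LDAP_INTEGER, _ber_int(3))                     # version INTEGER (3)
        + _tlv(LDAP_OCTET_STRING, name.encode("utf-8"))     # name LDAPDN
        + _tlv(AUTH_SIMPLE, password.encode("utf-8"))       # simple [0] OCTET STRING
    )
    return _tlv(LDAP_SEQUENCE,
                _tlv(LDAP_INTEGER, _ber_int(message_id)) + _tlv(BIND_REQUEST, bind_request))


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated PDU")
    return tag, buf[pos:pos + length], pos + length


def decode_simple_bind(pdu: bytes) -> dict:
    """Parse a captured LDAPMessage and return the credentials it carries."""
    tag, message, _ = _read_tlv(pdu, 0)
    if tag != LDAP_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, msg_id, pos = _read_tlv(message, 0)
    if tag != LDAP_INTEGER:
        raise ValueError("missing messageID")
    tag, op, _ = _read_tlv(message, pos)
    if tag != BIND_REQUEST:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag != AUTH_SIMPLE:
        raise ValueError("not a Simple bind (SASL binds use choice [3])")
    return {
        "message_id": int.from_bytes(msg_id, "big"),
        "version": version[0],
        "name": name.decode("utf-8"),
        "password": auth.decode("utf-8"),   # readable as-is: this is the clear text
    }


# Constructed sample capture: what an MFP would send for a Simple bind with a
# hypothetical dedicated address-book account.
SAMPLE_PDU = encode_simple_bind(1, "cn=mfp-ldap,cn=Users,dc=surfnet,dc=local", "Spring2003!")

if __name__ == "__main__":
    print(SAMPLE_PDU.hex())
    print(decode_simple_bind(SAMPLE_PDU))
```

Running the script prints the raw PDU and then the decoded dictionary with the password in the clear; feeding the bytes of a real bind from a packet capture to decode_simple_bind gives the same result, which is why a capture taken while troubleshooting Simple authentication must itself be treated as a credential.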


5.4.1. Global Address Book Setup Example for Case 2 Figure 13. Global Address Book Setup Web Page for Case 2

5.4.2. Global Address Book Setup Example for MS Exchange Figure 14. Global Address Book Setup Web Page for MS Exchange 5.5


5.4.3. Global Address Book Setup Example for Novell eDirectory 8.7 Figure 15. Global Address Book Setup Web Page for Novell eDirectory 8.7


5.4.4. User Name Entry The User Name and Password entries take different formats depending on the authentication type selected. The formats the User Name entry can take are described in Table 2. The Anonymous authentication type does not use the User Name and Password entries; both are left NULL in the LDAP bind request. The Simple authentication type authenticates against the LDAP directory itself and usually requires the Display name, DN or RDN format. NTLM is a Microsoft proprietary authentication mechanism and uses the User Logon Name format. The Digest-MD5 and Kerberos authentication types use SASL and generally use the User Logon Name format.

Table 2. User Name Entry Formats

Distinguished Name (DN)
  Description: A unique identifier of an entry in an LDAP directory; in effect, the path to the object in the directory information tree (DIT). Components are comma-separated.
  Examples: Case 1: cn=Mary Smith,cn=Users,dc=surfnet,dc=local; Case 2: cn=John Doe,ou=West,ou=Sales,dc=surfnet,dc=local

Relative Distinguished Name (RDN)
  Description: An individual component of a distinguished name.
  Examples: Case 1: cn=Mary Smith; Case 2: cn=John Doe

User Logon Name
  Description: The user’s logon name.
  Examples: Case 1: msmith; Case 2: jdoe

Display Name
  Description: The user’s display name.
  Examples: Case 1: Mary Smith; Case 2: John Doe

5.4.4.1. MS Exchange 5.5 Authentication Support

MS Exchange 5.5 supports the Anonymous, Simple and NTLM authentication types. The User Name to be entered is described in Table 3.

Table 3. User Name Entry for MS Exchange 5.5

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN) or relative distinguished name (RDN). Example: cn=jdoe
NTLM: User logon name. Example: jdoe
Digest-MD5: Not supported.
Kerberos: Not supported.

5.4.4.2. Active Directory / Exchange 2000 Authentication Support

Windows 2000 with Active Directory supports the Simple, NTLM and Kerberos authentication types. Anonymous access to Active Directory is turned off by default. The User Name to be entered is described in Table 4.


Table 4. User Name Entry for Active Directory 2000

Anonymous: Not supported. Note: If anonymous access is enabled, use the Simple authentication type with a User Name of “Anonymous” and no password.
Simple: Active Directory Display name. Examples: Case 1: Mary Smith; Case 2: John Doe
NTLM: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Digest-MD5: Not supported.
Kerberos: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe

5.4.4.3. Active Directory / Exchange 2003 Authentication Support

Windows Server 2003 with Active Directory supports the Simple, NTLM, Digest-MD5 and Kerberos authentication types. Anonymous access to Active Directory is turned off by default. The User Name to be entered is described in Table 5.

Table 5. User Name Entry for Active Directory 2003

Anonymous: Not supported. Note: If anonymous access is enabled, use the Simple authentication type with a User Name of “Anonymous” and no password.
Simple: Active Directory Display name. Examples: Case 1: Mary Smith; Case 2: John Doe
NTLM: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Digest-MD5: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Kerberos: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe

5.4.4.4. Linux/OpenLDAP Authentication Support

OpenLDAP supports the Anonymous, Simple, Digest-MD5 and Kerberos authentication types. The User Name to be entered is described in Table 6.

Table 6. User Name Entry for OpenLDAP

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN). Example: cn=jlum,dc=sharplabs,dc=com
NTLM: Not supported.
Digest-MD5: OpenLDAP user name in sasldb or other SASL password database. Example: jlum
Kerberos: User principal name. Example: jlum

5.4.4.5. Novell eDirectory 8.7 Authentication Support

Novell eDirectory 8.7 supports Anonymous, Simple and Digest-MD5 authentication types. The User Name to be entered is described in Table 7.

Table 7. User Name Entry for Novell eDirectory 8.7

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN). Example: cn=tjones,ou=Users,o=slahb
NTLM: Not supported.
Digest-MD5: Distinguished name (DN) preceded by “dn:”. Example: dn:cn=tjones,ou=Users,o=slahb
Kerberos: Not supported.

5.4.5. Additional Notes The system administrator can give the different name formats the same text. In Active Directory 2000, the display name, the user logon name and the relative distinguished name can all be set to the same characters. Using Case 2 as an example, the administrator can set:
  - Display name: jdoe
  - User logon name: jdoe
  - Distinguished name: cn=jdoe,ou=west,ou=sales,dc=surfnet,dc=local

In Active Directory, the Display name is generated automatically from the First and Last names and can be replaced with one of your choosing; it must be unique among all Display names in the directory. The Sharp MFP LDAP client builds its search filter on the common name (“cn”) attribute and requests the “cn” and “mail” attributes from the LDAP server; neither the filter attribute nor the returned attributes can be configured. The asterisk (*) can be used as a wildcard in the search string. For NTLM, the user logon name must be in the same network domain as the copier.

5.5. User Authentication User authentication is enabled on the Network Scanning Setup web page. See Figure 16.


Figure 16. Network Scanning Setup Web Page

The items used for authentication are either login name and password only, or login name, password and e-mail address. If the e-mail address is included, authentication succeeds only if the e-mail address configured for the sender matches the one stored in the LDAP server, which stops a user from sending scans under another person’s From address. User authentication is performed against the LDAP server configured for the default address book. Each user to be authenticated must be set up as a sender on the device using the Sender Management web page (see Figure 17).

Figure 17. Sender Management Web Page

When users access the scan function at the MFP front panel they will be prompted to select a sender name and enter their password. The “login name” configured for that sender and the entered password will be sent to the LDAP server for authentication. Upon successful authentication, the e-mail address configured for the sender will be placed in the e-mail “From” field. Authentication of login name, password, and e-mail address can be used to ensure that the e-mail address configured for the sender matches the one on the LDAP server. The login name for the sender can have different formats based on the authentication type of the default Global Address Book. It may be necessary to enter the distinguished name, relative distinguished name, or user login name. See Table 2 in Section 5.4.4 for details.


The “uid” and “sAMAccountName” attributes are used to locate the user for authentication. For user authentication to succeed, the directory entry must therefore carry either a “uid” or a “sAMAccountName” attribute, and the MFP’s search account must be allowed to read it. “uid” is typically used in Unix/Linux directories; “sAMAccountName” is used in Windows 2000 / 2003 Active Directory.
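Both the address-book search (Section 5.4.5: filter built on “cn”, asterisk as wildcard) and user authentication (lookup by “uid” or “sAMAccountName”, then a bind with the entered password) put text typed at the front panel into an LDAP search filter. The characters ( ) * \ are filter syntax, so a login name containing them changes the filter’s meaning unless they are escaped as RFC 4515 requires; likewise commas and other specials inside a DN (RFC 4514) such as a Search Root or a Simple-bind user name from Table 2. The Python below is an added example, not Sharp’s code and not a description of how the MFP firmware actually assembles its filters: it shows the escaping rules, one filter for each of the two queries, and a DN builder and splitter that honour escapes. The attribute names follow the guide; the injection input is constructed.

```python
"""RFC 4515 filter escaping and RFC 4514 DN handling for the two lookups the
guide describes: the address-book name search on "cn" and the user lookup on
"uid"/"sAMAccountName". Added example; the MFP's own filter construction is
not documented beyond the attributes it uses.
"""
from __future__ import annotations

# RFC 4515: these characters must be written as \XX inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a value for use inside an LDAP search filter.

    allow_wildcard=True keeps a user-typed '*' as a wildcard (address-book
    search); every other filter syntax character is always neutralised.
    """
    out = []
    for ch in value:
        if ch == "*" and allow_wildcard:
            out.append("*")
        elif ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:                     # non-ASCII: escape each UTF-8 byte
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def address_book_filter(typed: str) -> str:
    """Front-panel name search: cn match with the user's wildcard preserved."""
    return f"(cn={escape_filter_value(typed, allow_wildcard=True)})"


def login_lookup_filter(login: str) -> str:
    """Locate the sender's entry before binding with the entered password.

    No wildcard is allowed here: a login of '*' must not match every entry.
    """
    v = escape_filter_value(login)
    return f"(|(uid={v})(sAMAccountName={v}))"


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for one attribute value inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:               # leading '#' would start a hex string
            out.append(r"\#")
        elif ch == " " and i in (0, last):       # leading/trailing space
            out.append(r"\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(*rdns: tuple[str, str]) -> str:
    """Join (attribute, value) pairs into a DN, e.g. for a Search Root entry."""
    return ",".join(f"{attr}={escape_dn_value(val)}" for attr, val in rdns)


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, treating backslash-escaped commas as data."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


if __name__ == "__main__":
    # Constructed inputs: a normal login, and an injection attempt that would
    # match every entry if the parentheses and asterisks were left unescaped.
    for login in ("jdoe", "*)(objectClass=*"):
        print(login_lookup_filter(login))
    print(address_book_filter("Mary*"))
    print(build_dn(("cn", "Smith, Mary"), ("cn", "Users"), ("dc", "surfnet"), ("dc", "local")))
```

The two filter builders differ only in whether the asterisk survives: the address book is meant to accept “Mar*” from the front panel, while the authentication lookup must resolve exactly one entry, so a typed “*” there is escaped to “\2a” and matches nothing.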


6. Basic Troubleshooting This section provides basic troubleshooting to help the user diagnose problems with the configuration of the Global Address Book and User Authentication features. Due to the large number of possible network environments, an exhaustive troubleshooting guide is beyond the scope of this document.

6.1. LDAP Configuration Problems

Problem: Error message on web page: “LDAP Server connection failed.”
  Solution or cause: Incorrect LDAP configuration. Review the LDAP settings for port number, search root, and user name and password. The LDAP server may be down; check with the appropriate network administration personnel. Make sure that TCP/IP is installed and enabled on the server. Verify that the LDAP server name is resolvable using forward and reverse DNS lookups.

Problem: Error message on web page: “NIC is not ready.”
  Solution or cause: Make sure that TCP/IP is installed and enabled on the MFP.

Problem: Error message on web page: “To resolve the name of LDAP Server failed.”
  Solution or cause: Verify the LDAP server is resolvable using forward and reverse DNS lookups, or enter the IP address of the LDAP server instead of its host name.

Problem: Error message on web page: “Timeouted.”
  Solution or cause: Increase the LDAP server timeout value using the MFP web interface.

Problem: Error message on web page: “Authentication of LDAP Server failed.”
  Solution or cause: See Section 6.2.

Problem: Front panel user authentication failed.
  Solution or cause: Ensure the “uid” or “sAMAccountName” attribute is readable by the MFP’s search account. The MFP locates the user by searching on the “uid” or “sAMAccountName” attribute; if neither attribute is accessible to LDAP queries, the search fails even when a valid user name and password are supplied.

6.2. Authentication Problems

Problem: Anonymous access fails.
  Solution or cause: Ensure the LDAP server is configured for anonymous access and verify the search root. Note: Microsoft Active Directory (2000 and 2003) does not support anonymous binds for address book searches; see Sections 5.4.4.2 and 5.4.4.3.

Problem: Simple authentication fails.
  Solution or cause: Verify the entered user name and password are correct. A network trace between the MFP and the LDAP server shows the bind request with the exact user name and password the MFP sent, because Simple binds are clear text; treat the capture file as a credential and delete it when done.

Problem: NTLM authentication fails.
  Solution or cause: Verify the entered user name and password are correct, and that the user logon name belongs to the same network domain as the MFP.

Problem: Digest-MD5 authentication fails.
  Solution or cause: Check that the user name and password entered are correct and that the user name is in the format the server expects (Table 6 for OpenLDAP, Table 7 for eDirectory).

Problem: Kerberos authentication fails.
  Solution or cause: Verify the user name is a user principal name. Verify the entered user name and password are correct. Create a test user principal and password for the MFP and test it from a desktop system on the same network as the MFP and KDC. Check that the MFP clock is within the maximum clock skew specified by the KDC (Section 5.3). Make sure the KDC is running. Ensure the Kerberos realm name is correct; realm names are case-sensitive. Verify the KDC host name is resolvable in DNS.


7. Glossary This glossary defines terms used in the LDAP User’s Guide.

LDAP: The Lightweight Directory Access Protocol, used by clients to locate entries in a directory. Commonly used by e-mail servers to make global address books available to clients. Sharp MFPs use LDAP to search the global e-mail address book at the front panel and to complete e-mail fields on the device web pages.

MD5: A message digest algorithm [4].

NTLM: NT LAN Manager security. Also referred to as “Windows NT challenge/response” in Microsoft’s “Exchange Server Administrator” tool.

SASL: Simple Authentication and Security Layer, a framework used in LDAP to provide authentication and, optionally, data integrity and data confidentiality.