
Created by Michael Anastassiou

Document Solutions Centre AR-M550/620/700U Training

LDAP Admin Guide For ARM236/ARM276 And ARM550/620/700U

LDAP Admin Setup Guide

Preface
This document provides information to help system administrators with the LDAP Global Address Book and User Authentication features of the Multi-function peripheral (MFP). With this information, the administrator will:

- Better understand how the LDAP Global Address Book and User Authentication features interact on the MFP.
- Have a foundation to conduct basic troubleshooting for issues surrounding the LDAP global address search and user authentication.

This document assumes general knowledge of LDAP and its components, as well as a basic understanding of directory concepts. The LDAP configuration and troubleshooting guidance in this document is not exhaustive. The multitude of variables in supported environments means that problems encountered may require more time and expertise to implement and troubleshoot than simple network printing. Cooperation between different support personnel at the user's installation site is also often required.

Draft


Table of Contents
Preface
List of Figures
List of Tables
2. Overview
3. LDAP Directory Basics
   3.1. Search Root for Directory Entries
   3.2. Microsoft Exchange 5.5
      3.2.1. MS Exchange 5.5 Objects
   3.3. Active Directory
      3.3.1. Active Directory Objects
      3.3.2. Case 1: A Simple Case
      3.3.3. Case 2: A More Complex Case
   3.4. Novell eDirectory 8.7
      3.4.1. Novell eDirectory 8.7 Objects
4. Basic Server Configuration
   4.1. Kerberos KDC
   4.2. DNS Server
   4.3. Microsoft Exchange 5.5
      4.3.1. Maximum Number of Search Results Returned
   4.4. Active Directory / Exchange 2000 Configuration
      4.4.1. Enable Anonymous LDAP Access
      4.4.2. Maximum Number of Search Results Returned
   4.5. Active Directory / Exchange 2003 Configuration
      4.5.1. Enable Anonymous LDAP Access
      4.5.2. Maximum Number of Search Results Returned
   4.6. Linux/OpenLDAP
   4.7. Novell eDirectory 8.7
5. Basic MFP Configuration
   5.1. DNS Setup
   5.2. Kerberos Authentication Setup
   5.3. Clock Setup
   5.4. Global Address Book Setup
      5.4.1. Global Address Book Setup Example for Case 2
      5.4.2. Global Address Book Setup Example for MS Exchange
      5.4.3. Global Address Book Setup Example for Novell eDirectory 8.7
      5.4.4. User Name Entry
      5.4.5. Additional Notes
   5.5. User Authentication
6. Basic Troubleshooting
   6.1. LDAP Configuration Problems
   6.2. Authentication Problems
7. Glossary


List of Figures
Figure 1. Global Address Search
Figure 2. Active Directory Users and Computers for Case 1
Figure 3. User Properties for Mary Smith
Figure 4. Active Directory Users and Computers for Case 2
Figure 5. User Properties for John Doe
Figure 6. Novell eDirectory Configuration Using Novell ConsoleOne
Figure 7. DNS Setup Web Page
Figure 8. Kerberos Setup Web Page
Figure 9. Active Directory Users and Computers Tool
Figure 10. Time Zone Setup
Figure 11. MFP Clock Adjust
Figure 12. Global Address Book Setup Web Page for Case 1
Figure 13. Global Address Book Setup Web Page for Case 2
Figure 14. Global Address Book Setup Web Page for MS Exchange 5.5
Figure 15. Global Address Book Setup Web Page for Novell eDirectory 8.7
Figure 16. Network Scanning Setup Web Page
Figure 17. Sender Management Web Page

List of Tables
Table 1. Authentication Types
Table 2. User Name Entry Formats
Table 3. User Name Entry for MS Exchange 5.5
Table 4. User Name Entry for Active Directory 2000
Table 5. User Name Entry for Active Directory 2003
Table 6. User Name Entry for OpenLDAP
Table 7. User Name Entry for Novell eDirectory 8.7


2. Overview
The LDAP protocol is used for accessing the global address book for selecting e-mail recipients and for user authentication [1]. The User Authentication feature on the MFP requires users to log into the network at the MFP front panel before using the network scanning function. User authentication via LDAP provides great flexibility because the server handles verification of the user name and password. The Global Address Book and User Authentication features are configured using the MFP web interface. This document describes basic operation setup with the following LDAP servers:

- Microsoft Exchange 5.5
- Microsoft Active Directory 2000
- Microsoft Active Directory 2003
- OpenLDAP
- Novell eDirectory 8.7

To use the global address book, the MFP behaves as an LDAP client to an LDAP server, as shown in Figure 1. The client requests a service and the server carries out the task. A typical LDAP session between the MFP and the LDAP server is as follows:

1. The MFP sends a bind request to the server. The bind request is the first message of the LDAP session. It can be an anonymous bind, a simple bind or one of the Simple Authentication and Security Layer (SASL) mechanisms [5]. Section 5.4 provides more details on the different authentication types.
2. The server receives the bind request and, if it is willing to provide service to the MFP, answers with an acknowledgement called the bind response. Authentication of the device may be required at this point.
3. Upon receiving the bind response, the MFP sends the details of the desired service (i.e. a search request) to the server. The MFP uses a search filter to define the search request, and as part of the request it asks that the common name and e-mail address attributes be returned in the search results.
4. The server executes the search and replies with the matching entries. The retrieved common name attribute(s) are displayed on the global address search web page or on the front panel. The e-mail address attribute of the selected entry is used as the recipient's e-mail address.
5. At this point the MFP may continue with another search request or may terminate the session.
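The five-step exchange above, reduced to the bytes on the wire. This is an added example written for this page, not code from Sharp or from the MFP firmware: it builds the BindRequest, SearchRequest and UnbindRequest PDUs of RFC 4511 with a minimal BER encoder, then decodes the bind again to show that with the Simple authentication type (Section 5.4) the password is readable by anyone who can see the traffic. The DN CN=mfp-scan,CN=Users,DC=surfnet,DC=local, the password and the filter (cn=Mary*) are constructed sample values; nothing is sent to a server.

```python
"""LDAPv3 session as the MFP performs it, at the byte level: BindRequest,
SearchRequest and UnbindRequest PDUs built with hand-rolled BER (RFC 4511),
plus a decoder that reads the bind back out of the raw bytes.
Added example, not Sharp's code: the DNs, filter and password used with it
are constructed sample values; nothing is sent to a server."""

SEQUENCE, SET, BOOLEAN, INTEGER, ENUM, OCTET = 0x30, 0x31, 0x01, 0x02, 0x0A, 0x04
APP_BIND, APP_UNBIND, APP_SEARCH = 0x60, 0x42, 0x63   # [APPLICATION 0], [2], [3]
CTX_SIMPLE = 0x80                                      # AuthenticationChoice.simple [0]
SCOPE_SUBTREE, DEREF_NEVER = 2, 0


def ber_len(n):
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(n, tag=INTEGER):
    """Non-negative INTEGER/ENUMERATED; a leading 0x00 keeps the sign bit clear."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return ber(tag, body)


def ber_str(s, tag=OCTET):
    return ber(tag, s.encode("utf-8"))


def ldap_message(msg_id, op):
    return ber(SEQUENCE, ber_int(msg_id) + op)


def bind_request(msg_id, dn, password, allow_unauthenticated=False):
    """Step 1 of the session. dn == '' and password == '' is an anonymous bind.
    A non-empty dn with an EMPTY password is an *unauthenticated* bind (RFC 4513
    s5.1.2), which Active Directory and other servers accept as anonymous: fine
    for the Section 4.4.1 address-book trick, fatal if the bind result is used
    to check a user's password, so it is refused unless explicitly allowed."""
    if dn and not password and not allow_unauthenticated:
        raise ValueError("refusing unauthenticated bind (empty password) for " + dn)
    auth = ber(CTX_SIMPLE, password.encode("utf-8"))
    return ldap_message(msg_id, ber(APP_BIND, ber_int(3) + ber_str(dn) + auth))


def substring_filter(attr, prefix):
    """Filter (attr=prefix*), the shape of a 'name starts with' lookup:
    substrings [4] { type, SEQUENCE { initial [0] } }."""
    return ber(0xA4, ber_str(attr) + ber(SEQUENCE, ber(0x80, prefix.encode("utf-8"))))


def equality_filter(attr, value):
    """Filter (attr=value): equalityMatch [3] { attributeDesc, assertionValue }."""
    return ber(0xA3, ber_str(attr) + ber_str(value))


def search_request(msg_id, search_root, flt, attrs=("cn", "mail"), size_limit=100):
    """Step 3: subtree search below search_root, asking only for cn and mail."""
    body = (ber_str(search_root) + ber_int(SCOPE_SUBTREE, ENUM) + ber_int(DEREF_NEVER, ENUM)
            + ber_int(size_limit) + ber_int(0) + ber(BOOLEAN, b"\x00") + flt
            + ber(SEQUENCE, b"".join(ber_str(a) for a in attrs)))
    return ldap_message(msg_id, ber(APP_SEARCH, body))


def unbind_request(msg_id):
    """Step 5: UnbindRequest is [APPLICATION 2] NULL, so the op has no payload."""
    return ldap_message(msg_id, ber(APP_UNBIND, b""))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def children(payload):
    out, pos = [], 0
    while pos < len(payload):
        tag, val, pos = read_tlv(payload, pos)
        out.append((tag, val))
    return out


def parse_bind_request(pdu):
    """Recover id, version, DN and simple-bind password from the raw bytes:
    everything a passive observer sees when the bind is not protected by TLS."""
    tag, msg, _ = read_tlv(pdu)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    (_, mid), (op_tag, op) = children(msg)
    if op_tag != APP_BIND:
        raise ValueError("not a BindRequest")
    (_, ver), (_, name), (auth_tag, cred) = children(op)
    return {"id": int.from_bytes(mid, "big"), "version": ver[0], "dn": name.decode("utf-8"),
            "password": cred.decode("utf-8") if auth_tag == CTX_SIMPLE else None}
```

bind_request refuses a user name with an empty password unless told otherwise: that combination is an unauthenticated bind, which Active Directory treats as anonymous. It is exactly what the anonymous procedure in Section 4.4.1 relies on for address-book lookups, and exactly what must not be allowed to count as a successful password check when the same kind of bind is used for User Authentication.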
Figure 1. MFP Global Address Search (diagram: the Sharp Andromeda MFP searches the Global Address Book on an LDAP server, e.g. Windows Active Directory)


3. LDAP Directory Basics


A directory is a specialized database that is designed to retrieve information quickly and securely. It is optimized for read access because the type of information in the directory is searched often but changes infrequently. For example, a user name that you add for a new employee is not likely to change for the entire period of employment. Information about services, resources, users and other objects that are accessible from the application is organized as a collection of individual entries, each containing information about one resource. To make accessing these entries as efficient as possible, they are organized in a hierarchy called the Directory Information Tree (DIT). In the traditional X.500 layout the root of the tree is the country (C) followed by an organization (O); Active Directory instead uses domain components (DC) taken from the DNS domain name (see Section 3.3). One or more organizational units (OU) typically appear below the root. These are container objects, in that they can contain other directory entries. Directory entries that store information about a specific resource are added to the tree under an existing container object. The path to each entry in the tree is called its distinguished name (DN), and each DN in the tree is unique.

3.1. Search Root for Directory Entries


The search root is formed by listing the names of the root and of each successive branch of the tree down to the point where a search should start. It should be the branch closest to the data being searched, since in most installations all data being sought lies in one branch of the LDAP tree. A narrow search root also keeps result counts below the server's limits (Sections 4.3.1 and 4.4.2) and limits what the MFP's bind account can enumerate. The form of the search root differs between Microsoft Exchange 5.5, Active Directory (2000 and 2003) and other LDAP servers. Specific information is given below to help find the correct search root for Microsoft Exchange 5.5, Microsoft Active Directory 2000 and 2003 and Novell eDirectory 8.7. For more detailed information, as well as information on other directories such as Lotus Notes, refer to the product documentation for that server.

3.2. Microsoft Exchange 5.5


This section describes the LDAP structure for the standard installation of Microsoft's Exchange 5.5.

3.2.1. MS Exchange 5.5 Objects


MS Exchange 5.5 uses the following directory object keywords.

Keyword   Meaning in a DN        Description
O         Organization           Part of the DNS name of the domain.
OU        Organizational Unit    Unit within an organization. One of the containers in Exchange 5.5 that holds other objects.
CN        Common Name            Full name of a person or object defined by the entry.

Exchange 5.5 will usually have a search root beginning with cn=Recipients. The root of the tree can be determined by reading the registry with regedit on the server where Exchange is installed. Browse to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeCCMC\Parameters\SiteDN

Take the value of that key and build the search root from it. For example, if the value is /o=sec/ou=slacamas, the search root is cn=Recipients,ou=slacamas,o=sec.

Note that the components of the search root are listed in reverse order from what Exchange displays, and that commas separate the components rather than forward slashes. See the Exchange administrator if there is any difficulty.

3.3. Active Directory


This section describes the LDAP structure for the standard installation of Microsoft's Active Directory (AD). The information in this section applies to AD in both Windows 2000 and Windows Server 2003.

3.3.1. Active Directory Objects


In Active Directory, objects are stored in a hierarchical, folder-like structure and can be nested several layers of Organizational Units (OU) deep. Active Directory keeps track of these objects by using LDAP naming paths, which take two forms: Distinguished Names and Relative Distinguished Names. Each AD object has a distinguished name (DN); "distinguished" means that the name itself identifies the exact location of the object in the directory. The following keywords are used in a distinguished name:

Keyword   Meaning in a DN        Description
DC        Domain Component       Part of the DNS name of the domain. This keyword is typically used at the top levels of AD.
OU        Organizational Unit    One of the containers in AD that holds other objects.
CN        Common Name            Objects in AD, such as Users, Computers and Printers.

These keywords can be used more than once in a distinguished name, if necessary, to accurately name the path to the object. The DN is written leaf first and root last. For instance, the user John Doe in the West department of Sales in the domain Surfnet.local might have a DN like this:

CN=John Doe,OU=West,OU=Sales,DC=Surfnet,DC=local

In this example there are two OU components and two DC components. The Relative Distinguished Name (RDN) is simply the portion of the Distinguished Name that uniquely identifies an object within the object's parent container. John's RDN from the above example would be:

CN=John Doe

An RDN need not be unique across the directory, only within its parent container: a user John Doe in the East department might have exactly the same RDN, though his DN would, of course, indicate that his account is in a different OU.

3.3.2. Case 1: A Simple Case


In the default configuration of Active Directory, AD provides a Users container under the domain. The default Users container can be used to add user accounts. A simple directory structure is illustrated below:


DC=Surfnet,DC=local
  CN=Users
    CN=Mary Smith
    CN=John Smith

The user Mary Smith in this directory has the following DN: CN=Mary Smith,CN=Users,DC=Surfnet,DC=local. The user John Smith has the DN CN=John Smith,CN=Users,DC=Surfnet,DC=local. Note that the default Users container is named with CN, not OU, so the search root for this case is CN=Users,DC=Surfnet,DC=local. A tool such as Microsoft's Active Directory Users and Computers MMC snap-in can be used to view directory objects. Figure 2 shows that tool's view of the above directory structure; Figure 3 details the user properties for Mary Smith.

Figure 2. Active Directory Users and Computers for Case 1


Figure 3. User Properties for Mary Smith

This case will be referred to throughout this document as an example for setting up the LDAP global address book feature.

3.3.3. Case 2: A More Complex Case


Administrators can also use Active Directory to create new organizational units, users and groups. Organizational Units (OU) can be used to mirror the corporate structure, with one created for each location, division and so on, and further broken down into groups that share similar settings. An example is illustrated below:


DC=Surfnet, DC=local

OU=Sales

OU=Imaging

OU=Administration

OU=East

OU=West

CN=John Doe

CN=Cathy Jones

Figure 4 shows the Active Directory Users and Computers tool's view of the directory structure for Case 2. Figure 5 details the user properties for John Doe.

Figure 4. Active Directory Users and Computers for Case 2



Figure 5. User Properties for John Doe

This case will also be referenced throughout this document as an example for setting up the LDAP global address book feature. To create an address book for the West department, the following search root would be used: OU=West,OU=Sales,DC=Surfnet,DC=local. Address books can be created to look for recipients anywhere in the directory, from the top of the tree (DC=Surfnet,DC=local) down to a specific container (OU=West,OU=Sales,DC=Surfnet,DC=local). A subtree search from the top of the tree returns every matching object in the domain, so the search root is the first thing to narrow when searches run into the server's result limits (Sections 4.3.1 and 4.4.2).
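The search-root rules of Sections 3.1 to 3.3 as code, added here as an example and not part of the Sharp guide: parsing a DN into RDNs, checking whether an entry lies under a candidate search root, deriving the tightest root that still covers a set of entries, and the Exchange 5.5 SiteDN conversion from Section 3.2. The DNs are the guide's own sample values, except Cathy Jones' DN under OU=East, which is assumed because the guide shows only her name.

```python
"""Helpers for building and checking LDAP search roots (Sections 3.1 to 3.3).
Added example, not part of the Sharp guide. The DNs used with it are the
guide's own samples (Surfnet.local, /o=sec/ou=slacamas); Cathy Jones' DN under
OU=East is a constructed value."""


def split_unescaped(s, sep):
    """Split s on sep while honouring RFC 4514 backslash escapes, so that a
    value such as 'Doe\\, John' is not broken into two RDNs."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn):
    """DN string -> list of (type, value) RDNs, leaf first, root last.
    Attribute types are case-insensitive and are lower-cased; values keep their
    case and are compared case-insensitively by the functions below, which is
    how AD, Exchange and eDirectory match cn, ou, o and dc."""
    rdns = []
    for part in split_unescaped(dn, ","):
        if not part.strip():
            continue
        typ, eq, val = part.partition("=")
        if not eq:
            raise ValueError("RDN without '=': " + part)
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def _same(a, b):
    return a[0] == b[0] and a[1].lower() == b[1].lower()


def rdn(dn):
    """Leaf-most component, e.g. ('cn', 'John Doe')."""
    return parse_dn(dn)[0]


def is_under(dn, search_root):
    """True when dn is at or below search_root, i.e. a subtree search from
    search_root would reach it."""
    d, r = parse_dn(dn), parse_dn(search_root)
    return len(r) <= len(d) and all(_same(x, y) for x, y in zip(d[len(d) - len(r):], r))


def narrowest_search_root(dns):
    """Longest common suffix of the given DNs: the tightest search root that
    still covers all of them (Section 3.1: the branch closest to the data)."""
    common = []
    for comps in zip(*[reversed(parse_dn(d)) for d in dns]):   # root towards leaf
        if all(_same(c, comps[0]) for c in comps):
            common.append(comps[0])
        else:
            break
    return ",".join(f"{t}={v}" for t, v in reversed(common))


def exchange_site_dn_to_search_root(site_dn, container="Recipients"):
    """Exchange 5.5 stores the site DN slash-separated and root first; the
    MFP wants it comma-separated, leaf first, under the Recipients container:
    '/o=sec/ou=slacamas' -> 'cn=Recipients,ou=slacamas,o=sec'."""
    comps = [c for c in site_dn.strip("/").split("/") if c]
    return ",".join(["cn=" + container] + comps[::-1])
```

narrowest_search_root is the check to run before typing a search root into the MFP: feed it the DNs of a few users who must be findable, and the result is the narrowest root that still covers them all.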

3.4. Novell eDirectory 8.7


This section describes the LDAP structure for the standard installation of Novell eDirectory 8.7.

3.4.1. Novell eDirectory 8.7 Objects


Novell eDirectory 8.7 uses the following directory object keywords.

Keyword   Meaning in a DN        Description
O         Organization           Organization name.
OU        Organizational Unit    Unit within an organization. One of the containers in eDirectory that holds other objects.
CN        Common Name            Full name of a person or object defined by the entry.

A Novell eDirectory tree should be organized according to the following rules:

- Use a pyramid design.
- Create a single Organization object.
- Create first-level Organizational Units that represent the physical network infrastructure.

A sample directory is shown below:

O=slahb
  OU=Users
    CN=tjones
    CN=cjenkins

The corresponding Novell ConsoleOne view of the above directory is shown in Figure 6.
Figure 6. Novell eDirectory Configuration Using Novell ConsoleOne


4. Basic Server Configuration


The Sharp MFP should interoperate with basic LDAP server configurations. No special configuration should be necessary except as noted in the next sections.

4.1. Kerberos KDC


- It is recommended that the Kerberos system administrator add a user principal name for the MFP. A dedicated principal, rather than a shared administrator account, lets its directory rights be limited to reading the address-book subtree and lets its password be changed without affecting anything else.

4.2. DNS Server


- The MFP must be installed in a working DNS environment for Kerberos authentication.
- The KDC host name must be resolvable using a forward DNS lookup.
- The LDAP server name must be resolvable using a forward DNS lookup. For Kerberos authentication, if an IP address is used for the LDAP server, the IP address must be resolvable using a reverse DNS lookup, because the Kerberos client needs the server's host name to request a service ticket for the ldap/host-name principal.

4.3. Microsoft Exchange 5.5


4.3.1. Maximum Number of Search Results Returned
If more than the configured maximum number of results are found in an LDAP search, MS Exchange 5.5 returns no results at all for that search. The MS Exchange 5.5 default for the maximum number of search results returned is 100 entries. Use the Microsoft Exchange Server Administrator tool to set LDAP properties at either the site or server level. Before raising the limit, consider narrowing the search root or having users type a longer name at the MFP; both reduce the result count without changing server-wide behaviour.

4.3.1.1. Getting to the Administrator Window


- From the Start menu, choose Programs, choose Microsoft Exchange, and then choose Microsoft Exchange Administrator.
- Type or select the name of the Microsoft Exchange Server to which you want to connect.

4.3.1.2. Getting to the Site and Server property pages


- In the Administrator window, choose a site or server, and then choose Protocols.
- Double-click LDAP (Directory) Site Defaults to configure site LDAP defaults, or LDAP (Directory) Settings to configure a server's LDAP settings.

4.3.1.3. Getting to the Searches property page


- Select the Search tab.
- Use the Search property page to specify how LDAP will perform directory searches on client requests.
- Maximum number of search results returned specifies the maximum number of entries that will be returned for any search. Performance decreases as the number increases.


4.4. Active Directory / Exchange 2000 Configuration


The MFP Global Address Book and User Authentication features should work with the standard installation of Active Directory / Exchange 2000. Use of the Global Address Book and User Authentication features does not require anonymous access.

4.4.1. Enable Anonymous LDAP Access


Anonymous authentication is turned off by default on Windows 2000 Active Directory. Enabling it gives every host that can reach the directory port read access to the delegated objects without any credentials, so it is not recommended; a dedicated read-only account for the MFP (Section 5.4) is the preferred configuration. If anonymous access is nevertheless required:

- On your Windows 2000 Active Directory server, run the Active Directory Users and Computers administration tool.
- Select the top level of the directory in the tree view in the left-hand panel and right-click. A menu appears; select the first item, which should be "Delegate Control...".
- Click "Next".
- In the next window, titled "Users or Groups", click "Add...".
- In the list, select "Anonymous Logon" and click "Add". You may also need to select "Everyone" and the "Guests" group, depending on how AD is configured. Click "OK" when this is done.
- Click "Next".
- Select "Create a custom task to delegate" and click "Next".
- Click "Next".
- In the next list, select "Read"; "Read All Properties" is selected at the same time. Click "Next" when this is done.
- Click "Finish".
- On the MFP "Global Address Book Setup" web page, enter all required information. In addition, enter a "User Name" of anonymous, leave the password blank and select an "Authentication Type" of SIMPLE.
- Click "Submit".

4.4.2. Maximum Number of Search Results Returned


Active Directory enforces by default a maximum LDAP query page size of 1000 entries (the MaxPageSize LDAP policy). To change it, use the command-line tool ntdsutil. Setting this limit very high is not recommended: a very large page size introduces performance issues, and the policy applies to every LDAP client of the domain controller, not only to the MFP. A client that uses the LDAP paged-results control (RFC 2696) can retrieve larger result sets without any server change; where the client cannot, a narrower search root is the safer alternative.

4.4.2.1. Changing the page size


- Log in as Administrator.
- Open a Command Prompt.
- Enter the following commands, replacing SERVERNAME with the appropriate server name:

    C:\> ntdsutil
    ntdsutil: ldap policies
    ldap policy: connections
    server connections: connect to server SERVERNAME
    Binding to SERVERNAME ...
    Connected to SERVERNAME using credentials of locally logged on user
    server connections: q
    ldap policy: show values

    Policy                    Current(New)
    MaxPoolThreads            4
    MaxDatagramRecv           1024
    MaxReceiveBuffer          10485760
    InitRecvTimeout           120
    MaxConnections            5000
    MaxConnIdleTime           900
    MaxActiveQueries          20
    MaxPageSize               1000
    MaxQueryDuration          120
    MaxTempTableSize          10000
    MaxResultsSetSize         262144
    MaxNotificationPerConn    5

    ldap policy: set maxpagesize to #### (for example, 2000)
    ldap policy: commit changes
    ldap policy: q
    ntdsutil: q
    Disconnecting from SERVERNAME
    C:\>

4.5. Active Directory / Exchange 2003 Configuration


The MFP Global Address Book and User Authentication features should work with the standard installation of Active Directory / Exchange 2003. Use of the Global Address Book and User Authentication features does not require anonymous access.

4.5.1. Enable Anonymous LDAP Access


See Section 4.4.1.

4.5.2. Maximum Number of Search Results Returned


See Section 4.4.2.

4.6. Linux/OpenLDAP
The User Authentication feature looks users up by the uid (user ID) attribute, which holds the computer system login name. uid is defined in the standard LDAP core schema (RFC 4519) and is carried by the inetOrgPerson and posixAccount object classes, so on most OpenLDAP installations the schema already has it; what may be missing is a uid value on the user entries themselves, or the schema entry on older or customized servers. To confirm that the uid attribute exists and is populated on your LDAP server, refer to an LDAP administrator or to the product documentation for that server.

4.7. Novell eDirectory 8.7


Novell eDirectory uses the password stored in the simplePassword attribute to perform Simple and Digest-MD5 binds. This value must be stored as clear text in order for the bind to succeed. The simplePassword attribute can be set with the ICE import/export tool, through the SimplePassword ConsoleOne snap-in, or with an LDAP control in your userPassword modification code. Since the MFP does not support a secure transport layer such as TLS, deselect the option Require TLS for Simple Bind with Password during installation of eDirectory. After installation, the option can be deselected using the Novell ConsoleOne snap-in by selecting the General tab in the LDAP Group Properties page. In addition, using ConsoleOne, the Require TLS for All Operations option must be deselected in the SSL/TLS Configuration tab of the LDAP Server Properties page.

Both settings weaken the server for every LDAP client, not just the MFP: once simple binds are allowed without TLS, the MFP's bind account password and the password of every user who authenticates at the front panel cross the network in clear text. Keep the MFP and the eDirectory server on a network segment where that traffic cannot be observed, and give the MFP's bind account no more than read access to the address-book subtree.


5. Basic MFP Configuration


This section describes how to configure the MFP to use the Global Address Book and User Authentication features.

5.1. DNS Setup


Configure the DNS Setup web page. See Figure 7.
Figure 7. DNS Setup Web Page

Primary DNS Server
  Definition: IP address of the primary Domain Name Service (DNS) server.
  Type / Input Limitations: IP address format
  Default Value: Blank

Secondary DNS Server
  Definition: IP address of the secondary Domain Name Service (DNS) server.
  Type / Input Limitations: IP address format
  Default Value: Blank

Timeout
  Definition: DNS server timeout.
  Type / Input Limitations: 0 to 60 seconds
  Default Value: 20

Domain Name
  Definition: Full name of the domain.
  Type / Input Limitations: 64 characters text
  Default Value: Blank

5.2. Kerberos Authentication Setup


For Kerberos authentication, configure Kerberos Setup web page. See Figure 8.



Figure 8. Kerberos Setup Web Page

KDC Server
  Definition: An IP address or resolvable host name for the Key Distribution Center (KDC).
  Type / Input Limitations: IP address format or 127 characters text
  Default Value: Blank

Port Number
  Definition: KDC port number (the standard Kerberos port is 88).
  Type / Input Limitations: 5 digits
  Default Value: 88

Realm
  Definition: The logical network served by the Kerberos database. Kerberos realm names are case-sensitive. By convention, realm names are generally all uppercase letters; refer to the Kerberos administrator for the correct realm name. For Active Directory, the Kerberos realm name is typically the full DNS name of the domain in uppercase letters: in our example, the domain surfnet.local maps to a Kerberos realm name of SURFNET.LOCAL. The Active Directory domain name can be obtained from the Active Directory Users and Computers administrative tool (see Figure 9).
  Type / Input Limitations: 127 characters text
  Default Value: Blank

Figure 9. Active Directory Users and Computers Tool


5.3. Clock Setup


For Kerberos authentication, time synchronization between the MFP and the KDC is critical. The maximum clock skew is specified by the KDC; the default is typically 300 seconds, and a bind attempted outside that window is rejected by the KDC no matter how correct the credentials are. To synchronize time with the Kerberos KDC, select the corresponding Time Zone on the SMTP Setup web page [2,3] (see Figure 10).
Figure 10. Time Zone Setup

Set the date and time to current local date and time via the Custom Settings Mode. Select Daylight Saving Time Setting if applicable (see Figure 11).
Figure 11. MFP Clock Adjust

Rebooting of the MFP is required after an MFP clock adjustment.
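The DNS and clock requirements of Sections 4.2 and 5.3 as a pre-flight script, added here as an example and not part of the Sharp guide. The host names and addresses (kdc.surfnet.local, dc1.surfnet.local, 10.0.0.1) are constructed; the resolver functions and clock values are parameters so the checks can be exercised against fakes, and the defaults use the standard library's real lookups. When the LDAP server is given as an IP address it also verifies that the reverse name resolves back to that address, since the Kerberos client derives the ldap/host-name service principal from that name.

```python
"""Pre-flight checks for the MFP's Kerberos/LDAP setup (Sections 4.2 and 5.3):
the KDC and LDAP server names must resolve forward, an LDAP server given as an
IP address must resolve in reverse (the Kerberos client needs a host name to
ask the KDC for a ticket to ldap/<host>@REALM), and the MFP clock must be
within the KDC's skew limit. Added example, not Sharp's code. The resolver and
clock are parameters so the checks can run offline against fakes; the defaults
use the real socket calls. Host names used with it are constructed samples."""
import ipaddress
import socket

MAX_SKEW_SECONDS = 300   # typical KDC default; confirm with the Kerberos administrator


def forward_lookup(name):
    """IPv4 addresses for name; raises OSError (socket.gaierror) if it does not resolve."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def reverse_lookup(ip):
    """PTR name for ip; raises OSError (socket.herror) if there is none."""
    return socket.gethostbyaddr(ip)[0]


def is_ip_address(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def preflight(kdc, ldap_server, mfp_time, kdc_time,
              forward=forward_lookup, reverse=reverse_lookup, max_skew=MAX_SKEW_SECONDS):
    """Run every check and return a list of (check, passed, detail) tuples.
    mfp_time and kdc_time are epoch seconds read from the two clocks."""
    results = []

    def lookup(check, fn, arg):
        try:
            answer = fn(arg)
            results.append((check, bool(answer), f"{arg} -> {answer}"))
            return answer
        except OSError as e:
            results.append((check, False, f"{arg}: {e}"))
            return None

    lookup("kdc forward lookup", forward, kdc)
    if is_ip_address(ldap_server):
        # Kerberos needs a name for the service principal; the PTR name must
        # also resolve back to the same address or the SPN will not match.
        host = lookup("ldap reverse lookup", reverse, ldap_server)
        if host:
            addrs = lookup("ldap reverse name forward lookup", forward, host)
            results.append(("ldap PTR/A consistency", bool(addrs) and ldap_server in addrs,
                            f"{host} -> {addrs}, expected {ldap_server}"))
    else:
        lookup("ldap forward lookup", forward, ldap_server)
    skew = abs(mfp_time - kdc_time)
    results.append(("clock skew", skew <= max_skew, f"{skew:.0f}s (limit {max_skew}s)"))
    return results


def failed_checks(results):
    """Names of the checks that did not pass; empty means the setup is ready."""
    return [check for check, passed, _ in results if not passed]
```

Call preflight with the KDC and LDAP server values exactly as they are typed into the MFP web pages, with mfp_time read from the MFP's clock and kdc_time from the KDC host; an empty failed_checks result means every rule in Sections 4.2 and 5.3 is satisfied.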


5.4. Global Address Book Setup


Use the Global Address Book Setup web page to configure LDAP access on MFP [2]. Up to seven address books can be configured to point at different LDAP servers or break one LDAP server down into several subdirectories. The Global Address Book Setup for Case 1, Section 3.3.2, is shown in Figure 12.
Figure 12. Global Address Book Setup Web Page for Case 1

Name
  Definition: Name of the address book. Users will select which address book to search by the name.
  Type / Input Limitations: 42 characters text
  Default Value: Blank

Search Root
  Definition: The base or root of the directory where the LDAP server will start the search for names. Allows user(s) to limit the LDAP search. The form of the search root is server and installation specific. Check with the LDAP system administrator for specific information. Using the examples in Section 3, a typical search root for MS Exchange 5.5 is cn=Recipients,ou=slacamas,o=sec; for Active Directory Case 1, cn=Users,dc=surfnet,dc=local; for Active Directory Case 2, ou=west,ou=sales,dc=surfnet,dc=local.
  Type / Input Limitations: 512 characters text
  Default Value: Blank

LDAP Server
  Definition: An IP address or resolvable host name for the LDAP server.
  Type / Input Limitations: IP address format or 127 characters text
  Default Value: Blank

Port Number
  Definition: LDAP server port number. Some LDAP implementations require a port number other than the default.
  Type / Input Limitations: 5 digits
  Default Value: 389

Timeout
  Definition: LDAP server connection and search request timeout.
  Type / Input Limitations: 0 to 60 seconds
  Default Value: 5

User Name
  Definition: The name of a user authorized to search entries in the user directory. Format may be user logon name or distinguished name. Section 5.4.4 provides more details on the format for this entry. Note: It is recommended that the LDAP administrator create a user name for the MFP itself.
  Type / Input Limitations: 32 characters text
  Default Value: Blank

Password
  Definition: The password for the user specified by the User Name.
  Type / Input Limitations: 32 characters text
  Default Value: Blank

Authentication Type
  Definition: Authentication type for the address book. See Table 1 for more information. Note: Microsoft Active Directory does not support the standard Anonymous authentication type. To use anonymous access with Active Directory, select Simple authentication, enter anonymous as the user name, and leave the password blank.
  Type / Input Limitations: Drop-down list (Anonymous, Simple, NTLM, Digest-MD5, Kerberos)
  Default Value: Anonymous

Default Address Book
  Definition: Sets the current address book as the default. The default address book is used for user authentication and is pre-selected as the address book for searches (the user can select an alternative address book at search time).
  Type / Input Limitations: Checkbox
  Default Value: Unchecked

Table 1. Authentication Types

Anonymous
  No user name or password is provided. The User Name and Password fields are not passed to the LDAP server in the bind request operation. A NULL user name and password are used in place of these values.

Simple
  User name and password are provided, but are sent over the network in clear text.

Digest-MD5
  A challenge/response authentication method using the MD5 algorithm. The mandatory-to-implement default authentication mechanism for LDAPv3.

NTLM
  NTLM is an authentication protocol used in Windows NT environments. The password is hashed and then encrypted with a challenge from the server before being sent over the network. In NT environments, user information is stored in and verified by the SAM (Security Accounts Manager) database on the domain controller.

Kerberos
  Kerberos is a trusted third-party authentication system developed by MIT. Kerberos is the default authentication protocol for Windows 2000 environments. Kerberos utilizes a Key Distribution Center (KDC) that authenticates users and grants tickets to use services on a network.


5.4.1. Global Address Book Setup Example for Case 2


Figure 13. Global Address Book Setup Web Page for Case 2

5.4.2. Global Address Book Setup Example for MS Exchange


Figure 14. Global Address Book Setup Web Page for MS Exchange 5.5


5.4.3. Global Address Book Setup Example for Novell eDirectory 8.7
Figure 15. Global Address Book Setup Web Page for Novell eDirectory 8.7


5.4.4. User Name Entry


The User Name and Password entries can have different formats depending on the authentication type selected. The formats the User Name entry can take are described in Table 2. The Anonymous authentication type does not use the User Name and Password entries; they are left as NULL during the LDAP bind request. The Simple authentication type uses the LDAP directory to authenticate the user and usually requires the Display name, DN or RDN format. NTLM is a Microsoft proprietary authentication mechanism and uses the User Logon Name format. The Digest-MD5 and Kerberos authentication types use the SASL protocol and generally use the User Logon Name format.
Table 2. User Name Entry Formats

Distinguished Name (DN)
  Description: A unique identifier of an entry in an LDAP directory. In effect, it is the path to the object in a directory information tree (DIT). Components are comma-separated.
  Examples: Case 1: cn=Mary Smith,cn=Users,dc=surfnet,dc=local; Case 2: cn=John Doe,ou=West,ou=Sales,dc=surfnet,dc=local

Relative Distinguished Name (RDN)
  Description: The individual components of a distinguished name.
  Examples: Case 1: cn=Mary Smith; Case 2: cn=John Doe

User Logon Name
  Description: The user's logon name.
  Examples: Case 1: msmith; Case 2: jdoe

Display Name
  Description: The user's display name.
  Examples: Case 1: Mary Smith; Case 2: John Doe

5.4.4.1. MS Exchange 5.5 Authentication Support


MS Exchange 5.5 supports the Anonymous, Simple and NTLM authentication types. The User Name to be entered is described in Table 3.
Table 3. User Name Entry for MS Exchange 5.5

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN) or relative distinguished name (RDN). Example: cn=jdoe
NTLM: User logon name. Example: jdoe
Digest-MD5: Not supported.
Kerberos: Not supported.

5.4.4.2. Active Directory / Exchange 2000 Authentication Support


Windows 2000 with Active Directory supports the Simple, NTLM and Kerberos authentication types. Anonymous access to Active Directory is turned off by default. The User Name to be entered is described in Table 4.



Table 4. User Name Entry for Active Directory 2000

Anonymous: Not supported. Note: If anonymous access is enabled, use the Simple authentication type with a User Name of Anonymous and no password.
Simple: Active Directory Display name. Examples: Case 1: Mary Smith; Case 2: John Doe
NTLM: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Digest-MD5: Not supported.
Kerberos: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe

5.4.4.3. Active Directory / Exchange 2003 Authentication Support


Windows Server 2003 with Active Directory supports the Simple, NTLM, Digest-MD5 and Kerberos authentication types. Anonymous access to Active Directory is turned off by default. The User Name to be entered is described in Table 5.
Table 5. User Name Entry for Active Directory 2003

Anonymous: Not supported. Note: If anonymous access is enabled, use the Simple authentication type with a User Name of Anonymous and no password.
Simple: Active Directory Display name. Examples: Case 1: Mary Smith; Case 2: John Doe
NTLM: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Digest-MD5: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe
Kerberos: Active Directory User logon name. Examples: Case 1: msmith; Case 2: jdoe

5.4.4.4. Linux/OpenLDAP Authentication Support


OpenLDAP supports the Anonymous, Simple, Digest-MD5 and Kerberos authentication types. The User Name to be entered is described in Table 6.
Table 6. User Name Entry for OpenLDAP

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN). Example: cn=jlum,dc=sharplabs,dc=com
NTLM: Not supported.
Digest-MD5: OpenLDAP user name in sasldb or other database. Example: jlum
Kerberos: User principal name. Example: jlum

5.4.4.5. Novell eDirectory 8.7 Authentication Support


Novell eDirectory 8.7 supports Anonymous, Simple and Digest-MD5 authentication types. The User Name to be entered is described in Table 7.
Table 7. User Name Entry for Novell eDirectory 8.7

Anonymous: No entry in User Name is required.
Simple: Distinguished name (DN). Example: cn=tjones,ou=Users,o=slahb
NTLM: Not supported.
Digest-MD5: Distinguished name (DN), which must be preceded by dn:. Example: dn:cn=tjones,ou=Users,o=slahb
Kerberos: Not supported.

5.4.5. Additional Notes


The system administrator can set the user name for the different formats to be the same text characters. In Active Directory 2000, the system administrator can set the display name, the user logon name and the relative distinguished name to be the same text characters. Using Case 2 as an example, the system administrator can set the:

- Display name: jdoe
- User logon name: jdoe
- Distinguished name: cn=jdoe,ou=west,ou=sales,dc=surfnet,dc=local

In Active Directory, the Display name is automatically generated from the First and Last names. The Display name can be replaced with one of your choosing. The Display name must be unique among all other Display names in the directory.

The Sharp MFP LDAP client creates a search filter using the common name (cn) attribute. The Sharp MFP LDAP client queries the LDAP server to retrieve the common name (cn) and mail attributes. These items cannot be configured. The wildcard character, an asterisk (*), can be used for wildcard comparisons. For NTLM, the user logon name must be in the same network domain as the copier.
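The format rules spread across Tables 2 to 7 and the notes above are easy to get wrong when filling in the User Name field, so the following Python is an added example (my own, not Sharp firmware or any Sharp tool) that classifies an entry as DN, RDN, logon name or display name and checks it against what each directory accepts per authentication type. The directory and format labels are my own, and the regular expressions approximate the DN syntax of the examples in this section.

```python
import re

# Consolidation of Tables 3-7: the User Name Entry format(s) each directory
# accepts per Authentication Type. "none" means the field is left blank.
ACCEPTED_FORMATS = {
    "MS Exchange 5.5": {"Anonymous": {"none"}, "Simple": {"dn", "rdn"}, "NTLM": {"logon"}},
    "Active Directory 2000": {"Simple": {"display"}, "NTLM": {"logon"}, "Kerberos": {"logon"}},
    "Active Directory 2003": {"Simple": {"display"}, "NTLM": {"logon"},
                              "Digest-MD5": {"logon"}, "Kerberos": {"logon"}},
    "OpenLDAP": {"Anonymous": {"none"}, "Simple": {"dn"},
                 "Digest-MD5": {"logon"}, "Kerberos": {"logon"}},
    "Novell eDirectory 8.7": {"Anonymous": {"none"}, "Simple": {"dn"},
                              "Digest-MD5": {"dn-prefixed"}},
}

_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,=]+"        # one attribute=value component
_DN_RE = re.compile(rf"^{_RDN}(,{_RDN})+$")    # two or more, comma-separated
_RDN_RE = re.compile(rf"^{_RDN}$")


def classify(user_name):
    """Return the set of Table 2 formats the entry could be. A bare word such
    as jdoe may be a logon name or a display name the administrator set to the
    same text (Section 5.4.5), so both are returned."""
    name = user_name.strip()
    if not name:
        return {"none"}
    if name.lower().startswith("dn:"):          # eDirectory Digest-MD5 form
        return {"dn-prefixed"} if _DN_RE.match(name[3:]) else set()
    if _DN_RE.match(name):
        return {"dn"}
    if _RDN_RE.match(name):
        return {"rdn"}
    if "=" in name or "," in name:              # malformed DN: accept nothing
        return set()
    return {"display"} if " " in name else {"logon", "display"}


def check_user_name(directory, auth_type, user_name):
    """Validate a Global Address Book User Name entry against Tables 3-7.
    Returns (True, [matching formats]) or (False, reason)."""
    by_auth = ACCEPTED_FORMATS.get(directory)
    if by_auth is None:
        return False, "unknown directory: " + directory
    accepted = by_auth.get(auth_type)
    if accepted is None:
        return False, auth_type + " is not supported on " + directory
    matched = classify(user_name) & accepted
    if not matched:
        return False, "expected %s, got %s" % (sorted(accepted), sorted(classify(user_name)))
    return True, sorted(matched)
```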

5.5. User Authentication


User authentication is enabled on the Network Scanning Setup web page. See Figure 16.


Figure 16. Network Scanning Setup Web Page

Items used for authentication may be login name, password, and e-mail address, or login name and password only. If the e-mail address is included, authentication will only succeed if the e-mail address set up for the sender matches the one in the LDAP server. User authentication is performed using the LDAP server configured for the default address book. Each user that will be authenticated needs to be set up as a sender on the device using the Sender Management web page. See Figure 17.

Figure 17. Sender Management Web Page

When users access the scan function at the MFP front panel they will be prompted to select a sender name and enter their password. The login name configured for that sender and the entered password will be sent to the LDAP server for authentication. Upon successful authentication, the e-mail address configured for the sender will be placed in the e-mail From field. Authentication of login name, password, and email address can be used to ensure that the e-mail address configured for the sender matches the one on the LDAP server. The login name for the sender can have different formats based on the authentication type of the default Global Address Book. It may be necessary to enter the distinguished name, relative distinguished name, or user login name. See Table 2 in Section 5.4.4 for details.


The uid and samaccountname attributes are used for user authentication. Therefore, in order for the user authentication to be successful, the LDAP server must contain either the uid or samaccountname attribute. The uid is typically used in Unix/Linux systems. The samaccountname is used in Windows 2000 / 2003 Active Directory.
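The guide states which attributes the MFP searches on (cn for the address book, uid or samaccountname for authentication) and that the sender's configured e-mail must match the directory's mail attribute, but not how the filters are built. The following Python is an added example of my own, not the MFP's internal code: it builds those two filters with RFC 4515 escaping so that only the address book search keeps the asterisk wildcard, and applies the one-entry and mail-match rules to a constructed search result.

```python
# RFC 4515 escaping for values interpolated into an LDAP search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value, keep_wildcard=False):
    """Escape a user-supplied value so it cannot alter the filter structure.
    With keep_wildcard=True the asterisk passes through unescaped, which is
    the wildcard comparison the address book search allows (Section 5.4.5)."""
    return "".join(ch if (ch == "*" and keep_wildcard) else _ESCAPES.get(ch, ch)
                   for ch in value)


def address_book_filter(search_text):
    """Global address search from the front panel: match on cn, wildcards kept."""
    return "(cn=%s)" % escape_filter_value(search_text, keep_wildcard=True)


def authentication_filter(login_name):
    """Locate the sender's entry by uid (Unix/Linux) or samaccountname (Active
    Directory). A wildcard is escaped here: a login must name exactly one entry."""
    value = escape_filter_value(login_name)
    return "(|(uid=%s)(samaccountname=%s))" % (value, value)


def resolve_sender(entries, configured_mail=None):
    """Pick the single directory entry to bind as, given the search results.
    entries: list of (dn, attributes) pairs as an LDAP library would return.
    If configured_mail is given (login name + password + e-mail mode), the
    entry's mail attribute must match it. Returns (dn, reason)."""
    if len(entries) != 1:
        return None, "expected exactly one entry, found %d" % len(entries)
    dn, attrs = entries[0]
    if configured_mail is not None:
        mails = attrs.get("mail", [])
        mails = [mails] if isinstance(mails, str) else mails
        if configured_mail.strip().lower() not in [m.strip().lower() for m in mails]:
            return None, "sender e-mail does not match the directory mail attribute"
    return dn, "ok"


# Constructed sample search result for Case 2 (not captured from a real server).
SAMPLE_RESULT = [("cn=John Doe,ou=West,ou=Sales,dc=surfnet,dc=local",
                  {"cn": ["John Doe"], "samaccountname": ["jdoe"],
                   "mail": ["JDoe@surfnet.local"]})]
```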


6. Basic Troubleshooting
This section provides basic troubleshooting to help the user diagnose problems with the configuration of the Global Address Book and User Authentication features. Due to the large number of possible network environments, an exhaustive troubleshooting guide is beyond the scope of this document.

6.1. LDAP Configuration Problems


Problem: Error message on web page: LDAP Server connection failed.
Solution or Cause: Incorrect LDAP configuration. Review the LDAP settings for port number, search root, and user name and password. The LDAP server is down. Check with appropriate network administration personnel. Make sure that TCP/IP is installed and enabled on the server for network protocols. Verify the LDAP server is resolvable using forward and reverse DNS lookups.

Problem: Error message on web page: NIC is not ready.
Solution or Cause: Make sure that TCP/IP is installed and enabled on the MFP for network protocols.

Problem: Error message on web page: To resolve the name of LDAP Server failed.
Solution or Cause: Verify the LDAP server is resolvable using forward and reverse DNS lookups. Use the IP address of the LDAP server instead of the hostname.

Problem: Error message on web page: Timeouted.
Solution or Cause: Increase the LDAP server timeout value setting using the MFP web interface.

Problem: Error message on web page: Authentication of LDAP Server failed.
Solution or Cause: See Section 6.2.

Problem: Front panel user authentication failed.
Solution or Cause: Ensure the uid or samaccountname attributes are accessible in the directory. The MFP searches for a user name using the uid or samaccountname attribute in the directory. If either of these attributes is not accessible for LDAP queries, the search fails even if a valid user name and password are provided.
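The name-resolution and connection rows above can be reproduced from a desktop on the same network before touching the MFP. The following Python script is an added example (mine, not a Sharp tool): it runs the forward and reverse DNS lookups and a TCP connect to the configured port within the 0 to 60 second Timeout range, and labels each outcome with the message the web page would show.

```python
import socket

# The web page messages from the table in Section 6.1.
RESOLVE_FAILED = "To resolve the name of LDAP Server failed"
TIMEOUTED = "Timeouted"
CONNECT_FAILED = "LDAP Server connection failed"


def preflight(ldap_server, port=389, timeout=5):
    """Run the DNS and TCP checks from Section 6.1 against a Global Address
    Book setting. Returns a list of findings; an empty list means all passed.
    timeout uses the same 0 to 60 second range as the MFP Timeout setting."""
    if not 0 <= timeout <= 60:
        raise ValueError("timeout must be 0 to 60 seconds")
    findings = []
    try:
        ip = socket.gethostbyname(ldap_server)        # forward lookup
    except socket.gaierror as exc:
        return ["%s: %s (%s)" % (RESOLVE_FAILED, ldap_server, exc)]
    try:
        socket.gethostbyaddr(ip)                       # reverse lookup
    except (socket.herror, socket.gaierror):
        findings.append("reverse DNS lookup failed for %s; consider entering "
                        "the IP address instead of the hostname" % ip)
    try:
        # timeout of 0 on the MFP means no limit; mirror that with a blocking connect
        with socket.create_connection((ip, port), timeout=timeout or None):
            pass
    except socket.timeout:
        findings.append("%s: no answer from %s:%d within %ds; raise the Timeout "
                        "setting or check the server" % (TIMEOUTED, ip, port, timeout))
    except OSError as exc:
        findings.append("%s: %s:%d (%s); check the port number and that the "
                        "server is up" % (CONNECT_FAILED, ip, port, exc))
    return findings
```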

6.2. Authentication Problems


Problem: Anonymous access fails.
Solution or Cause: Ensure the LDAP server is configured for anonymous access. Verify the search root. Note: Microsoft Active Directory (2000 and 2003) does not support anonymous binds. See Sections 5.4.4.2 and 5.4.4.3.

Problem: Simple authentication fails.
Solution or Cause: Verify the entered user name and password are correct. Capture a network trace to ensure the correct user name and password.

Problem: NTLM authentication fails.
Solution or Cause: Verify the entered user name and password are correct.

Problem: Digest-MD5 authentication fails.
Solution or Cause: Check the user name and password entered are correct.

Problem: Kerberos authentication fails.
Solution or Cause: Verify the user name is the user principal name. Verify the entered user name and password are correct. Create a test user principal and password to use with the MFP. Test with a desktop system on the same network as the MFP and KDC. Check that time synchronization between the MFP and KDC is within the limits specified by the KDC. Make sure the KDC is running. Ensure the Kerberos realm name is correct; the Kerberos realm name is case-sensitive. Verify the KDC is resolvable using DNS.


7. Glossary
This glossary defines terms used in the LDAP Users Guide.

LDAP: The Lightweight Directory Access Protocol, used by clients to locate entries in a directory. Commonly used by e-mail servers to make global address books available to clients. LDAP is used in Sharp MFPs to search the global e-mail address book at the front panel and for completing e-mail fields on the device web pages.
MD5: A message digest algorithm [4].
NTLM: Refers to NT LAN Manager security. Also referred to as Windows NT challenge/response in Microsoft's Exchange Server Administrator tool.
SASL: Simple Authentication and Security Layer is a protocol used in LDAP to provide authentication, data integrity and data confidentiality.
