Managing LDAP security for InfoPrint Manager for AIX

InfoPrint Manager provides an extension to the FST security that allows you to use an LDAP/Active Directory server for user authentication and access rights. When enabling LDAP security, the FST security continues to work as before. Use the AIX SMIT utility to configure, enable, or disable the LDAP security of your print system. Open the SMIT interface, and go to InfoPrint Printing System > Security > LDAP Security.

Enable/Disable LDAP Security
To enable the LDAP security:
  1. Click the Enable/Disable LDAP option.
  2. Choose the Enable LDAP Security option.
To disable the LDAP security:
  1. Click the Enable/Disable LDAP option.
  2. Choose the Disable LDAP Security option.
Add/Change LDAP Connection
To add an LDAP connection:
  1. Click the LDAP Connections option.
  2. Choose the Add LDAP Connection option.
  3. Fill in these fields with the required information:

    Connection Name
    Enter the connection name of the LDAP server.
    IP Address or Host Name
    Enter the host name or IP address of the LDAP server.
    Port
    Enter the port number that is used for communication.
    Encryption Method
    Select an encryption method for the LDAP server. Choose the Use Start TLS Extension option or the Use SSL Encryption option if you want to use the Start TLS or the SSL protocol, respectively.
    Description
    Enter an optional description.
    Test Connection
    If the information you enter is valid, you receive a confirmation message. If you enter incorrect settings, you receive an error message.

To edit an LDAP connection:
  1. Click the LDAP Connections option.
  2. Choose the Edit LDAP Connection option.
  3. Select the LDAP connection and make the necessary changes.
To delete an LDAP connection:
  1. Click the LDAP Connections option.
  2. Choose the Delete LDAP Connection option.
  3. Select the LDAP connection that you want to delete.
LDAP Authentication
Specify how InfoPrint Manager authenticates to the Lightweight Directory Access Protocol Server (LDAP). This information is used as authentication data for all existing LDAP connections. InfoPrint Manager uses the information to authenticate to the LDAP Server to retrieve specific data (for example, group membership and login attributes) about the entries.

To change the LDAP authentication:

  1. Click the LDAP Authentication option.
  2. Fill in these fields with the required information:

    Test Authentication against LDAP Connection
    Select one of the available LDAP connections to validate settings. If you enter incorrect settings, you receive an error message.
    Important: If you have multiple LDAP servers defined, the server information is common for all.
    Authentication Method
    Select the method of authentication: No Authentication, Simple, or Digest.
    Bind DN or User
    Enter the distinguished name (DN) of the account.
    Bind Password
    Enter your password.
    Note: When you use the Anonymous login, you do not need to specify a value for Bind DN or User or for Bind Password.
    SASL Realm
    Enter the name of the SASL Realm. This option is available when you use the Digest method.

LDAP Search options
Specify the settings used by InfoPrint Manager when searching for LDAP users. This information is used as search options for all existing LDAP connections.

To change the LDAP search options:

  1. Click the LDAP Search Options.
  2. Fill in these fields with the required information:
    Validate Search Options against LDAP Connection
    Select one of the available LDAP connections to validate settings. If you enter incorrect settings, you receive an error message.
    Important: If you have multiple LDAP servers defined, the search information is common for all.
    Users:
    User Search Base
    Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the users are located.
    Login Attributes
    Specifies the user attributes for the login in the LDAP server.
    User Filter Type
    Specifies one or more object classes to filter when InfoPrint Manager searches for users.
    User Filter Value
    Specifies a custom filter that InfoPrint Manager uses when it searches users.
    Groups:
    Group Search Base
    Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the groups are located.
    Group Name Attributes
    Specifies an attribute that identifies the group name (for example, cn).
    Group Member Attribute
    Specifies the attribute of a user group (for example, member).
    Group Filter Type
    Specifies one or more object classes to filter when InfoPrint Manager searches for groups.
    Group Filter Value
    Specifies a custom filter that InfoPrint Manager uses when searching for groups.
    Performance Search Option
    Use “memberOf” capability
    Informs InfoPrint Manager that the group membership can be determined directly from the memberOf attribute of the user entry.
    Note: Make sure that this property is supported on your LDAP server.
    Traverse Nested Groups
    Applies only to Microsoft Active Directory; it is used to check whether a user is an indirect member of a group (a member of a group that is itself a member of another group).
    Use “ibm-allGroups” Capability
    Applies only to IBM Tivoli Directory Server; it is used to determine the group membership directly from the ibm-allGroups attribute.
    Note: Make sure that this option is supported on your LDAP server.
    Use case-sensitive search
    This option is used for case-sensitive matching in LDAP/AD queries. For instance, when this option is enabled, USER does not match user in the LDAP/AD query. This option must be consistent with the LDAP/AD server case-sensitive settings.
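The following is an added example, not InfoPrint Manager code: it models how the User Filter Type, Login Attributes and User Filter Value settings combine into one LDAP search filter, and how the Group Member Attribute, memberOf and Traverse Nested Groups options change the way group membership is resolved. The in-memory directory, DNs and helper names are constructed assumptions.

```python
"""Added example (not InfoPrint Manager code): how the LDAP Search Options
combine into a user lookup and a group-membership check. The directory
below is constructed sample data; function names are assumptions."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name typed by a user must never be able
    to change the structure of the filter it is placed in."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(filter_types, login_attrs, login, filter_value=""):
    """User Filter Type (object classes) AND Login Attributes (any of them
    matching the escaped login) AND the optional custom User Filter Value."""
    classes = "".join(f"(objectClass={c})" for c in filter_types)
    class_part = f"(|{classes})" if len(filter_types) > 1 else classes
    safe = escape_filter_value(login)
    attrs = "".join(f"({a}={safe})" for a in login_attrs)
    attr_part = f"(|{attrs})" if len(login_attrs) > 1 else attrs
    return f"(&{class_part}{attr_part}{filter_value})"


# Constructed directory: DN -> attributes. print-ops is nested in print-admins.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"],
        "memberOf": ["cn=print-ops,ou=groups,dc=example,dc=com"]},
    "cn=print-ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["print-ops"],
        "member": ["uid=jdoe,ou=people,dc=example,dc=com"],
        "memberOf": ["cn=print-admins,ou=groups,dc=example,dc=com"]},
    "cn=print-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["print-admins"],
        "member": ["cn=print-ops,ou=groups,dc=example,dc=com"]},
}


def groups_of(user_dn, group_base, member_attr="member",
              use_member_of=False, traverse_nested=False):
    """With memberOf, groups are read from the entry itself; otherwise every
    group under the Group Search Base whose member attribute lists the DN is
    searched. Nested traversal repeats the step for each group found."""
    def direct(dn):
        if use_member_of:
            return set(DIRECTORY[dn].get("memberOf", []))
        return {g for g, a in DIRECTORY.items()
                if g.endswith(group_base) and dn in a.get(member_attr, [])}
    found, todo = set(), [user_dn]
    while todo:                      # breadth over the unvisited groups
        for g in direct(todo.pop()) - found:
            found.add(g)
            if traverse_nested:
                todo.append(g)
    return found
```

Without Traverse Nested Groups, jdoe is only in print-ops; with it, print-admins is found as well.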

LDAP Security Status
This option lets you check whether the LDAP security of the InfoPrint Manager system is enabled or disabled.
To check the LDAP security status, click the LDAP Security Status option.
TLS/SSL Keystore Database
This option lets you set a Keystore Database password. You need a TLS/SSL Keystore Database password when you select Use SSL Encryption as the encryption method for an LDAP connection.

You must create a CMS key database file set: pdldap.kdb (the key database itself), pdldap.rdb (stores certificate requests), and pdldap.crl (certificate revocation list) to access the LDAP server via SSL/TLS. The CMS database files must be placed in /var/pddir/default_cell/ldap. If the default path /var/pddir/default_cell/ldap is not suitable for you, you can change the location of the CMS database using the environment variable PD_LDAP_KDB_PATH, which must point to the custom CMS database directory. The password for the CMS key database must be configured in SMIT.

See the documentation for your operating system for information on the packages that you need to install.