Managing LDAP security for InfoPrint Manager for Linux

InfoPrint Manager provides an extension to the FST security that allows you to use an LDAP/Active Directory server for user authentication and access rights. When enabling LDAP security, the FST security continues to work as before.

Enable/Disable LDAP Security
Use the Linux IPMMI utility (it requires GUI) to enable or disable the LDAP security of your print system.

Depending on your needs, choose one of these options:

  • Open a Linux term window and enter startipmmi on the command line, then press enter.

  • On the RedHat Enterprise System, go to Applications InfoPrintManager, and select Management Interface to start the Management Interface GUI. On the SUSE Linux Enterprise Server, go to Computer More Application InfoPrint Manager, and select Management Interface to start the Management Interface GUI.

To enable the LDAP security:
  1. Click the Security tab.
  2. Right-click the LDAP tab and choose Enable LDAP Security option.
    Note: You must have at least one LDAP connection with valid authentication settings and search options to enable the LDAP security.
To disable the LDAP security:
  1. Click the Security tab.
  2. Right-click the LDAP tab and choose Disable LDAP Security option.
Create/Change LDAP Connection
To create an LDAP connection:
  1. Click the Security tab.
  2. Right-click the LDAP tab and choose the New… option.
To change an LDAP connection:
  1. Click the Security tab.
  2. Click the LDAP tab.
  3. Right-click the LDAP connection and choose the Open... option.

Connection Name
Enter the connection name of the LDAP server.
IP Address or Host Name
Enter the host name or IP address of the LDAP server.
Port
Enter the port number that is used for communication.
Encryption Method
Enter an encryption method for the LDAP Server. Select the Use Start TLS Extension or the Use SSL Encryption option if you want to use the Start TLS or the SSL protocols.
Description
Enter an optional description.
Test Connection
If the information you enter is valid, you receive a confirmation message. If you enter incorrect settings, you receive an error message.

LDAP Authentication
Specify how InfoPrint Manager authenticates to the Lightweight Directory Access Protocol Server (LDAP). This information is used as authentication data for all existing LDAP connections. InfoPrint Manager uses the information to authenticate to the LDAP Server to retrieve specific data (for example, group membership and login attributes) about the entries.

To change the LDAP authentication:

  1. Click the Security tab.
  2. Click the LDAP tab.
  3. Right-click the LDAP connection and choose the Authentication… option.

Bind DN or user
Enter the distinguished name (DN) of the account.
Bind Password
Enter your password.
Note: When you use the Anonymous login, it is not necessary to specify a value for: Bind DN/user or Bind Password.
Method
Select the method of authentication: Simple or Digest.
SASL Realm
Enter the name of the SASL Realm. This option is available when you use the Digest method.
Anonymous login
Select to authenticate as an anonymous user when no access permission is required.
Test Authentication
Validates settings. If the information you enter is valid, you receive a confirmation message. If you enter incorrect settings, you receive an error message.
Important: If you have multiple LDAP servers defined, the authentication information is common for all.

LDAP Search options
Users:
Search Base
Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the users are located.
Login Attributes
Specifies the user attributes for the login in the LDAP server.
Object Class Filter
Specifies one or more optional object classes to filter when InfoPrint Manager searches for users.
Custom Filter
Specifies an optional custom filter that InfoPrint Manager uses when it searches users.
Groups:
Search Base
Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the groups are located.
Group Name Attributes
Specifies an attribute that identifies the group name (for example, cn).
Group Member Attribute
Specifies the attribute of a user group (for example, member).
Object Class Filter
Specifies one or more optional object classes to filter when InfoPrint Manager searches for groups.
Custom Filter
Specifies an optional custom filter that InfoPrint Manager uses when searching for groups.
Performance Search Option
Use “memberOf” capability
Informs InfoPrint Manger that the group membership can be determined directly from the memberOf field.
Note: Make sure that this property is supported on your LDAP server.
Traverse Nested Groups
Applies only to the Microsoft Active Directory and it is used to check if a user is an indirect member of a group.
Use “ibm-allGroups” Capability
Applies only to IBM Tivoli Directory Server and it is used to determine the group membership directly from the attribute ibm-allgroups.
Note: Make sure that this option is supported on your LDAP server.
Use case-sensitive search
This option is used for case-sensitive matching in LDAP/AD queries. For instance, when this option is enabled, USER does not match user in the LDAP/AD query. This option must be consistent with the LDAP/AD server case-sensitive settings.
Parent topic: Administrative Procedures: Configuring InfoPrint Manager