Managing LDAP security for InfoPrint Manager for Windows
InfoPrint Manager provides an extension to the FST security that lets you use an LDAP/Active Directory server for user authentication and access rights. When you enable LDAP security, the FST security continues to work as before. Use the Management Console for InfoPrint Manager Server utility to configure, enable, or disable the LDAP security of your print system. Open the MMC interface, and go to
- Enable/Disable LDAP Security
- Use the Management Console interface to enable or disable the LDAP security of your InfoPrint system.
- To enable the LDAP security:
- Click the Security folder.
- Right-click the LDAP object and choose the Enable LDAP Security option.
- To disable the LDAP security:
- Click the Security folder.
- Right-click the LDAP object and choose the Disable LDAP Security option.
Note: You must have at least one LDAP connection with valid authentication settings and search options to enable the LDAP security.
- Create/Change LDAP Connection
- To create an LDAP connection:
- Click the Security folder.
- Right-click the LDAP option and choose the New… option.
- To change an LDAP connection:
- Click the Security folder.
- Go to the LDAP object.
- Select an available connection in the right pane of the Management Console.
- Right-click the LDAP connection and choose the Open... option.
You can see and change these options:
- Connection Name
- Enter the connection name of the LDAP server.
- IP Address or Host Name
- Enter the host name or IP address of the LDAP server.
- Port
- Enter the port number that is used for communication.
- Encryption Method
- Enter an encryption method for the LDAP Server. Select the Use Start TLS Extension or the Use SSL Encryption option if you want to use the Start TLS or the SSL protocols.
- Description
- Enter an optional description.
- Test Connection
- If the information you enter is valid, you receive a confirmation message. If you enter incorrect settings, you receive an error message.
- LDAP Authentication
- Specify how InfoPrint Manager authenticates to the Lightweight Directory Access Protocol (LDAP) server. This information is used as authentication data for all existing LDAP connections. InfoPrint Manager uses the information to authenticate to the LDAP server to retrieve specific data (for example, group membership and login attributes) about the entries.
To change the LDAP authentication:
- Click the Security folder.
- Go to the LDAP object.
- Select an available connection in the right pane of the Management Console.
- Right-click the LDAP connection and choose the Authentication… option.
You can see and change these options:
- Bind DN or user
- Enter the distinguished name (DN) of the account.
- Bind Password
- Enter your password.
Note: When you use the Anonymous login, it is not necessary to specify a value for: Bind DN/user or Bind Password.
- Method
- Select the method of authentication: Simple or Digest.
- SASL Realm
- Enter the name of the SASL Realm. This option is available when you use the Digest method.
- Anonymous login
- Select to authenticate as an anonymous user when no access permission is required.
- Test Authentication
- Validates settings. If the information you enter is valid, you receive a confirmation message. If you enter incorrect settings, you receive an error message.
Important: If you have multiple LDAP servers defined, the authentication information is common for all.
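Because one set of authentication data serves every connection, the weakest connection decides how exposed the bind credential is. The following added example (not InfoPrint Manager code) audits a list of connections against the shared authentication settings; the class names, field names, and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Connection:          # one entry per LDAP connection in the console
    name: str
    port: int
    encryption: str        # "none", "starttls" or "ssl"

@dataclass
class Authentication:      # a single set, common to all connections
    method: str            # "simple" or "digest"
    anonymous: bool = False

def audit(connections, auth):
    """Return (connection name, finding) pairs for risky combinations."""
    findings = []
    for c in connections:
        if c.encryption == "none":
            findings.append((c.name, "directory queries and results are sent unencrypted"))
            # A simple bind carries the password itself, so without TLS/SSL
            # the shared bind password is readable on this link.
            if auth.method == "simple" and not auth.anonymous:
                findings.append((c.name, "shared bind password sent in cleartext"))
        # Conventional ports (assumption: servers use the defaults):
        # 389 for plain LDAP and StartTLS, 636 for LDAP over SSL.
        if c.encryption == "ssl" and c.port == 389:
            findings.append((c.name, "SSL selected but port 389 is the plain LDAP default"))
        if c.encryption == "starttls" and c.port == 636:
            findings.append((c.name, "StartTLS selected but port 636 is the LDAPS default"))
    return findings

# Constructed sample: two connections that share one simple-bind credential.
SAMPLE_CONNECTIONS = [
    Connection("dc-primary", 636, "ssl"),
    Connection("dc-legacy", 389, "none"),
]
SAMPLE_AUTH = Authentication(method="simple")

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONNECTIONS, SAMPLE_AUTH):
        print(f"{name}: {finding}")
```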
- LDAP Search options
- Click the Security folder.
- Go to the LDAP object.
- Select an available connection in the right pane of the Management Console.
- Right-click the LDAP connection and choose the Search option… option.
- You can see and change these options:
- Users:
- Search Base
- Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the users are located.
- Login Attributes
- Specifies the user attributes for the login in the LDAP server.
- Object Class Filter
- Specifies one or more optional object classes to filter when InfoPrint Manager searches for users.
- Custom Filter
- Specifies an optional custom filter that InfoPrint Manager uses when it searches users.
- Groups:
- Search Base
- Specifies the distinguished name (DN) of the branch in the LDAP directory tree where the groups are located.
- Group Name Attributes
- Specifies an attribute that identifies the group name (for example, cn).
- Group Member Attribute
- Specifies the attribute of a user group (for example, member).
- Object Class Filter
- Specifies one or more optional object classes to filter when InfoPrint Manager searches for groups.
- Custom Filter
- Specifies an optional custom filter that InfoPrint Manager uses when searching for groups.
- Performance Search Option
- Use “memberOf” capability
- Informs InfoPrint Manager that the group membership can be determined directly from the memberOf field.
Note: Make sure that this property is supported on your LDAP server.
- Traverse Nested Groups
- Applies only to the Microsoft Active Directory and it is used to check if a user is an indirect member of a group.
- Use “ibm-allGroups” Capability
- Applies only to IBM Tivoli Directory Server and it is used to determine the group membership directly from the attribute ibm-allgroups.
Note: Make sure that this option is supported on your LDAP server.
- Use case-sensitive search
- This option is used for case-sensitive matching in LDAP/AD queries. For instance, when this option is enabled, USER does not match user in the LDAP/AD query. This option must be consistent with the LDAP/AD server case-sensitive settings.
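To check search settings with a generic LDAP client before entering them in the console, this added example (not InfoPrint Manager code) builds user and group filters from the fields above, escaping the login name and DN per RFC 4515 so they are always treated as literal values. How InfoPrint Manager itself combines the fields is not stated here, so the AND/OR composition, the function names, and the sample values are assumptions; the nested-group form uses the Active Directory matching rule LDAP_MATCHING_RULE_IN_CHAIN.

```python
# AD matching rule LDAP_MATCHING_RULE_IN_CHAIN, used for nested membership.
IN_CHAIN = "1.2.840.113556.1.4.1941"

def escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _combine(parts):
    # A single term stands alone; several terms are ANDed together.
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def _class_terms(object_classes, custom):
    # Object Class Filter entries plus the optional Custom Filter (assumed
    # to be a complete, parenthesised filter supplied by the administrator).
    terms = [f"(objectClass={oc})" for oc in object_classes]
    return terms + ([custom] if custom else [])

def user_filter(login, login_attrs, object_classes=(), custom=""):
    """Filter that finds the entry whose login attribute equals `login`."""
    matches = [f"({a}={escape(login)})" for a in login_attrs]
    login_term = matches[0] if len(matches) == 1 else "(|" + "".join(matches) + ")"
    return _combine(_class_terms(object_classes, custom) + [login_term])

def group_filter(user_dn, member_attr="member", object_classes=(),
                 custom="", nested=False):
    """Filter that finds the groups listing `user_dn` as a member."""
    attr = f"{member_attr}:{IN_CHAIN}:" if nested else member_attr
    member_term = f"({attr}={escape(user_dn)})"
    return _combine(_class_terms(object_classes, custom) + [member_term])

if __name__ == "__main__":
    # Constructed sample values.
    print(user_filter("jdoe", ["sAMAccountName", "userPrincipalName"], ["user"]))
    print(group_filter("CN=Jane Doe (Ops),OU=Staff,DC=example,DC=com",
                       object_classes=["group"], nested=True))
```

Run the printed filters against the configured Search Base with any LDAP client to confirm they return exactly the expected user and groups.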