Setting up to use LDAP authentication

If you have an existing LDAP or Active Directory server, you can use LDAP or Active Directory user names and passwords to authenticate to RICOH ProcessDirector.
You must install the Security feature before you can set up to use LDAP authentication.

Consult your LDAP administrator for the values of the LDAP server and other properties you set in this procedure. Before you turn on LDAP authentication, you map RICOH ProcessDirector security groups to existing LDAP groups.

After you turn on LDAP authentication, the first time that a user logs in:

  • RICOH ProcessDirector authenticates the user name and password with the LDAP server.
  • RICOH ProcessDirector creates a RICOH ProcessDirector user name that is identical to the LDAP user name.
      Note:
    • No LDAP password information is stored on the RICOH ProcessDirector server.
    • RICOH ProcessDirector cannot track failed login or password change attempts for LDAP user IDs, so it cannot lock an LDAP user out after repeated failed login attempts with an incorrect LDAP password. Configure the account lockout policy (the maximum number of failed login or password change attempts) on your LDAP server in addition to configuring RICOH ProcessDirector security.
  • RICOH ProcessDirector assigns the user RICOH ProcessDirector group memberships based on the values for the Product to LDAP group mapping property and the LDAP group memberships of the user.

Each time that a user logs in:

  • RICOH ProcessDirector authenticates the user name and password with the LDAP server.
  • If you synchronize product groups with LDAP groups, RICOH ProcessDirector updates the product group memberships of the user based on:
    • The values for the Product to LDAP group mapping property.
    • The LDAP group memberships of the user.
  • If you do not synchronize product groups with LDAP groups, RICOH ProcessDirector does not update the product group memberships of the user. You can assign group memberships to users manually in RICOH ProcessDirector.
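
The following Python model, added here as an illustration and not taken from RICOH ProcessDirector, walks through the group resolution described above. The directory contents, the group names, the user names and the mapping table are constructed sample data. It shows that with Synchronize with LDAP set to Yes, a manual grant to an unmapped product group disappears at the next login and a removal from an LDAP group takes effect immediately, while with the property set to No the product keeps whatever memberships the user already had, so removing a user from an LDAP group does not revoke the corresponding product group until an administrator changes it by hand.

```python
"""Model of login-time group resolution for LDAP users.

Added example, not RICOH ProcessDirector code. The directory, groups,
users and mapping below are constructed sample data.
"""
from __future__ import annotations

# Constructed sample directory: LDAP group DN -> set of member user names.
LDAP_GROUPS = {
    "cn=rpd-admins,ou=groups,dc=example,dc=com": {"alice"},
    "cn=rpd-operators,ou=groups,dc=example,dc=com": {"alice", "bob"},
    "cn=print-room,ou=groups,dc=example,dc=com": {"bob"},
}

# Constructed Product to LDAP group mapping: product security group -> LDAP group name.
# The product group "Monitor" is deliberately left without an LDAP mapping.
GROUP_MAPPING = {
    "Administrator": "rpd-admins",
    "Operator": "rpd-operators",
    "Supervisor": "print-room",
}


def group_name(dn: str) -> str:
    """Return the value of the leading RDN of a group DN, e.g. 'rpd-admins'."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1]


def ldap_groups_of(user: str, directory: dict[str, set[str]]) -> set[str]:
    """Names of the LDAP groups that list the user as a member (the group search result)."""
    return {group_name(dn) for dn, members in directory.items() if user in members}


def product_groups_from_ldap(user: str, directory: dict[str, set[str]],
                             mapping: dict[str, str]) -> set[str]:
    """Product groups whose mapped LDAP group contains the user.

    A product group with no LDAP mapping can never appear here, which is
    why such groups are dropped when synchronization is on.
    """
    user_groups = ldap_groups_of(user, directory)
    return {product for product, ldap in mapping.items() if ldap in user_groups}


def memberships_after_login(user: str, directory: dict[str, set[str]],
                            mapping: dict[str, str], existing: set[str] | None,
                            synchronize: bool) -> set[str]:
    """Product group memberships the user holds after one login.

    existing is None on the first login (the product user does not exist yet);
    otherwise it holds the memberships currently recorded in the product.
    """
    if existing is None or synchronize:
        # First login, or Synchronize with LDAP = Yes: memberships come only from
        # the mapping. Manual grants and unmapped product groups are not kept.
        return product_groups_from_ldap(user, directory, mapping)
    # Synchronize with LDAP = No: LDAP checks the password only; memberships
    # stay as an administrator set them in the product.
    return set(existing)


def demo() -> dict[str, set[str]]:
    """Walk alice through first login, a manual grant, an LDAP change and a re-login."""
    first = memberships_after_login("alice", LDAP_GROUPS, GROUP_MAPPING, None, synchronize=True)
    # An administrator adds alice to the unmapped Monitor group by hand.
    manual = first | {"Monitor"}
    # Later, alice is removed from rpd-admins in the directory.
    changed = {
        dn: (members - {"alice"} if dn.startswith("cn=rpd-admins,") else members)
        for dn, members in LDAP_GROUPS.items()
    }
    return {
        "first_login": first,
        "sync_yes": memberships_after_login("alice", changed, GROUP_MAPPING, manual, synchronize=True),
        "sync_no": memberships_after_login("alice", changed, GROUP_MAPPING, manual, synchronize=False),
    }


if __name__ == "__main__":
    for stage, groups in demo().items():
        print(f"{stage}: {sorted(groups)}")
```

Run stand-alone, the script prints the three stages: the first login grants Administrator and Operator; with synchronization on, the re-login leaves only Operator; with synchronization off, the stale Administrator membership and the manual Monitor grant both survive.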

To set up to use LDAP authentication:
  1. Log in as a user who is a member of the Administrator security group.
  2. Click the Administration tab.
  3. In the left pane, click Settings, then click LDAP.
  4. Set the LDAP server property to the address of the LDAP server and the port that the system uses for authentication. The address can be either of these values:
    • The network IP address of the LDAP server.
    • The fully qualified host name of the LDAP server.

      To include more than one LDAP server, use a semicolon (;) to separate the entries.

  5. Specify values for the Root distinguished name, User search base, and User search filter properties.
    The value you enter for the User search filter property determines the format of your RICOH ProcessDirector user names, for example, an email address format or a UID format.
  6. Optional: Specify a value for the Email attribute property.
    If you enter a value for this property, RICOH ProcessDirector sets a value for the Email address property when it creates a user.
  7. Specify values for the Manager distinguished name and Manager password properties.
  8. Specify values for the Group search base, Group search filter, and Group search member properties.
    When it authenticates an LDAP user, RICOH ProcessDirector uses the LDAP group names from the Product to LDAP group mapping property together with the Group search filter property to find which mapped LDAP groups the user belongs to.
  9. If you want to manage RICOH ProcessDirector security groups using LDAP, set the Synchronize with LDAP property to Yes. If you want to manage security groups using RICOH ProcessDirector, set the property to No.
  10. Specify the connections between product groups and LDAP groups:
    1. Select a product security group from the list.
    2. Type the name of the corresponding LDAP group next to it.
    3. Click + to the right of the LDAP group and map another product group to an LDAP group.
    4. Repeat the previous step until you have mapped all product groups to LDAP groups.
  11. Check whether your browser has automatically filled the Manager distinguished name and Manager password properties with saved values:
    • If you are using Active Directory and LDAP, leave the pre-filled values there.
    • If you are using LDAP but not Active Directory, clear the properties and leave them blank.
  12. To protect the connection to the LDAP server with Transport Layer Security (TLS), specify a value for the LDAP security property. Without TLS the connection is unencrypted, and an LDAP simple bind (the usual way a user name and password are checked) sends the Manager password and each user's password to the LDAP server in cleartext.
    • To use the StartTLS operation, set the property to StartTLS.

      StartTLS upgrades a connection on the standard LDAP port (389 by default) to TLS and works with most default implementations of LDAP.

    • To use the Secure LDAP (LDAPS) protocol, set the property to ldaps.

      LDAPS uses a dedicated TLS port (636 by default), so the port in the LDAP server property must be the LDAPS port. Do not specify LDAPS unless your LDAP administrator has already set up your LDAP implementation to use LDAPS.

  13. To verify that you can log in with your LDAP credentials:
    1. In the Test LDAP Settings section, enter an LDAP user name and password. Make sure that the user name is a member of an LDAP group that is mapped to the RICOH ProcessDirector Administrator group.
    2. Click Test LDAP Settings.
      If the test is successful, you receive a message that says LDAP settings test succeeded.

      If you receive an error message, click Close, update your LDAP settings, and click Test LDAP Settings again.

  14. When the test completes successfully, set the Authenticate with LDAP property to Yes.
    If you cannot get a successful test, leave the Authenticate with LDAP property set to No and have your LDAP specialist look at other possible issues.
  15. Click SAVE.
    If you have not used the test function before you click SAVE with the Authenticate with LDAP property set to Yes, the system runs the test with the user ID and password specified in the Test LDAP Settings section.
    • If the test succeeds, the settings are saved and LDAP authentication is activated.
    • If the test fails, you see an error message and none of the settings are saved.

      Fix the LDAP settings and run the test until it passes. If the test continues to fail, set the Authenticate with LDAP property to No and click SAVE. Work with your LDAP specialist to resolve the problems and retest the settings.
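
A successful login test shows that the bind works, not that it was encrypted, so before saving it is worth checking the LDAP server and LDAP security values against each other. The Python check below is an added example, not part of the product: it parses the semicolon-separated LDAP server value the way the procedure describes it and reports an unset LDAP security property, entries without a port, and a TLS mode paired with the wrong conventional port. The host names and the WEAK, HARDENED and MISMATCH settings are constructed.

```python
"""Pre-save consistency check of the LDAP server and LDAP security properties.

Added example, not RICOH ProcessDirector code. Host names and settings
below are constructed.
"""
from __future__ import annotations

# Conventional ports: 389 and 3268 carry plain LDAP (upgradeable with StartTLS),
# 636 and 3269 carry LDAPS. 3268/3269 are the Active Directory global catalog ports.
STARTTLS_PORTS = {389, 3268}
LDAPS_PORTS = {636, 3269}


def parse_ldap_servers(value: str) -> list[tuple[str, int | None]]:
    """Split the LDAP server property into (host, port) pairs.

    Entries are separated by semicolons. The port is the last ':'-separated
    field when it is numeric; a bare IPv6 address such as fe80::1 is kept
    whole, a bracketed one such as [::1]:636 is split. Empty entries are
    returned as ('', None) so the caller can flag them.
    """
    servers: list[tuple[str, int | None]] = []
    for raw in value.split(";"):
        entry = raw.strip()
        if not entry:
            servers.append(("", None))
            continue
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit() and (":" not in host or host.startswith("[")):
            servers.append((host, int(port)))
        else:
            servers.append((entry, None))
    return servers


def check_ldap_connection(server_value: str, security: str | None) -> list[str]:
    """Return findings for the two properties; an empty list means they are consistent."""
    findings: list[str] = []
    mode = (security or "").lower()
    if mode not in ("starttls", "ldaps"):
        findings.append(
            "LDAP security is not set: the connection is unencrypted and a simple bind "
            "sends the Manager password and every user's password in cleartext"
        )
    for host, port in parse_ldap_servers(server_value):
        if not host:
            findings.append("empty LDAP server entry (stray semicolon)")
        elif port is None:
            findings.append(f"{host}: no port given; the procedure expects host and port")
        elif not 1 <= port <= 65535:
            findings.append(f"{host}: port {port} is out of range")
        elif mode == "ldaps" and port in STARTTLS_PORTS:
            findings.append(f"{host}:{port}: ldaps selected but {port} is a plain/StartTLS port "
                            "(LDAPS is usually 636)")
        elif mode == "starttls" and port in LDAPS_PORTS:
            findings.append(f"{host}:{port}: StartTLS selected but {port} is an LDAPS port "
                            "(StartTLS is usually on 389)")
    return findings


# Constructed settings. WEAK would pass a login test but sends passwords unencrypted;
# HARDENED is the corrected form; MISMATCH pairs ldaps with the plain LDAP port.
WEAK = ("ldap.example.com:389;ldap2.example.com:389", None)
HARDENED = ("ldap.example.com:389;ldap2.example.com:389", "StartTLS")
MISMATCH = ("ldap.example.com:389", "ldaps")

if __name__ == "__main__":
    for label, (servers, security) in {"weak": WEAK, "hardened": HARDENED, "mismatch": MISMATCH}.items():
        print(label, check_ldap_connection(servers, security) or ["ok"])
```

The check is deliberately offline: it validates what will be typed into the form, and the product's own Test LDAP Settings button then confirms that the bind succeeds.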

After you turn on LDAP authentication:
  • Local RICOH ProcessDirector users cannot log in to RICOH ProcessDirector.
  • The first time that an LDAP user logs in to RICOH ProcessDirector, the system creates a user name that is identical to the LDAP user name.
  • If the Synchronize with LDAP property is set to Yes, RICOH ProcessDirector does not use any product groups that are not associated with LDAP groups.

RICOH ProcessDirector does not delete existing user names when you turn on LDAP authentication. You must manually delete those user names from the system.

    Note:
  • When LDAP authentication is turned on and RICOH ProcessDirector has a user with the same user name as an LDAP user:
    • RICOH ProcessDirector keeps the password of the existing user.
    • RICOH ProcessDirector lets the user authenticate with LDAP.
  • If LDAP authentication is turned off, the user can authenticate with the RICOH ProcessDirector password.