
Configure an authentication-provider (LDAP)?


This topic is also described in detail in our product documentation.

Prerequisites

  • Genius Server basic installation
  • LDAP user with read permissions on the directory (a dedicated service account with no further rights is recommended)
  • (LDAP user with write permissions, only required for card registration into an LDAP attribute via GeniusMFP)
  • DN of the LDAP read user
  • (permission to install an LDAP browser on a local VM if some information is missing)

Objective

  • on user login a central user management system is contacted to:
    • check whether a card exists that is mapped to a user (card login only)
    • check whether the user exists (all login methods)
    • get user details

Solution

  • configure GeniusMFP to connect to Microsoft Active Directory or another LDAP server

Example

  • start the configuration tool as administrator, open the configuration, switch to Advanced and open MyModule, Authentication Providers
  • click the New LDAP Provider button
  • enter a unique name such as the hostname of the LDAP server or an alias (e.g. GBLDAP) and press Save
  • from the Preset menu choose Active Directory; for all other products choose "LDAP"
  • enter the URL
    ldap://<HostNameOfLDAPServer>:389
    ldaps://<FQDNofLDAPServer>:636
    Note: a valid certificate is required for ldaps, see ***ADDLINKTOTrustStoreCertificateGuide***
    Note: with plain ldap:// the bind password of the read user and every lookup cross the network unencrypted; use ldaps:// wherever the directory offers it, and put the server's certificate chain into the trust store instead of disabling certificate validation
  • enter the Distinguished Name of the user with LDAP read permissions, e.g.:
    CN=LDAPConnect,OU=Function,OU=SBSUsers,OU=Users,OU=MyBusiness,DC=GeniusBytesGmbH,DC=local
  • change the default password to the password of the LDAP read user
  • enter the Base path; in most cases these are the trailing DC components of the DN of the LDAP read user, e.g.
    DC=GeniusBytesGmbH,DC=local
  • enter the Base user path, i.e. the OUs of the read user's DN above between its own container and the DC components, e.g. OU=SBSUsers,OU=Users,OU=MyBusiness
    The Base user path and the Base path combined form the resulting search path for a user (OU=SBSUsers,OU=Users,OU=MyBusiness,DC=GeniusBytesGmbH,DC=local)
    Do not enter the base path again in the Base user path field
  • enter a sAMAccountName in the Test connection username field
    The user for the connection test has to be located in a path below the Base user path
    It is used to recheck whether a provider is reachable again after a timeout
  • if the cards are stored in the LDAP server, enable the checkbox "Card login lookup" in the Base section and modify the Card user filter
    (&(PUT_AD_ATTRIBUTE_HERE={card})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    Replace "PUT_AD_ATTRIBUTE_HERE" by the name of the LDAP attribute storing the card token
    The second clause uses the Active Directory bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) to test bit 2 (ACCOUNTDISABLE) of userAccountControl, so a disabled account can no longer log in with its card; keep this clause in every filter
  • proceed in the same way for CardPIN (two-factor authentication) or PIN if these login methods should be used
  • if GeniusMFP should store a new card in LDAP, set the card attribute the card is written to and enable the checkbox "Enable Card Registration" in the Base section
    This requires write permissions for the configured user (ideally delegated on that attribute only)
  • configure optional attributes to be read from LDAP attributes
    (GeniusMFP name, suggested LDAP attribute)
    • Cost center attribute, department
    • mail, mail
    • Home folder attribute, homeDirectory
  • perform all tests from the Tests menu to ensure the configuration is valid
  • at least perform the Query users test
  • if all tests are successful, restart the Genius Server service
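The following Python script is an added example (not GeniusMFP code) that assembles the user and card lookups described in the steps above from the values on this page: search path from Base user path plus Base path, the user filter with the objectCategory and userAccountControl clauses, and the card user filter with its PUT_AD_ATTRIBUTE_HERE placeholder. It needs no directory; the function names and the RFC 4515 escaping helper are this example's own (the page does not say how the product treats filter metacharacters in a typed username or card token), and employeeNumber is only an assumed card attribute name for the demonstration.

```python
"""Assemble the LDAP lookups a GeniusMFP LDAP provider performs.

Added example, standard library only, no directory needed. Base path,
base user path and both filter templates are the values from this page;
the function names and the escaping helper are this example's own.
"""

# Values as configured on the provider (taken from this page).
BASE_PATH = "DC=GeniusBytesGmbH,DC=local"
BASE_USER_PATH = "OU=SBSUsers,OU=Users,OU=MyBusiness"

# Filter templates as entered on the provider. {username} / {card} are
# replaced with the value typed at the device or sent by the card reader.
USER_FILTER_TEMPLATE = (
    "(&(sAMAccountName={username})(objectCategory=user)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)
CARD_FILTER_TEMPLATE = (
    "(&(PUT_AD_ATTRIBUTE_HERE={card})"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

# RFC 4515 escaping for values placed inside a search filter. Without it a
# username such as  *)(objectCategory=*  rewrites the filter and matches
# far more than one account (LDAP filter injection).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_base(base_path: str, base_user_path: str) -> str:
    """Join 'Base user path' and 'Base path' into the DN the provider searches.

    An empty user path means the lookup starts at the base path itself
    (see Troubleshooting). Repeating the base path inside the user path is
    the misconfiguration the page warns about, so it is rejected here.
    """
    if not base_user_path:
        return base_path
    if base_user_path.lower().endswith(base_path.lower()):
        raise ValueError("Base user path must not contain the base path again")
    return f"{base_user_path},{base_path}"


def user_filter(username: str) -> str:
    """Filter for a username login; the placeholder value is escaped first."""
    return USER_FILTER_TEMPLATE.replace("{username}", escape_filter_value(username))


def card_filter(card_attribute: str, card_token: str) -> str:
    """Filter for a card login. card_attribute is the AD attribute that
    stores the card token (the page's PUT_AD_ATTRIBUTE_HERE)."""
    template = CARD_FILTER_TEMPLATE.replace("PUT_AD_ATTRIBUTE_HERE", card_attribute)
    return template.replace("{card}", escape_filter_value(card_token))


ACCOUNTDISABLE = 0x2  # bit tested by the 1.2.840.113556.1.4.803 (bitwise AND) clause


def account_enabled(user_account_control: int) -> bool:
    """What the (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause
    decides for one entry: True unless the ACCOUNTDISABLE bit is set."""
    return (user_account_control & ACCOUNTDISABLE) == 0


if __name__ == "__main__":
    print("search base :", search_base(BASE_PATH, BASE_USER_PATH))
    print("user filter :", user_filter("jdoe"))
    print("injected    :", user_filter("*)(objectCategory=*"))
    print("card filter :", card_filter("employeeNumber", "3688617312"))  # attribute name is an assumption
    print("512 enabled :", account_enabled(512), "/ 514 enabled:", account_enabled(514))
```

The escaped variant of the injected username shows why the test users and the card validation pattern matter: a filter template is only as safe as the value that replaces its placeholder, and 512 (NORMAL_ACCOUNT) versus 514 (NORMAL_ACCOUNT plus ACCOUNTDISABLE) are the two userAccountControl values you will most often see when checking why a user can or cannot log in.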

More configuration options

  • more optional attributes can be read from LDAP and are available after login to GeniusMFP, such as Custom field 0-9 (can be used in BPM processes)
  • a Delegation attribute can be set; the content of the read attribute is a username, and the user logging in will see all print jobs printed for the username in this attribute. This is often used for usernames in SAP, which can differ from the sAMAccountNames in Active Directory
  • for Group Mapping, see the separate FAQ
  • an Additional group name can be used to create a virtual group for all users logging in via this authentication provider
  • it can be imported into Genius Server after the service has been restarted; see the separate FAQ for more information about groups
  • the Card validation pattern is a RegEx expression; only matching cards are allowed to log in
  • the Card Pre Processing Script is an option to modify the received card token before it is used for login
    e.g. (card reader + device) -> sends DBDBD560 to GeniusMFP; this card is a hex value stored as a string
    to turn it into a decimal use: int(card,16)
    As a result the value checked by the card filter would be: 3688617312
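As an added example (not GeniusMFP code) of the two card options above, the Python below combines a Card validation pattern with a Card Pre Processing Script body for the DBDBD560 token from this page. The 8-hex-digit pattern, the optional byte-order reversal (some readers deliver the UID bytes in reverse order; the page does not mention this) and the function names are this example's assumptions, as is the order of the two steps: the page does not state whether the product applies the pattern before or after the script, this example validates the raw reader token first.

```python
"""Card token handling of an LDAP provider: validation pattern and
Card Pre Processing Script.

Added example, standard library only. The hex token DBDBD560 and the
int(card, 16) conversion are from the page; the pattern, the byte-order
option and the function names are this example's own assumptions.
"""
import re
from typing import Optional

# Card validation pattern as it would be configured on the provider
# (assumption: this reader/device combination delivers exactly 8 hex digits).
CARD_VALIDATION_PATTERN = re.compile(r"^[0-9A-Fa-f]{8}$")


def card_is_valid(raw_token: str) -> bool:
    """Only tokens matching the pattern are allowed to continue to login.
    As a side effect the pattern also keeps filter metacharacters such as
    '*', '(' and ')' out of the card user filter."""
    return CARD_VALIDATION_PATTERN.fullmatch(raw_token) is not None


def reverse_byte_order(hex_token: str) -> str:
    """Optional normalisation (not on the page): swap the UID bytes for
    readers that deliver them in reverse order."""
    return bytes.fromhex(hex_token)[::-1].hex().upper()


def preprocess_card(card: str, reverse_bytes: bool = False) -> str:
    """Body of the Card Pre Processing Script: hex-as-string -> decimal-as-string,
    which is the value the card user filter then compares with the LDAP attribute."""
    if reverse_bytes:
        card = reverse_byte_order(card)
    return str(int(card, 16))


def card_filter_value(raw_token: str, reverse_bytes: bool = False) -> Optional[str]:
    """Complete path from reader token to the value substituted for {card}.
    Returns None when the token is rejected, so no LDAP query is sent."""
    if not card_is_valid(raw_token):
        return None
    return preprocess_card(raw_token, reverse_bytes)


if __name__ == "__main__":
    print(card_filter_value("DBDBD560"))          # the decimal value shown on the page
    print(card_filter_value("DBDBD560)(cn=*"))    # rejected by the pattern: None
    print(card_filter_value("DBDBD560", reverse_bytes=True))
```

Keep the pattern as tight as the reader allows: a token that fails it never reaches the directory, which is cheaper than an LDAP round trip and removes the filter-injection question for card logins entirely.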

Troubleshooting

  • if login performance is slow, check whether your searches scan only the required objects
    • if a user container exists in a subtree and contains all target users for login, limit the search scope to this subtree and container only
      an empty user path starts the user lookup in the base path
    • if an objectCategory or objectClass exists, it can speed up the user lookup
      for example, adding (objectCategory=user) avoids searching other objects
      if possible, add a category or class to all filters
      (&(sAMAccountName={username})(objectCategory=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
      More on LDAP filters
