Using LDAP or LDAP+GSSAPI
LDAP is a standards‑based, cross‑platform, extensible protocol that runs directly on top of the TCP/IP layer. It
is used to access information stored in a specially organized information directory. It can interact with many
different kinds of databases without special integration, making it more flexible than other authentication
methods.
LDAP+GSSAPI is used when you want your transmission to be always secure. Instead of authenticating directly
with the LDAP server, the user is first authenticated with a Kerberos server to obtain a Kerberos ticket. This ticket is
presented to the LDAP server using the GSSAPI protocol for access. LDAP+GSSAPI is typically used for networks
running Active Directory®.
Notes:
• LDAP+GSSAPI requires a Kerberos network account. For more information, see “Creating a Kerberos
login method” on page 16.
• Supported printers can store a maximum of five unique LDAP or LDAP+GSSAPI login methods. Each
method must have a unique name.
• Administrators can create up to 32 user‑defined groups that apply to each unique login method.
• LDAP and LDAP+GSSAPI rely on an external server for authentication. If the server is down, then users
are not able to access the printer using LDAP or LDAP+GSSAPI.
• To help prevent unauthorized access, log out from the printer after each session.
Creating an LDAP or LDAP+GSSAPI login method
1 From the Embedded Web Server, click Settings > Security > Login Methods.
2 From the Network Accounts section, click Add Login Method > LDAP.
3 Select the authentication type.
• LDAP
• LDAP+GSSAPI
4 Configure the settings.
General Information
• Setup Name—Type a unique name for the LDAP network account.
• Server Address—Type the IP address or the host name of the LDAP server.
• Server Port—Enter the port where LDAP queries are sent.
Note: If you are using SSL, then use port 636. Otherwise, use port 389.
• Required User Input—Select the required LDAP authentication credentials used when logging in to the
printer. This setting is available only in the LDAP setup.
• Use Integrated Windows Authentication—Select one of the following:
– Do not use
– Use if available—Use Windows® operating system authentication credentials, if available.
– Require—Use only Windows operating system authentication credentials.
Note: This setting is available only in the LDAP+GSSAPI setup.
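Added example, not from the original guide or the vendor: a Python check that applies the limits and setting rules listed above to planned login-method records before they are entered in the Embedded Web Server. The record layout, the key names (setup_name, use_ssl, and so on) and the sample records are assumptions made for illustration; the unencrypted-traffic finding for LDAP without SSL is a general property of plain LDAP, not a statement from this page.

```python
from collections import Counter

MAX_METHODS, MAX_GROUPS = 5, 32   # limits stated in the notes above
IWA_CHOICES = {"Do not use", "Use if available", "Require"}

def audit_login_methods(methods):
    """Check hypothetical login-method records; return sorted (name, finding) pairs."""
    findings = set()
    if len(methods) > MAX_METHODS:
        findings.add(("*", f"{len(methods)} login methods, limit is {MAX_METHODS}"))
    seen = Counter(m["setup_name"] for m in methods)
    for m in methods:
        name, kind = m["setup_name"], m["auth_type"]
        if seen[name] > 1:
            findings.add((name, "setup name is not unique"))
        expected = 636 if m["use_ssl"] else 389   # port rule from the Server Port note
        if m["server_port"] != expected:
            findings.add((name, f"port {m['server_port']} does not match SSL setting, expected {expected}"))
        if len(m.get("groups", [])) > MAX_GROUPS:
            findings.add((name, f"more than {MAX_GROUPS} groups"))
        if kind == "LDAP":
            if "integrated_windows_auth" in m:
                findings.add((name, "Integrated Windows Authentication is LDAP+GSSAPI only"))
            if not m["use_ssl"]:
                findings.add((name, "plain LDAP without SSL: traffic is unencrypted"))
        elif kind == "LDAP+GSSAPI":
            if "required_user_input" in m:
                findings.add((name, "Required User Input is LDAP only"))
            if m.get("integrated_windows_auth", "Do not use") not in IWA_CHOICES:
                findings.add((name, "unknown Integrated Windows Authentication value"))
        else:
            findings.add((name, f"unknown authentication type {kind!r}"))
    return sorted(findings)

# Constructed sample records (assumed layout, not taken from a real printer).
SAMPLE = [
    {"setup_name": "corp-ldap", "auth_type": "LDAP", "server_port": 636,
     "use_ssl": True, "required_user_input": "User ID and password"},
    {"setup_name": "lab-ldap", "auth_type": "LDAP", "server_port": 636, "use_ssl": False},
    {"setup_name": "ad-gssapi", "auth_type": "LDAP+GSSAPI", "server_port": 389,
     "use_ssl": False, "integrated_windows_auth": "Require", "required_user_input": "User ID"},
]

if __name__ == "__main__":
    for name, finding in audit_login_methods(SAMPLE):
        print(f"{name}: {finding}")
```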