© 2014 GoPrint Systems, Inc. All rights reserved. | Active Directory LDAP 1

Active Directory LDAP: Quota and Admin account authentication and management

Version 4.1

Updated July 2014

GoPrint Systems

© 2014 GoPrint Systems, Inc. All rights reserved.

One Annabel Lane, Suite 105 • San Ramon, CA 94583 • (925)790-0070


Table of Contents

Overview ............................................................ 1
Create the LDAP Connector Profile ................................... 3
  Base DN ........................................................... 6
  Search User Account ............................................... 8
  Search Filter ..................................................... 9
  Attributes ....................................................... 10
  Authentication Test .............................................. 11
Multiple Connectors ................................................ 14
Understanding Authentication ....................................... 14
Search Directory Option ............................................ 15
Integrated Authentication .......................................... 15
LDAP-Driven Accounts by Group Membership ........................... 16
Troubleshooting .................................................... 22
LDAP Over SSL ...................................................... 24
Additional Resources ............................................... 28


Active Directory LDAP Configuration

Overview

GoPrint uses the LDAP protocol to authenticate users and import them into the GoPrint database, creating Quota and Admin accounts based on Organizational Unit (OU) or Group membership.

Things to know!

1. Multiple LDAP profiles can be created when users need to be authenticated based on different OUs and Groups.

2. The user account (Quota account) does NOT get created until the user logs in and authenticates at either the Web Client Popup or a Print Release Station. At that point an LDAP query is performed; if a match exists, authentication succeeds and the account is created.

3. Prior to configuration, you need the name of the domain controller, the search user's domain account ID and password, and a test account (student) with its password.

GoPrint provides options for the following Active Directory attributes:

1. Account ID

2. FirstName

3. LastName

4. Department (optional; stored in the Reference Number field)

5. Email

6. Card Number, validated against a campus OneCard system

7. Reference Number (optional field for custom attributes)


Creating the LDAP Profile

To access the GoPrint Active Directory LDAP profile configuration section, select:

Accounts – Authentication Connectors

Standard Authentication and Card Swipe Authentication

GoPrint provides two connector options, Standard Authentication and Card Swipe Authentication. Card Swipe Authentication is used when the student's Login ID is programmed on a university campus card, which is swiped at a Print Release Station to release print jobs.

Step 1 - Click Add a Standard Authentication Connector


Step 2 - Select Microsoft Active Directory

Step 3 – Enter Connector Information

Connector Name: create a friendly name that identifies the group of users being authenticated. The name is also used for administration purposes and comes in handy when creating multiple LDAP profiles.

Active: check to enable

LDAP Server

Server Name: enter the fully qualified DNS name of the domain controller. Do NOT enter the IP address. If you cannot resolve the FQDN, network/DNS issues exist and they must be resolved first.

Security: leave the default of Simple (no network privacy)

Note: by default GoPrint applies MD5-level encryption across the network for all user logon and password attempts. A Simple bind itself carries no transport protection, which is why the option is labelled "no network privacy". If your environment requires an additional level of security using LDAPS, and a trusted SSL certificate has been installed in the domain controller's certificate store and replicated to Active Directory Domain Services, then you may enable LDAP over SSL. This certificate must then be imported into the Java JRE cacerts keystore found under the GS4\jre\lib\security directory. For additional information refer to the Control Center Advanced HELP topics.


Search Target

Base DN (Distinguished Name): this field specifies the DN of the node where the search for a user starts. For performance reasons, this DN should be as specific as possible, and it must use commas without spaces. Active Directory is not case sensitive.

Example #1 - Basic root search

Starting a search at the root level of a domain scans the entire directory tree, including all subordinate OUs. For the Active Directory domain “campus.edu” the base DN looks like:

DC=campus,DC=edu


Example #2 – Organization Unit (OU)

Limiting the search

To reduce system overhead, and to intentionally include or exclude a specific group of users (for example, when using multiple GoPrint LDAP profiles), you can start the search at the OU level.

To start your search at the students OU of the campus.edu domain, you might use a search base as follows:

OU=students,DC=campus,DC=edu

Example #2 – Nested Organization Level

When the group of users is nested below one or more OUs, the DN is written as follows.

Note: GoPrint will not search for users in the higher-level OUs, only in the specific OU set in the DN!!!

Hint: a common mistake is to write the DN from the higher OU level down, but it must be written from the start point up. In this case, our start point is the medical OU.

OU=medical,OU=main campus,OU=gradstudents,DC=campus,DC=EDU


Example #3 - User Container Level Search: CN=Users,DC=campus,DC=edu

Windows Active Directory provides a default container called Users. It is important to note that this is NOT an Organizational Unit but a built-in container. When a search starts at the Users container, the common name (CN) must be used, not OU.

Note: not a common scenario in most environments, but important to note.

Search User Account

Search User DN: LDAP requires a domain user account to bind and search against the Active Directory database.

Permissions Required: only standard user Read permissions are necessary

Append Base DN: DO NOT CHECK!!!
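The Base DN rules above (write the DN from the start point up to the domain, commas without spaces, and CN= rather than OU= for the built-in Users container) are easy to get wrong when typing by hand. The following helper is an added example, not GoPrint's code; it builds a base DN from a domain and an OU path and checks a hand-typed DN against those rules. The function names and the sample DNs are constructed for this example.

```python
"""Base DN helper for GoPrint Active Directory connector profiles (added example)."""
import re
from typing import List, Optional, Tuple

# One RDN of the kinds used on this page: OU=, CN= or DC= followed by a value.
RDN_RE = re.compile(r"^(OU|DC|CN)=[^,=]+$", re.IGNORECASE)


def build_base_dn(domain: str, ou_path: Tuple[str, ...] = (),
                  container: Optional[str] = None) -> str:
    """Build a search base from a DNS domain and an OU path.

    ou_path is given top-down as you read it in the directory tree,
    e.g. ("gradstudents", "main campus", "medical"); the DN is emitted
    start-point-up, which is the order the connector expects.
    """
    rdns: List[str] = []
    if container:                       # e.g. the built-in Users container
        rdns.append(f"CN={container}")
    for ou in reversed(ou_path):        # most specific OU first
        rdns.append(f"OU={ou}")
    rdns.extend(f"DC={label}" for label in domain.split("."))
    return ",".join(rdns)


def check_base_dn(dn: str) -> List[str]:
    """Return the problems found in a hand-typed base DN (empty list = passes)."""
    problems: List[str] = []
    if re.search(r"\s,|,\s", dn):
        problems.append("commas must not be surrounded by spaces")
    parts = [p.strip() for p in dn.split(",")]
    for part in parts:
        if not RDN_RE.match(part):
            problems.append(f"malformed RDN (expected OU=, CN= or DC=): {part!r}")
    types = [p.split("=", 1)[0].upper() for p in parts if "=" in p]
    if "DC" not in types:
        problems.append("no DC= components: the domain is missing")
    elif any(t != "DC" for t in types[types.index("DC"):]):
        # DC components must come last: anything after them means the DN was
        # written from the domain down instead of from the start point up.
        problems.append("OU/CN after DC: write the DN from the start point up")
    if any(p.upper() == "OU=USERS" for p in parts):
        problems.append("Users is a built-in container, not an OU: use CN=Users")
    return problems


if __name__ == "__main__":
    print(build_base_dn("campus.edu", ("gradstudents", "main campus", "medical")))
    print(check_base_dn("OU=medical,OU=main campus,OU-gradstudents, DC=campus,DC=EDU"))
```

Running it prints the nested DN in the correct order and, for the mistyped string, both the space-after-comma problem and the malformed `OU-gradstudents` RDN.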


Step 4 - Configure Search Filter

The default LDAP search filter uses sAMAccountName (the user's Account ID). Leave the default unless your environment uses a custom search path.

Example: Search Filter with CN

Example: Search Filter limiting the search to users ONLY in the Business Department


Step 5 – Define Attributes

Sample of common Windows attributes:

Account Profile – Account tab
  User Logon: sAMAccountName, userPrincipalName

Account Profile – General tab
  givenName
  sn
  cn – First and Last Name
  mail (E-mail)


The Account ID corresponds to the user's domain logon, which typically is the sAMAccountName. This becomes the Quota ID logon.

Note: the account's password is set automatically from the user's domain password at first login and is updated automatically whenever the domain password is changed.

Attributes

Account ID: sAMAccountName (change to cn if cn is used in the search filter)

Card Number: optional field used with OneCard integration

First Name: givenName

Last Name: sn

User Class: select the User Class to which the authenticated users should be added

Note: the User Class selected here associates the users with either an Admin-level Class or a Payment Method such as a Scheduled Quota, OneCard system, Credit Allowance, or Cash to Account. Ensure the correct Payment Method is designated for the selected LDAP users.


Ref Number: optional field (could be a department name or number)

Email: mail (optional; it provides no functionality other than contact information for system administrators when needed)

Authentication Test

Once the LDAP settings are configured, an authentication test should be performed to ensure that a successful connection and user search can be established.

Select an authentication profile and enter a username and password to search.


Common Authentication Errors

1. Failed: the user doesn't exist in the search path, or the password is incorrect

2. Base DN is incorrect: check for typos or an incorrect search path


Multiple LDAP Profiles

Multiple profiles can be created to support users by individual OUs, commonly when different Quota amounts are given based on credit hours, department, or graduate level; they can also be used when specifying Admin levels.

Hint: the profiles are searched in the order in which they appear in the main list. The same account ID cannot be associated with multiple profiles.

How does authentication and Account Creation happen?

The user account (Quota account) does NOT get created until the user logs in and authenticates at either the Web Client Popup or a Print Release Station. At this point an LDAP query is performed, and if a match exists, authentication succeeds and the account is created.


Creating Accounts using the Search Directory tab

Optionally, it may be necessary to create a Quota or Admin account manually. To do so, the Search Directory option can be used.

Important: unless absolutely necessary, it is recommended to let users authenticate themselves and create their own account, because their domain password is not captured by this method and a temporary password must be generated to create the account.

Hint: the user will not need this temporary password to log in, because the account is updated with their domain password during the logon attempt.

Accounts – Manage Users

Integrated Authentication

Once the account has been created, subsequent logins are checked against the GoPrint database first. To require an LDAP search at each login, check "Always Authenticate, Authorize, & do not cache passwords" under SYSTEM – SYSTEM POLICY – Security tab.


LDAP-Driven Accounts Using Group Membership

Authentication and the assignment of users to User Classes can be filtered down to group membership level. This offers greater flexibility when filtering users who may exist in the same Organizational Unit or Container, and allows you to assign users to multiple Class Definitions and their associated payment methods.

Note: the following steps pertain to managing end-users as well as users who are assigned to Administrative Classes and granted various levels of system administration.

Accounts – Authentication Connectors:


Sample: LDAP Connector

Step 1 – Select NONE in the LDAP Connector Attribute section

From the Default Class drop-down menu select NONE

Important: setting the Default Class to None forces the LDAP search to authenticate users first; then, if a matching group membership exists at the Class Definition level, the users are granted access to that Class's payment method.


Step 2 – Select LDAP Options

Navigate to Accounts – Class Definitions. Select the desired User Class and select LDAP Options.

Step 3 – Enter the corresponding group membership syntax

Option 1 - Group Membership Accounts Using Distinguished Names

Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs, separated by commas. This is the easiest way to drive Class membership based on data in the directory: simply provide the full DN of the group that is associated with this Class of users.

Example: when it is not necessary to specify a complex memberOf string, you can use the built-in distinguished name of the group. Note: nested OUs are supported.


Option 2 – Group Membership LDAP String using the memberOf Attribute

Note: each argument must exist in its own set of parentheses. The entire LDAP statement must be enclosed in a main set of parentheses.

Scenario #1 – Single group membership

(memberOf=CN=students,DC=goprintcorp,DC=dyndns,DC=org)

Scenario #2 – Matching Multiple Groups

& (logical AND) - more than one condition, and you want all conditions in the series to be true.

(&(memberOf=CN=med students,DC=goprintcorp,DC=dyndns,DC=org)(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org))

The & operator states that all arguments must be true, or match. In this case, the matching users MUST be members of BOTH groups, med students and law students.


Scenario #3 – Matching Multiple Groups

| (logical OR) – either condition is true

(|(memberOf=CN=med students,DC=goprintcorp,DC=dyndns,DC=org)(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org))

The | operator states that EITHER argument can be true. In this case, users can be a member of either group, med students or law students.

Scenario #4 – Excluding Multiple Groups

! (logical NOT) - exclude objects that have a certain attribute

(&(memberOf=CN=med students,DC=goprintcorp,DC=dyndns,DC=org)(!(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org)))

The ! operator negates the single argument it encloses, so it is combined with & here: the first argument must be true and NOT the second. In this case, the filter MUST match users in the group med students and exclude users in the group law students.
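A Class Definition LDAP string that is malformed, or that combines the operators differently from what was intended, silently grants or withholds a payment method, so it is worth checking offline before it is pasted into the Control Center. The following is an added example, not GoPrint's code: a minimal parser and evaluator for the filter subset used in the search filter step and in the four scenarios above (&, |, ! and attribute=value items whose value may itself be a DN). It enforces the page's rules (each argument in its own parentheses, one outer set) plus the LDAP rule that ! takes exactly one argument, and then evaluates a filter against constructed sample users to show which of them each scenario admits. All group names, user names and function names are constructed for this example.

```python
"""Offline checker for memberOf filter strings (added example)."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Parsed form: ("and", [..]) | ("or", [..]) | ("not", node) | ("eq", attr, value)
Node = Tuple[Any, ...]


class FilterError(ValueError):
    """Raised for a filter the directory would reject or misinterpret."""


def parse_filter(text: str) -> Node:
    """Parse a whole filter; the entire string must be one parenthesised item."""
    s = text.strip()
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise FilterError(f"text after the closing parenthesis: {s[pos:]!r}")
    return node


def _parse(s: str, i: int) -> Tuple[Node, int]:
    if i >= len(s) or s[i] != "(":
        raise FilterError(f"expected '(' at position {i}")
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    op = s[i]
    if op in "&|!":
        i += 1
        children: List[Node] = []
        while i < len(s) and s[i] == "(":          # each argument in its own ()
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise FilterError(f"expected ')' at position {i}")
        i += 1
        if op == "!":
            if len(children) != 1:
                raise FilterError("'!' takes exactly one argument; "
                                  "to require A and exclude B write (&(A)(!(B)))")
            return ("not", children[0]), i
        if not children:
            raise FilterError(f"'{op}' needs at least one argument")
        return ("and" if op == "&" else "or", children), i
    # Simple item attr=value: DN values contain '=' and ',' but never ')',
    # so the first ')' ends the item.
    end = s.find(")", i)
    if end == -1:
        raise FilterError("unterminated item")
    item = s[i:end]
    if "=" not in item:
        raise FilterError(f"item without '=': {item!r}")
    attr, value = item.split("=", 1)
    return ("eq", attr.strip().lower(), value.strip()), end + 1


def _norm(value: str) -> str:
    """AD compares DNs case-insensitively and ignores space around commas."""
    return re.sub(r"\s*,\s*", ",", value.strip()).lower()


def matches(node: Node, entry: Dict[str, Any]) -> bool:
    """Evaluate a parsed filter against an entry (attribute -> value or list)."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    _, attr, value = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    if isinstance(values, str):
        values = [values]
    return any(_norm(v) == _norm(value) for v in values)


def filter_error(text: str) -> Optional[str]:
    """The problem with a filter string, or None if it parses cleanly."""
    try:
        parse_filter(text)
        return None
    except FilterError as exc:
        return str(exc)


# Constructed sample groups and users mirroring the scenarios on this page.
MED = "CN=med students,DC=goprintcorp,DC=dyndns,DC=org"
LAW = "CN=law students,DC=goprintcorp,DC=dyndns,DC=org"
USERS = {"both": {"memberOf": [MED, LAW]}, "med_only": {"memberOf": [MED]},
         "law_only": {"memberOf": [LAW]}, "neither": {"memberOf": []}}
SCENARIOS = {"and": f"(&(memberOf={MED})(memberOf={LAW}))",
             "or": f"(|(memberOf={MED})(memberOf={LAW}))",
             "and_not": f"(&(memberOf={MED})(!(memberOf={LAW})))"}


def who_matches(filter_text: str) -> List[str]:
    """Names of the sample users a filter admits."""
    node = parse_filter(filter_text)
    return [name for name, entry in USERS.items() if matches(node, entry)]


if __name__ == "__main__":
    for name, text in SCENARIOS.items():
        print(f"{name:8} -> {who_matches(text)}")
    print("malformed ->", filter_error(f"(!(memberOf={MED})(memberOf={LAW}))"))
```

The last line shows why Scenario #4 wraps the negation in &: a bare `(!(A)(B))` is rejected by the parser, exactly as a directory server would reject it, instead of quietly matching the wrong users.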


Optional operators used to refine searches:

Operator   Description
=          Equal to
~=         Approximately equal to
<=         Lexicographically less than or equal to
>=         Lexicographically greater than or equal to
&          AND
|          OR
!          NOT

LDAP PORTS

The network ports used by Active Directory searches are listed in the following table.

Port Assignments for Active Directory Searches

Service Name              UDP    TCP
LDAP                      None   389
LDAP SSL                  None   636
Global Catalog LDAP       None   3268
Global Catalog LDAP SSL   None   3269


Troubleshooting Bind and Search Issues

Whenever an unsuccessful test result is generated, it is important to understand how the search and authentication process is initiated. The best point of reference is the GoPrint RUN.log file found under GS4\Logs.

To display debug logging: edit the GS4\Goprint.cfg file and add the line verbose=true

A successful Bind and Search

A search attempt first looks for the authenticated (search) user. If successful, the LDAP Auth user's distinguished name is returned as follows:

] LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com

Once authenticated, an attempt is made to find the specific user entered during the test. In this case, a successful attempt was made to find the user Steve under the IT Staff OU.

2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.LDAPConnector ] LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com

Failed to find authenticated user

An error code 525 is returned when the account cannot be found. The result could be caused by a number of things:

- The authenticated user account is not located in the search path
- The authenticated username may be misspelled
- DisplayName may be required
- Incorrect search filter path
- Typos exist
- An incorrect server name was provided

] LDAP authentication for CN=goprintldap,cn=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]


Wrong password provided by the authenticated user

Incorrect passwords are represented by a 52e error:

LDAP authentication for CN=goprintldap,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]

525 - user not found

52e - invalid credentials

Authenticated user and end-user accounts are found, but an invalid password was entered

LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com

The user account Fred is found, but an error 52e is returned, indicating that invalid credentials were entered.

2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.LDAPConnector ] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]

End user account does not exist

LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com

2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.AuthenticationManager] Authentication failed: null [Root exception is javax.naming.CommunicationException: goprint.com:389 [Root exception is java.net.SocketTimeoutException: connect timed
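The RUN.log lines above follow a fixed shape: a successful bind is logged as "LDAP Auth for <DN>", a failed bind carries the AcceptSecurityContext "data" sub-code (525 or 52e here), and a connection problem surfaces as a javax.naming.CommunicationException naming the host and port. The following triage script is an added example, not GoPrint's code; it classifies such lines and maps the sub-code to its meaning, and it also counts 52e failures per DN, since a run of them against one search-user DN after a password change looks very different from a run against many end-user DNs. The sub-code table is the standard Active Directory set (the page shows only 525 and 52e); the sample log is constructed from the fragments quoted in this section, with single-line entries as they appear in a real RUN.log.

```python
"""RUN.log triage for GoPrint LDAP connector failures (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Standard Active Directory bind sub-codes ("data NNN" in the LdapErr text).
AD_BIND_DATA_CODES = {
    "525": "user not found: check the search path, spelling and search filter",
    "52e": "invalid credentials: wrong password",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

BIND_OK = re.compile(r"LDAP Auth for (?P<dn>.+?)\s*$")
BIND_FAILED = re.compile(
    r"LDAP authentication for (?P<dn>.+?) failed: \[LDAP: error code (?P<code>\d+)"
    r".*?AcceptSecurityContext error, data (?P<data>[0-9a-fA-F]+)")
CONNECT_FAILED = re.compile(
    r"javax\.naming\.CommunicationException: (?P<host>[\w.\-]+):(?P<port>\d+)")


def triage_line(line: str) -> Optional[Dict[str, str]]:
    """Classify one RUN.log line; None for lines that are not LDAP events."""
    m = BIND_FAILED.search(line)
    if m:
        data = m["data"].lower()
        return {"event": "bind_failed", "dn": m["dn"], "data": data,
                "meaning": AD_BIND_DATA_CODES.get(data, "unknown sub-code")}
    m = CONNECT_FAILED.search(line)
    if m:
        return {"event": "connect_failed", "host": m["host"], "port": m["port"],
                "meaning": "no LDAP connection: server name, DNS, firewall or port"}
    m = BIND_OK.search(line)
    if m:
        return {"event": "bind_ok", "dn": m["dn"], "meaning": "bind succeeded"}
    return None


def triage_log(text: str) -> List[Dict[str, str]]:
    """Classify every LDAP event in a log excerpt, in order."""
    return [r for r in (triage_line(ln) for ln in text.splitlines()) if r]


def invalid_password_counts(text: str) -> Dict[str, int]:
    """52e failures per DN: repeated hits on one DN deserve a closer look."""
    return dict(Counter(r["dn"] for r in triage_log(text) if r.get("data") == "52e"))


# Constructed sample assembled from the fragments quoted in this section.
SAMPLE_LOG = """\
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.LDAPConnector ] LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.LDAPConnector ] LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com
2008-11-17 16:09:02,101 INFO [btpool1-4:ldap.LDAPConnector ] LDAP authentication for CN=goprintldap,cn=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.LDAPConnector ] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
2008-11-20 01:00:51,002 INFO [btpool1-3:ldap.LDAPConnector ] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.AuthenticationManager] Authentication failed: null [Root exception is javax.naming.CommunicationException: goprint.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]
"""

if __name__ == "__main__":
    for record in triage_log(SAMPLE_LOG):
        print(record)
    print(invalid_password_counts(SAMPLE_LOG))
```

Point the script at a real RUN.log (after setting verbose=true as described above) by reading the file into `triage_log`; the bind_failed records tell you at a glance whether the search user or the end user is the one being rejected, and whether it is a lookup problem (525) or a password problem (52e).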


Import Domain SSL Certificate for LDAP over SSL Authentication Using Java Keytool

C:\GS4\jre\bin>keytool -import -keystore C:\gs4\jre\lib\security\cacerts -alias anyname -file c:\domaincert.cer

Enter keystore password:

Owner: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us

Issuer: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us

Serial number: 49b591b2

Valid from: Mon Mar 09 15:01:22 GMT-07:00 2009 until: Sat Dec 03 15:01:22 GMT-07:00 2011

Certificate fingerprints:

MD5: 93:03:47:C3:65:EA:C8:D2:D5:1C:E9:46:25:6C:CC:CE

SHA1: 60:B6:C8:81:98:D1:53:8B:20:55:12:B7:3E:89:FB:89:99:A0:51:C5

Signature algorithm name: SHA1withRSA

Version: 3

Trust this certificate? [no]: y

Certificate was added to keystore


Import Using SSL Certificates Tool

1. System - SSL Certificates

2. Select Authorities

3. Enter a hostname and port


4. Enter Server’s Hostname or IP address and Port 636 and select Snag Certificate

5. Confirm import


6. Restart the GS-4 Services

7. Enable SSL over LDAP

8. Save

Common error: check with your system administrator to ensure SSL is enabled for the domain.


Additional Resources

Global catalog search base

For an LDAP search, you must supply a valid search base. For a global catalog search, the search base can be any value, including the value NULL ( ). A search base of NULL effectively scopes the search on the search computer to the global catalog. If you use a NULL search base with a scope of one level or subtree and specify port 389 (the default LDAP port), the search fails. Therefore, if you submit a NULL search to the global catalog port and then change the port to the LDAP port, you must change the search base for the search to succeed.

Characteristics of a global catalog search

The following additional characteristics differentiate a global catalog search from a standard LDAP search:

- A global catalog search crosses directory partition boundaries. The extent of an LDAP search is the directory partition.

- A global catalog search does not return subordinate referrals. If you use port 3268 to request an attribute that is not in the global catalog, you do not receive a referral to it. Subordinate referrals are an LDAP response. When you query a server over port 3268, you receive global catalog responses, which are based solely on the contents of the global catalog. If you query the same server over port 389, you receive referrals for objects that are in the forest but whose attributes are not referenced in the global catalog.


Anonymous queries

By default, anonymous LDAP operations to Active Directory, other than rootDSE searches and binds, are not permitted in Windows Server 2003. (Active Directory in Windows 2000 Server accepts anonymous requests; a successful result depends on objects having correct user permissions in Active Directory.)

To enable anonymous binding to Active Directory in Windows Server 2003, you must change the seventh character of the dsHeuristics attribute on the following directory object:

CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<root domain in forest>

Valid values for the dsHeuristics attribute are 0 and 2. By default, the dsHeuristics attribute does not exist, but its internal default is 0. If you set the seventh character to 2, anonymous clients can perform any operation that is permitted by the access control list (ACL). If the attribute is already set, do not modify any characters in the dsHeuristics string other than the seventh. If the value is not set, make sure that you provide the leading zeros up to the seventh character. You can use Adsiedit.msc to make the change to the dsHeuristics attribute.

After you set the dsHeuristics attribute, if you want anonymous users to be able to query Active Directory, you can enable anonymous access to specific directory objects. Users gain anonymous access to Active Directory objects through Anonymous Logon, which is a special security identifier (SID) that is used to represent anonymous network callers that perform an LDAP bind with NULL credentials.
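Because the anonymous-operations switch is a single character inside a positional string, a review of a domain's dsHeuristics value is easy to get wrong by eye. The following helper is an added example (not part of this document or of any Microsoft tooling): it encodes the rules stated above, namely that the seventh character decides the setting (2 = allowed, 0 = not allowed), an absent attribute means 0, other characters must be left untouched, and leading zeros are needed when the attribute does not exist yet. The function names and sample values are constructed; the value itself would be read from and written to the Directory Service object with a tool such as Adsiedit.msc.

```python
"""dsHeuristics anonymous-operations audit helper (added example)."""
from typing import Dict, Optional

ANON_POS = 6   # zero-based index of the seventh character of dsHeuristics


def anonymous_operations_enabled(ds_heuristics: Optional[str]) -> bool:
    """True when the seventh character is 2 (anonymous operations allowed)."""
    if not ds_heuristics or len(ds_heuristics) <= ANON_POS:
        return False             # attribute missing or short: internal default 0
    return ds_heuristics[ANON_POS] == "2"


def with_seventh_character(ds_heuristics: Optional[str], value: str) -> str:
    """The string to write back, changing only the seventh character.

    A missing or short value is padded with zeros up to position 7; any
    characters already present before or after that position are kept.
    """
    if value not in ("0", "2"):
        raise ValueError("valid values for the seventh character are 0 and 2")
    current = (ds_heuristics or "").ljust(ANON_POS + 1, "0")
    return current[:ANON_POS] + value + current[ANON_POS + 1:]


def audit(ds_heuristics: Optional[str]) -> Dict[str, object]:
    """Reviewer's report: current state and, if needed, the value that disables it."""
    enabled = anonymous_operations_enabled(ds_heuristics)
    if enabled:
        finding = ("anonymous LDAP operations are enabled; confirm this is intended "
                   "and review object ACLs, since anonymous callers see whatever "
                   "the ACL permits")
    else:
        finding = "default: anonymous operations limited to rootDSE searches and binds"
    return {
        "value": ds_heuristics,
        "anonymous_operations": enabled,
        "finding": finding,
        "hardened_value": with_seventh_character(ds_heuristics, "0") if enabled else ds_heuristics,
    }


if __name__ == "__main__":
    for sample in (None, "0000002", "0010002"):
        print(audit(sample))
```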