Online LDAP Authentication


LDAP (Lightweight Directory Access Protocol) is a protocol for accessing online directory services. A directory service organizes computerized content and runs on a directory server computer. Via LDAP it is possible to read out all information about, for example, the users and computers held by a directory server, e.g. the users of a Windows 2003 Server Active Directory, a Mac OS X Server Open Directory or a Novell eDirectory. LDAP defines a relatively simple protocol for updating and searching directories, running over TCP/IP.



1. Enabling Online LDAP Authentication

Go to the Server Config. > Interface > User Identification page and change the User Identification Module parameter from uniFLOW Standard (no LDAP authentication) to one of the following two options:

Online LDAP Authentication, uniFLOW Standard
uniFLOW tries to look up the user in the LDAP directory first, and in the uniFLOW database second. In former uniFLOW versions this option was known as Search priority direct online.
uniFLOW Standard, Online LDAP Authentication
uniFLOW tries to look up the user in the uniFLOW database first, and in the LDAP directory second. In former uniFLOW versions this option was known as Search priority sync only new.

Selecting either one of these options enables on-demand user synchronization via LDAP into the uniFLOW kernel.

Click Save to save your settings.


uniFLOW searches for users both in the uniFLOW database and in the LDAP directory, so you need to define which of the two is searched first. Below you will find a more detailed explanation of the two priority settings.

1. Online LDAP Authentication, uniFLOW Standard

With this option, LDAP is searched first; only if LDAP is unavailable is the uniFLOW database searched (search priority direct online). It provides the following functionality:

Users are created automatically the moment they print. This is only possible if the user already exists in the LDAP directory and the LDAP server is available.
If the LDAP server is available but the user does not exist in LDAP, the user cannot print and uniFLOW will try to delete the user from its database.

With this option, when a user prints, uniFLOW first tries to find the user in LDAP. Three outcomes are possible:

a) If the LDAP server is available and the user is found, the user is correctly identified and can print. The user will be created – if necessary – in the uniFLOW database.
b) If the LDAP server is available and the user cannot be found, uniFLOW will – in case the user does exist in the database – delete the user from the database, as the user is apparently no longer allowed to print.
c) If the LDAP server is not available (and only in this case), uniFLOW will try to identify the user in its own database. If the user is found there, printing is possible.

Advantage:
Keeps the uniFLOW user database always up to date. Users will be created, updated or deleted in the uniFLOW database if there are changes in the LDAP directory.

Disadvantage:
The login mechanism is slower, because every login requires a lookup on the LDAP server before uniFLOW can identify the user.

Use this option if user turnover in your environment is high and the uniFLOW database must always be up to date.


2. uniFLOW Standard, Online LDAP Authentication

With this option, users are searched for in the uniFLOW database first, then in LDAP (sync only new). This provides the following functionality:

Users are created in the uniFLOW database when they print or copy, provided they exist in the LDAP directory.
No automatic data synchronization with LDAP takes place; LDAP is only used to add new users.
Users are not deleted automatically from the uniFLOW database when they no longer exist in the LDAP directory.

Advantage:
The login mechanism is very fast, because uniFLOW only queries the LDAP directory when a user is not found in its own database.

Disadvantage:
Users who no longer exist in the LDAP directory are not deleted automatically from the uniFLOW database.

Use this option if user turnover in your environment is low and you prefer fast user identification.
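As an added illustration (not uniFLOW code), the following Python model walks through both priorities described above, including the LDAP-unavailable fallback in case c) and the case of a user who was removed from LDAP but still exists in the uniFLOW database; LdapDirectory, identify_user and the user names are constructed assumptions, not uniFLOW internals.

```python
# Added example, not uniFLOW code: a model of the two user-identification
# priorities described above. Names and data are constructed.
DIRECT_ONLINE = "Online LDAP Authentication, uniFLOW Standard"  # LDAP first
SYNC_ONLY_NEW = "uniFLOW Standard, Online LDAP Authentication"  # database first

class LdapDirectory:
    """Toy stand-in for the LDAP server (constructed, not a real LDAP client)."""

    def __init__(self, users, available=True):
        self.users = set(users)
        self.available = available

    def lookup(self, name):
        if not self.available:
            raise ConnectionError("LDAP server unreachable")
        return name in self.users

def identify_user(mode, ldap, local_db, name):
    """Return True if the user may print; local_db (a set standing in for the
    uniFLOW database) is updated in place as each priority prescribes."""
    if mode == DIRECT_ONLINE:
        try:
            found = ldap.lookup(name)
        except ConnectionError:
            # (c) LDAP unavailable: only now is the local database consulted
            return name in local_db
        if found:
            local_db.add(name)    # (a) created on demand if necessary
            return True
        local_db.discard(name)    # (b) gone from LDAP: deleted locally, denied
        return False
    # SYNC_ONLY_NEW: local database first, LDAP only for unknown users
    if name in local_db:
        return True               # no LDAP round trip, no re-validation
    try:
        if ldap.lookup(name):
            local_db.add(name)    # new user stored from LDAP
            return True
    except ConnectionError:
        pass
    return False

def deprovisioned_user_scenario(mode):
    """alice was removed from LDAP but is still in the local database."""
    ldap = LdapDirectory(users={"bob"})
    local_db = {"alice", "bob"}
    allowed = identify_user(mode, ldap, local_db, "alice")
    return allowed, sorted(local_db)
```

Running deprovisioned_user_scenario with each mode shows the practical difference: with LDAP first, alice is denied and removed from the local database; with the database first, she keeps printing until an LDAP Import Task cleans up the stale entry.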

Database synchronization

The uniFLOW Standard, Online LDAP Authentication option does not delete users automatically. For that reason, you can create an LDAP Import Task to synchronize your databases regularly. Please refer to Tasks – LDAP Import Task for a description of this task in uniFLOW.


Activating Online LDAP Authentication

Activating Online LDAP Authentication requires a restart of the uniFLOW services. We recommend configuring all LDAP settings described in this chapter first and only then restarting the services.

Next, go to Connections > LDAP. There, you can set up the LDAP authentication.


You can create new LDAP connectors by clicking the New button in the top right-hand corner of the screen. Several connectors can be created, for example to read out different directory server computers or domains.

Connectors that have already been configured are shown in this list. To edit or delete a connector, click on it to open the tabs in which its settings can be made or changed.