You can configure settings so that authentication is performed in the LDAP server using the card ID registered in the authentication card (LDAP-IC Card Authentication).
Authentication is completed simply by placing the IC card. This enhances security without reducing ease of operation for users.
To perform authentication using the authentication card, follow the procedure below to configure the settings.
1. Enable the use of Authentication Unit (IC card type) in this machine
   - Authentication Unit (IC card type) must be configured by your service representative. For details, contact your service representative.
2. Configure basic settings for the LDAP-IC card authentication
3. Set the following options according to your environment

Purpose | Reference |
---|---|
Communicate with the LDAP server using SSL |
In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [LDAP-IC Card Authentication Setting], set [LDAP-IC Card Authentication Setting] to [ON] (Default: [OFF]).
In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration] - [Edit], then register information of the LDAP server to be used for authenticating the user ID of the IC card.
Settings | Description |
---|---|
[Server Address] | Enter the address of the LDAP server to be used for authenticating the user ID of the IC card. Use one of the following formats.
|
[Port No.] | If necessary, change the LDAP server port number. Normally, you can use the original port number. [389] is specified by default. |
[Search Base] | Specify the starting point to search for a user to be authenticated (using up to 255 characters). The search covers the entered starting point and the tree structure below it. Example of entry: "cn=users,dc=example,dc=com" |
[Timeout] | If necessary, change the timeout period for communication with the LDAP server. [60] sec. is specified by default. |
[General Settings] | Select the authentication method to log in to the LDAP server. Select one appropriate for the authentication method used for your LDAP server. [Simple] is specified by default. |
[Login Name] | Enter the login name used to log in to the LDAP server and search for a user (using up to 64 characters). |
[Password] | Enter the password for the login name you entered into [Login Name] (using up to 64 characters, excluding "). To enter (change) the password, select the [Password is changed.] check box, then enter a new password. |
[Domain Name] | Enter the domain name to log in to the LDAP server (using up to 64 characters). If [GSS-SPNEGO] is selected for [General Settings], enter the domain name of Active Directory. |
[Use Referral] | Select whether to use the referral function, if necessary. Make an appropriate choice to fit the LDAP server environment. [ON] is specified by default. |
[Search Attribute] | Enter the attribute in which the IC card information is registered (using up to 63 characters, including the hyphen symbol -). The attribute must start with an alphabetic character. [uid] is specified by default. |
[User Name] | Select how to obtain the user name when logging in to this machine. [Use Card ID] is specified by default. |
[External Server Connection] | Select the name of the external server to be used as authentication information saved on this machine. The authentication information is saved on this machine when the LDAP-IC card authentication is successfully completed. This authentication information includes the user name and the external server name. The name of an external server registered on this machine can be used as the external server name in the saved authentication information. [No Selection] is specified by default. |
Communication between this machine and the LDAP server is encrypted with SSL.
Configure the setting if your environment requires SSL-encrypted communication with the LDAP server.
In the administrator mode, select [User Auth/Account Track] - [LDAP-IC Card Authentication Setting] - [Server Registration] - [Edit], then configure the following settings.
Settings | Description |
---|---|
[Enable SSL] | Select this check box to use SSL communication. [OFF] (not selected) is specified by default. |
[Port No. (SSL)] | If necessary, change the SSL communication port number. Normally, you can use the original port number. [636] is specified by default. |
[Certificate Verification Level Settings] | To verify the certificate, select items to be verified. If you select [Confirm] at each item, the certificate is verified for each item. |
[Expiration Date] | Confirm whether the certificate is still valid. [Confirm] is specified by default. |
[CN] | Confirm whether CN (Common Name) of the certificate matches the server address. [Do Not Confirm] is specified by default. |
[Key Usage] | Confirm whether the certificate is used according to the intended purpose approved by the certificate issuer. [Do Not Confirm] is specified by default. |
[Chain] | Confirm whether there is a problem in the certificate chain (certificate path). The chain is validated by referencing the external certificates managed on this machine. [Do Not Confirm] is specified by default. |
[Expiration Date Confirmation] | Confirm whether the certificate has expired. Expiration is checked in the following order.
[Do Not Confirm] is specified by default. |
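
The following pre-flight check for the values planned for [Server Registration] is an added example, not part of the original manual or of the machine's software. It flags the defaults listed in the tables above that leave the LDAP connection unencrypted or the server certificate unchecked, and builds an equivalent OpenLDAP `ldapsearch` command for testing the lookup from an administrator workstation. Assumptions: settings are held in a dictionary keyed by the option names on this page, the bind method is [Simple], the card is matched with an equality filter on [Search Attribute], and the server name, bind DN and card ID are constructed sample values.

```python
import re

# Defaults as stated in the tables on this page.
DEFAULTS = {
    "Port No.": 389, "Port No. (SSL)": 636, "Enable SSL": "OFF",
    "General Settings": "Simple", "Search Attribute": "uid",
    "Expiration Date": "Confirm", "CN": "Do Not Confirm",
    "Key Usage": "Do Not Confirm", "Chain": "Do Not Confirm",
}

def audit(settings):
    """Return findings for planned settings, keyed by the page's option names."""
    s = {**DEFAULTS, **settings}
    findings = []
    # Page rule: up to 63 characters, starts with a letter, "-" allowed.
    # Assumption: digits are also accepted, as in LDAP attribute names.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]{0,62}", s["Search Attribute"]):
        findings.append("Search Attribute: not a valid attribute name")
    if s["Enable SSL"] != "ON":
        findings.append("Enable SSL: OFF, LDAP traffic is not encrypted")
        if s["General Settings"] == "Simple":
            findings.append("General Settings: Simple bind without SSL "
                            "sends the [Password] value in cleartext")
    else:
        for item in ("Expiration Date", "CN", "Key Usage", "Chain"):
            if s[item] != "Confirm":
                findings.append(f"{item}: [Do Not Confirm], not verified")
    return findings

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in value)

def ldapsearch_argv(settings, card_id):
    """Build an ldapsearch command (simple bind) mirroring the planned lookup."""
    s = {**DEFAULTS, **settings}
    tls = s["Enable SSL"] == "ON"
    port = s["Port No. (SSL)"] if tls else s["Port No."]
    url = f"{'ldaps' if tls else 'ldap'}://{s['Server Address']}:{port}"
    # Assumption: equality match on [Search Attribute], subtree scope.
    flt = f"({s['Search Attribute']}={escape_filter_value(card_id)})"
    return ["ldapsearch", "-x", "-H", url, "-D", s["Login Name"], "-W",
            "-b", s["Search Base"], "-s", "sub", flt]

# Constructed sample values, not taken from a real deployment.
PLANNED = {"Server Address": "ldap.example.com", "Enable SSL": "ON",
           "CN": "Confirm", "Search Base": "cn=users,dc=example,dc=com",
           "Login Name": "cn=mfp-bind,dc=example,dc=com"}
```

Running `audit(PLANNED)` reports the two items still left at [Do Not Confirm]; a lookup that returns more than one entry for a card ID indicates that the [Search Base] or [Search Attribute] is too broad.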