Active Directory LDAP
Quota and Admin account
authentication and management
Version 4.1
Updated July 2014
GoPrint Systems
© 2014 GoPrint Systems, Inc, All rights reserved.
One Annabel Lane, Suite 105 • San Ramon, CA 94583 • (925)790-0070
Table of Contents
Overview (p. 1)
Create the LDAP Connector Profile (p. 3)
Base DN (p. 6)
Search User Account (p. 8)
Search Filter (p. 9)
Attributes (p. 10)
Authentication Test (p. 11)
Multiple Connectors (p. 14)
Understanding Authentication (p. 14)
Search Directory Option (p. 15)
Integrated Authentication (p. 15)
LDAP-Driven Accounts by Group Membership (p. 16)
Troubleshooting (p. 22)
LDAP Over SSL (p. 24)
Additional Resources (p. 28)
Active Directory LDAP Configuration
Overview
GoPrint incorporates the LDAP protocol to authenticate and import users into a GoPrint
database to create Quota and Admin accounts based on Organization Unit or Group
Membership.
Things to know!
1. Multiple LDAP profiles can be created when you want to authenticate users based on different OUs and groups.
2. The user account (Quota account) is NOT created until the user logs in and authenticates, either at the Web Client Popup or at a Print Release Station. At that point an LDAP query is performed; if a match exists, authentication succeeds and the account is created.
3. Before configuring, you need the name of the domain controller, the search user's domain account ID and password, and a test account (student) and password.
GoPrint provides options for the following Active Directory attributes:
1. Account ID
2. FirstName
3. LastName
4. Department (optional field named reference no)
5. Email
6. Card Number to validate against a campus OneCard system
7. Reference Number (optional field for custom attributes)
Creating the LDAP Profile
To access the GoPrint Active Directory LDAP profile configuration section select:
Accounts – Authentication Connectors
Standard Authentication and Card Swipe Authentication
GoPrint provides two connector options, Standard Authentication and Card Swipe Authentication. Card swipe authentication is used when the student's Login ID is programmed on a university campus card, which is swiped at a Print Release Station to release print jobs.
Step 1 - Click Add a Standard Authentication Connector
Step 2 - Select Microsoft Active Directory
Step 3 – Enter Connector Information
Connector
Name: create a friendly name to identify the group of users being authenticated. The name is also used for administration purposes and comes in handy when creating multiple LDAP profiles.
Active: check to enable
LDAP Server
Server Name: enter the fully qualified DNS name of the domain controller. Do NOT enter the IP address. If you cannot resolve the FQDN, network or DNS issues exist and they must be resolved.
Security: leave the default of Simple (no network privacy)
Note: by default GoPrint applies MD5-level encryption across the network for all user logon and password attempts. If your environment requires the additional level of security of LDAPS, and a trusted SSL certificate has been installed in the domain controller's certificate store and replicated to Active Directory Domain Services, then you may enable LDAP over SSL. The certificate must then be imported into the Java JRE cacerts keystore found under the GS4\jre\lib\security directory. For additional information refer to the Control Center Advanced HELP topics.
Search Target
Base DN (Distinguished Name): This field specifies the DN of the node where the search
for a user would start. For performance reasons, this DN should be as specific as possible
and must contain commas without spaces. Active Directory is not case sensitive.
Example #1 - Basic root search
Starting a search at the root level of a domain scans the entire
directory tree including all subordinate OUs. Using the Active
Directory domain “campus.edu” the base DN may look like:
DC=campus,DC=edu.
Example #2 – Organization Unit (OU)
Limiting the search
To reduce system overhead, and to intentionally include or exclude a specific group of users (for example when using multiple GoPrint LDAP profiles), you can start the search at the OU level. To start your search at the students OU of the campus.edu domain, you might use a search base as follows:
OU=students,DC=campus,DC=edu
Example #2 – Nested Organization Level
When the group of users is nested below one or more OUs, the following string is set:
Note: GoPrint will not search for users in the higher-level OUs, only in the specific OU set in the DN.
Hint: a common mistake is to write the DN from the higher OU level down; it must be written from the start point up. In this case, our start point is the medical OU.
OU=medical,OU=main campus,OU=gradstudents,DC=campus,DC=EDU
Example #3 - User Container Level Search: CN=Users,DC=campus,DC=edu
Windows Active Directory provides a default container called Users. It is important to note that this is NOT an Organizational Unit but a built-in container. When starting a search at the Users container, the common name (CN) must be used rather than OU.
Note: this is not a common scenario in most environments, but it is important to note.
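As an added example (not GoPrint's own code), the following Python builds a Base DN from a domain and a top-down OU path and flags the mistakes described above: spaces after commas, a mistyped component such as OU-gradstudents, and a DN written from the domain down instead of from the start point up. It assumes RDN values contain no escaped commas.

```python
"""Added example (not GoPrint code): build and sanity-check a Base DN string.

Assumes RDN values contain no escaped commas, which holds for the DNs in
this guide. Active Directory compares DNs case-insensitively, so DC=EDU and
DC=edu are treated alike here.
"""
import re

RDN_RE = re.compile(r"^(OU|CN|DC)=(.+)$", re.IGNORECASE)


def base_dn_from_path(domain: str, ou_path: list) -> str:
    """Build a Base DN from a DNS domain and an OU path listed top-down.

    The path is reversed because the DN is written from the start point (the
    most specific OU) up to the domain, the order the guide's hint describes.
    """
    ous = [f"OU={ou}" for ou in reversed(ou_path)]
    dcs = [f"DC={label}" for label in domain.split(".")]
    return ",".join(ous + dcs)


def check_base_dn(dn: str) -> list:
    """Return the problems found in a Base DN; an empty list means it looks sane."""
    problems = []
    if ", " in dn:
        problems.append("space after a comma; commas must have no spaces")
    seen_dc = False
    for part in (p.strip() for p in dn.split(",")):
        m = RDN_RE.match(part)
        if not m:
            problems.append(f"malformed component {part!r}; expected OU=, CN= or DC=")
            continue
        if m.group(1).upper() == "DC":
            seen_dc = True
        elif seen_dc:
            # An OU/CN after a DC means the DN was written top-down.
            problems.append(f"{part!r} follows a DC= component; write the DN from the start point up")
    if not seen_dc:
        problems.append("no DC= components; the DN must end with the domain")
    return problems


def normalize_base_dn(dn: str) -> str:
    """Strip spaces after commas and repair the 'OU-name' typo (a '-' instead of '=')."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(re.sub(r"^(OU|CN|DC)-", r"\1=", p, flags=re.IGNORECASE) for p in parts)


if __name__ == "__main__":
    typo = "OU=medical,OU=main campus,OU-gradstudents, DC=campus,DC=EDU"
    print(check_base_dn(typo))
    print(normalize_base_dn(typo), check_base_dn(normalize_base_dn(typo)))
```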
Search User Account
Search User DN: LDAP requires a domain user account to bind and search against the
Active Directory database.
Permissions Required: only standard user Read permissions are necessary
Append Base DN: DO NOT CHECK!!!
Step 4 - Configure Search Filter
The default LDAP search filter uses sAMAccountName (the user's Account ID). Leave the default unless your environment uses a custom search path.
Example Search Filter with CN:
Example: Search Filter limiting search to users ONLY in the Business Department
Step 5 – Define Attributes
Sample of common Windows attributes:
Account Profile – Account tab, User Logon: sAMAccountName, userPrincipalName
Account Profile – General tab: givenName, sn, cn (first and last name), email
The Account ID corresponds to the user domain logon, which typically is the
sAMAccountName. This will be the Quota ID logon.
Note: the user’s domain password is automatically created at first login and is
automatically updated whenever the password is changed.
Attributes
Account ID: sAMAccountName (change to cn if cn is used in the search filter)
Card Number: optional field used with OneCard integration
First Name: givenName
Last Name: sn
User Class: select the User Class you wish to add the authenticated users to
Note: the User Class selected here associates the users with either an Admin-level Class or a Payment Method such as a Scheduled Quota, One Card system, Credit Allowance, or Cash to Account. Ensure the correct Payment Method is designated for the selected LDAP users.
Ref Number: optional field (could be a department name or number)
Email: mail (optional; provides no functionality other than contact information for system administrators when needed)
Authentication Test
Once the LDAP settings are configured, an authentication test should be performed
to ensure a successful connection and user search can be established.
Select an authentication profile and enter a username and password to search
Common Authentication Errors
1. Failed: the user doesn't exist in the search path, or the password is incorrect
2. Base DN is incorrect: check for typos or an incorrect search path
Multiple LDAP Profiles
Multiple profiles can be created to support users by individual OUs, commonly when different Quota amounts are given based on credit hours, department, or graduate level; they can also be used when specifying Admin levels.
Hint: the profiles are searched in the order in which they appear in the main list. The same account ID cannot be associated with multiple profiles.
How does authentication and Account Creation happen?
The user account (Quota account) is NOT created until the user logs in and authenticates, either at the Web Client Popup or at a Print Release Station. At that point an LDAP query is performed, and if a match exists, authentication succeeds and the account is created.
Creating Accounts using the Search Directory tab
In some cases it may be necessary to create a Quota or Admin account manually. To do so, the Search Directory option can be used.
Important: unless absolutely necessary, it is recommended to let users authenticate themselves and so create their own account, because a manually created account does not capture the domain password and a temporary password must be generated to create the account.
Hint: the user will not need this temporary password to log in, because the account is updated when they enter their domain password during a logon attempt.
Accounts – Manage Users
Integrated Authentication
Once the account has been created, a query to the GoPrint database happens first at login. To require an LDAP search at each login, check Always Authenticate, Authorize, & do not cache passwords under SYSTEM – SYSTEM POLICY – Security tab.
LDAP-Driven Accounts Using Group Membership
Authentication and assignment of users to User Classes can be filtered down to group membership level. This offers greater flexibility in filtering users who exist in the same Organizational Unit or Container, and allows you to assign users to multiple Class Definitions and their assigned payment methods.
Note: the following steps pertain to managing both end-users, as well as
users who can be assigned to Administrative Classes and granted various
levels of system administration.
Accounts – Authentication Connectors:
Sample: LDAP Connector
Step 1 – Select NONE at the LDAP Connector Attribute section
From the Default Class drop down menu select NONE
Important: setting the Default Class to None forces the LDAP search to authenticate users first; then, if a matching group membership exists at the Class Definition level, the users are granted access to that Class's payment method.
Step 2 – Select LDAP Options
Navigate to Accounts – Class Definitions, select the desired User Class and select LDAP Options.
Step 3 – Enter the corresponding group membership syntax
Option 1 - Group membership Accounts Using Distinguished Names
Every entry in the directory has a distinguished name (DN). The DN is the name that uniquely identifies an entry in the directory. A DN is made up of attribute=value pairs separated by commas. This is the easiest way to drive Class membership based on data in LDAP: simply provide the full DN of the group container that is associated with this Class of users.
Example: when it is not necessary to specify a complex memberOf string, you can use the built-in distinguished name of the group. Note: nested OUs are supported.
Option 2 –Group Membership LDAP String using MemberOf Attribute
Note: Each argument must exist in its own set of parentheses. The entire
LDAP statement must be encompassed in a main set of parentheses.
Scenario #1 – Single group membership
(MemberOf=CN=students,DC=goprintcorp,DC=dyndns,DC=org)
Scenario #2 – Matching Multiple Groups
& (logical AND) – more than one condition, and you want all conditions in the series to be true.
(&(memberOf=CN=medstudents,DC=goprintcorp,DC=dyndns,DC=org)(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org))
The & operator states that all arguments must be true, or match. In this case, the matching users MUST be a member of BOTH groups, ITS and staff.
Scenario #3 – Matching Multiple Groups
| (logical or) – either condition is true
(|(memberOf=CN=med students,DC=goprintcorp,DC=dyndns,DC=org)(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org))
The | operator states that EITHER argument can be true. In this case, users can be a member of either group, med students or law students.
Scenario #4 – Excluding Multiple Groups
! (logical NOT) - exclude objects that have a certain attribute
(&(memberOf=CN=med students,DC=goprintcorp,DC=dyndns,DC=org)(!(memberOf=CN=law students,DC=goprintcorp,DC=dyndns,DC=org)))
The ! operator negates the single argument it encloses; combined with &, the first argument must be true and NOT the second. In this case, the filter MUST match users in the group med students and exclude users in the group law students.
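The four scenarios above as an added example (not GoPrint's code): a small evaluator for the memberOf filters run against constructed user entries. It compares values case-insensitively as Active Directory does, and rejects a ! operator given more than one argument, since ! negates exactly one filter and must be combined with & to exclude a second group.

```python
"""Added example (not GoPrint code): evaluate memberOf filters against sample users.

Supports the subset of LDAP filter syntax used in this guide: (attr=value),
(&...), (|...) and (!...). Attribute names and values are compared
case-insensitively, as Active Directory does. Assumes values contain no ')'.
"""
MED = "CN=med students,DC=goprintcorp,DC=dyndns,DC=org"
LAW = "CN=law students,DC=goprintcorp,DC=dyndns,DC=org"

# Constructed directory entries: attribute name -> list of values.
USERS = {
    "alice": {"memberOf": [MED]},
    "bob": {"memberOf": [LAW]},
    "carol": {"memberOf": [MED, LAW]},
    "dave": {"memberOf": []},
}

FILTER_AND = f"(&(memberOf={MED})(memberOf={LAW}))"          # Scenario #2
FILTER_OR = f"(|(memberOf={MED})(memberOf={LAW}))"           # Scenario #3
FILTER_EXCLUDE = f"(&(memberOf={MED})(!(memberOf={LAW})))"   # Scenario #4
FILTER_BAD = f"(!(memberOf={MED})(memberOf={LAW}))"          # '!' with two arguments


def parse(s: str, i: int = 0):
    """Parse one parenthesised filter starting at s[i]; return (tree, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i = s[i], i + 1
        kids = []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' negates exactly one filter; combine it with (&...)")
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.strip(), value.strip()), end + 1


def matches(tree, entry) -> bool:
    """Evaluate a parsed filter against one entry (dict of attribute -> values)."""
    if tree[0] == "=":
        _, attr, value = tree
        values = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
        return any(v.lower() == value.lower() for v in values)
    op, kids = tree
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)  # op == "!"


def who_matches(filter_str: str) -> list:
    """Return the sorted names of the sample users the filter would select."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("unexpected text after the closing parenthesis")
    return sorted(name for name, entry in USERS.items() if matches(tree, entry))


if __name__ == "__main__":
    for label, f in [("AND", FILTER_AND), ("OR", FILTER_OR), ("EXCLUDE", FILTER_EXCLUDE)]:
        print(label, who_matches(f))
```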
Optional operators used to refine searches:
Operator   Description
=          Equal to
~=         Approximately equal to
<=         Lexicographically less than or equal to
>=         Lexicographically greater than or equal to
&          AND
|          OR
!          NOT
LDAP PORTS
The network ports used by Active Directory searches are listed in the following table.
Port Assignments for Active Directory Searches
Service Name              UDP    TCP
LDAP                      None   389
LDAP SSL                  None   636
Global Catalog LDAP       None   3268
Global Catalog LDAP SSL   None   3269
Troubleshooting Bind and searching Issues
Whenever an unsuccessful test result is generated, it’s important to understand how the
search and authenticate process is initiated. The best point of reference is the GoPrint
RUN.log file found under GS4\Logs.
To Display Debug Logging: edit the GS4\Goprint.cfg file and enter the line verbose=true
A successful Bind and Search
A search attempt first looks for the authenticated (search) user. If successful, the LDAP Auth user's Distinguished Name is returned as follows:
LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
Once authenticated, an attempt is made to find the specific user entered during the test. In this case, a successful attempt was made to find the user Steve under the IT Staff OU:
2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.LDAPConnector] LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com
Failed to find authenticated user
An error code 525 is returned when the account cannot be found. This result can be caused by a number of things:
1. The authenticated user account is not located in the search path
2. The authenticated username may be misspelled
3. DisplayName may be required
4. Incorrect search filter path
5. Typos exist
6. An incorrect server name was provided
LDAP authentication for CN=goprintldap,cn=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece ]
Wrong password provided by authenticated user
Incorrect passwords are represented by a 52e error:
LDAP authentication for CN=goprintldap,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
525 - user not found
52e - invalid credentials
Authenticated user and end-user accounts are found but an invalid password was entered
LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
The user account Fred is found, but an error 52e is returned, meaning invalid credentials were entered:
2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.LDAPConnector] LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece ]
End user account does not exist
LDAP Auth for CN=goprintldap,CN=Users,DC=goprint,DC=com
2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.AuthenticationManager] Authentication failed: null [Root exception is javax.naming.CommunicationException: goprint.com:389 [Root exception is java.net.SocketTimeoutException: connect timed
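Added example, not part of GoPrint: a Python classifier that runs over constructed RUN.log lines in the format shown above and separates search-account bind failures (sub-codes 525 and 52e) from end-user ones and from connection timeouts. It assumes the search user DN is CN=goprintldap,CN=Users,DC=goprint,DC=com, as in the excerpts, and the sample log lines are constructed.

```python
"""Added example (not GoPrint code): classify LDAP failures in RUN.log lines.

The log lines below are constructed in the format this guide shows; the
meanings of sub-codes 525 and 52e are the ones the guide lists. The search
user DN is assumed to be the one used in the guide's excerpts.
"""
import re
from typing import Optional

SEARCH_USER_DN = "CN=goprintldap,CN=Users,DC=goprint,DC=com"  # assumed search user

SUBCODE_MEANING = {
    "525": "user not found: check the search path, spelling, filter and server name",
    "52e": "invalid credentials: wrong password",
}

BIND_FAIL = re.compile(
    r"LDAP authentication for (?P<dn>\S+) failed: \[LDAP: error code (?P<code>\d+)"
    r".*?data (?P<sub>[0-9a-f]+),"
)
TIMEOUT = re.compile(r"CommunicationException: (?P<host>\S+) .*SocketTimeoutException")


def classify(line: str) -> Optional[dict]:
    """Describe the failure on one log line, or return None if the line is not a failure."""
    m = BIND_FAIL.search(line)
    if m:
        dn = m["dn"]
        # A failure on the search user means the connector profile itself is wrong;
        # a failure on any other DN is the end user's logon.
        who = "search account" if dn.lower() == SEARCH_USER_DN.lower() else "end user"
        return {"kind": "bind", "who": who, "dn": dn, "code": m["code"], "sub": m["sub"],
                "meaning": SUBCODE_MEANING.get(m["sub"], "sub-code not listed in this guide")}
    m = TIMEOUT.search(line)
    if m:
        return {"kind": "network", "host": m["host"],
                "meaning": "no answer from the server: check the server name, DNS and port"}
    return None


def summarize(log: str) -> list:
    """Run classify over every line of a log and keep only the failures, in order."""
    return [r for r in (classify(line) for line in log.splitlines()) if r]


# Constructed sample log: one successful search, a 525 on the search user,
# a 52e on end user fred, and a connection timeout.
SAMPLE_LOG = "\n".join([
    "2008-11-17 16:07:28,265 DEBUG [btpool1-4:ldap.LDAPConnector] "
    "LDAP Auth for CN=Steve,OU=IT STAFF,DC=goprint,DC=com",
    "2008-11-20 00:58:12,001 INFO [btpool1-3:ldap.LDAPConnector] "
    "LDAP authentication for CN=goprintldap,cn=Users,DC=goprint,DC=com failed: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 525, vece ]",
    "2008-11-20 01:00:43,609 INFO [btpool1-3:ldap.LDAPConnector] "
    "LDAP authentication for CN=fred,CN=Users,DC=goprint,DC=com failed: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: "
    "AcceptSecurityContext error, data 52e, vece ]",
    "2008-11-20 01:23:06,562 DEBUG [btpool1-3:authentication.AuthenticationManager] "
    "Authentication failed: null [Root exception is javax.naming.CommunicationException: "
    "goprint.com:389 [Root exception is java.net.SocketTimeoutException: connect timed out]]",
])

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r)
```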
Import Domain SSL Certificate for LDAP over SSL Authentication Using Java Keytool
C:\GS4\jre\bin>keytool -import -keystore C:\gs4\jre\lib\security\cacerts -alias
anyname -file c:\domaincert.cer
Enter keystore password:
Owner: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us
Issuer: CN=goprnsrv, OU=goprint, O=it, L=san ramon, ST=California, C=us
Serial number: 49b591b2
Valid from: Mon Mar 09 15:01:22 GMT-07:00 2009 until: Sat Dec 03 15:01:22 GMT-07:00 2011
Certificate fingerprints:
MD5: 93:03:47:C3:65:EA:C8:D2:D5:1C:E9:46:25:6C:CC:CE
SHA1: 60:B6:C8:81:98:D1:53:8B:20:55:12:B7:3E:89:FB:89:99:A0:51:C5
Signature algorithm name: SHA1withRSA
Version: 3
Trust this certificate? [no]: y
Certificate was added to keystore
Import Using SSL Certificates Tool
1. System - SSL Certificates
2. Select Authorities
3. Enter a hostname and port
4. Enter Server’s Hostname or IP address and Port 636 and select Snag Certificate
5. Confirm import
6. Restart the GS-4 Services
7. Enable SSL over LDAP
8. Save
Common error
Check with your system administrator to ensure SSL is enabled for the domain
Additional Resources
Global catalog search base
For an LDAP search, you must supply a valid search base. For a global catalog search, the
search base can be any value, including the value NULL ( ). A search base of NULL
effectively scopes the search on the search computer to the global catalog. If you use a
NULL search base with a scope of one level or subtree and specify port 389 (the default
LDAP port), the search fails. Therefore, if you submit a NULL search to the global catalog
port and then change the port to the LDAP port, you must change the search base for the
search to succeed.
Characteristics of a global catalog search
The following additional characteristics differentiate a global catalog search from a standard LDAP search:
- A global catalog search crosses directory partition boundaries. The extent of an LDAP search is the directory partition.
- A global catalog search does not return subordinate referrals. If you use port 3268 to request an attribute that is not in the global catalog, you do not receive a referral to it. Subordinate referrals are an LDAP response. When you query a server over port 3268, you receive global catalog responses, which are based solely on the contents of the global catalog. If you query the same server over port 389, you receive referrals for objects that are in the forest but whose attributes are not referenced in the global catalog.
Anonymous queries
By default, anonymous LDAP operations to Active Directory, other than rootDSE searches
and binds, are not permitted in Windows Server 2003. (Active Directory in
Windows 2000 Server accepts anonymous requests; a successful result depends on
objects having correct user permissions in Active Directory.)
To enable anonymous binding to Active Directory in Windows Server 2003, you must
change the seventh character of the dsHeuristics attribute on the following directory
object:
CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,Root domain in
forest
Valid values for the dsHeuristics attribute are 0 and 2. By default, the dsHeuristics attribute does not exist, but its internal default is 0. If you set the seventh character to 2,
anonymous clients can perform any operation that is permitted by the access control list
(ACL). If the attribute is already set, do not modify any bits in the dsHeuristics string
other than the seventh bit. If the value is not set, make sure that you provide the leading
zeros up to the seventh bit. You can use Adsiedit.msc to make the change to the
dsHeuristics attribute.
After you set the dsHeuristics attribute, if you want anonymous users to be able to
query Active Directory, you can enable anonymous access to specific directory objects.
Users gain anonymous access to Active Directory objects through Anonymous Logon,
which is a special security identifier (SID) that is used to represent anonymous network
callers that perform an LDAP bind with NULL credentials.