Lexmark X925 Common Criteria Installation Supplement and Administrator Guide - Page 28

•

Mail Attribute

—Type the mail attribute.

•

Full Name Attribute

—Type the full name attribute.

•

Search Base

—Specify the node in the LDAP server where user accounts reside. Multiple search bases can be

entered, separated by semicolons.

Note:

A search base consists of multiple attributes, such as cn (common name), ou (organizational unit), o

(organization), c (country), or dc (domain), separated by semicolons.

•

Search Timeout

—Specify a value from 5 to 30 seconds.

•

Required User Input

—Select either

User ID and Password

or

User ID

to specify which credentials a user must

provide when attempting to access a function protected by the LDAP building block.

Device Credentials (optional)

•

Use Active Directory Device Credentials

—Click to select or clear. When the printer authenticates to the LDAP

server, it can provide Active Directory device credentials in addition to supporting anonymous binding or the

specified credentials in the MFP's Kerberos Username and MFP's Password fields.

•

MFP's Kerberos Username

—Type the distinguished name of the print server or servers.

•

MFP's Password

—Type the Kerberos password for the print servers.

Search specific object classes (optional)

•

person

—Click to select or clear. This specifies that the “person” object class will also be searched.

•

Custom Object Class

—Click to select or clear. The administrator can define up to three custom search object

classes.

LDAP Group Names

Administrators can associate as many as 32 named groups stored on the LDAP server.

•

Group Search Base

—Type the name of the group search base.

•

For each LDAP+GSSAPI group you want to define, specify the “Short name for group” and the Group Identifier.

•

When creating security templates, you will select groups from this setup to control access to device functions.

5

Click

Submit

.

Using the touch screen

1

From the home screen, touch

>

Security

>

Edit Security Setups

>

Edit Building Blocks

>

LDAP+GSSAPI

.

2

Touch

Add Entry

.

3

Type a setup name, and then touch

Done

. This name will be used to identify this particular LDAP+GSSAPI Server

Setup when creating security templates.

4

For Server Address, type the IP address or host name of the LDAP server where authentication will be performed,

and then touch

Done

. The MFP returns to the General Information screen.

5

Touch

General Information

, and then adjust the following settings as needed:

•

Server Port

—Type the port number used to communicate with the LDAP server. The default LDAP port is 389.

•

Use SSL/TLS

—Select

None

,

SSL/TLS

(Secure Sockets Layer/Transport Layer Security), or

TLS

.

•

Userid Attribute

—Type

sAMAccountName

(default),

uid

,

userid

,

user

‑

defined

, or

cn

(common

name).

•

Mail Attribute

—Type the mail attribute.

28

Section	Page
Installation Supplement and Administrator Guide	1
Contents	3
Overview and first steps	5
Overview	5
Using this guide	5
Supported devices	5
Operating environment	6
Before configuring the device (required)	6
Verifying physical interfaces and installed firmware	6
Attaching a lock	7
Encrypting the hard disk	7
Disabling the USB buffer	8
Installing the minimum configuration	9
Configuring the device	9
Configuration checklist	9
Configuring disk wiping	9
Enabling the backup password (optional)	9
Creating user accounts	10
Creating security templates	11
Controlling access to device functions	12
Disabling home screen icons	14
Administering the device	15
Using the Embedded Web Server	15
Settings for network-connected devices	15
Creating and modifying digital certificates	15
Setting up IPSec	17
Disabling the AppleTalk protocol	18
Shutting down port access	18
Other settings and functions	19
Network Time Protocol	19
Kerberos	19
Security audit logging	20
E-mail	22
Fax	24
Configuring security reset jumper behavior	25
User access	25
Creating user accounts through the EWS	25
Configuring LDAP+GSSAPI	27
Configuring Common Access Card access	30
Creating security templates using the EWS	32
Controlling access to device functions	33
Configuring PKI Held Jobs	33
Controlling access to device functions using the EWS	34
Troubleshooting	37
Login issues	37
“Unsupported USB Device” error message	37
Make sure a supported Smart Card reader is attached	37
The printer home screen fails to return to a locked state when not in use	37
Make sure the authentication token is installed and running	37
Make sure PKI Authentication is installed and running	37
Login screen does not appear when a Smart Card is inserted	37
Make sure the Smart Card is recognized by the reader	37
“The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” err ...	38
Verify the date and time on the printer	38
“Kerberos configuration file has not been uploaded” error message	38
Make sure the Kerberos file has been uploaded	38
Users are unable to authenticate	38
Make sure the Realm specified in the Kerberos settings is in uppercase	38
“The Domain Controller Issuing Certificate has not been installed” error message	39
Make sure that the correct certificate has been installed on the printer	39
“The KDC did not respond within the required time” error message	39
Make sure the IP address or host name of the KDC is correct	39
Make sure the KDC is available	39
Make sure Port 88 is not blocked by a firewall	39
“User's Realm was not found in the Kerberos Configuration file” error message	39
Make sure the Windows Domain is specified in the Kerberos settings	39
“Realm on the card was not found in the Kerberos Configuration File” error message	40
Upload a Kerberos configuration file and make sure the realm has been added to the file	40
“Client [NAME] unknown” error message	40
Verify that the Domain Controller information is correct	40
Login does not respond at “Getting User Info”	40
User is logged out almost immediately after logging in	40
Increase the Panel Login Timeout interval	40
LDAP issues	41
LDAP lookups take a long time and then fail	41
Make sure Port 389 (non-SSL) and Port 636 (SSL) are not blocked by a firewall	41
Make sure the LDAP search base is not too broad in scope	41
LDAP lookups fail almost immediately	41
Verify that the Address Book Setup contains the host name for the LDAP server	41
Verify or adjust Address Book Setup settings	41
Narrow the LDAP search base	41
Verify that the LDAP attributes being searched for are correct	41
Held Jobs/Print Release Lite issues	42
“You are not authorized to use this feature” Held Jobs error message	42
Add the user to the appropriate Active Directory group	42
“Unable to determine Windows User ID” error message	42
Make sure PKI Authentication is setting the user ID for the session	42
“There are no jobs available for [USER]” error message	42
Make sure PKI Authentication is setting the correct user ID	42
Make sure the jobs were sent to the correct printer and were printed	42
Jobs are printing out immediately	43
Make sure PKI Held Jobs is installed and running	43
Make sure all jobs are required to be held	43
Appendix A: Using the touch screen	44
Appendix B: Acronyms	46
Appendix C: Description of access controls	47
Access controls	47
Appendix D: Using Common Access Cards	50
Using a Common Access Card to access the printer	50
Notices	51
LEXMARK SOFTWARE LICENSE AGREEMENT	51

Lexmark X925 Common Criteria Installation Supplement and Administrator Guide - Page 28

Use Active Directory Device Credentials

Page 28 highlights