Home » Lexmark Manuals » Multifunction Devices » Lexmark MX6500e 6500e » Manual Viewer

Lexmark MX6500e 6500e Common Criteria Installation Supplement and Administrato - Page 27

Configuring LDAP+GSSAPI

View all Lexmark MX6500e 6500e manuals

Add to My Manuals
Save this manual to your list of manuals

Page 27 highlights

27 5 Click Settings > Security > Security Setup > Internal Accounts. 6 Click Add an Internal Account, and then provide the information needed for each account: • Account Name-Type the user's account name (example: "Jack Smith"). • User ID-Type an ID for the account (example: "jsmith"). • Password-Passwords must: - Contain a minimum of 8 characters. - Contain at least one lowercase letter, one uppercase letter, and one non‑alphabetic character. - Not be dictionary words or a variation of the user ID. • Re‑enter password-Retype the password. • E‑mail-Type the user's e-mail address (example: "[email protected]"). • Groups-Select the group or groups to which the account should belong. Hold down the Ctrl key to select multiple groups for the account. 7 Click Submit. Configuring LDAP+GSSAPI On networks running Active Directory, you can use LDAP+GSSAPI to take advantage of authentication and authorization services already deployed on the network. User credentials and group designations can be pulled from your existing system, making access to the MFP as seamless as other network services. Supported devices can store a maximum of five LDAP+GSSAPI configurations. Each configuration must have a unique name. Note: You must configure Kerberos before setting up LDAP+GSSAPI. For information about configuring Kerberos, see "Kerberos" on page 19. Using the EWS 1 From the Embedded Web Server, click Settings > Security > Security Setup. Note: For information about accessing the EWS, see "Using the Embedded Web Server" on page 15. 2 Under Advanced Security Setup, Step 1, click LDAP+GSSAPI. 3 Click Add an LDAP+GSSAPI Setup. 4 Configure the following LDAP+GSSAPI Server Setup settings: General Information • Setup Name-Type a name that will be used to identify this particular LDAP+GSSAPI Server Setup when creating security templates. • Server Address-Type the IP address or the host name of the LDAP server where authentication will be performed. Note: For LDAP+GSSAPI, the LDAP server can be the domain controller or a separate server. • Server Port-Type the port number used to communicate with the LDAP server. The default LDAP port is 389. • Use SSL/TLS-Select None, SSL/TLS (Secure Sockets Layer/Transport Layer Security), or TLS. • Userid Attribute-Type sAMAccountName (default), uid, userid, user‑defined, or cn (common name).

Section	Page
Installation Supplement and Administrator Guide	1
Contents	3
Overview and first steps	5
Overview	5
Using this guide	5
Supported devices	5
Operating environment	6
Before configuring the device (required)	6
Verifying physical interfaces and installed firmware	6
Attaching a lock	7
Encrypting the hard disk	7
Disabling the USB buffer	8
Installing the minimum configuration	9
Configuring the device	9
Configuration checklist	9
Configuring disk wiping	9
Enabling the backup password (optional)	9
Creating user accounts	10
Creating security templates	11
Controlling access to device functions	12
Disabling home screen icons	14
Administering the device	15
Using the Embedded Web Server	15
Settings for network-connected devices	15
Creating and modifying digital certificates	15
Setting up IPSec	17
Disabling the AppleTalk protocol	18
Shutting down port access	18
Other settings and functions	19
Network Time Protocol	19
Kerberos	19
Security audit logging	20
E-mail	22
Fax	24
Configuring security reset jumper behavior	25
User access	25
Creating user accounts through the EWS	25
Configuring LDAP+GSSAPI	27
Configuring Common Access Card access	30
Creating security templates using the EWS	32
Controlling access to device functions	33
Configuring PKI Held Jobs	33
Controlling access to device functions using the EWS	34
Troubleshooting	37
Login issues	37
“Unsupported USB Device” error message	37
Make sure a supported Smart Card reader is attached	37
The printer home screen fails to return to a locked state when not in use	37
Make sure the authentication token is installed and running	37
Make sure PKI Authentication is installed and running	37
Login screen does not appear when a Smart Card is inserted	37
Make sure the Smart Card is recognized by the reader	37
“The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” err ...	38
Verify the date and time on the printer	38
“Kerberos configuration file has not been uploaded” error message	38
Make sure the Kerberos file has been uploaded	38
Users are unable to authenticate	38
Make sure the Realm specified in the Kerberos settings is in uppercase	38
“The Domain Controller Issuing Certificate has not been installed” error message	39
Make sure that the correct certificate has been installed on the printer	39
“The KDC did not respond within the required time” error message	39
Make sure the IP address or host name of the KDC is correct	39
Make sure the KDC is available	39
Make sure Port 88 is not blocked by a firewall	39
“User's Realm was not found in the Kerberos Configuration file” error message	39
Make sure the Windows Domain is specified in the Kerberos settings	39
“Realm on the card was not found in the Kerberos Configuration File” error message	40
Upload a Kerberos configuration file and make sure the realm has been added to the file	40
“Client [NAME] unknown” error message	40
Verify that the Domain Controller information is correct	40
Login does not respond at “Getting User Info”	40
User is logged out almost immediately after logging in	40
Increase the Panel Login Timeout interval	40
LDAP issues	41
LDAP lookups take a long time and then fail	41
Make sure Port 389 (non-SSL) and Port 636 (SSL) are not blocked by a firewall	41
Make sure the LDAP search base is not too broad in scope	41
LDAP lookups fail almost immediately	41
Verify that the Address Book Setup contains the host name for the LDAP server	41
Verify or adjust Address Book Setup settings	41
Narrow the LDAP search base	41
Verify that the LDAP attributes being searched for are correct	41
Held Jobs/Print Release Lite issues	42
“You are not authorized to use this feature” Held Jobs error message	42
Add the user to the appropriate Active Directory group	42
“Unable to determine Windows User ID” error message	42
Make sure PKI Authentication is setting the user ID for the session	42
“There are no jobs available for [USER]” error message	42
Make sure PKI Authentication is setting the correct user ID	42
Make sure the jobs were sent to the correct printer and were printed	42
Jobs are printing out immediately	43
Make sure PKI Held Jobs is installed and running	43
Make sure all jobs are required to be held	43
Appendix A: Using the touch screen	44
Appendix B: Acronyms	46
Appendix C: Description of access controls	47
Access controls	47
Appendix D: Using Common Access Cards	50
Using a Common Access Card to access the printer	50
Notices	51
LEXMARK SOFTWARE LICENSE AGREEMENT	51

Match case Limit results 1 per page

Click

Settings

Security

Security Setup

Internal Accounts

Click

Add an Internal Account

, and then provide the information needed for each account:

•

Account Name

—Type the user's account name (example: “Jack Smith”).

•

User ID

—Type an ID for the account (example: “jsmith”).

•

Password

—Passwords must:

–

Contain a minimum of 8 characters.

–

Contain at least one lowercase letter, one uppercase letter, and one non

‑

alphabetic character.

–

Not be dictionary words or a variation of the user ID.

•

‑

enter password

—Retype the password.

•

‑

mail

—Type the user's e-mail address (example: “[email protected]”).

•

Groups

—Select the group or groups to which the account should belong. Hold down the

Ctrl

key to select

multiple groups for the account.

Click

Submit

Configuring LDAP+GSSAPI

On networks running Active Directory, you can use LDAP+GSSAPI to take advantage of authentication and authorization

services already deployed on the network. User credentials and group designations can be pulled from your existing

system, making access to the MFP as seamless as other network services.

Supported devices can store a maximum of five LDAP+GSSAPI configurations. Each configuration must have a unique

name.

Note:

You must configure Kerberos before setting up LDAP+GSSAPI. For information about configuring Kerberos, see

“Kerberos” on page 19.

Using the EWS

From the Embedded Web Server, click

Settings

Security

Security Setup

Note:

For information about accessing the EWS, see “Using the Embedded Web Server” on page 15.

Under Advanced Security Setup, Step 1, click

LDAP+GSSAPI

Click

Add an LDAP+GSSAPI Setup

Configure the following LDAP+GSSAPI Server Setup settings:

General Information

•

Setup Name

—Type a name that will be used to identify this particular LDAP+GSSAPI Server Setup when creating

security templates.

•

Server Address

—Type the IP address or the host name of the LDAP server where authentication will be

performed.

Note:

For LDAP+GSSAPI, the LDAP server can be the domain controller or a separate server.

•

Server Port

—Type the port number used to communicate with the LDAP server. The default LDAP port is 389.

•

Use SSL/TLS

—Select

None

SSL/TLS

(Secure Sockets Layer/Transport Layer Security), or

TLS

•

Userid Attribute

—Type

sAMAccountName

(default),

uid

userid

user

‑

defined

, or

(common

name).