Hitachi

JP1 Version 12 JP1/Data Highway - Server Administrator Guide


3.5.6 Authentication Systems

This subsection describes how to configure an authentication system.

(1) Creating an authentication system

To create an authentication system:

  1. In the sidebar area, click Authentication Systems.

    The Authentication Systems window appears in the content area.

  2. Click the New System button.

    The New Authentication system window appears.

    [Figure]

  3. Configure the settings in the Basic tab.

    If the Server Type drop-down list box is set to LDAP v3:

    [Figure]

    If the Server Type drop-down list box is set to Active Directory:

    [Figure]

    The following table describes the items you specify.

    Table 3‒34: Setting items in the Basic tab

    (Columns: Item, Description)

    System Name (Japanese/Chinese)

    Enter any name by which you can identify the authentication system.

    The value you enter here is displayed in windows that use Japanese and Chinese.

    • You can enter no more than 256 characters.

    • Some symbols (/\?*:|"<>@^) are not available.

    • A name consisting of only spaces or periods (.) is not available.

    System Name (English)

    Enter any name by which you can identify the authentication system.

    The value you enter here is displayed in windows that use English.

    • You can enter no more than 256 alphanumeric characters and symbols.

    • Some symbols (/\?*:|"<>@^) are not available.

    • A name consisting of only spaces or periods (.) is not available.

    Server Type

    Select the type of the directory server you use.

    • LDAP v3 (general-purpose): LDAPv3-compatible directory server other than Active Directory

    • Active Directory: Active Directory server

    The default value is LDAP v3 (general-purpose).

    When the server type is changed, the settings are initialized except for the values in System Name (Japanese/Chinese), System Name (English), and Server Type.

    Before the type is changed, a dialog box appears asking you to confirm that you want to change the setting. Clicking the OK button makes the server-type change take effect.

    Base DN (see the note below)

    Specify the DN that serves as the starting point for a user search in the DIT of the directory server. In general, this is the root DN, but if you want to narrow the search to part of the directory tree, you can specify the DN of that subtree as the starting point.

    If Server Type is set to Active Directory, a DN that represents a domain on the directory server cannot be specified. In this case, specify a DN containing OU or CN.

    Domain Name

    Specify the domain name for Active Directory, separated by dots, if Server Type is set to Active Directory.

    User ID Attribute

    Specify the attribute that stores the user ID in the user entry of the DIT.

    If Server Type is set to LDAP v3 (general-purpose), the default value is uid. You can change this value, depending on your system design.

    If Server Type is set to Active Directory, the User ID Attribute text box must have the value of sAMAccountName.

    User Search Filter

    Specify user search criteria in the DIT of the directory server.

    If Server Type is set to LDAP v3 (general-purpose), the User Search Filter text box must have the value of (objectclass=*).

    If Server Type is set to Active Directory, the User Search Filter text box must have the value of (objectclass=user).

    Note on Base DN

    - If the following LDAP special characters are used, they must be escaped:

    Comma (,), plus sign (+), equal sign (=), double quotation mark ("), backslash (\), less-than sign (<), greater-than sign (>), semicolon (;), hash mark (#) (only if it precedes the DN string), and forward slash (/)

    - In Active Directory, the symbol must be preceded by \\.

    For example, a # character must be escaped as \\#. However, a \ character must be escaped as \\\\, and a / character as \/.

    - In OpenLDAP, the symbol must be preceded by \.

    For example, a # character must be escaped as \#, and a \ character as \\.

    Values in the User ID Attribute and User Search Filter text boxes form a search filter expression, which can be used to identify a user. By default, the following filter expression is used to search the directory server for a user:

    • If Server Type is set to LDAP v3: (&(uid=%s)(objectclass=*))

    • If Server Type is set to Active Directory: (&(sAMAccountName=%s)(objectclass=user))

      Important

      The variable %s stands for the part of the user ID specified at system login that is to the left of the @. If the filter expression above matches more than one user entry, those users are not allowed to log in, even when they have the same login credentials (such as a password).

      The User ID Attribute text box must have an attribute that can uniquely identify a user entry.

  4. Configure the settings in the Directory Servers & Auth Methods tab.

    [Figure]

    Table 3‒35: Setting items in the Directory Servers & Auth Methods tab

    (Columns: Category, Item, Description)

    Category: Directory Servers Configuration

    Protocol

    Select either of the following:

    • ldap: Select to use the non-encrypted LDAP protocol to communicate with the directory server. We recommend that you select this option only in a LAN environment because traffic is not encrypted.

    • ldaps: Select to use SSL to encrypt communication with the directory server. The directory server must support the LDAPS protocol.

    The default value is ldap.

    Host name

    Specify the host name of the directory server.

    Port number

    Specify the port number that the system uses to communicate with the directory server. If omitted, it is set to the default port number. The default port number for each option is as follows:

    • ldap: 389

    • ldaps: 636

    Add button

    Clicking this button generates one directory server URL based on the information you entered, and adds the URL to the directory server list. However, if the list already has an entry, the URL is not added. The list can have only one directory server in it.

    Category: Authentication

    Finder DN/User ID

    Specify the DN or user ID of the user that is used to search the DIT of the directory server.

    This user must have permission to search the DIT. If the Server Type drop-down list box in the Basic tab is set to LDAP v3 (general-purpose), the DN of the user that is used for searching must be specified. If it is set to Active Directory, the user ID (sAMAccountName) must be specified. In Active Directory, the string Administrator is usually specified.

    If the user who searches the DIT of the directory server does not have the correct permission, the directory server authentication does not work properly, possibly causing unexpected behavior.

    Password

    Specify the password of the user you entered in the Finder DN/User ID text box.

    Confirmation

    Enter the password again to confirm it.

  5. Click the Connection confirmation button to make sure that the system can connect to the configured directory server.

  6. Click the Create button. The authentication system is created and appears in the Authentication Systems window.
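The following Python script is an added illustration, not part of the JP1/Data Highway manual or product. It models how the values from Table 3-34 and Table 3-35 combine: the Protocol/Host name/Port number fields become the single directory server URL, and User ID Attribute plus User Search Filter become the search filter (&(attr=%s)(filter)) with %s taken from the left part of the login user ID. It also shows why the manual requires the User ID Attribute to identify a user entry uniquely: the lookup returns a DN only when exactly one entry matches. The sample directory entries, host names and DNs are constructed for the example; the %s value is escaped as in RFC 4515 (an assumption about good practice, not a statement about what the product does) so that login input cannot alter the filter structure.

```python
import re

# Defaults taken from Table 3-34 and Table 3-35 of the manual.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
DEFAULT_FILTERS = {
    "LDAP v3": ("uid", "(objectclass=*)"),
    "Active Directory": ("sAMAccountName", "(objectclass=user)"),
}


def directory_url(protocol, host, port=None):
    """Build the single directory server URL that the Add button generates."""
    if protocol not in DEFAULT_PORTS:
        raise ValueError("protocol must be ldap or ldaps")
    return f"{protocol}://{host}:{port or DEFAULT_PORTS[protocol]}"


def escape_filter_value(value):
    """RFC 4515 escaping of the value substituted for %s (assumed practice, not
    documented product behaviour): login input can then never change the
    structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def login_name(user_id):
    """%s is the part of the login user ID to the left of the @."""
    return user_id.split("@", 1)[0]


def user_search_filter(server_type, user_id, id_attr=None, search_filter=None):
    """Combine User ID Attribute and User Search Filter as the manual describes."""
    default_attr, default_filter = DEFAULT_FILTERS[server_type]
    attr = id_attr or default_attr
    extra = search_filter or default_filter
    return f"(&({attr}={escape_filter_value(login_name(user_id))}){extra})"


def _unescape(raw):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def parse_filter(text):
    """Parse only the filter shapes used here: (attr=value) and (&(..)(..)...)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] == "&":
            pos += 1
            parts = []
            while pos < len(text) and text[pos] != ")":
                parts.append(node())
            pos += 1
            return ("and", parts)
        end = text.index(")", pos)
        attr, raw = text[pos:end].split("=", 1)
        pos = end + 1
        return ("eq", attr.lower(), raw)

    result = node()
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return result


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute names lower case)."""
    if node[0] == "and":
        return all(matches(n, entry) for n in node[1])
    _, attr, raw = node
    values = entry.get(attr, [])
    if raw == "*":                     # presence test, e.g. (objectclass=*)
        return bool(values)
    wanted = _unescape(raw).lower()    # an escaped \2a is a literal '*', not a wildcard
    return any(v.lower() == wanted for v in values)


def lookup_bind_dn(entries, server_type, user_id, id_attr=None, search_filter=None):
    """Return the DN to authenticate against, or None when the filter does not
    identify exactly one entry (0 = unknown user, 2+ = ambiguous; the manual
    states that users with ambiguous entries are refused login)."""
    node = parse_filter(user_search_filter(server_type, user_id, id_attr, search_filter))
    found = [e["dn"] for e in entries if matches(node, e)]
    return found[0] if len(found) == 1 else None


# Constructed sample directory; the duplicate uid "bob" below the Base DN shows
# why the User ID Attribute must be unique.
SAMPLE_DIRECTORY = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com",
     "uid": ["alice"], "objectclass": ["inetOrgPerson"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=com",
     "uid": ["bob"], "objectclass": ["inetOrgPerson"]},
    {"dn": "uid=bob,ou=contractors,dc=example,dc=com",
     "uid": ["bob"], "objectclass": ["inetOrgPerson"]},
    {"dn": "CN=carol,OU=Users,DC=corp,DC=example,DC=com",
     "samaccountname": ["carol"], "objectclass": ["top", "person", "user"]},
]

if __name__ == "__main__":
    print(directory_url("ldaps", "ds.example.com"))
    for uid in ("alice@example", "bob@example", "*@example"):
        print(uid, "->", lookup_bind_dn(SAMPLE_DIRECTORY, "LDAP v3", uid))
    print("carol@corp ->", lookup_bind_dn(SAMPLE_DIRECTORY, "Active Directory", "carol@corp"))
```

Running the script shows alice resolving to one DN, bob being refused because two entries share the uid, and a login name of * being refused because the escaped value is compared literally rather than acting as a presence wildcard. When the Connection confirmation button succeeds but users still cannot log in, checking whether the search filter returns zero or several entries for that user ID is the first thing to verify.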

(2) Editing an authentication system

To edit an authentication system:

  1. In the sidebar area, click Authentication Systems.

    The Authentication Systems window appears in the content area.

  2. Click the menu icon ([Figure]) of the authentication system you want to edit, and then select Edit.

    The Edit Authentication system window appears.

  3. Change the settings. For details about each item, see 3.5.6(1) Creating an authentication system.

  4. Click the Connection confirmation button to make sure that the system can connect to the directory server, with the changed settings.

  5. Click the Update button.

    The authentication system settings are updated, and a dialog box appears indicating that the updated authentication system has been registered.

    [Figure]

  6. Click the OK button.

    The Authentication Systems window appears.

(3) Deleting an authentication system

To delete an authentication system:

  1. In the sidebar area, click Authentication Systems.

    The Authentication Systems window appears in the content area.

  2. Click the menu icon ([Figure]) of the authentication system you want to delete, and then select Delete.

    A dialog box appears asking you to confirm that you want to delete the authentication system.

  3. Click the OK button.

    The authentication system is deleted, and the Authentication Systems window appears.

    Important

    An authentication system used in an authentication policy cannot be deleted.