2.1.4 User authentication by linking with a directory server
User authentication functionality manages JP1 authentication information (JP1 user authentication information and JP1 operating permission) or JP1 authentication information's JP1 user authentication information only through linking with a directory server. This function is called directory server linkage. An Active Directory server is used for the directory server.
When using directory server linkage, users' passwords are managed on the directory server. In other words, they are managed not based on the JP1/Base password policy definitions but based on the directory server's policy.
The directory server linkage function has two management methods. One is to manage JP1 authentication information on a directory server and the other is to manage JP1 authentication information's JP1 user authentication information only on a directory server. The following table shows the management servers for every management method including the one not to use the directory server linkage function.
|
User authentication method |
JP1 authentication information |
||
|---|---|---|---|
|
JP1 user authentication information |
JP1 operating permission |
||
|
User name |
Password |
||
|
Directory server linkage function unused |
Managed by an authentication server |
Managed by an authentication server |
Managed by an authentication server |
|
Directory server manages JP1 authentication information |
Managed by a directory server |
Managed by a directory server |
Managed by a directory server |
|
Directory server manages JP1 user authentication information only |
Managed by both an authentication server and a directory server |
Managed by a directory server |
Managed by an authentication server |
JP1 users can be classified into JP1 user types or JP1 user authentication information management types according to their method of user authentication. The following table shows user authentication methods and corresponding JP1 user types.
|
User authentication method |
JP1 user type |
|---|---|
|
Directory sever linkage unused (Authentication server performs user authentication) |
|
|
Directory server manages JP1 authentication information |
|
|
Directory server manages JP1 user authentication information only |
Define every user to be a standard user, DS user, or linkage user on an authentication server. Two JP1 user types can be assigned to a JP1 user at the same time for the combinations below. Account administrators shall assign a JP1 user type through recognizing where its account is defined.
-
Standard user and DS user#
-
Standard user and linkage user
#:
-
User authentication is performed as a standard user if the name of the user for user authentication exists under both standard user and DS user.
DS users can perform the following operation:
-
JP1 authentication information can be managed on a directory server.
JP1 authentication information (JP1 user authentication information and JP1 operating permission) is managed on a directory server. The account of the directory server (Active Directory) can be used as a JP1 user and can be managed together with JP1 operating permission.
-
JP1 operating permission can be set in a security group of the Active Directory.
On the Active Directory, user accounts can be grouped into units for easy management by using a security group. By setting JP1 operating permission to a security group, JP1 operating permission can be also given to accounts to belong to the security group. Thus, JP1 operating permission can be easily set. The security group to which JP1 operating permission is given is called a DS group.
A security group can be organized to belong to a higher ranking security group, and JP1 operating permission given to the higher ranking security group can be also given to the security group.
Figure 2‒5: JP1 operating permission setting to security groups ![[Figure]](GRAPHICS/ZU014100.GIF)
Linkage users can perform the following operation:
-
JP1 authentication information's JP1 user authentication information can only be managed by a directory server.
JP1 user authentication information is managed by a directory server. JP1 user name and JP1 operating permission are managed by an authentication server.
- Organization of this subsection
(1) Setting up linkage with a directory server
Directory server linkage is disabled by default. To link with a directory server, you will need to modify the default common definitions. For details on the settings, see 8.2 Setup for user authentication linking with the directory server (Windows only).
After modifying the common definitions, you can check the status of the connection to the directory server and the modified common definitions by using commands. If the directory server is temporarily disabled due to a failure, you can switch the target server by using commands.
(2) Example of user authentication by linking with a directory server
The following figure shows an example of user authentication where JP1 authentication information is managed by a directory server.
|
|
![[Figure]](GRAPHICS/ZU010501.GIF)
The following figure shows an example of user authentication where only JP1 user authentication information is managed by a directory server.
|
|
![[Figure]](GRAPHICS/ZU010500.GIF)
(3) Notes on user authentication by linking with a directory server
Sometimes user authentication takes a while from a JP1/Base authentication server because the following are also performed from the authentication server:
-
Communicating between the authentication server and a directory server
-
Authenticating users on a directory server
The LDAP protocol is used for communicating between an authentication server and a directory server.