I spoke too soon.  Because a user who should have rights was able to log in and use services (copy, scan to email, etc.) I assumed that it was working.  What I didn't realize was that the firmware update seems to have made those services available to everyone.  A user who is distinctly NOT in any of the Access Group listings under LDAP Server -> Authorization Access -> Service Access or Server Roles was able to do whatever he pleased.

As far as I can tell, all the settings are configured to restrict authorization to members of specific AD security groups.  I am feeling very confused about how the LDAP settings mesh with the Security -> Authentication settings though.  What I'm trying to do is configure this unit once and be able to manage access centrally in Active Directory using the same standard tools I manage access to other network resources.  I do not want to have to go to this unit or log into it's web interface (or use Xerox-supplied server tool) every time there is a change in personnell.  This Xerox multifunction unit is the first we have seen from many manufacturers that appears to have this ability.  Is this possible (and why does it seem so tedious and convoluted)?

Thanks.

ok, thats good to know, i also had that version installed on my site

I was allowed to download a newer firmware (061.121.221.29800) than what is publicly available by opening a support ticket, and that alone has solved the authorization problem. 

Thanks.

when i authenticate with xerox secure access softwareit just works for with the common name of the security group

i sometimes create an ldap group "color", on the machine authrorization access/roles i fill in "color" , and only members of that group are able to use color after loggin in

no issued here

Thanks for the suggestion even though it doesn't seem to be the answer. 

I was using CN which, in our case, has the same value as SAMAccountName, but nonetheless, how can it check for access if no LDAP login credentials have been supplied?

I changed the UserMapping to use SAMAccountName, but it made no difference. With the User Name Test, I get "Access Denied", and when logging into the web interface as myself (part of the admin LDAP group which is itself saved in the System Administrator Access field of Authorization Access/User Roles), I get:

Only users with admin privileges can modify settings.

I haven't tried logging into the panel yet because the machine is all the way accross campus, but I don't have high hopes. 

Can you (someone) at least tell me if I need just the CN (= SAMAccountName) of the groups, or do I need the full DN, or do either work?  That at least would eliminate one possible source of problem.

Thanks

i think you need to change the defaukt setting for user login to =SamAccount... under user mappings, then it validates the user name against it