I've successfully configured a WC 7556 to authenticate users to the AD domain, but none of the rights that I am trying to grant to security groups are working.
In the LDAP Server -> Authorization Access fields (User Roles, Device Access, Service Access, Feature Access) I have tried the CN as well as the full DN of the appropriate security groups. It doesn't seem to matter, because users can log in, but they have no permissions to do anything.
I'm also confused about testing it because while under LDAP Server -> User Mappings, I have the option to enter LDAP credentials to return a sample set of user properties, there is no equivalent login credential option under any of the sections in Authorization Access. Thus, anytime I try to use the "User Name Test", it fails, but I don't know if that is because it doesn't have credentials to log into LDAP, or something else (the user is certainly part of the group).
Any help or suggestions would be truly appreciated.
I think you need to change the default setting for user login to =SamAccount... under user mappings, then it validates the user name against it.
Thanks for the suggestion even though it doesn't seem to be the answer.
I was using CN which, in our case, has the same value as SAMAccountName, but nonetheless, how can it check for access if no LDAP login credentials have been supplied?
I changed the UserMapping to use SAMAccountName, but it made no difference. With the User Name Test, I get "Access Denied", and when logging into the web interface as myself (part of the admin LDAP group which is itself saved in the System Administrator Access field of Authorization Access/User Roles), I get:
Only users with admin privileges can modify settings.
I haven't tried logging into the panel yet because the machine is all the way across campus, but I don't have high hopes.
Can you (someone) at least tell me if I need just the CN (= SAMAccountName) of the groups, or do I need the full DN, or do either work? That at least would eliminate one possible source of problem.
Thanks
When I authenticate with Xerox Secure Access software, it just works with the common name of the security group.
I sometimes create an LDAP group "color"; on the machine, under Authorization Access/Roles, I fill in "color", and only members of that group are able to use color after logging in.
No issues here.
I was allowed to download a newer firmware (061.121.221.29800) than what is publicly available by opening a support ticket, and that alone has solved the authorization problem.
I spoke too soon. Because a user who should have rights was able to log in and use services (copy, scan to email, etc.) I assumed that it was working. What I didn't realize was that the firmware update seems to have made those services available to everyone. A user who is distinctly NOT in any of the Access Group listings under LDAP Server -> Authorization Access -> Service Access or Server Roles was able to do whatever he pleased.
As far as I can tell, all the settings are configured to restrict authorization to members of specific AD security groups. I am feeling very confused about how the LDAP settings mesh with the Security -> Authentication settings though. What I'm trying to do is configure this unit once and be able to manage access centrally in Active Directory using the same standard tools I manage access to other network resources. I do not want to have to go to this unit or log into its web interface (or use Xerox-supplied server tool) every time there is a change in personnel. This Xerox multifunction unit is the first we have seen from many manufacturers that appears to have this ability. Is this possible (and why does it seem so tedious and convoluted)?
Yes, it's all working, I set up those authorizations all the time... works perfectly for using system admin access/color...
Maybe you can call a Xerox analyst to help you out?