Re: User authentication via OpenLDAP

RuiC-Xerox · ‎03-30-2011

Hi,

maybe a long shot but would you be able to configure the LDAP settings without a Directory Root and with a username/password (anonymous login).

If that does not work start to build from the username/password.

Rgds,

Please select Accept as Solution if you feel this post has helped you.

JMAlexandre · ‎03-29-2011

Hi gtallan,

I've been crazy looking for a possibility to bullk add XSA users (that for us represent client's id numbers) to our brand new ColorQube 9203 (we have 5 of them).

I've no skills of perl but could you please provide your script so that I can charge our machines XSA with more than 2 thousand users. Mannualy is dauting.

Would it be easy to adapt your script so that it could use a CSV file instead of MySQL?

Thanks in advance.

Best regards,

Joao M. Alexandre

NMCAndree · ‎01-26-2011

gtallan,

Thanks for your comments.

If it was using the userPassword, I thought I would have seen that in query sent to the ldap server when the machine is looking up authentication information - but maybe it just expects it in the response which seems strange. There are always ways that we can have the ldap server rewrite both incoming and outgoing queries specifically from the Xerox machine - maybe that'll be the next try. What I can't figure out is what field the password would be in... I will have to test some more.

Uploading user databases is always an option, but I would really prefer not to if at all possible. It seems as if LDAP authentication should be straightforward, but perhaps not. I guess the other way to go might be to add custom principals to the kerberos database for all printer users, and have the machine authenticate against kerberos.

I find it interesting that few seems to have tried ldap authentication. I'll keep trying. If anyone else have ideas, feel free to pitch in.

gtallan · ‎01-25-2011

I think the Xerox machine tries to bind to your ldap server with the supplied credentials, so by default it will be using the userPassword attribute in the ldap server. I'm not sure if there's any way you could change this.

The trouble with XSA is that there's no automated way to handle bulk accounts in the copier interface, just a web gui to enter/update one user at a time. Which is too painful if you have a lot of users and/or a lot of churn.

I wrote a little perl program to keep the XSA userlist in our copiers up to date (using mysql as a data source but could equally use LDAP). It was pretty easy to use the WWW:Mechanize module to automatically add a list of users. It also downloads the XSA accounting records and puts them back into mysql for us. I only hacked it together a few days ago so it's pretty rough (eg only adds new users, doesn't remove ones who are gone). Anyway, it only took about a half day so far, and about 80 lines of code... maybe worth considering something like this as an alternative.

Fabio · ‎11-20-2010

i think you can set it up with the software called "xerox secure access"

but remember , with the XSA accounting you can create reports ... but when you switch to ldap accounting ( with or without xerox secure acces) you cant track reports anymore

or you have to upgrade to equitrac...

NMCAndree · ‎11-19-2010

Hi,

We have a fairly extensive OpenLDAP setup that we are not willing to move away from. However, I would really like to get my Xerox 7120 users authenticated through LDAP so that I don't have to manage useraccounts locally on the machine. I've gotten all the connectivity up, so the machine can get address books etc from the LDAP server, but I'm having issues with authentication.

I've gotten to the point where the machine can query the server for the user identity entered on the login form, i.e., it sends the queries to the LDAP server correctly. However, what I don't understand is how it wants to check a password. While we are doing regular user authentication with a kerberos server and complex passwords. I would like the xerox users to be able to just use a simple pin, without the need of going through the kerberos server first.

I can easily manage a custom PIN attribute on the LDAP server, and I can remap responses from the server to different attributes if possible, but... I have not been able to find a good place where I can specify what the "PIN" attribute should be, etc... Here's an extract of the connection log that the OpenLDAP server sees when I'm trying to authenticate:

Nov 19 11:37:22 ldap slapd[8091]: conn=30 fd=16 ACCEPT from IP=x.x.x.x:1032 (IP=0.0.0.0:636)

Nov 19 11:37:22 ldap slapd[8091]: conn=30 fd=16 TLS established tls_ssf=256 ssf=256

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=0 BIND dn="cn=xerox7120,ou=Hosts,dc=organization,dc=org" method=128

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=0 BIND dn="cn=xerox7120,ou=Hosts,dc=organization,dc=org" mech=SIMPLE ssf=0

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=0 RESULT tag=97 err=0 text=

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=1 SRCH base="ou=People,dc=organization,dc=org" scope=2 deref=0 filter="(uid=andree)"

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=1 SRCH attr=uid mail homeDirectory displayName userCertificate;binary userAccountControl

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

Nov 19 11:37:22 ldap slapd[8091]: conn=30 op=2 UNBIND

Nov 19 11:37:22 ldap slapd[8091]: conn=30 fd=16 closed

This leads me to believe that:

1) Either the xerox machine wants a user certificate to authenticate without password, or

2) There will be a separate query after the first query has taken place and validity established

However, the machine doesn't send this initial query until *after* I have also entered the password on the main control panel on the machine.

Did anyone get something like this working in an OpenLDAP setting, or have some insights to share?

Thanks a bunch.

Andree