READ THIS BEFORE PROCEEDING
Before reviewing this documentation, Canon Business Solutions, Inc. (“CBS”) hereby refers you, the customer or customer’s representative or agent (“you”), to the terms and conditions of the “Drivers & Software” agreement (“License Agreement”) to which you agreed in order to download the associated SOFTWARE. The License Agreement governs your use of both the SOFTWARE and all related documentation, including this document.
You may not copy, duplicate, translate or convert this documentation, except as expressly provided in the License Agreement. Except as expressly permitted by applicable law, you may not alter or modify this documentation. Neither CBS nor its affiliates guarantee uninterrupted service, or the absence or correction of errors.
CBS AND ITS AFFILIATES DISCLAIM ALL IMPLIED WARRANTIES, INCLUDING ANY WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THE SOFTWARE OR ACCOMPANYING DOCUMENTATION. NEITHER CBS NOR ITS AFFILIATES ARE LIABLE FOR ANY LOSS OR DAMAGE INCLUDING CONSEQUENTIAL OR INCIDENTAL LOSS OR DAMAGE SUCH AS LOSS OF PROFITS, EXPENSE OR INCONVENIENCE, WHATSOEVER CAUSED BY OR ARISING OUT OF THE SOFTWARE, ACCOMPANYING DOCUMENTATION OR THE USE THEREOF. CBS AND ITS AFFILIATES SHALL HAVE NO OBLIGATION TO INDEMNIFY YOU IN CONNECTION WITH ANY CLAIM OR SUIT BY A THIRD PARTY ALLEGING THAT THE SOFTWARE, ACCOMPANYING DOCUMENTATION OR THE USE THEREOF INFRINGES ANY INTELLECTUAL PROPERTY OF SUCH THIRD PARTY. THE LICENSE AGREEMENT ESTABLISHES THE ENTIRE LIABILITY OF CBS AND ITS AFFILIATES AND YOUR EXCLUSIVE REMEDY IN CONNECTION WITH THE SOFTWARE AND ACCOMPANYING DOCUMENTATION.
LDAP (Lightweight Directory Access Protocol) is a software protocol for enabling anyone to locate organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet.
On the imageRUNNER, the LDAP protocol is used to connect to a server running LDAP and retrieve the contents of the address book resident on that server (ex. email addresses, fax numbers, etc.).
Topics included in this document are:
- Supported Server Environments
- Registering an LDAP Server
- Sample LDAP Settings
- How to Search Using an LDAP Server
- Printing the LDAP Settings
- Configure the LDAP address book as the default
- Deleting an LDAP Server
- Troubleshooting
Supported Server Environments
The following LDAP server environments are supported with the Canon devices:
- Windows 2008/Standard/Enterprise - Active Directory
- Windows 2000/2003 - Active Directory
- Novell NetWare Ver 5.1 or later
- Lotus Notes Domino R5 or later
Note: A maximum of 5 LDAP servers can be registered.
Registering an LDAP Server on an imageRUNNER
- On an imageRUNNER: Press Additional Functions> System Settings> Store LDAP Server (or Register LDAP Server)
- On an iR Advance: Press Settings/Registration> Set Destination> Register LDAP Server
When registering the LDAP server, many settings are required. These settings must be obtained from the LDAP Server Administrator; without the proper settings, communication will not be successful. (See Sample LDAP Settings below.)
The necessary settings are as follows:
1) Server Name - This can be any name (nickname) you want for the server (up to 24 alphanumeric characters).
2) Server Address - This can be either the IP Address or the Fully Qualified Domain Name (FQDN) of the LDAP Server (up to 48 alphanumeric characters). Note: if using an FQDN, DNS must be set up on the unit.
3) Location - This string must be obtained from the Administrator (up to 128 alphanumeric characters). Using the domain name in the correct syntax may work.
Location Syntax:
- If you are using Windows 2000/2003/2008 Server with Active Directory, use the syntax:
  Add 'DC=' to each dot-separated series of characters in the Active Directory domain name, and separate each series of characters by a comma.
  For example, if 'team1.salesdept.canon.co.jp' is the domain name in Active Directory, use: dc=team1,dc=salesdept,dc=canon,dc=co,dc=jp
- If you are using Novell NetWare 5.1 (NDS) or later, use the syntax:
  Add the corresponding object class 'o=', 'ou=', or 'c=' to each dot-separated series of characters that make up the distinguished name, and separate each series of characters by a comma.
  For example, if 'TEAM1.SALESDEPT.CANON' is the distinguished name in NDS, use: ou=team1,ou=salesdept,o=canon
- If you are using Lotus Notes Domino R5 or later, use the syntax:
  Enter the dn (Distinguished Name) of the node on the directory tree, such as 'ou=team1', 'ou=salesdept', 'o=canon', or 'c=jp'.
4) Use SSL - Select Yes if the server uses SSL (Secure Sockets Layer). SSL is a commonly used protocol for managing the security of a message transmission on the Internet.
5) Port Number - The default is 389, but this can easily be changed on the server side, so the correct port must be determined.
6) Login Information - Some servers will not require authentication, while others do. If login is needed, select the login type and add the User Name and Password.
Three options are given for Login Information when you register the LDAP server: Do Not Use, Use, and Use (Security Authorization). These refer to whether or not login information is required for an LDAP search, and if so, how secure that login will be.
- Do Not Use - There is no User Name and Password information, so the LDAP search is anonymous. Only the LDAP version number needs to be selected.
- Use - User Name and Password must be entered, and these must be equivalent to what is registered on the client side of the network. Server LDAP version and character code must also be entered in this setup screen. The option to Display Authentication Dialog allows the System Administrator to choose whether or not the User Name/Password screen will be displayed when the end user is searching for an address. The On mode displays the user name and password box even if a password is not required, while the Off mode hides the box when a password is not required. In this latter case, no login dialog box appears when the end user begins an LDAP search.
- Use (Secure Authorization) - This feature is similar to the Use option, with some security enhancements, but may only be used when the LDAP server is running Windows 2000. When this mode is set, a Domain Name may be entered, and the Date/Time settings of the device must match the time on the LDAP Server; otherwise the device will not be able to establish a connection with the server.
7) Server LDAP Version and Character Code - There are different versions of LDAP as well as Character Codes. You must obtain this information from the Administrator; connection will not be possible if the wrong Version and Character Code is set.
Character Codes:
- UTF-8: Unicode
- SJIS: Shift Japan Industrial Standard
- EUC: Extended Unix Code
- JIS: Japan Industrial Standard
- ISO: International Organization for Standardization
Sample LDAP Settings
Note: these settings may not work in your environment if different security requirements have been implemented.
Server Name: Identifier for Canon configuration (can be anything, doesn’t have to match network)
Server Address: IP address of the Windows 2000/2003/2008 domain controller (not the Exchange Server)
Location to Start Searching: cn=users,dc=stsd,dc=tsc,dc=net
Our domain name in this example is STSD.TSC.NET and I wanted to search the Users OU. Replace it with the customer's domain name and the OU they want to query. It should work in most cases without entering an OU (just using the domain name, ex. dc=stsd,dc=tsc,dc=net).
Use SSL: No
Port number: 389 (default) or the port # the customer is using for LDAP traffic
Max No. of addresses to search: 100 (Note: if there are thousands of entries to search through, you may need to increase this setting)
Search Timeout: 100 (Note: if there are thousands of entries to search through, you may need to increase this setting)
Login Information: Use
User: A valid username of an account that has permissions on the domain controller. I used the administrator account in the following format: [email protected] (Note: be sure to enter the username in the format user@domainname, ex. [email protected])
Password: Enter the password for the user account
Display authent. dialog when searching: Off
Server LDAP version and character code: VER. 3 - UTF-8
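The Location syntax rule for Active Directory and the Sample LDAP Settings above, as an added example that is not part of Canon's documentation: ad_base_dn() builds the Location string from a domain name, and review_ldap_settings() checks a registration written with this document's field names for the settings a security engineer would flag before the device goes into service. Port 636 for LDAPS, the placeholder domain controller address and the account names are assumptions, not values from the document.

```python
# Added example, not from Canon's documentation. ad_base_dn() applies the
# "DC=" Location rule for Active Directory; review_ldap_settings() checks a
# registration written with this document's field names for settings a security
# engineer would flag. Port 636 for LDAPS and the account names are assumptions.

def ad_base_dn(domain, container=""):
    """'team1.salesdept.canon.co.jp' -> 'dc=team1,dc=salesdept,dc=canon,dc=co,dc=jp'."""
    labels = [part for part in domain.strip().lower().split(".") if part]
    if not labels:
        raise ValueError("domain name must contain at least one label")
    base = ",".join("dc=" + label for label in labels)
    return container + "," + base if container else base

def review_ldap_settings(cfg):
    """Return the findings for one LDAP server registration (empty list = clean)."""
    findings = []
    login = cfg.get("login_information", "Do Not Use")
    if login != "Do Not Use" and not cfg.get("use_ssl", False):
        findings.append("Use SSL: No with stored credentials: the bind password "
                        "crosses the network in clear text on port %d" % cfg.get("port", 389))
    if cfg.get("use_ssl") and cfg.get("port") == 389:
        findings.append("Use SSL: Yes but Port 389: LDAPS conventionally listens on 636")
    if cfg.get("ldap_version", 3) < 3:
        findings.append("LDAP version 2 selected: use version 3 unless the server cannot")
    user = cfg.get("user", "").lower()
    if user == "administrator" or user.startswith("administrator@"):
        findings.append("bind account is the domain administrator: use a dedicated "
                        "read-only account, since its password is stored on the device")
    if login != "Do Not Use" and cfg.get("display_auth_dialog") is False:
        findings.append("dialog Off: every user searches with the stored account, "
                        "so that account must have read-only directory rights")
    return findings

# Constructed from this document's Sample LDAP Settings; the DC address is a placeholder.
SAMPLE_SETTINGS = {
    "server_address": "192.0.2.10",
    "location": ad_base_dn("stsd.tsc.net", "cn=users"),
    "use_ssl": False, "port": 389, "login_information": "Use",
    "user": "administrator@stsd.tsc.net",   # the sample's "user@domainname" format
    "display_auth_dialog": False, "ldap_version": 3, "character_code": "UTF-8",
}
# The same registration with the assumed hardening (hypothetical service account).
HARDENED_SETTINGS = dict(SAMPLE_SETTINGS, use_ssl=True, port=636,
                         user="svc-imagerunner@stsd.tsc.net", display_auth_dialog=True)

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, review_ldap_settings(cfg) or ["no findings"])
```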
How to Search Using a registered LDAP Server:
Once the LDAP Server settings have been configured properly, the instructions below will allow you to send a file using an address from an LDAP Server.
1) On the touchscreen, press Send (or Scan and Send on iR Advance)
2) Select the Address Book button
3) On the Address Book drop down menu, select the last setting labeled Search on Server
4) Start typing a Name, Email address or Fax number in the appropriate field
5) Select the Start Searching button
6) A list of addresses retrieved from the LDAP Server will display. Choose desired addresses, hit OK
Printing the LDAP Server settings on the copier
To print out the LDAP server settings on the copier:
- On an imageRUNNER: Press Additional Functions> System Settings> Register LDAP Server> Print List> Yes
- On an iR Advance: Press Settings/Registration> Set Destination> Register LDAP Server> Print List> Yes
Configure the LDAP address book as the default when using Universal Send
Follow these steps to set one of three address books as the default view on the iR ADVANCE:
1. Press the Settings/Registration button
2. Select Set Destination
3. Select Change Default Display of Address Book - from here you can set the default address book to LOCAL, LDAP or REMOTE
Deleting an LDAP server
- On an imageRUNNER: Press Additional Functions> System Settings> Register LDAP Server. Select the server to delete, press Erase, Yes, Done.
- On an iR Advance: Press Settings/Registration> Set Destination> Register LDAP Settings. Select the server to delete, press Erase, Yes, Done.
Troubleshooting
Firewalls
Verify that the network gateway(s) at your site (ex. routers) are not filtering traffic on the port you are trying to search with (ex. port 389).
Test with a public LDAP Server
When unable to query the LDAP server, it is recommended that you set up the imageRUNNER to connect to a known good public server. Listed below are three public servers that do not require authentication. Before configuring this, make sure that you can ping the IP Address with the PING utility in the TCP/IP setup of the imageRUNNER.
- University of Michigan Public LDAP Server
  IP Address: 141.211.93.133
  Use SSL: Off
  Port: 389
  Login Information: Do Not Use
  Type: Version 2 - UTF-8
- Columbia University LDAP Server
  Server Name: Columbia University
  Server Address: ldap.columbia.edu
  Location to Start Search: <blank>
  Use SSL: Off
  Port: 389
  Login Information: Do Not Use
  Type: Version 2 - UTF-8
- New York University LDAP Server
  Server Name: NYU
  Server Address: ldap.nyu.edu
  Location to Start Search: <blank>
  Use SSL: Off
  Port: 389
  Login Information: Do Not Use
  Type: Version 3 - UTF-8
If you can connect to the public servers but cannot connect to your LDAP server, this means that the imageRUNNER is functioning properly but is not configured properly for your LDAP server. Note: To use a Fully Qualified Domain Name (FQDN), like ldap.columbia.edu, you will need to configure the imageRUNNER with the IP address of a DNS Server that is capable of resolving the FQDN to the proper IP address.
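The firewall and public-server checks above, as an added example that is not Canon's code: a minimal LDAPv3 anonymous bind probe run from an administrator's workstation, which separates a blocked port or failed name resolution from a wrong device setting before the registration is changed. The host name passed to probe() is a placeholder; the BER encoder assumes the short-form lengths that an anonymous bind needs.

```python
# Added example, not from Canon's documentation: an LDAPv3 anonymous bind probe that
# does from a workstation what the "Test with a public LDAP Server" step does from the
# device. Only short-form BER lengths (< 128 bytes) are implemented, which is all an
# anonymous bind needs; the host in main is a placeholder.
import socket

def ber(tag, payload):
    """One tag-length-value element with a short-form (single byte) length."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only")
    return bytes([tag, len(payload)]) + payload

def anonymous_bind_request(message_id=1):
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, name "", simple "" } }."""
    bind = ber(0x02, b"\x03") + ber(0x04, b"") + ber(0x80, b"")
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x60, bind))

def _skip_length(data, pos):
    # Index of the first content byte after the (short or long form) length at pos.
    return pos + 1 if data[pos] < 0x80 else pos + 1 + (data[pos] & 0x7F)

def bind_result_code(reply):
    """Walk LDAPMessage { messageID, [APPLICATION 1] BindResponse { resultCode, ... } } and
    return resultCode (0 = success, 49 = invalid credentials), or None if not a BindResponse."""
    try:
        if reply[0] != 0x30:
            return None
        p = _skip_length(reply, 1)
        if reply[p] != 0x02:
            return None
        p += 2 + reply[p + 1]                # skip messageID INTEGER (always short form)
        if reply[p] != 0x61:
            return None
        p = _skip_length(reply, p + 1)       # first byte of the BindResponse content
        if reply[p:p + 2] != b"\x0a\x01":    # resultCode is a one-byte ENUMERATED
            return None
        return reply[p + 2]
    except IndexError:
        return None

def probe(host, port=389, timeout=5.0):
    """Return (tcp_connected, result_code); result_code None means no usable reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(anonymous_bind_request())
            return True, bind_result_code(sock.recv(4096))
    except OSError:
        return False, None

if __name__ == "__main__":
    print(probe("ldap.example.test"))   # placeholder: use a server from the list above
```

A result of (False, None) points at the firewall or DNS checks above, while (True, 0) shows the port is open and the server accepts an anonymous bind, so a remaining failure on the device lies in its own settings.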