Configuring an LDAP type directory

Introduction

This configuration applies to the following directory types:

• Microsoft Active Directory

• Open LDAP

• LDAP V3 generic

 

Settings

 

The information entered in this subsection is used to establish communication between Watchdoc and the directory :

• DN: Specify the "Default Naming Context" of the directory. For example, for the "acme.fr" domain, the DN will probably be "DC=acme,DC=fr" with Active Directory.
  All of the users present in "CN=Users,DC=acme,DC=fr" will be a part of this directory.
  

• Server: Specify the DNS name or the IP address of the LDAP server.
  

  Specifying a server name makes the system intolerant to primary DC failures. We therefore recommend leaving this field empty, except in cases where there are performance issues.

• Port: Specify the port used for connecting to the LDAP server (by default 389).

• TLS/SSL: tick the box if you wish to establish a secure connection between Watchdoc and the directory. 
  You can only activate the secure connection if you have first implemented a certificate server.

• Secure bind.: Tick this box if you wish to establish a secure connection between the client and server using the SASL technique in cases where the server requires this authentication.

   

Identification

 

• Watchdoc will use this account to connect to the user directory: Tick this box if the directory requires authentication and fill-in the following parameters:

  • Identifier: Login for the account allowed to connect to the directory,

  • Password: Password for the account allowed to connect to the directory.

If the specified account is not located in "CN=Users,DC=...,DC=..." and the "DOMAIN\login" format does not work, then it is essential to specify the complete DN (e.g. "CN=account_readonly,OR=test,DC=...,DC=...").
The account allowed to connect only requires read and search rights on the directory. There is no need for write rights.

PUK Code

In Watchdoc, the user has several authentication means:

Mode: select in the list the creating mode of the PUK code:

• Disabled (by default): choose this status if the PUK code is not used;

• Automatic: choose this status if the PUK code is automatically created. In this case, complete then:

  • Algorithm: select in the list the algorithm type on which the code is based (information given by the directory administrator);

  • Variability: select in the list the frequency with which the encryption algorithm of the PUK Code is renewed of the algorithm.
    Please note: when you change this setting, the change takes effect immediately. For example, if you choose the ‘Change every day (at midnight)’ option at 6pm on a Monday, the codes will be different from 00:01am on Tuesday.

  • Prefix: enter in this fiel the prefix (digit between 2 and 8) that precedes the PUK code.
    
    

     

• Attribute: choose this status if the PUK code is registered in an attribute of the LDAP directory. In this case, complonte then the Attibute field;

  • Attribute: indicate in this field the LDAP directory attribut in which the PUK code is stored;

• Deported: choose this status if the PUK code is stored in an SQL database. In this case, select the name of the directory in which the PUK codes are to be saved from the list (PUK by default). Internal note: Other tables can be dedicated to recording PUK codes if required (users table in the SQL database). PUKsql
  
  

 

PIN Code

In Watchdoc^®, the user has several authentication means:

• Mode: select in the list the creating mode of the PIN Code PIN (Personal Identification Number) is a code comprising of at least four digits. It is used, for example, on a mobile or smartphone with a SIM card. The term PIN is not exclusively used by mobile phones as a PIN is also used for banking and may refer to any Personal Identification Number comprising of four or more digits. code:

  • Disabled (by default): choose this status if the PIN code is not used;

  • Automatic: choose this status if the PIN code is automatically created. In this case, complete then the Algorithm, Digits and Variability fields;

  • Attribute: choose this status if the PIN code is registered in an attribute of the LDAP directory. In this case, complonte then the Attibute field;

• Algorithm: select in the list the algorithm type on which the code is based (information given by the directory administrator);

• Digits: enter in this field the number of the digits that ;composes the PIN Code;

• Variability: select in the liste the frequency with which the encryption algorithm of thtePIN Code will be renewed.

 

Avanced parameters

Fill this fields only in certain specific cases

• UID Attr.: Specify the name of the attribute that will be used as the user login in the history, if different from 'sAMAccountName'. It is not recommended to change it.

• Search Attr.: Specify the attribute(s) used to search for the user. For example, you can search for a user using his Windows login ('sAMAccountName') and his copy PIN code ('pinCode'), specifying 'sAMAccountName|pinCode'.

• Groups Attr.: Allows you to specify the name of the attribute containing the list of groups of which the user is a member, if it is different from 'memberOf'.

• Dyn. Group: Specify the name of an attribute that contains a department or service code, which will be added to the user's group list.

• Dyn. Code: Allows you to specify the name of an attribute containing a customer or project re-invoicing code, which will be used for the balance sheet by Customer Code.

• Timeout: Allows you to specify the timeout period for LDAP search queries, in seconds. The default value is 15 seconds.

• Persistence: Check this box to allow the cache to be preserved on the disk. When persistence is enabled, the system compresses and encrypts the cache on the disk.

The configuration for this subsection is covered by a precise description in the Watchdoc V5 Administration Guide - Advanced Functions.

 

Timeout

 

By default, Watchdoc^® includes values defining the lifetime of the cache relative to the directory. This cache makes it possible to limit queries between the directory and Watchdoc^® so as not to saturate the bandwidth.

In general, the default values entered are suitable for the majority of uses. However, in very specific cases, it may be necessary to fine-tune the cache lifetime so as not to interrupt printing activity. This is especially useful if the PUK code is changed on a regular basis: it is then necessary to remove the cache between the generation of the new PUK codes and the start of the printing activity. 
For each parameter, indicate in the field its lifetime. Beyond the defined duration, the cache will be emptied, thus obliging Watchdoc^® to reinterrogate the directory to find the (updated) information of the user.

 

Cache

 

Watchdoc can retain the requests for cache in its memory to accelerate their execution.
By default, the lifetime (TTL By default, the lifetime (TTL) of cached directory data is 72 hours.) of cached directory data is 72 hours.
Tick the boxes for the caches you wish to enable:

• User Infos: Tick this box to enable the user information cache.

• Not found: Tick this box to enable the cache covering users whose accounts have not been found.

• Cold Cache: Tick this box to retain "cold" data cache, i.e. already checked but now expired data..

• Persistence: Tick this box to allow retaining the cache on disk so that it can be retrieved if the Watchdoc service is restarted..

• Compression: Tick this box to enable cache compression on disk. We strongly recommend enabling this setting to reduce the size of the file when persistence is enabled.

• Encryption: Tick this box to encrypt the cache file on disk, to secure its content.

 

Cards

The user can authenticate to the printing device using a badge. If this authentication method is used, select from the list the directory in which the user's badges are registered: the users will receive an e-mail containing their code (PUK or PIN) and inviting them to enroll Action when a user account is assigned to a badge number belonging to them. Enrolment takes place when a badge is used for the first time. Enrolment may be performed by the IT services manager when they issue a badge to a user or by the user themselves by entering their ID (PIN, PUK or ID and password) which is then assigned to their badge number. Once enrolment is complete, the badge number is definitively assigned to their owner. their badge.

 

E-mail

To communicate with users (when e-mail notifications are enabled), Watchdoc^® needs to have their e-mail address. This setting is used to define how Watchdoc^® determines a user's e-mail address:

• Stored in the directory: Opt for this choice if the directory has an attribute that is specific to the e-mail address,

• The user account is also used as the e-mail address: Opt for this choice so that Watchdoc^® will create the e-mail address by linking the user account name with a DNS domain name. In this case, state:

  • The DNS domain name to add when linking.

• Find the address in an alias directory: Opt for this choice if the e-mail address is stored in an Alias directory.

  • Search: Select the Alias directory where the e-mails are stored.

 

Circuit Breaker

User directories are usually hosted on a remote domain controller or server, accessible via the local network. In the event of a network failure or severe slowdown, this can cause a cascading effect that can cause the print server to freeze or slow down.

In this case, it may be useful to activate a "logic fuse", which trips in the event of a major system slowdown, to stop requests being sent to the faulty server.

Warning: it is important to consider the impact of the fuse activation on the service's good functioning!
In order to effectively protect the server from any malfunction of the remote directory, it is important to calibrate the fuse correctly. It is recommended to test the fuse setting before configuring it in a production environment.

Enter in the fields the values beyond which Watchdoc stops sending queries to the directory server to avoid overload:

1. Acces the Watchdoc^® administration interface as an administrator.

2. From the Main Menu, Configuration section, click on Users directories.

3. In the list of declared directories, click on the button to access the directory settings ;

4. or click on the button to Register a new directory (in the top banner).

5. In the Register a directory interface, go to the Circuit breaker section.

6. In the fields, enter the values beyond which Watchdoc stops sending queries to the directory server to avoid overload:

• Max. errors: it's the number of "serious" successive errors. A "serious" error is, for example, a network communication problen, a timeout, a malfunction or the remote server.  These errors are generally rare and can sometimes be resolved automatically (end of a peak period, restart of the remote server, etc.). Logical errors (such as authentication failure, syntax error or directory setting error) are ignored.

• Max. Requests: this is the maximum number of parallel requests allowed. In case of heavy workload, the remote server may not be able to respond to a large number of simultaneous requests.

• Max. duration: it is the maximum average time for the execution of the 10 last requests. In case of a strong slowdown of the remote server (peak period, network timeout,...), this time is extended.

• Retry Delay: after starting the circuit breaker, waiting time before reactivation. At the end of this delay, Watchdoc restarts the requests in order to "probe" the state of the server. If the requests are successful, the fuse is reactivated, otherwise it waits for the timeout to expire again.
  The administrator can manually deactivate the fuse at any time. The fuse then remains switched off until it is manually reactivated. Consider using this feature to test the impact of a failure on the print server.

   

  

   

The values frequently entered to activate the circuit breaker in a a large multi servers environment are the following:

• max. errors: 5

• max. requests: 5

• max. duration: 30 secondes

• retry delay: 120 secondes

 

Validating the configuration

Click on the Create button to validate the configuration for your directory.