Use the Advanced button to the right of the Kerberos realm (domain) field to access the Alternate Domain Configuration. Alternate domains are mapped to the default realm.

The Kerberos server hostname can be the same as the Kerberos realm (domain) if a DNS (Domain Name Service) service is available and correctly configured. The device will use DNS to look up the first available KDC (Kerberos Domain Controller) on the network. If DNS is not available, the IP address of the Kerberos Server may be used.

The Kerberos server port is the IP port used by the Kerberos authentication method. The default is port 88, but it may differ between network environments. Contact your IT administrator to determine the appropriate port if the default port does not work.

Accessing the LDAP Server

The LDAP server bind method determines how the device will access the LDAP server.

The Credentials configuration section is used to determine which credentials will be used to bind (authenticate) to the LDAP server.

When Use device user credentials is selected, the device user's credentials (entered at the control panel of the device) will be used to access the LDAP server. This method has the advantage of not having to store a username and password, which may expire, in the device.

When Use public credentials is selected and user credentials are not available, the Username and Password entered will be used to access the LDAP server. This method should be used if for some reason device users do not have read access to the LDAP data.

The Bind prefix setting is the LDAP attribute used to construct the user's Distinguished Name (DN) for authentication. This prefix is combined with the username typed at the control panel to form the Relative Distinguished Name (RDN). Commonly used prefixes are "CN" (for common name) or "UID" (for user identity).

The Bind and search root value is used to validate the user's credentials with the LDAP server. This value is combined with the RDN to construct the full Distinguished Name (DN) of the user.

The string consists of "attribute=value" pairs, separated by commas. For example:

ou=engineering,o=Hewlett Packard,c=US

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com

The LDAP server is typically the same as the Kerberos server in the Windows Active Directory Environment.

The Port is the IP port used by the LDAP protocol to communicate with the LDAP server. This is typically port 389 or port 3268.

Searching the LDAP Database

The Search root is the Distinguished Name (DN) of the entry in the LDAP directory structure where address searching is to begin. A DN is made up of 'attribute=value' pairs, separated by commas. For example:

dc=Hewlett-Packard,dc=com

ou=engineering,dc=northamerica,dc=Hewlett-Packard,dc=com

ou=marketing,o=Hewlett Packard,c=US

o=hp.com

ou=engineering,cn=users,dc=hp,dc=com
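The following is an added example, not code from the HP manual or the device firmware. It shows how the bind DN described above is assembled (the Bind prefix and the username typed at the control panel form the RDN, and the Bind and search root is appended to give the full DN) and how a DN such as the Search root splits back into its attribute=value pairs. The username is escaped per RFC 4514 so that characters entered at the control panel cannot change the DN structure; the function names and sample values are this example's own.

```python
# Added example, not the manual's code: build the bind DN the way the text
# describes (RDN "<prefix>=<username>" + bind and search root) and split a
# DN back into attribute=value pairs. Function names are this example's own.
_SPECIAL = set(',+"\\<>;')  # must be backslash-escaped in a DN value (RFC 4514)

def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it cannot alter the DN structure."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and i in (0, last):  # leading or trailing space
            out.append("\\ ")
        elif ch == "#" and i == 0:          # leading '#'
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)

def build_bind_dn(bind_prefix: str, username: str, bind_root: str) -> str:
    """RDN '<prefix>=<escaped username>' joined to the bind and search root."""
    if not username:
        raise ValueError("username must not be empty")
    rdn = f"{bind_prefix}={escape_rdn_value(username)}"
    return f"{rdn},{bind_root}" if bind_root else rdn

def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) pairs, honouring backslash escapes."""
    pairs, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep the escape and its char
            buf.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            pairs.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(dn[i])
            i += 1
    pairs.append("".join(buf))
    return [tuple(p.partition("=")[::2]) for p in pairs if p]

if __name__ == "__main__":
    # Constructed sample values; the roots come from the manual's examples.
    print(build_bind_dn("CN", "jsmith", "ou=engineering,cn=users,dc=hp,dc=com"))
    print(build_bind_dn("UID", "smith, john", "o=hp.com"))
    print(split_dn("ou=marketing,o=Hewlett Packard,c=US"))
```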
