XSA 5.5 Administration Guide

Chapter 4: Creating & Managing Accounts

Working with User Accounts

When you first implement Xerox Secure Access, you can choose from three methods to create user accounts: create accounts with Xerox Secure Access one at a time, allow the system to create users automatically, or import users from synchronized directories (e.g. Active Directory and LDAP). Instructions for each method are provided within this chapter.

Creating User Accounts

Xerox Secure Access provides several different methods to create user accounts. Use the table below to determine the best method for your needs. Instructions are provided within this section for each method.

Method and purpose:

Add users individually
  Use System Manager within Xerox Secure Access to add users one at a time.

Allow Xerox Secure Access to create users automatically
  Configure Xerox Secure Access to create a new account automatically when a print request is received from a user not known to the Accounting Server.

Import users with Active Directory Synchronization
  Use Active Directory Services to batch import user data, then synchronize updates as they occur. Minimizes administration because updates occur automatically via communication with the Active Directory Services. Offers PIN code and home server synchronization to single or multiple Active Directory servers.

LDAP Synchronization
  Has all the same features as Active Directory Synchronization. The LDAP server must support persistent search (e.g. Novell eDirectory).

Flat-File Import
  Use the EQCmd.exe utility to import a file containing user account data.

54 Xerox Secure Access Unified ID System® Administration Guide


Adding and Editing Users Individually

If you are managing a smaller number of users, you may prefer to create users one at a time.

1. In System Manager, select Users in the left pane.

2. Select Add user under Current tasks to open the Add User dialog box.

3. Enter the following information in the fields provided.

Field and description:

User ID
  ID logged to the database to track the account (required field). To qualify user IDs with the domain name, use the <domain.com>\userID format. If you configured Xerox Secure Access to identify users by qualifying and recording the user's originating domain in the accounts database (System Manager > Configuration > Domain qualification), you must also include the domain information in the User ID.

Full Name
  The full name of the user. Enter a full name to easily identify the user within System Manager. This name also appears in account statements.

Email address
  The email address is used to send notification email messages to the user in the event of a job error.

Location
  Enter the location you wish to assign the user to.

Additional Information
  Enter any additional information that you may find useful when pulling up a user's information.

PIN Information
  If the user enters PIN codes on a control terminal, enter a Primary PIN and an optional Secondary PIN. The primary PIN identifies the user, and the secondary PIN is used as a password. You can also enter an Alternate primary PIN that serves as another primary PIN for this user. The user can enter either primary PIN at a control terminal.

Home Server
  The DRE print server that manages this user's print jobs.

Xerox Secure Access adds the user to the accounts database and lists the user name in the right pane.

To edit an existing User, do the following:

1. In System Manager, select Users in the left pane.

2. Right-click a user in the right pane, and select Properties from the menu to open its Properties window and modify any of the editable fields.

3. Click OK to save the changes.


Importing Users with Active Directory Services

System Manager provides a utility to import users via Active Directory Services (ADS). If you want to minimize administration overhead, and you are managing a large number of user accounts, you should use ADS to synchronize user accounts.

WARNING: The Equitrac services must be started by a domain account with permission to contact Active Directory. If the services are started under the local administrative account, Active Directory synchronization fails.

CAUTION: If you plan to use Active Directory Services to generate user accounts, you must decide before performing the first synchronization whether or not to use Domain Qualification. See Qualifying Accounts by Domain on page 63 for instructions.

Configuring Active Directory Synchronization

It is important to select options in the correct order in the Directory Services synchronization dialog box. Performing these steps causes a task to run in the background. You can see the result of the task in System Manager: the list of users populates automatically when the task is complete.

An Active Directory server consists of containers that contain records (users, computers, printers, etc.) organized by type, geographical location or similar. Synchronization, settings and any related operations available in this window can be applied to servers or individual containers, depending on your selection.

To configure Active Directory synchronization, do the following:

1. In System Manager, navigate to Configuration > Directory Services synchronization and select the Active Directory tab.

2. Above the tree view in the Servers and containers group, click Add server...

3. Enter the Domain Controller server name. (A domain controller refers to a server shared by a group of computers that use a common accounts database.) The fully qualified domain name, not the IP address, must be entered for the Domain Controller.

4. Enter the Application partition for the directory of users, or click Browse to select from a list of partitions.

5. Click OK to add it to the domain controller list. A specific server can only be added once to the list.

6. Click Modify if you wish to make changes to any of the domain servers in the list.

7. Click Remove to clear any of the domain servers from the list.

8. To add individual containers, select a server in the tree view and click Add Container... A container is a subset of a Domain Controller. Select one or more containers that belong to the selected Domain Controller. A specific container can only be added once to the same server.

CAUTION: Ensure that the Organizational Unit (OU) containers you choose contain user account data only. If the OUs contain other data (such as system or contact information), you will see unexpected results. You may need to create specific OU containers to be used only for importing and synchronization purposes.

9. Select a container and click Remove to clear it from the list.

10. Click Test to open an Active Directory lookup dialog box. Enter a user account name. When the domain controller is contacted, the dialog box shows the ADS properties for that account. You can test servers as well as containers, depending on your list selection. Lookups can be resource intensive: run them against an entire server only if your task specifically requires it.

11. Optionally, you can move servers and containers up or down the tree view. Select the item to move and use the Move Up or Move Down buttons next to the view.

NOTE: Controls in this group are also accessible from the item context menu.

12. Under Filtering, you can specify a search filter for synchronization. Click the (...) button if you wish to assemble a filter using a graphical interface. A standard filter dialog box opens. Use this to specify conditions. To specify an unlisted field, use the Search filter textbox. Only user accounts that meet these conditions are included in the synchronization. Select the Filtering is specified at the container level checkbox if you are working with containers instead of servers.

NOTE: If filters are applied after the initial user import, updates to users who do not match the filter specifications are ignored.

13. In the Field mappings section, you can link Xerox Secure Access user fields to ADS attributes. Enter the AD attribute name (for example, sAMAccountName), not the field label. Synchronization uses the specified mappings. Select the Mappings are specified at the container level checkbox to set field mappings for containers instead of servers.

Check the options you want to associate with the user accounts in the selected containers:

• Account name - contains the user login ID. This is mapped to the User ID property in Xerox Secure Access.
• Display name - contains a description of the user, such as the full user name. This is mapped into the Full name property for the user within Xerox Secure Access.
• Email address - contains the user's email address.
• Primary PIN and Secondary PIN - map the numeric PIN values found in ADS to the PrimaryPIN and SecondaryPIN fields in Xerox Secure Access.
• Alternate PIN - maps the alternative primary PIN.
• Location - maps the user's physical location.
• Home Server - maps the name of a particular print server to the Home Server field in the Xerox Secure Access database. If you are enabling Follow-You Printing, ensure that you select the Home Server attribute for these users.

NOTE: Department, Color quota, Home folder and Delegates do not apply to Xerox Secure Access.

14. Use the controls in the Synchronization group (under Field mappings) to specify synchronization settings.

15. Select the Synchronization is specified at the container level checkbox if you want to synchronize containers rather than servers. Ensure that you only use this option with a container selected.

16. Select or clear the AD update options (Adds, Deletes, or Changes) to specify which AD account changes Xerox Secure Access receives and applies to the accounts database during subsequent synchronizations. You must have at least one option selected to perform synchronization or save your changes. You can import added or changed users, or remove inactive accounts from the Secure Access accounts database. Leave these settings at the default to ensure the accounts are updated and kept in sync with the ADS server.

NOTE: The Deletes option only works if the "isDeleted" AD attribute is set to true, that is, while the deleted object still exists in AD as a tombstone. If the entire user record is removed from AD, Xerox Secure Access cannot detect the deletion due to an AD limitation, and the corresponding user is not deleted automatically from the Secure Access database. Such accounts must be removed manually or with EQCmd.

17. Select the Automatic synchronization checkbox to enable adjustments to the Synchronization interval. Use this to change how often Xerox Secure Access synchronizes its accounts database with the specified AD. The synchronization interval value must be at least 15 minutes. The maximum value is 10080 minutes (one week).

18. After specifying the synchronization settings, click Synchronize Now… to schedule a single synchronization process (as opposed to automatic synchronization, which is performed periodically). Click OK to have this single synchronization performed in the background.

19. Click OK to exit the dialog box. The task continues to run even though the dialog box is closed. Server settings apply to all containers of the server.

20. After a few minutes, refresh System Manager, then check the list of Users to ensure successful import of the accounts. Open the user account properties and ensure that the settings are correct.


Active Directory LDS Support

Xerox Secure Access supports Active Directory Lightweight Directory Services (AD LDS) to synchronize a subset of the Active Directory tree to a local LDS server.

Like Active Directory, AD LDS provides a hierarchical data store for storage of directory data, a Directory Service with an LDAP directory service interface. Unlike Active Directory, however, multiple AD LDS instances can be run on the same server. AD LDS shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.

AD LDS operates independently of Active Directory and independently of Active Directory domains or forests. It operates either as a standalone data store, or it operates with replication. Its independence enables local control and autonomy of directory services for specific applications. It also facilitates independent, flexible schemas, and naming contexts.

AD LDS is ideal for applications that require directory services, but do not require the complete infrastructure features of Active Directory.


Configuring LDAP Synchronization

LDAP synchronization requires that the LDAP server supports persistent search. LDAP import will not work if the Base DN or user names contain spaces.

To configure LDAP synchronization, do the following:

1. In System Manager, navigate to Configuration > Directory Services synchronization and select the LDAP tab.

2. Above the tree view in the Servers group, click Add... to open the New LDAP server dialog box.

   a. Enter the LDAP server name.
   b. Enter the Port number. The default value depends on whether the Use SSL checkbox is selected or cleared (see step g).
   c. In the Base DN field, enter the location within the directory to start the search. For example, if the entire directory is to be searched under an organization of "Nuance", this would be "O=nuance". Ensure the Base DN does not contain spaces, or the import will fail.
   d. Enter a Login ID. The login ID is the fully qualified user ID (e.g. CN=admin, O=nuance).
   e. Enter a Login password.
   f. Select an LDAP version from the drop-down list.
   g. Select Use SSL if you want to use Secure Sockets Layer encryption. Without it, the simple bind sends the Login ID and password to the LDAP server in clear text.
   h. Click OK to add the new server.

3. Click Modify if you wish to make changes to any of the LDAP servers in the list.

4. Click Remove if you wish to remove any of the LDAP servers from the list.

5. Click Test to confirm that Persistent Search is enabled. An LDAP lookup dialog box opens. Enter a user account name. If Persistent Search is enabled, the dialog box shows the LDAP properties for that account. If a search filter (see step 7) is specified, the lookup only returns users matching the selected filter.

6. Optionally, you can move servers and containers up or down the tree view. Select the item to move and use the Move Up or Move Down buttons next to the view.

NOTE: Controls in this group are also accessible from the item context menu.

7. To specify import search criteria, enter it in the Search filter field under Filtering. "(objectClass=person)" is the default search filter, and can be modified as needed. Use standard LDAP filter syntax to define the search criteria. The search filter criteria also affect the information returned by the LDAP lookup Test tool.

If desired, you can enter additional search criteria along with the object class. For example, the search filter "(&(objectClass=person)(l=Waterloo))" searches for objects that have the object class person AND also have a location set to Waterloo. Every opening parenthesis must have a matching closing one, including the one that closes the outer "(&" term.

NOTE: When using LDAP email search, the Search filter field is not active. LDAP email search looks for entries in the displayName attribute, not the email address. The displayName attribute must match what is entered in the LDAP server.
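The Search filter field above, like the Filtering box on the Active Directory tab (step 12 of that procedure), takes standard LDAP filter syntax, and a filter whose parentheses do not balance is rejected. The following Python is an added example, not part of Xerox Secure Access: it builds an AND filter of the form shown above from a base filter and attribute constraints, escapes the values as RFC 4515 requires so a value cannot add or close a term, and checks that the result is balanced. The attribute names and values are constructed for illustration.

```python
"""Build and check LDAP search filters like those entered in the Search filter
field. Added example for illustration; not part of Xerox Secure Access."""
import re

# RFC 4515 requires these characters inside an assertion value to be written
# as a backslash and two hex digits, so a value can never add or close a term.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions accepted here: a letter followed by letters, digits
# or hyphens (the numeric OID form is not needed for the dialogs above).
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside (attr=value)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(filter_text: str) -> bool:
    """True if the text is a single parenthesised filter whose parentheses
    match. Escaped sequences such as \\28 are skipped, not counted."""
    if not filter_text.startswith("("):
        return False
    depth = 0
    i = 0
    while i < len(filter_text):
        ch = filter_text[i]
        if ch == "\\":            # skip the backslash and its two hex digits
            i += 3
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False      # close without a matching open
            if depth == 0 and i != len(filter_text) - 1:
                return False      # text after the outermost close paren
        i += 1
    return depth == 0


def build_filter(base: str, constraints: dict) -> str:
    """AND the base filter with (attr=value) terms.

    The base filter and attribute names come from the administrator; the
    values may come from a less trusted source (a form, a CSV) and are
    escaped so that a value like 'Waterloo)(uid=*' cannot widen the search."""
    if not is_balanced(base):
        raise ValueError(f"malformed base filter: {base}")
    terms = []
    for attr, value in constraints.items():
        if not _ATTR_RE.fullmatch(attr):
            raise ValueError(f"bad attribute name: {attr!r}")
        terms.append(f"({attr}={escape_filter_value(value)})")
    if not terms:
        return base
    result = f"(&{base}{''.join(terms)})"
    assert is_balanced(result)
    return result


if __name__ == "__main__":
    print(build_filter("(objectClass=person)", {"l": "Waterloo"}))
    print(build_filter("(objectClass=person)", {"l": "Waterloo)(uid=*"}))
    print(is_balanced("(&(objectClass=person)(l=Waterloo)"))   # missing ')'
```

The escaping matters whenever filter values are assembled from data you did not type yourself; a location value containing ")(uid=*" would otherwise turn a location filter into a match-everything filter.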

8. In the Field mappings section, you can link Xerox Secure Access user fields to LDAP attributes. The LDAP lookup must resolve to a unique user identifier. The specified field mappings are used by synchronization. Check the options you want to associate with the user accounts on the selected servers:

• Account name - contains the user login ID. This is mapped to the User ID property in Xerox Secure Access.
• Display name - contains a description of the user, such as the full user name. This is mapped into the Full name property for the user within Xerox Secure Access.
• Email address - contains the user's email address.
• Primary PIN and Secondary PIN - map the numeric PIN values found in LDAP to the PrimaryPIN and SecondaryPIN fields in Xerox Secure Access.
• Alternate PIN - maps the alternative primary PIN.
• Location - maps the user's physical location.
• Home Server - maps the name of a print server to the Home Server field in the Xerox Secure Access database. If you are enabling Follow-You Printing, ensure that you select the Home Server attribute for these users.

NOTE: Department, Color quota, Home folder and Delegates do not apply to Xerox Secure Access.

9. Use the controls in the Synchronization group (under Field mappings) to specify synchronization settings.

10. Select or clear the update options (Adds, Deletes, or Changes) to specify which account changes Xerox Secure Access receives and applies to the accounts database during subsequent synchronizations. At least one option must be selected to perform synchronization or save the changes.

11. Select the Automatic synchronization checkbox to enable adjustments to the Synchronization interval. Use this to change how often Xerox Secure Access synchronizes its accounts database with the specified LDAP server. The synchronization interval value must be at least 15 minutes. The maximum value is 10080 minutes (one week).

12. After specifying the synchronization settings, click Synchronize Now… to schedule a single synchronization process (as opposed to automatic synchronization, which is performed periodically). Click OK to have this single synchronization performed in the background.

13. Click OK to exit the dialog box. The task continues to run even though the dialog box is closed. After a few minutes, refresh System Manager, then check the list of Users to ensure successful import of the accounts. Open the user account properties and ensure that the settings are correct.

LDAP Field Mapping to CAS

Mapping the LDAP attributes to CAS fields provides a way to cross-reference the attributes received from the LDAP server with the corresponding fields for the user account in the CAS database. When a user logs in and is authenticated based on the LDAP configuration, CAS looks up the LDAP attributes mapping and imports the correct fields into the user’s account. CAS updates the fields with every authentication if the field has changed.

An LDAP server does not need to be added to the LDAP synchronization dialog box for field mapping.

Qualifying Accounts by Domain

If you plan to use Active Directory Synchronization to generate user accounts, you must decide before performing the first synchronization whether or not to use Domain Qualification.

Performing an initial synchronization creates user accounts based on Windows credentials without specifying a domain for the imported users. If you enable Domain Qualification after the initial synchronization, however, the process creates a second account for every Windows user. Also check the configuration of your control system; to maintain consistency in user data, both the control system and Xerox Secure Access should be similarly configured to use or not use domain data.

Therefore, to avoid wasting system resources by doubling the number of user accounts unnecessarily, decide whether or not to enable Domain Qualification before you perform a synchronization. If you enable domain qualification and want to subsequently create users manually, ensure that you include the domain qualification in the user ID you create, using the following format: user's_domain\userID.

To set the domain qualification option, do the following:

1. In System Manager, navigate to Configuration > Domain qualification.

2. Select or clear the Qualify all user IDs with NT domain information option as necessary, depending on whether or not you want to use domain-qualified user IDs.

3. If necessary, provide a default domain name for unqualified users attempting to print, and click OK.
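A quick check for the doubling described above, as an added example that is not part of Xerox Secure Access: given the User IDs listed in System Manager, it reports every user who exists both as a bare ID and as a domain-qualified DOMAIN\userID, and it shows how an unqualified ID is completed with the default domain from step 3. The user list is constructed for illustration.

```python
"""Spot accounts doubled by enabling Domain Qualification after the first
synchronization. Added example; not part of Xerox Secure Access."""
from collections import defaultdict


def split_qualified(user_id: str):
    """Split 'DOMAIN\\userID' into (domain, user). Unqualified IDs return
    (None, user). Both parts are lower-cased because Windows account and
    domain names are not case-sensitive."""
    domain, sep, name = user_id.rpartition("\\")
    return (domain.lower() if sep else None, name.lower())


def qualify(user_id: str, default_domain: str) -> str:
    """Prefix an unqualified ID with the default domain and leave qualified
    IDs unchanged, mirroring the default-domain setting of step 3 above."""
    domain, _sep, name = user_id.rpartition("\\")
    return user_id if domain else f"{default_domain}\\{name}"


def find_doubled_accounts(user_ids):
    """Return {user: [qualified IDs]} for every user that exists both without
    a domain and with one, i.e. the duplicate accounts a late switch to
    Domain Qualification creates."""
    bare = set()
    qualified = defaultdict(list)
    for uid in user_ids:
        domain, name = split_qualified(uid)
        if domain is None:
            bare.add(name)
        else:
            qualified[name].append(uid)
    return {name: ids for name, ids in qualified.items() if name in bare}


# Constructed sample of what the Users list might contain after a late switch.
SAMPLE_USERS = ["jsmith", "CORP\\jsmith", "CORP\\amartin", "bchen", "corp\\JSMITH"]

if __name__ == "__main__":
    for user, ids in find_doubled_accounts(SAMPLE_USERS).items():
        print(f"{user}: bare account plus {ids}")
    print(qualify("bchen", "CORP"))
```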


Adding Users from a Flat File Import

Use the EQCmd.exe utility to add, delete, modify and query user accounts from a flat file. This method is a one-time import and does not synchronize data beyond the import.

Xerox Secure Access installs this utility on the accounting server in the Program Files\Xerox\Xerox Secure Access\Tools folder.

The command line utility accepts commands in the following format:

EQCmd -s<Server> <Action> <Obj_type> <Obj_ID>|All [<Options>]

Execute the command with a batch file:

EQCmd -s<Server> -f<BatchFile> [-o<OutputFile>]

The OutputFile parameter is optional and specifies where to write a trace file. If it is not specified, EQCmd attempts to write the output file to the same folder as the batch file, using the same name as the batch file with a .log extension added. If the trace file cannot be opened, the utility logs a warning to the console and proceeds with the batch file, writing all messages to the console.

Xerox Secure Access accepts CSV files as batch files. Batch operation allows all the command actions except for the query command. Use the following table to fill in the parameters.

Parameters enclosed in angle brackets < > are mandatory; parameters within square brackets [ ] are optional.

Parameter and variables:

Server
  Specify the name or IP address of CAS.

Action
  Specify the action to take on the account. Use one of:
  • add - Add a user.
  • delete - Delete a user. It does not use the <details> parameter.
  • query - Query the database. Output differs based on <Obj_type>.
  • modify - Modify an object attribute.
  • adjust - Adjust the user account balance; set a new balance for an object type or set a balance no less than a certain amount.
  • lock/unlock - Lock or unlock a user.

Obj_type
  Use one of:
  • ur - user

Obj_ID
  Applies <Action> only to the specified object ID. Use double quotes around object IDs that contain a space, for example "human resources". Use All to apply <Action> to all accounts of <Obj_type>.
  Note: You can use "All" for the "Assign", "Remove", "Query" and "Adjust" actions. You cannot use it for the "Add", "Delete", "Modify", "Lock" and "Unlock" actions.


Options for Action Command
  Specify additional values. Use double quotes around detail values that contain spaces or are empty. Specify amounts with a period as the decimal separator. For the modify action, place "!" in required fields that you do not wish to change.
  <desc>: Description
  <user_ID>: User ID
  <user_name>: User name
  <email>: User email

For a complete list of Action parameters, see Modifying User Accounts from a Flat File on page 107.
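The quoting and "All" rules in the two tables above are easy to get wrong when a batch file is generated from a spreadsheet. The following Python is an added example, not part of Xerox Secure Access or the EQCmd utility: it assembles the arguments for one EQCmd invocation, quotes IDs and option values that contain spaces or are empty, writes "!" for modify fields that should stay unchanged, and refuses "All" for the actions that do not accept it. The server name, the user rows, the exact order of the option values after <Obj_ID>, and the layout of a CSV batch line are assumptions made for illustration; take the real option order for each action from Modifying User Accounts from a Flat File.

```python
"""Assemble EQCmd command lines from user rows. Added example; not part of
Xerox Secure Access or EQCmd. The option order after <Obj_ID> is assumed."""

UNCHANGED = "!"   # placeholder for a required modify field you do not want to change

# From the Obj_ID note above: "All" is accepted only by these actions.
ALL_ALLOWED = {"assign", "remove", "query", "adjust"}
# The batch-file form accepts every action except query.
BATCH_EXCLUDED = {"query"}


def quote_value(value) -> str:
    """Quote a value that is empty or contains a space; amounts use a period."""
    if value is None:
        return UNCHANGED
    text = repr(value) if isinstance(value, float) else str(value)
    return f'"{text}"' if text == "" or " " in text else text


def eqcmd_args(action: str, obj_id: str, options=(), obj_type: str = "ur"):
    """Return the argument list <Action> <Obj_type> <Obj_ID>|All [<Options>]."""
    action = action.lower()
    if obj_id == "All" and action not in ALL_ALLOWED:
        raise ValueError(f'"All" cannot be used with the {action} action')
    return [action, obj_type, quote_value(obj_id)] + [quote_value(o) for o in options]


def command_line(server: str, action: str, obj_id: str, options=(), obj_type: str = "ur") -> str:
    """Interactive form: EQCmd -s<Server> <Action> <Obj_type> <Obj_ID> [<Options>]."""
    return " ".join(["EQCmd", f"-s{server}"] + eqcmd_args(action, obj_id, options, obj_type))


def batch_lines(rows):
    """One line per row for the -f<BatchFile> form. Assumption: each CSV line
    holds the same arguments as the interactive form, without the
    EQCmd -s<Server> prefix."""
    lines = []
    for action, obj_id, options in rows:
        if action.lower() in BATCH_EXCLUDED:
            raise ValueError(f"{action} is not allowed in a batch file")
        lines.append(",".join(eqcmd_args(action, obj_id, options)))
    return lines


# Constructed rows: (action, user ID, option values in the assumed order
# description, user name, email).
SAMPLE_ROWS = [
    ("add", "jsmith", ["Staff", "John Smith", "jsmith@example.com"]),
    ("add", "human resources", ["Shared HR account", "", "hr@example.com"]),
    ("modify", "bchen", [UNCHANGED, "Bo Chen", None]),
    ("adjust", "All", [25.0]),
]

if __name__ == "__main__":
    print(command_line("CAS01", "add", "human resources", SAMPLE_ROWS[1][2]))
    for line in batch_lines(SAMPLE_ROWS):
        print(line)
```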

Importing LDAP User Accounts

You can use the EQCmd.exe utility to import a class containing specific LDAP users into the CAS database. Xerox Secure Access installs the EQCmd.exe utility and the EQLDAPImport.ini on the accounting server in the Program Files\Xerox\Xerox Secure Access\Tools folder.

After you create the LDAP class, call the class from the command line using the following format:

EQCmd.exe -s<CASServer> import ur <LDAPServer> <SearchRoot>

You can run the command line with the EQLDAPImport.ini file using the following format:

EQCmd.exe -s<CASServer> import ur <LDAPServer> <SearchRoot> <ini file>

CAUTION: Do not edit the original EQLDAPImport.ini file directly. Create a copy and modify it as needed, and then provide the EQLDAPImport copy file to EQCmd.

Command line parameters enclosed in angle brackets < > are mandatory; parameters within square brackets [ ] are optional.

Parameter and definition:

CASServer
  The name or IP address of the CAS that you want to add user accounts to.

LDAPServer
  The name or IP address of the LDAP server to import accounts from.

SearchRoot
  The LDAP search root used to begin the import. For example "ou=Accounting,dc=metrics,dc=com".

The following table lists the fields in EQLDAPImport.ini required to configure LDAP import.

Parameter and definition:

[AccountSettings]
  This section specifies some initial settings for created accounts.

[ConnectionSettings]
  This section specifies how to connect and log in to the LDAP server.
  LoginID: The Login ID for binding to the LDAP server.
  Password: The password for the LoginID used for binding to the LDAP server. It is stored in the file in clear text, so restrict who can read the file.
  BindMethod: The authentication binding method. Supported values are "simple", "ntlm" and "negotiate".
  UseSSL: Whether or not to use SSL. "0=no, 1=yes".
  Version: Which version of LDAP to use.
  DataEncoding: Encoding of LDAP data to expect. Supported values are "unicode16", "utf8" or "ascii".

[Attributes]
  This section specifies the attributes to import and map.
  AccountName: The attribute for lookup of the account name. If left blank, the default behavior is to look for the following attributes (in order): "sAMAccountName", "uid".
  Email: The attribute for lookup of the email address. If left blank, the default behavior is to look for the attribute "mail".
  FullName: The attribute for lookup of the full name. If left blank, the default behavior is to look for the following attributes (in order): "displayName", "cn".
  HomeServer: The attribute to look up the home server. If left blank, home servers are not imported.
  PrimaryPIN: The attribute to look up the primary PIN. If left blank, primary PINs are not imported.
  SecondaryPIN: The attribute to look up the secondary PIN. If left blank, secondary PINs are not imported.
  AlternatePIN: The attribute to look up the alternate primary PIN. If left blank, alternate PINs are not imported.
  Locked=logindisabled: The attribute to look up to find whether the account is locked.
  Location: The attribute to look up the location. If left blank, location is not imported.

[General Settings]
  This section specifies the general settings for the import.
  SearchFilter=(objectClass=person): The filter that selects the object class to import.
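Because the copy of EQLDAPImport.ini holds a bind password in clear text and decides whether that password is protected by SSL, it is worth checking before handing it to EQCmd. The following Python is an added example, not part of Xerox Secure Access: it parses a copy of the file with the sections and keys from the table above, resolves blank [Attributes] entries to the default lookup order the table states, and flags a simple bind with UseSSL=0 (which sends the bind password in clear text), an unsupported BindMethod or DataEncoding, an empty LoginID, and a SearchFilter that is not a parenthesised LDAP filter. The file contents shown are constructed, including the attribute name used for PrimaryPIN; the [AccountSettings] keys, which the table does not enumerate, are left untouched.

```python
"""Check a copy of EQLDAPImport.ini before running the EQCmd import.
Added example; not part of Xerox Secure Access."""
import configparser

# Default lookup order for blank [Attributes] entries, as stated in the table.
ATTRIBUTE_DEFAULTS = {
    "AccountName": ["sAMAccountName", "uid"],
    "Email": ["mail"],
    "FullName": ["displayName", "cn"],
}
# Attributes that are simply not imported when left blank.
OPTIONAL_ATTRIBUTES = ["HomeServer", "PrimaryPIN", "SecondaryPIN", "AlternatePIN", "Location"]

BIND_METHODS = {"simple", "ntlm", "negotiate"}
ENCODINGS = {"unicode16", "utf8", "ascii"}


def load_import_ini(text: str) -> configparser.ConfigParser:
    """Parse the ini text, keeping key case (LoginID, UseSSL, ...)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def effective_attributes(cp) -> dict:
    """Map each [Attributes] key to the LDAP attributes that will be tried;
    an empty list means the field is not imported."""
    attrs = cp["Attributes"] if cp.has_section("Attributes") else {}
    resolved = {}
    for key, fallback in ATTRIBUTE_DEFAULTS.items():
        value = attrs.get(key, "").strip()
        resolved[key] = [value] if value else list(fallback)
    for key in OPTIONAL_ATTRIBUTES:
        value = attrs.get(key, "").strip()
        resolved[key] = [value] if value else []
    return resolved


def check_import_ini(cp) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    conn = cp["ConnectionSettings"] if cp.has_section("ConnectionSettings") else {}
    bind = conn.get("BindMethod", "").strip().lower()
    use_ssl = conn.get("UseSSL", "0").strip() == "1"
    if bind not in BIND_METHODS:
        findings.append(f"BindMethod {bind!r} is not one of simple, ntlm, negotiate")
    if bind == "simple" and not use_ssl:
        findings.append("BindMethod=simple with UseSSL=0 sends the bind password in clear text")
    if not conn.get("LoginID", "").strip():
        findings.append("LoginID is empty")
    enc = conn.get("DataEncoding", "").strip().lower()
    if enc and enc not in ENCODINGS:
        findings.append(f"DataEncoding {enc!r} is not one of unicode16, utf8, ascii")
    general = cp["General Settings"] if cp.has_section("General Settings") else {}
    search_filter = general.get("SearchFilter", "").strip()
    if not (search_filter.startswith("(") and search_filter.endswith(")")):
        findings.append(f"SearchFilter {search_filter!r} is not a parenthesised LDAP filter")
    return findings


# Constructed copy of the file; the password is a placeholder and the
# PrimaryPIN attribute name is an assumption for illustration.
SAMPLE_INI = """
[AccountSettings]

[ConnectionSettings]
LoginID=CN=svc-import,OU=Service,DC=example,DC=com
Password=placeholder
BindMethod=simple
UseSSL=0
Version=3
DataEncoding=utf8

[Attributes]
AccountName=
Email=
FullName=
HomeServer=
PrimaryPIN=employeeID
SecondaryPIN=
AlternatePIN=
Locked=logindisabled
Location=l

[General Settings]
SearchFilter=(objectClass=person)
"""

if __name__ == "__main__":
    cp = load_import_ini(SAMPLE_INI)
    for finding in check_import_ini(cp):
        print("FINDING:", finding)
    print(effective_attributes(cp))
```

Run it against your modified copy, never the original EQLDAPImport.ini, as the CAUTION above requires; a run that reports no findings still leaves the bind password readable by anyone who can open the copy.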
