How do I configure OCS to validate users against an LDAP Filter?

Answer:

The following document outlines how to configure your account filter, and set the necessary parameters for accessing your LDAP database and validating users.

LDAP Filter

            The LDAP filter is turned on and off and configured through

                        - ocsmgr,

                        - utilities,

                        - operating parameters,

                        - accounts,

                        - filters and authentication,

                        - authenticate via LDAP

Operation

LDAP queries search for  an account based on the defined search criteria.  There are 3 components.

            1.  base define for the search object:  eg cn=John_Doe

            2.  intermediate search components: eg. ou=department,ou=division

            3.  base distinguished name:  eg. dc=ads_server,dc=com

The three components are concatenated for the search.  There can be a series of intermediate defines and the search process will evaluate each.

            ie -

            [1]        [2-a]    [3]

            [1]        [2-b]    [3]

            etc 

            or

             [uid=John_Doe]  [ou=department,ou=users]  [dc=my_ldap_server,dc=com]

             [uid=John_Doe]  [ou=deparment,ou=staff]  [dc=my_ldap_server,dc=com]

            where the system is searching for a user called John_Doe.

When the defines are complete and LDAP is turned on, you must stop and restart the OCS service engine.

LDAP at the Client

The standard printing popup (running in the Accounts Mode) will query the server to validate the entered user account and password.  When LDAP is enabled, the LDAP services will provide a response and accordingly either reject the request or accept it and add the user the OCS data base. 

In many cases this is perfectly suitable.  The system will differentiate between valid ldap accounts and 'guest' accounts that are created by 'guests' at kiosks.

A second guest option is provided with the software and is enabled by setting the flag 'LDAP-G-FLAG' to 1 in the main client config screen.  This option works as follows:

- A user logins in to a computer with a Name/Account and Password.  This account is validated by LDAP.

- If the user is a member of the 'guest' group then the user is advised to use an account which they have created (in OCS) at a kiosk.  They are assigned an OCS user group profile which is normally different from the non-guest accounts.

 - If the is not a member of the 'guest' group, then an OCS account is automatically created for he or she and their printing is processed directly.

 This second option prompts the user for their account and password and stores this data in and encrypted format in memory for their session, thereby eliminating repeated entries.  Their session is terminated via a normal logout.