Appendix J. Advanced LDAP Configuration

Table of Contents

J.1. LDAP Server Default Configuration
J.1.1. OpenLDAP
J.1.2. FreeIPA
J.1.3. Apple Open Directory
J.1.4. Novell eDirectory Defaults
J.1.5. Microsoft Active Directory Defaults
J.1.6. Google Cloud Directory

SavaPage supports the following LDAP server types out-of-the-box:

  • OpenLDAP
  • FreeIPA
  • Apple Open Directory
  • Novell eDirectory
  • Microsoft Active Directory
  • Google Cloud Directory

The basic configuration options for these types are discussed at Section 4.11.1.2, “LDAP”. However, other server/schema types can be supported by defining the fields to query and the LDAP searches to perform. These options are configured by adjusting entries in the Config Editor of the Admin Web App. The following configuration properties are available:

Configuration property | Description

ldap.schema.user-name-field

The LDAP field that contains the user's username.

  • Content of this field is converted to lowercase when synchronized with the SavaPage database.

ldap.schema.user-full-name-field

The LDAP field that contains the user's full name.

ldap.schema.user-email-field

The LDAP field that contains the user's email address.

  • Content of this field is converted to lowercase when synchronized with the SavaPage database.

ldap.schema.user-department-field

The LDAP field that contains the user's department.

ldap.schema.user-office-field

The LDAP field that contains the user's office location.

ldap.schema.user-name-search

The LDAP search to retrieve the user. The {0} in the search is replaced with * when listing all users, and [username] when searching for a specific user.

If no search is defined the default is (userNameField={0}), where userNameField is the value of configuration property "ldap.schema.user-name-field".

IMPORTANT: The search must include the {0} value and involve the LDAP field as specified in configuration property "ldap.schema.user-name-field".

ldap.schema.group-name-field

The LDAP field that contains the group's name.

ldap.schema.group-full-name-field

The LDAP field that contains the group's full name.

ldap.schema.group-member-field

The LDAP field that contains the group members.

ldap.schema.group-search

The LDAP search to retrieve the group. The {0} in the search is replaced with * for all group searches.

If no search is defined, the default is ([groupMemberField]={0}), which means get all entries with at least one member.

IMPORTANT: The search must include the {0} value.

ldap.schema.posix-groups

If Y, then the group member field contains the user's username. If N, then the group member field contains the user's DN.

Table J.1. LDAP Configuration Properties
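The substitution and validation rules of Table J.1, as an added example that is not SavaPage code. The function names are this example's own, and the Table J.2 defaults serve as the sample configuration. The security point it makes explicit: the username that replaces {0} is untrusted input, so it must be escaped per RFC 4515 before it is spliced into the filter; only the "list all users" case uses a literal wildcard.

```python
from typing import Dict, List, Optional

# Default values from Table J.2 (OpenLDAP), used here as sample configuration.
OPENLDAP_DEFAULTS = {
    "ldap.schema.user-name-field": "uid",
    "ldap.schema.user-email-field": "mail",
    "ldap.schema.user-name-search": "(uid={0})",
    "ldap.schema.group-member-field": "member",
    "ldap.schema.group-search": "(&(cn={0})(objectClass=groupOfNames))",
    "ldap.schema.posix-groups": "N",
}

# RFC 4515 escaping for a value spliced into a search filter. A username is
# untrusted input; unescaped, "*)(uid=*" would change what the filter matches.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_user_search(template: str, username: Optional[str] = None) -> str:
    """Fill {0}: the literal wildcard when listing all users, else the escaped username."""
    value = "*" if username is None else escape_filter_value(username)
    return template.replace("{0}", value)


def render_group_search(template: str) -> str:
    """Group searches always run with {0} replaced by the wildcard."""
    return template.replace("{0}", "*")


def group_member_value(posix_groups: str, username: str, dn: str) -> str:
    """Value to compare against the group member field: username for Y, DN for N."""
    return username.lower() if posix_groups.upper() == "Y" else dn


def normalize_user(entry: Dict[str, str], props: Dict[str, str]) -> Dict[str, str]:
    """Apply the lowercase rule for the user-name and email fields before storing."""
    out = dict(entry)
    for key in ("ldap.schema.user-name-field", "ldap.schema.user-email-field"):
        field = props.get(key)
        if field in out:
            out[field] = out[field].lower()
    return out


def validate_schema(props: Dict[str, str]) -> List[str]:
    """Return the IMPORTANT constraints of Table J.1 that these properties violate."""
    problems = []
    user_field = props.get("ldap.schema.user-name-field", "")
    # When no search is defined the fallback is (userNameField={0}).
    user_search = props.get("ldap.schema.user-name-search") or "(%s={0})" % user_field
    if "{0}" not in user_search:
        problems.append("ldap.schema.user-name-search must contain {0}")
    if user_field and user_field.lower() not in user_search.lower():
        problems.append("ldap.schema.user-name-search must involve " + user_field)
    member_field = props.get("ldap.schema.group-member-field", "")
    group_search = props.get("ldap.schema.group-search") or "(%s={0})" % member_field
    if "{0}" not in group_search:
        problems.append("ldap.schema.group-search must contain {0}")
    if props.get("ldap.schema.posix-groups", "N").upper() not in ("Y", "N"):
        problems.append("ldap.schema.posix-groups must be Y or N")
    return problems


if __name__ == "__main__":
    print(validate_schema(OPENLDAP_DEFAULTS))              # []
    print(render_user_search("(uid={0})"))                 # (uid=*)
    print(render_user_search("(uid={0})", "a)(uid=*"))     # (uid=a\29\28uid=\2a)
```

Run `validate_schema` against a customized property set before enabling it in the Config Editor; a search without {0}, or a user search that does not involve the configured user-name field, is reported as a problem rather than discovered at sync time.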


J.1. LDAP Server Default Configuration

When a particular LDAP server type is selected (e.g. Novell eDirectory), SavaPage uses the following defaults to query the LDAP server. These defaults can be used as a starting point for customizing the LDAP searches or for supporting other server types.

J.1.1. OpenLDAP

If the LDAP server is configured to support OpenLDAP based authentication then this schema type can be used. The following defaults are used.

Configuration property              Default value
----------------------------------  --------------------------------------
ldap.schema.user-name-field         uid
ldap.schema.user-full-name-field    cn
ldap.schema.user-email-field        mail
ldap.schema.user-department-field   departmentNumber
ldap.schema.user-office-field       This item is not set.
ldap.schema.user-name-search        (uid={0})
ldap.schema.group-name-field        cn
ldap.schema.group-full-name-field   displayName
ldap.schema.group-member-field      member
ldap.schema.group-search            (&(cn={0})(objectClass=groupOfNames))
ldap.schema.posix-groups            N

Table J.2. OpenLDAP Default Settings


J.1.2. FreeIPA

The defaults for FreeIPA based authentication are identical to OpenLDAP.

J.1.3. Apple Open Directory

If the LDAP server is configured to support Apple Open Directory based authentication then this schema type can be used. The following defaults are used.

Configuration property              Default value
----------------------------------  --------------------------------------
ldap.schema.user-name-field         uid
ldap.schema.user-full-name-field    cn
ldap.schema.user-email-field        mail
ldap.schema.user-department-field   departmentNumber
ldap.schema.user-office-field       This item is not set.
ldap.schema.user-name-search        (uid={0})
ldap.schema.group-name-field        cn
ldap.schema.group-full-name-field   displayName
ldap.schema.group-member-field      memberUid
ldap.schema.group-search            (memberUid={0})
ldap.schema.posix-groups            Y

Table J.3. Apple Open Directory Default Settings


J.1.4. Novell eDirectory Defaults

If the LDAP server is a Novell eDirectory then the following defaults are used[53].

Configuration property              Default value
----------------------------------  --------------------------------------
ldap.schema.user-name-field         cn
ldap.schema.user-full-name-field    fullName
ldap.schema.user-email-field        mail
ldap.schema.user-department-field   OU
ldap.schema.user-office-field       l
ldap.schema.user-name-search        (&(cn={0})(objectClass=person))
ldap.schema.group-name-field        cn
ldap.schema.group-full-name-field   fullName
ldap.schema.group-member-field      member
ldap.schema.group-search            (&(member={0})(objectClass=groupOfNames))
ldap.schema.posix-groups            N

Table J.4. Novell eDirectory Default Settings


J.1.5. Microsoft Active Directory Defaults

If the LDAP server is a Microsoft Active Directory then the following defaults are used[54].

Configuration property              Default value
----------------------------------  --------------------------------------
ldap.schema.user-name-field         sAMAccountName
ldap.schema.user-full-name-field    displayName
ldap.schema.user-email-field        mail
ldap.schema.user-department-field   department
ldap.schema.user-office-field       physicalDeliveryOfficeName
ldap.schema.user-name-search        (&(sAMAccountName={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368){1})
ldap.schema.group-name-field        sAMAccountName
ldap.schema.group-full-name-field   displayName
ldap.schema.group-member-field      member
ldap.schema.group-search            (&(sAMAccountName={0})(objectCategory=group))
ldap.schema.posix-groups            N

The extra {1} in the user name search is replaced with an optional filter to fetch enabled users only (see ldap.disabled-users.allow).

Table J.5. Microsoft Active Directory Default Settings


Configuration property | Default value / Description
ldap.disabled-users.allow

N

If Y, then disabled users are accepted in user name searches. If N, they are ignored.

ldap.schema.dn-field

distinguishedName

The LDAP field that contains the Distinguished Name (DN).

ldap.schema.user-name-group-search

(&(memberOf={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368){1})

This is the LDAP search to retrieve the users from a group.

The {0} in the search is replaced with the DN of the user.

The {1} in the search is replaced with an optional filter to fetch enabled users only (see ldap.disabled-users.allow).

IMPORTANT: The search must include the {0} and {1} value.

ldap.schema.nested-group-search

(&(memberOf={0})(objectCategory=group))

This is the LDAP search to retrieve the nested groups from a group.

The {0} in the search is replaced with the DN of the group.

IMPORTANT: The search must include the {0} value.

Table J.6. Microsoft Active Directory Custom Settings
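How the two searches of Table J.6 combine to enumerate a group's users through nested groups, as an added example that is not SavaPage code. It fills {0} with the DN of the group being expanded (a user's memberOf attribute holds group DNs), toggles {1} according to ldap.disabled-users.allow, and keeps a visited set because Active Directory permits circular nesting, which would otherwise loop forever. Assumptions: the enabled-only filter that replaces {1} is not shown on the page, so the standard AD bitwise test on userAccountControl is used; the directory is a constructed in-memory sample and `_lookup` stands in for the server evaluating the rendered filter.

```python
from collections import deque
from typing import Dict, List, Tuple

# Templates from Table J.6.
USER_NAME_GROUP_SEARCH = "(&(memberOf={0})(objectCategory=person)(objectClass=user)(sAMAccountType=805306368){1})"
NESTED_GROUP_SEARCH = "(&(memberOf={0})(objectCategory=group))"
# Assumption: the filter substituted for {1} is not on the page; this is the
# standard AD bitwise-AND match (1.2.840.113556.1.4.803) for ACCOUNTDISABLE.
ENABLED_ONLY_FILTER = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
ACCOUNTDISABLE = 0x2

# RFC 4515 escaping for the DN spliced into {0}.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# Constructed sample directory (not a real AD export). Finance is nested in
# Print and Print is nested in Finance: circular nesting, which AD allows.
G_PRINT = "CN=Print,OU=Groups,DC=example,DC=org"
G_FINANCE = "CN=Finance,OU=Groups,DC=example,DC=org"
DIRECTORY: Dict[str, dict] = {
    "CN=alice,OU=Staff,DC=example,DC=org": {"objectCategory": "person", "memberOf": [G_PRINT], "userAccountControl": 512},
    "CN=bob,OU=Staff,DC=example,DC=org": {"objectCategory": "person", "memberOf": [G_FINANCE], "userAccountControl": 514},
    "CN=carol,OU=Staff,DC=example,DC=org": {"objectCategory": "person", "memberOf": [G_FINANCE], "userAccountControl": 512},
    G_FINANCE: {"objectCategory": "group", "memberOf": [G_PRINT]},
    G_PRINT: {"objectCategory": "group", "memberOf": [G_FINANCE]},
}


def render(template: str, group_dn: str, allow_disabled: bool) -> str:
    """Fill {0} with the escaped group DN and {1} per ldap.disabled-users.allow."""
    return (template.replace("{0}", escape_filter_value(group_dn))
                    .replace("{1}", "" if allow_disabled else ENABLED_ONLY_FILTER))


def _lookup(group_dn: str, category: str, allow_disabled: bool) -> List[str]:
    """Stand-in for the LDAP server: returns the DNs the rendered search would match."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if attrs["objectCategory"] != category or group_dn not in attrs["memberOf"]:
            continue
        if category == "person" and not allow_disabled and attrs["userAccountControl"] & ACCOUNTDISABLE:
            continue
        hits.append(dn)
    return hits


def expand_group(group_dn: str, allow_disabled: bool = False) -> Tuple[List[str], List[str]]:
    """Users of a group and all groups nested in it, plus the filters issued.
    The visited set stops the walk on circular nesting."""
    users, issued, visited = set(), [], set()
    queue = deque([group_dn])
    while queue:
        group = queue.popleft()
        if group in visited:
            continue
        visited.add(group)
        issued.append(render(USER_NAME_GROUP_SEARCH, group, allow_disabled))
        users.update(_lookup(group, "person", allow_disabled))
        issued.append(render(NESTED_GROUP_SEARCH, group, allow_disabled))
        queue.extend(_lookup(group, "group", allow_disabled))
    return sorted(users), issued


if __name__ == "__main__":
    members, filters = expand_group(G_PRINT)
    print(members)            # alice and carol; bob is disabled
    for f in filters:
        print(f)
```

With ldap.disabled-users.allow=N the disabled account (userAccountControl 514) never reaches SavaPage; with Y it is returned, so the setting is the one place that decides whether stale accounts keep appearing in synchronized groups.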


Important

Active Directory field names must be in the Ldap-Display-Name format. For example, if you want to use the Employee-Number field, then the field name entered should be employeeNumber as shown on the Employee-Number attribute page https://docs.microsoft.com/en-us/windows/desktop/ADSchema/a-employeenumber.

J.1.6. Google Cloud Directory

The defaults for Google Cloud Directory based authentication are identical to OpenLDAP.

If your organization is allowed to use LDAP for G Suite or Google Cloud Identity services, you can create a certificate that clients like SavaPage can use for user synchronization and authentication. To create the certificate, log in to admin.google.com as Super Admin and add an LDAP Client. Set your Access permissions, download the certificate zip file and save it in a secure location. Finally, switch the LDAP Service status ON in the Client Details. Note that it may take up to 24 hours for the LDAP Client to be active.

The downloaded certificate zip file name contains its expiration date and time: we use Google_2022_10_27_37420.zip as an example. The zip contains the PEM formatted public certificate and private key file.

$ unzip Google_2022_10_27_37420.zip

# Have a look at the certificate
$ openssl x509 -in Google_2022_10_27_37420.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1563872646762 (0x16c1e12d66a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=Google Inc., L=Mountain View, CN=LDAP Client, OU=GSuite, C=US, ...
        Validity
            Not Before: Oct 28 10:23:40 2019 GMT
            Not After : Oct 27 10:23:40 2022 GMT
        Subject: O=Google Inc., L=Mountain View, CN=LDAP Client, OU=GSuite, C=US, ...
        Subject Public Key Info:
    ....

# Check the private key
$ openssl rsa -in Google_2022_10_27_37420.key -check -noout
RSA key ok

Use the certificate and private key to create the p12 container needed by SavaPage. In addition, store the p12 export password in a separate file. Set strict read permissions on both files.

$ openssl pkcs12 -inkey Google_2022_10_27_37420.key -in Google_2022_10_27_37420.crt \
               -export -out google-ldap-client-cert.p12

Enter Export Password:
Verifying - Enter Export Password:

$ sudo chown savapage:savapage google-ldap-client-cert.p12
$ sudo chmod 400 google-ldap-client-cert.p12
$ sudo mv google-ldap-client-cert.p12 /opt/savapage/server/data
$ sudo su - savapage
$ cd server/data

# Create file with Export Password to unlock p12 file
$ echo "password=export-password" > google-ldap-client-cert.pw
$ chmod 400 google-ldap-client-cert.pw

If google-ldap-client-cert.p12 and google-ldap-client-cert.pw are present in /opt/savapage/server/data the Google Cloud Directory option will be available at Section 4.11.1.2, “LDAP”.
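A pre-flight check for the two files the procedure above leaves in /opt/savapage/server/data, as an added example that is not SavaPage code. It verifies that both files exist, are owned by the expected account and carry mode 0400, and that the .pw file has a non-empty password= entry; whether the p12 actually opens with that password is left to the openssl pkcs12 command shown earlier. The function names and `make_sample_dir` (a constructed fixture with a dummy p12) are this example's own.

```python
import os
import pwd
import stat
import tempfile

# Paths from the procedure above; the function names are this example's own.
DATA_DIR = "/opt/savapage/server/data"
P12_NAME = "google-ldap-client-cert.p12"
PW_NAME = "google-ldap-client-cert.pw"
EXPECTED_MODE = 0o400  # the chmod 400 applied in the procedure


def _owner_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry, e.g. inside a container
        return str(uid)


def current_user() -> str:
    return _owner_name(os.getuid())


def check_file(path: str, owner: str) -> list:
    """Problems with one file: missing, not owned by `owner`, or mode not 0400."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_MODE:
        problems.append(f"{path}: mode {mode:04o}, expected {EXPECTED_MODE:04o}")
    actual = _owner_name(st.st_uid)
    if actual != owner:
        problems.append(f"{path}: owner {actual}, expected {owner}")
    return problems


def read_export_password(path: str) -> str:
    """Parse the 'password=<value>' line the procedure writes into the .pw file."""
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            key, sep, value = line.rstrip("\r\n").partition("=")
            if sep and key.strip() == "password":
                return value
    raise ValueError(f"{path}: no password= entry")


def check_google_ldap_files(data_dir: str = DATA_DIR, owner: str = "savapage") -> list:
    """Pre-flight check for the two files SavaPage needs; an empty list means ready."""
    problems = []
    for name in (P12_NAME, PW_NAME):
        problems += check_file(os.path.join(data_dir, name), owner)
    if problems:
        return problems
    try:
        if not read_export_password(os.path.join(data_dir, PW_NAME)):
            problems.append(f"{PW_NAME}: export password is empty")
    except ValueError as exc:
        problems.append(str(exc))
    return problems


def make_sample_dir(password: str = "export-password", mode: int = EXPECTED_MODE) -> str:
    """Constructed fixture: a temp dir holding both files (the p12 content is a dummy)."""
    d = tempfile.mkdtemp()
    for name, content in ((P12_NAME, b"not-a-real-p12"),
                          (PW_NAME, f"password={password}\n".encode())):
        path = os.path.join(d, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for problem in check_google_ldap_files() or ["ok"]:
        print(problem)
```

Run it as the savapage user after the copy; a wider mode on either file means the export password or the private key is readable by other local accounts, which is exactly what the chmod 400 step is meant to prevent.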



[53] The list of standard Novell eDirectory user fields can be found on NDK: Novell eDirectory Schema Reference.

[54] The list of standard Active Directory user fields can be found on the Microsoft Active Directory Schema website.