Understanding the CardAuth version 5 configuration data for e‑Task 5 printers

To prevent errors during deployment, do the following:

  • Make sure that the existing CardAuth application is running during the upgrade.

  • When applicable, configure the following:

    • User authentication settings

    • Web Service settings

    • Identity Service Provider settings

    • PIN settings

    • LDAP settings

    • LDAP Server Setup

    • LDAP Attributes

    • Login Screen settings

    • Lock Screen settings

    • Custom Profile

    • Advanced Settings

User authentication settings

Setting

Description

Card Validation

This setting determines how cards are validated.

Possible values

  • Printer-based

  • Web Service (for LPM On-Premises)

  • LDAP

  • Identity Service

Card Registration

The login method for registering using cards.

If this setting is not specified, or if the text does not match the printer security settings, then this setting is set to Disabled.

Manual Login

The login method for logging in manually.

If this setting is not specified, or if the text does not match the printer security settings, then this setting is set to Disabled.

Realm

The location of the user account. Configure this setting when using Active Directory, Kerberos, or LDAP+GSSAPI.

Admin Login

The login method for the administrator login.

Make sure that you have configured a local administrator account for the printer and that you have configured the permissions for the Device Admin Group. By default, some functions and the administrative and device management menus are permitted for this group. However, this setting is disabled by default.

Authorized Group

The group that can use the administrator login feature. This feature is applicable only to user name accounts and to user name and password accounts.

Show on Screen Saver

Shows the Admin Login button on the screen saver.

Web Service settings

If Card Validation is set to Web Service, then the following settings are used to communicate with the web server:

Note: These settings also determine the Web Service call version for user authentication.

Setting

Description

Server URL

The web service address used to register and to validate the badge ID.

Notes:
  • From LPM 2.14.2.0 onwards, MFPAuthService is no longer supported. Web Service can still be used with a custom web server for badge validation and registration.
  • Identity Service is the recommended card validation method.

Timeout (seconds)

The timeout in seconds used for connecting to the web service. The default value is 15 seconds. To disable the timeout, set the value to 0.

Registration Interface

Possible values

  • Version 2

  • Version 1

The default value is Version 1. Version 2 adds tracking of the IP address and host name of the printer used to register the badge.

Note: Version 2 is applicable only to Print Release version 2.3 or later.

Lookup Interface

Possible values

  • Version 2

  • Version 1

The default value is Version 1. Version 2 adds tracking of the last time the badge was used and from which printer.

Note: Version 2 is applicable only to Print Release version 2.3 or later.

Configuring the Identity Service settings

  1. From the Embedded Web Server, navigate to the configuration page for the application.

  2. From the User Authentication section, set Card Validation to Identity Service.

  3. From the Identity Service Settings section, set the identity service provider address to https://serverIP/idm, where serverIP is the IP address of the LPM server.

  4. If the LPM server is configured with SSL, then set the badge service provider address to either of the following:

    • https://serverIP/lpm

    • https://serverIP:9780/lpm

    Where serverIP is the IP address of the LPM server.

  5. Set Client ID to esf-cardauth-app.

    Note: You can update the client ID.

  6. Set Client Secret to the value from the <install-Dir>\Lexmark\Solutions\apps\idm\WEB-INF\classes\idm-production-config.properties file, where <install-Dir> is the installation folder of LDD.

    Note: You can update the client secret.

  7. Set Card Registration to Identity Service.

  8. Set Manual Login to Identity Service.

  9. Click Save.

PIN settings

Setting

Description

PIN Validation

Triggers PIN validation using LDAP or a web service.

Note: LDAP validation is applicable only when Required Credentials is set to PIN Only.

Required Credentials

Determines whether the following are required when a user logs in to the printer:

  • Userid and PIN

  • PIN Only

PIN Registration/Update

Authenticates the user account before registering or updating the PIN. When disabled, this setting does not allow PIN registration or PIN update.

If this setting is not specified, or if the text does not match the printer security settings, then this setting is set to Disabled.

Web Server Address

The server address where the PIN is stored. Use the following format for its value:

https://LBaddr/api/1.0

Where LBaddr is the host name or IP address of the LDD load balancer server.

Note: 1.0 is used by the LPM server to determine whether the Card Authentication PIN feature is used.

PIN Login Text

The custom message in the PIN Login screen.

The minimum number of characters is 0, and the maximum number of characters is 100.

Minimum PIN Length

The minimum required PIN length for registration or update. The default value is 4, and the supported range of values is from 4 to 16. Make sure that the value is consistent with the LPM administrator portal PIN settings.

Invalid PIN Length Error Message

The custom error message that appears when the PIN entered does not meet the PIN length requirement during PIN registration or update.

The minimum number of characters is 0, and the maximum number of characters is 256.

Invalid PIN Error Message

The custom error message that appears when an invalid PIN is entered.

The minimum number of characters is 0, and the maximum number of characters is 256.

Network Timeout

The length of time to wait for a connection with the server to be established. The default value is 15, and the supported range of values is from 0 to 30. To disable the timeout, set the value to 0.

Socket Timeout

The length of time to wait for response data from the server to be received. The default value is 15, and the supported range of values is from 0 to 30. To disable the timeout, set the value to 0.

PIN Notification

When a user registers, this setting lets you show the PIN on the printer display, e‑mail it to the user, or both.

LDAP settings

Setting

Description

Use Address Book

Uses the LDAP settings configured in Address Book. For printers running on eSF version 5 or later, the LDAP settings in Network Accounts are used. If there are multiple network accounts, then the first in alphabetical order is selected.

Notes:
  • To access Network Accounts, access the Embedded Web Server, and then click Settings > Security > Network Accounts.
  • This setting is used only when Card Validation is set to LDAP, or when other user information attributes are necessary.

LDAP Server Setup

Setting

Description

Server Address

The host name or IP address of the LDAP server.

Server Port

The port number used to communicate with the LDAP server.

Common possible values

  • 389 (non-SSL)

  • 636 (SSL)

  • 3268 (non-SSL Global Catalog)

  • 3269 (SSL Global Catalog)

Use SSL

Uses SSL for communication.

Search Base

The directory where the LDAP search begins.

Login Username

The service account name used for logging in to the LDAP server. If this setting is not specified, then anonymous bind is performed.

Login Password

The service account password used for logging in to the LDAP server.

LDAP Attributes

The following LDAP attributes must be specified:

Setting

Description

User ID

The user’s Windows user ID. For Active Directory, this setting corresponds to samaccountname.

Badge ID

The user’s badge ID. This setting is used only when Card Validation is set to LDAP.

User Information

A comma-separated list of user attributes. This list is queried after the user has authenticated.

Group Membership Attribute

The groups of which the user is a member.

Group List

The groups shown in Manage Permission where the administrator can define permissions at a group level. If multiple groups are used, then the group names must be comma-separated.

User PIN

The LDAP attribute against which the PIN is validated.

Login Screen settings

The following settings determine how the login screen is shown to the user:

Setting

Description

Use Custom Login Text

Shows the custom login text. To avoid redundancy, disable this setting when the text is included in the login screen image.

Custom Login Text

The text shown on the login screen. If this setting is not specified, then the default text is used.

Text Color

The color of the custom login text.

Possible values

  • White

  • Black

To maximize usability, select a color that contrasts with the color of the login screen image.

Use Custom Image for Login Screen

Uses the custom image background on the login screen.

Login Screen Image

The image shown on the login screen. The image can be in a GIF, PNG, or JPG format that is 800 x 480 pixels and does not exceed 100 KB. If this setting is not specified, then the default image is used.

Manual Login Text

The text shown on the login screen for manual login. If this setting is not specified, then the default text is used.

The minimum number of characters is 0, and the maximum number of characters is 100.

Allow Copy Without Login

Lets users perform a copy job without authenticating.

Note: This setting is applicable only to printers that support the copy function.

Allow Fax Without Login

Lets users perform a fax job without authenticating.

Note: This setting is applicable only to printers that support the fax function.

Lock Screen settings

The following settings determine how the lock screen is shown to the user:

Setting

Description

Text Location

The location of the login text on the lock screen.

Possible values

  • Top

  • Middle

  • Bottom

Login Profile

The profile that is launched automatically after a successful login.

Possible value

  • Print Release

Custom Profile settings

Setting

Description

Name or ID

The application or printer function that users can access from the lock screen. The application name is case sensitive.

Icon Text

The custom name for the icon that is shown on the lock screen.

Use Custom Icon

Shows the custom icon.

Icon upload field

The custom icon image that is shown on the lock screen for Custom Profile. The image can be in a GIF, PNG, or JPG format that is 140 x 140 pixels and does not exceed 40 KB.

Advanced Settings

Setting

Description

Badge Logout Delay (seconds)

The length of time before the printer registers a succeeding tap as a logout. The default value is 2. To disable the timeout, set the value to 0.

The minimum time in seconds is 0, and the maximum time in seconds is 10.

Use Selected Realm

Adds the selected realm during registration and when users log in manually, for example, userid@realm. The feature is applicable only if the login methods for card registration and manual login are Kerberos, Active Directory, or LDAP+GSSAPI.

For card registration, if this feature is enabled, then the badge ID that is registered is in username@realm format. For manual login, if this feature is enabled, then the user name shown in the printer control panel is in username@realm format.

Note: This setting is not applicable when logging in or registering using a PIN.

Enable Beep for Successful Login

Enables a sound when the badge reader reads a badge successfully.

Beep Frequency

The sound frequency of the printer beep when a badge is read successfully. The default value is 2000.

The minimum frequency in Hertz is 0, and the maximum frequency in Hertz is 65535.
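
Pre-deployment check (added example, not part of the Lexmark documentation): the following Python sketch checks a set of values against the ranges and combinations documented above, including the LDAP port and Use SSL pairing, anonymous bind, disabled timeouts, and the PIN Web Server Address format. The dictionary layout, which uses the setting labels from this page as keys, and the sample values are assumptions made for illustration; the application's actual export format is not described here.

```python
import re

# Documented numeric ranges (inclusive), keyed by the setting labels on this page.
RANGES = {
    "Minimum PIN Length": (4, 16),
    "Network Timeout": (0, 30),
    "Socket Timeout": (0, 30),
    "Badge Logout Delay (seconds)": (0, 10),
    "Beep Frequency": (0, 65535),
}
# Per the page, a value of 0 disables these timeouts.
ZERO_DISABLES = ("Timeout (seconds)", "Network Timeout", "Socket Timeout")
SSL_PORTS, PLAIN_PORTS = {636, 3269}, {389, 3268}
PIN_URL = re.compile(r"^https://[^/\s]+/api/1\.0$")

def lint(cfg):
    """Return findings for a settings dict (assumed format: label -> value)."""
    out = []
    for name, (lo, hi) in RANGES.items():
        if name in cfg and not lo <= cfg[name] <= hi:
            out.append(f"{name}={cfg[name]} is outside the supported range {lo}-{hi}")
    for name in ZERO_DISABLES:
        if cfg.get(name) == 0:
            out.append(f"{name}=0 disables the timeout")
    if "Server Port" in cfg:  # LDAP Server Setup is present
        port, ssl = cfg["Server Port"], bool(cfg.get("Use SSL"))
        if port in (PLAIN_PORTS if ssl else SSL_PORTS):
            out.append(f"Use SSL={ssl} does not match Server Port {port}")
        if not cfg.get("Login Username"):
            out.append("Login Username is empty, so an anonymous bind is performed")
    url = cfg.get("Web Server Address")
    if url is not None and not PIN_URL.match(url):
        out.append("Web Server Address does not match https://LBaddr/api/1.0")
    for name in ("Allow Copy Without Login", "Allow Fax Without Login"):
        if cfg.get(name):
            out.append(f"{name} lets users run jobs without authenticating")
    return out

# Constructed sample settings, not taken from a real printer.
SAMPLE = {
    "Server Port": 389, "Use SSL": True, "Login Username": "",
    "Minimum PIN Length": 3, "Network Timeout": 0,
    "Web Server Address": "http://ldd-lb.example/api/1.0",
    "Allow Fax Without Login": True,
}

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Running the script prints one finding per line for the constructed sample; an empty result means none of these checks fired.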