Synchronizing user and group details
One of the most important tasks when managing PaperCut is to configure the User and Group synchronization options. PaperCut synchronizes user and group information from a source such as Windows Active Directory (Windows domains). This simplifies the administration of the system because you do not need to manage a separate database of users and groups. If a user is added to the domain or is removed from a group then PaperCut automatically synchronizes this information without any intervention from the administrator. For example:
- Jason configures PaperCut to assign an initial credit of $10 to users who are members of the "Students" Windows security group.
- At the start of the new school year Jason adds 100 new students to the Windows Active Directory.
- Jason also adds all the users to the "Students" Windows security group.
- When PaperCut next synchronizes with Active Directory, the 100 new users are added to PaperCut and automatically assigned the $10 initial credit. This happens without any additional work by Jason.
Synchronization settings are configured via the Options > User/Group Sync tab.
Usernames are stored in PaperCut MF as all lower case, regardless of the capitalization of the username in the source directory. Entry of a username by an end user, however, is not case sensitive as it is converted to lowercase before the account is validated.
Sync source
The settings in the Sync Source area define where PaperCut imports users and groups from.
Use the Primary sync source list to select the type of directory server to be used. Options include:
- Windows Active Directory
- LDAP (Apple OpenDirectory, Novell eDirectory, OpenLDAP, etc.)
- Windows Standard (local users and groups for workgroup environments)
- Samba
- Unix Standard (local users and groups / NIS / POSIX)
The Import users from selected groups option allows you to import users from a list of selected groups in the domain, rather than importing all the users in the domain. This is useful if the domain contains old users or users who do not print.
If you are using Active Directory and have a long list of groups, you can set the config key user-source.ad.group-ou-filter to only display groups under a certain organizational unit. For example, if you set it to "myorganization.local/Import OU/Sub Import OU" then only groups under "Sub Import OU" are displayed.
If the PaperCut server is a member of an Active Directory domain, you should use the Windows Active Directory option. The advantages over the Windows Standard option include:
- Allows use of Active Directory organizational units.
- Supports nested groups for simplified user management.
- Allows importing users from other trusted Active Directory domains.
By default, PaperCut MF automatically syncs user and group information with your directory each night. However, you can perform additional full user/group syncs by scheduling a script to run the appropriate server-command command. For more information on using the server-command, see Tools - database, server-command scripting, and APIs (Advanced).
Sync options
The options listed in the Sync Options area control how the synchronization will take place.
- Update users' full-name, email, department and office when synchronizing—if a user's details in PaperCut do not match those in the synchronization source, they are updated.
- Import new users and update details overnight—when selected, synchronization automatically occurs each night at approximately 12:55am. This option never deletes users from PaperCut.
- Delete users that do not exist in the selected source—deletes users from PaperCut if they no longer exist in the selected synchronization source.
  This option applies only to manual synchronization (click Synchronize Now) and does not delete users during the automatic overnight synchronization. The option also applies only once: it must be selected again before each manual sync in which users are to be deleted.
  This option affects only users added via the synchronization source (e.g. the domain) and does not delete the users described in Printing solutions for guests and anonymous users.
Secondary sync source (advanced)
Enabling a secondary sync source allows PaperCut to merge the results from two independent sources. Examples of where this is useful include:
- A school with an Active Directory domain for the majority of users and a separate LDAP server that is used and managed by one department.
- An organization with a new LDAP server and an old legacy LDAP server with separate but unique users who have not been migrated to the new server.
- A university with an Active Directory for the Windows student workstations and an Open Directory for the staff Mac workstations.
When enabled, PaperCut queries both sources to find users and groups. Usernames are treated as globally unique, so the same username existing in both sources is treated as the same user (in this case, the details for the user are merged, with the primary sync source taking priority). If there is an error connecting to or synchronizing against either source then no action takes place.
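The merge rules just described, as an added example that is not PaperCut's own code: two constructed directory exports are merged so that the same username (lower-cased, as PaperCut stores it) is one user, the primary source wins on every detail it holds, and the sync makes no changes at all if either source fails. It assumes each source is a dict of username to details and, as an interpretation of "merged", that a detail the primary source leaves empty is filled from the secondary source; `failing_source` is a constructed stand-in for an unreachable directory.

```python
# Added example (not PaperCut code): secondary-sync-source merge semantics
# applied to constructed directory exports.


class SyncSourceError(Exception):
    """Raised when a sync source cannot be connected to or read."""


# Constructed sample exports. Usernames keep the capitalization the
# directory uses; None means the source does not hold that detail.
PRIMARY_SOURCE = {
    "JSmith": {"full_name": "Jane Smith", "email": "jsmith@example.edu",
               "department": "Physics", "office": None, "groups": {"Staff"}},
    "bjones": {"full_name": "Bob Jones", "email": "bjones@example.edu",
               "department": "Library", "office": "L2", "groups": {"Staff"}},
}
SECONDARY_SOURCE = {
    "jsmith": {"full_name": "J. Smith", "email": "jane@dept.example.edu",
               "department": None, "office": "P14", "groups": {"Physics-Dept"}},
    "ckhan": {"full_name": "Chris Khan", "email": "ckhan@dept.example.edu",
              "department": "Physics", "office": "P9", "groups": {"Physics-Dept"}},
}


def failing_source():
    """Constructed stand-in for a directory that cannot be reached."""
    raise SyncSourceError("connection refused")


def normalize(source):
    """Lower-case every username, as PaperCut stores them, and refuse a
    source where two directory entries collapse onto one username."""
    out = {}
    for username, details in source.items():
        key = username.lower()
        if key in out:
            raise SyncSourceError(f"{username!r} duplicates another entry after lower-casing")
        out[key] = details
    return out


def merge_sources(primary, secondary):
    """Merge two sources into one user table. The same username in both
    sources is one user: the primary source's details win, the secondary
    source fills details the primary left empty (assumption), and group
    memberships from both sources are combined."""
    merged = {}
    for username, details in normalize(primary).items():
        merged[username] = {**details, "groups": set(details["groups"])}
    for username, details in normalize(secondary).items():
        if username not in merged:
            merged[username] = {**details, "groups": set(details["groups"])}
            continue
        user = merged[username]
        user["groups"] |= details["groups"]
        for field, value in details.items():
            if field != "groups" and user.get(field) is None and value is not None:
                user[field] = value
    return merged


def run_sync(fetch_primary, fetch_secondary):
    """Fail closed: if either source errors, no changes are applied (None)."""
    try:
        primary = fetch_primary()
        secondary = fetch_secondary()
    except SyncSourceError:
        return None
    return merge_sources(primary, secondary)


if __name__ == "__main__":
    for name, user in run_sync(lambda: PRIMARY_SOURCE, lambda: SECONDARY_SOURCE).items():
        print(name, user)
    print("sync with a failing source:", run_sync(lambda: PRIMARY_SOURCE, failing_source))
```

The fail-closed behaviour in `run_sync` is the part worth copying into any script that drives a sync: a half-read source must never be allowed to look like "all these users disappeared".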
Manual synchronization
By default, PaperCut MF automatically re-syncs the user and group information each night; however, the sync process can also be initiated manually. To initiate a manual sync:
- Select Options > User/Group Sync. The User/Group Sync page is displayed.
- Click Synchronize Now. The sync process starts and a status window shows the progress of the sync.
Card/identity numbers sync
Card and ID numbers are used as an alternative to usernames/passwords for authentication at software Release Stations, or at hardware terminals attached to photocopiers. The card/ID number can also be searched in the user quick-find in the User List page. See User card and ID numbers for more information.
In PaperCut MF, you can associate one or two unique card/ID numbers with each user. These are known as the Primary and Secondary card/ID number. You can automatically import or generate these card/ID numbers for each user.
Often card/ID numbers are already assigned by other systems, in which case you must import these numbers into PaperCut from Active Directory or LDAP. Unlike other fields, such as full name and email address, there is no standard field used exclusively for card numbers. For this reason PaperCut allows you to specify the field from which to import the card/ID number.
To enable importing the primary card/ID number:
- In the Sync Options area, select the Update users' full-name, email, home directory, department and office when synchronizing check box.
- In the Sync Source area, complete the following fields:
  - Primary number—select Sync from AD/LDAP field.
  - AD/LDAP field name—enter the field name from which to import the card/ID number.
  For more information on the field names to use, see the sections on Active Directory and LDAP below.
- Click Apply.
PaperCut also allows you to generate a random card/ID number for either the primary or secondary card/ID number. To auto-generate card numbers:
- In the Sync Source area, complete the following fields:
  - Primary number—select Auto-generate random ID (if blank).
  - Length—enter the number of digits.
  Short numbers are easier to remember and faster to key in, but it is also easier to guess someone else's number. If your number is too short, PaperCut cannot generate sufficient numbers to cover all your users.
- Click Apply.
The card/ID number must uniquely identify a user, so you should ensure that no two users have the same card/ID number. Make sure the card/ID numbers you have defined in your user source are unique. If PaperCut MF finds a non-unique card/ID number it does not update the user's details, and displays a warning in the synchronization results. When generating card/ID numbers, you are asked to specify the length or number of digits you require in the generated numbers.
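The trade-off behind the Length field, as an added example rather than PaperCut's own generator: how likely a single guessed number is to hit a real user for a given length, the smallest length that keeps that chance under a chosen threshold, and a generator that refuses outright when the number space is too small for the user base. The 1% fill threshold, the constructed user count and the usernames are assumptions of the example.

```python
import secrets

# Added example (not PaperCut code): guessability of random card/ID numbers
# as a function of Length, and a generator that fails when Length is too short.


def guess_probability(length, n_users):
    """Probability that one random guess of a `length`-digit number hits
    any one of `n_users` assigned numbers."""
    return n_users / 10 ** length


def min_length_for(n_users, max_fill=0.01):
    """Smallest number of digits such that assigned numbers occupy at most
    `max_fill` of the number space (so a single guess succeeds at most that
    often). The 1% default is an assumption of this example."""
    length = 1
    while guess_probability(length, n_users) > max_fill:
        length += 1
    return length


def generate_card_numbers(usernames, length, existing=()):
    """Assign a fresh random `length`-digit number (zero-padded) to each user
    in `usernames`, never reusing one in `existing`. Raises ValueError when
    the number space cannot hold everyone, which is the failure the text
    describes for a Length that is too short."""
    space = 10 ** length
    taken = set(existing)
    if len(taken) + len(usernames) > space:
        raise ValueError(f"{length}-digit numbers give {space} values; "
                         f"{len(taken) + len(usernames)} are needed")
    assigned = {}
    for user in usernames:
        # Rejection sampling: draw until an unused number turns up. secrets
        # (not random) is used so the numbers are not predictable.
        while True:
            candidate = str(secrets.randbelow(space)).zfill(length)
            if candidate not in taken:
                taken.add(candidate)
                assigned[user] = candidate
                break
    return assigned


if __name__ == "__main__":
    n = 2500  # constructed user count
    print("4 digits:", guess_probability(4, n), "6 digits:", guess_probability(6, n))
    print("minimum length at 1% fill:", min_length_for(n))
    print(generate_card_numbers(["alice", "bob", "carol"], min_length_for(n)))
```

Generation slows as the space fills, because more draws collide with numbers already taken; keeping the fill low, as `min_length_for` does, avoids that as well as keeping guesses unlikely.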
Importing the Card/ID number from Active Directory
Active Directory has a number of user fields that can store the user's card/ID number. Some of these fields are editable in the user's properties in the Active Directory Users and Computers tool, but others can only be updated with other tools. By default, PaperCut MF imports the primary card/ID number from the user's pager number field (i.e. the pager field). This field was chosen because it is rarely used and is also editable in the Windows user interface. If this field is not suitable, you can choose any valid Active Directory user field.
The list of standard Active Directory user fields is on the Microsoft web site here: http://msdn2.microsoft.com/en-us/library/ms683980.aspx. The field name entered in PaperCut MF must be in the LDAP display name format. For example, if you want to use the Employee-Number field, then the field name entered into PaperCut MF should be employeeNumber as shown on the Employee-Number attribute page here: http://msdn2.microsoft.com/en-us/library/ms675662.aspx
You can specify a secondary card number field by selecting Sync from AD/LDAP field under Secondary number.
If you enter the field name incorrectly, the synchronization will fail. It is therefore important to test your configuration changes. To test the changes, click Test Settings. If the card number is retrieved correctly, then it is the 4th user field in the test output.
Importing the Card/Identity number from LDAP
LDAP provides a very flexible way to store a variety of user-related information. The fields available depend on the LDAP server being used and how it is configured. Many LDAP servers also allow administrators to create custom fields to store additional user information. It is recommended you consult your LDAP server's documentation or talk to your LDAP administrator to find out which LDAP field stores the user's card/ID number.
By default, PaperCut MF uses the employeeNumber field to retrieve the primary card number. This is a standard LDAP field, but if this is not suitable, you can choose any valid LDAP user field.
To specify a secondary card/ID number field:
- In Sync Source, in Secondary number, select Sync from AD/LDAP field.
  If defined, the same regular expression that is applied to the first card number is applied to the second card number as well.
- Click Apply.
It is important to test that the card numbers are being retrieved correctly. To test the changes, click Test Settings. If the card number is retrieved correctly, it is listed as the 4th user field in the test output.
Using a regular expression to extract the card/id number from an LDAP/AD field
The vast majority of sites store the full card number in a single field in AD/LDAP. In this situation, you do not need to use a regular expression (regex) to extract the card number. A regular expression is only required under some unusual specific circumstances, including:
- The field contains more than just the card number. For example, the field contains a card number and a student number separated by a comma (e.g. 12345678,0003456).
- The multi-valued LDAP/AD field contains multiple values, only one of which represents the card number. For example, some third-party authentication management systems store external IDs (such as card numbers) in a single multi-valued LDAP field.
Note: For multi-value fields, PaperCut imports all the field values separated by TABs by default. Use the regex to extract the required portion of the field.
To use a regular expression to extract the card/ID number, on the User/Group Sync page, select the Apply regular expression to extract card number check box. Then enter the regular expression used to extract the card number. The regular expression must contain a capture group (represented by parentheses) that identifies the part of the field from which the card number is extracted.
The simplest way to create a regular expression is to start from one of the examples that follow.
| Regular Expression | Description |
|---|---|
| ([\d]+) | Extracts the first sequence of digits. e.g. if the field contains 12345678,005678 then 12345678 is extracted. |
| ([\d]{5}) | Extracts the first sequence of 5 digits. e.g. if the field contains 12345678 then 12345 is extracted. |
| =([\d]+) | Extracts the sequence of digits after the = character. e.g. if the field contains 12345678=56789 then 56789 is extracted. |
| ([\d]+)::abc | Extracts the sequence of digits preceding the text ::abc. This is a common notation when storing identities in a multi-valued field in LDAP. The ::abc notation is used to indicate the different identity types. In this example, if the field contains 1234::xyz 5678:qrs 9876::abc then 9876 is extracted. |
Regular expressions are an advanced topic. For more information on regular expressions and a test tool, see http://www.fileformat.info/tool/regex.htm. If you need assistance, please contact support.
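An added example, not PaperCut's own import code, that runs the expressions from the table above over constructed attribute values, reproduces the TAB-joining of multi-valued fields described in the note, and applies the uniqueness rule from the card/ID number section: a number shared by two users is reported as a warning and neither user is updated. The usernames, attribute values and the `sync_card_numbers` simulation are all assumptions of the example.

```python
import re

# Added example (not PaperCut code): regex extraction of card/ID numbers
# from LDAP/AD attribute values, plus the non-unique-number check.

# Constructed per-user attribute values. Multi-valued attributes are lists.
SAMPLE_USERS = {
    "jsmith": ["12345678,005678"],
    "bjones": ["1234::xyz", "5678::qrs", "9876::abc"],
    "ckhan": ["87654321=56789"],
    "dlee": ["12345678,005678"],   # same card number as jsmith
    "efox": [],                    # attribute not set
}


def field_text(values):
    """Multi-valued attributes arrive as one string, values separated by TABs."""
    return "\t".join(values)


def extract_card_number(values, regex=None):
    """Return the card number taken from the attribute value(s), or None if
    the attribute is empty or the regex does not match. With no regex the
    whole (TAB-joined) field is the card number."""
    text = field_text(values)
    if not text:
        return None
    if regex is None:
        return text
    pattern = re.compile(regex)
    if pattern.groups < 1:
        raise ValueError("the regular expression must contain a capture group")
    match = pattern.search(text)
    return match.group(1) if match else None


def sync_card_numbers(users, regex=None):
    """Simulate the card-number part of a sync. Returns (updates, warnings):
    users whose extracted number is unique get an update; a number shared by
    two or more users is reported and none of those users is updated."""
    owners = {}
    for username, values in users.items():
        card = extract_card_number(values, regex)
        if card is not None:
            owners.setdefault(card, []).append(username)
    updates, warnings = {}, []
    for card, names in owners.items():
        if len(names) == 1:
            updates[names[0]] = card
        else:
            warnings.append(f"card number {card} is not unique "
                            f"({', '.join(sorted(names))}); these users were not updated")
    return updates, warnings


if __name__ == "__main__":
    updates, warnings = sync_card_numbers(SAMPLE_USERS, r"([\d]+)")
    print(updates)
    for warning in warnings:
        print("WARNING:", warning)
```

Note that the first expression in the table, ([\d]+), is exactly what produces the collision in the sample: it takes the leading digits of "12345678,005678" for both jsmith and dlee, so neither is updated until the directory data is corrected.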
On demand user creation
The On Demand User Creation setting defines if and when PaperCut MF creates new users. The settings applied to newly created users are defined by their group membership (for more information see Setting new user creation rules). By default, new users are created automatically when they print for the first time, authenticate via the User Client, or log in to the user web tools. This makes administration much easier, as there is no need for additional administration when new users come along; they can use PaperCut straight away.
In some situations it might be preferable to change the way new users are treated. For example, when just one department is being tracked, but there are other departments using the same printers, you might want to allow the other departments' users to print, but not to track them using PaperCut MF.
There are three options available for the setting When the user does not exist:
- create the user on demand (default) - users are created when they interact with PaperCut MF for the first time, e.g. when they print for the first time.
- do not create the user and allow usage - users interacting with PaperCut MF who do not already exist are not created, but their usage is allowed. The usage is not logged.
- do not create the user and deny usage - users interacting with PaperCut MF who do not already exist are not created, and their usage is denied. The usage is not logged.
To change the behavior, select the desired option; then click Apply.
Using Active Directory for user synchronization
PaperCut MF's Active Directory integration is performed at a native level and supports advanced features such as nested groups and OUs. Some additional options provided with the Active Directory interface include:
- Import disabled users - If set, all users, including disabled accounts, are imported from the domain. In an education environment it is recommended to leave this option on, as student accounts are often disabled for disciplinary reasons and removing the account from PaperCut MF is not appropriate.
- Enable multi-domain support - This is an advanced option and is appropriate for larger sites running multiple trusted domains. For example, in an education environment it is common to have separate domains for students and staff/teachers with a one-way trust relationship. This option can bring in groups, OUs and users from both domains.
  The list of domains is semicolon separated (;). This list should contain the names of the domains in DNS dot notation, and should include the name of the current domain if importing from this domain is desired.
  Trust domain relationships are a complex area. Click Test to verify that the settings result in the desired behavior. The total number of user accounts is a good measure.
- Import other email addresses - import a user's other (secondary) email addresses from a custom field. The field is configured using user-source.ad.other-emails-field.
- Specify a custom attribute for the primary email address - use a custom attribute for the primary email address instead of the mail attribute. The field is configured using user-source.ad.email-address-field.
Using LDAP for user synchronization
LDAP (Lightweight Directory Access Protocol) directories usually store information about the users and groups in an organization. One of the most common uses of LDAP is to provide single sign-on on a network that comprises multiple platforms and applications. When a network consists of only Windows computers, you can use an Active Directory domain. But when there is a mix of Windows, Apple and Linux machines, LDAP can provide the single source of user, group and authentication information. (It is worth noting that both Active Directory and Novell eDirectory implement the LDAP protocol.)
PaperCut MF can use an LDAP directory for user authentication and as a source of user and group information. LDAP can either be enabled at installation time, or by changing the user source option in Options > User/Group sync. When enabling LDAP, a number of configuration settings must be specified to allow the application to connect to the LDAP server. Ask your LDAP administrator what values to use for the various options:
- LDAP Server Type - Determines which LDAP fields are used to get user and group information.
- LDAP Host address - The hostname or IP address of the LDAP server.
- Use SSL - Indicates if an encrypted SSL connection is used to connect to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.
- Base DN - This is the Base DN of the LDAP server. This is the equivalent of the "suffix" config setting of the OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com" then the Base DN might be DC=domain,DC=com. The format of the Base DN can differ significantly depending on configuration. Some older Novell eDirectory installations require a blank Base DN to operate. Some examples:
  - DC=myschool,DC=edu,DC=au
  - DC=myorganization,DC=com
  - OU=OrgUnit,DC=domain,DC=com
  - DC=local
- Admin DN - The DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that has only read-only access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com" would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:
  - Windows Active Directory: CN=Administrator,CN=Users,DC=domain,DC=com
  - Windows Active Directory (in organizational unit): CN=administrator,OU=OrgUnit,DC=domain,DC=com
  - Mac Open Directory: uid=diradmin,CN=users,DC=domain,DC=com
  - Unix Open LDAP: uid=root,DC=domain,DC=com, or uid=ldapadmin,DC=domain,DC=com
  - Novell eDirectory: CN=root,DC=domain,DC=com, or CN=ldapadmin,OU=users,DC=domain,DC=com
  The Admin DN and password are optional if your LDAP server allows anonymous binds for querying.
- Admin password - The password for the above user.
Some LDAP servers are configured to allow 'anonymous' LDAP query access. In these situations, you can leave Admin DN and Admin password blank.
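A pre-flight check of the settings listed above, added here as an example and not part of PaperCut: it parses the Base DN and Admin DN (including a blank Base DN, as some eDirectory servers need), maps Use SSL to port 636 or 389, checks that Admin DN and Admin password are supplied together unless the server allows anonymous queries, and flags a clear-text connection. The DN parser handles single-valued RDNs with backslash escapes only (a subset of RFC 4514), and the "DC= components should match" comparison is a heuristic of this example rather than a PaperCut rule; hostnames and DNs are constructed.

```python
# Added example (not PaperCut code): sanity-check LDAP sync settings before
# clicking Test Settings. DN parsing is a subset of RFC 4514.

LDAP_PORT = 389
LDAPS_PORT = 636


def parse_dn(dn):
    """Split a DN such as CN=Administrator,CN=Users,DC=domain,DC=com into
    [(attribute, value), ...]. Attribute names are lower-cased; a backslash
    escapes the next character, so CN=Smith\\, Jane is one RDN. An empty DN
    (accepted as Base DN by some older eDirectory servers) parses to []."""
    if not dn.strip():
        return []
    rdns, token, attr, escaped = [], [], None, False
    for ch in dn:
        if escaped:
            token.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and attr is None:
            attr = "".join(token).strip().lower()
            token = []
        elif ch == ",":
            if attr is None:
                raise ValueError(f"RDN {''.join(token)!r} has no '='")
            rdns.append((attr, "".join(token).strip()))
            token, attr = [], None
        else:
            token.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling backslash")
    if attr is None:
        raise ValueError(f"RDN {''.join(token)!r} has no '='")
    rdns.append((attr, "".join(token).strip()))
    return rdns


def domain_components(rdns):
    """The DC= values of a parsed DN, lower-cased, e.g. ['domain', 'com']."""
    return [value.lower() for attr, value in rdns if attr == "dc"]


def check_ldap_settings(host, use_ssl, base_dn, admin_dn, admin_password,
                        anonymous_bind_allowed=False):
    """Return (port, problems). `problems` is empty when the settings are
    internally consistent; each entry is a message for the administrator."""
    problems = []
    port = LDAPS_PORT if use_ssl else LDAP_PORT
    if not host.strip():
        problems.append("LDAP Host address is empty")
    if not use_ssl:
        problems.append(f"SSL is off: the bind password and directory data "
                        f"cross the network in clear text on port {port}")
    base = admin = None
    try:
        base = parse_dn(base_dn)
    except ValueError as err:
        problems.append(f"Base DN: {err}")
    try:
        admin = parse_dn(admin_dn)
    except ValueError as err:
        problems.append(f"Admin DN: {err}")
    if admin == [] and not admin_password:
        if not anonymous_bind_allowed:
            problems.append("Admin DN and password are blank but the server "
                            "does not allow anonymous queries")
    elif admin is not None and (admin == []) != (not admin_password):
        problems.append("Admin DN and Admin password must be supplied together")
    if base and admin:  # both parsed and both non-empty
        # Heuristic of this example: the bind user normally belongs to the
        # same directory tree as the search base.
        if domain_components(base) != domain_components(admin):
            problems.append("Admin DN and Base DN name different DC= components; check both")
    return port, problems


if __name__ == "__main__":
    # Constructed settings for a hypothetical server.
    port, problems = check_ldap_settings("ldap.example.edu", True, "DC=domain,DC=com",
                                         "CN=Administrator,CN=Users,DC=domain,DC=com", "secret")
    print("port", port, "problems", problems or "none")
```

Running the check before Test Settings separates typing mistakes in a DN from genuine connectivity or permission failures, which is where most of the time otherwise goes.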
PaperCut MF supports the following server types:
- Novell eDirectory
- Microsoft Active Directory
- Unix / Open Directory
However, it is easy to support other server types by adjusting the LDAP fields PaperCut MF searches. For more information, see Advanced LDAP configuration.
Advanced features such as nested groups and OUs are supported by the Windows Active Directory sync option. See Using Active Directory for user synchronization.