Thank you for your feedback

How to Configure the MFP for LDAP Authentication and Authorization

Document ID:HO3650

Usergroup :External


Table of Contents


Before you begin

LDAP Authentication and Authorization Setup

Related Articles and Help Documentation

NOTE: The following LDAP configuration information is provided for guidance purposes only.


Before you begin


You will first need to successfully configure the Address Book and successfully query the LDAP server. Click here for instructions.

EWS(web page) Address Book Setup locations, to include:

  • - Settings(Configuration) > Network/Ports > Address Book Setup, or
  • - Settings > Security > Security Setup > LDAP > Address Book Setup, or
  • - Configuration > Manage Function Access > LDAP Setup (Older Generation MFPs)



 Summary of Required Authentication and Authorization Settings



Examples Setting Function

UserID attribute*


  • sAMAccountName used for most Active Directory (AD) environments.
  • cn, uid, or other value may be used in other LDAP environments.
NOTE: Do not assume "sAMAccountName" is accurate in all cases. Improper selection may result in a message similar to this one:   "LDAP ADDRESS BOOK SETTINGS ERROR: No results were found in the specified Object Classes with the specified Search Attributes".
Tells the MFP what attribute to search for when authenticating users’ credentials


Full name attribute


  • cn or common name is used in almost every AD environment and contains the full name.
  • Other possible values in other LDAP environments.



The cn(full name) comprises the given name and surname as one would see with an LDAP browser.   

Tells the MFP which attribute holds the users full name 


These values can also be found using Softerra™, ADSI edit, or under Active Directory's "Users and Computers"

Group Search Base




This setting is not required if group-based Authorization is not necessary.

Similar to the Search Base, Group Search Base tells the MFP where in the directory “tree” to start searching for a particular group.





  • User-defined value
  • Name for a group
  • This group to be associated with the group identifier
Required when the environment requires access restrictions to functions and features.

Group Identifier



Important! DN format with no spaces.

Tells the MFP what container(CN) or organization unit (OU) it needs to search to validate if an authenticated user is a member of an authorized group.

* Lexmark is not responsible for identifying any of configuration settings referenced in this article. See your LDAP administrator to obtain these values.




Back to top

LDAP Authentication and Authorization Setup


Step 1:
Building Block Creation and Validation


Steps Action

Open the MFP web browser.

 2. Click on Settings > Security > Security Setup > LDAP.
 3. Building Block Creation

Click on Add an LDAP Setup.

 4. Enter any name next to the Setup Name.
 5. Enter DNS server address. See address book setting.

Enter Server Port. See address book setting.

NOTE: 3268 recommended in global catalog server (GCS) AD environments.

 7. Enter Userid Attribute, e.g., "sAMAaccountName" will be used in most Active Directory environments.
 8. Enter Mail Attribute. See address book setting, but "mail" is used in most Active Directory environments.

Enter Full Name Attribute. The "cn" is used in most Active Directory environments.

NOTE: "Common Name = Given Name + Surname in a AD environment"


Enter Search Base. Repeat this Address Book Setting.

HINT: Often this setting is the same as that which is found via My Computer > Properties > Computer Name.

Semi-colons(;) can be used to enter multiple search bases.


Under Device Credentials, you must again provide the full distinguished user name and password.


You may click Submit if not limiting LDAP access to specific groups.

Click here for a sample illustration.


If finished, Click on Test LDAP Authentication Setup

Click here for failure screen shot. 

Click here for success screen shot. 

Under LDAP Group Names

NOTE: If successfully configured, the MFP will be able use LDAP to perform simple authentication associated with this building block along with user and group-based authorization.

 14. Enter the Group Search Base. Similar to the Search Base, but point to the container.

Enter Short Name. Any name to identify this user or group of users that may be tied to a specific access control. 

 16. Enter Group Identifier.
 17. Again, to test the building block, click the Submit button, The page will refresh and return to the Manage LDAP Setups page.
Click on the Test LDAP Authentication Setup button next to the corresponding Setup Name.

NOTE: Additional Short Names for groups and Group Identifiers can be put in the fields to allow access for
advanced environments.

Click here for a sample illustration.



Step 2: Security template configuration or appending a building block to a security template


  1. Follow this path Settings > Security > Edit Security Setups > Security Templates > Add a Security Template
  2. Name the Security Template (i.e., it can be anything).
  3. From the drop-down menu, select the Authentication Setup you want use with the Security Template.
  4. From the drop-down menu select the Authorization Setup you want use with the Security Template.
  5. Click the Modify Groups buttons.
  6. Highlight the Group names that you want to use with this template

NOTE: Use the Ctrl button on the keyboard to highlight multiple groups.

  1. Click the Save Template button.


Click here for sample illustration.


Step 3: Assign LDAP security template to access controls


  1. Follow this path: Settings > Security > Security Setup > Access Controls 
  2. Locate the Access Control(s) for which you would like to assign a Security Template.
  3. From the drop-down menu, select the applicable Security Template.
  4. Click Submit.


Click here for a sample illustration.





Back to top

LDAP Authentication and Authorization Overview



What is LDAP authentication?

This form of authentication verifies user credentials (Username and Password) against the LDAP server's directory structure. Other authentication types such as internal authentication, Kerberos, CAC, or biometrics do not allow for simultaneous e-mail look-ups.

Are there more secure forms of authentication?

LDAP + GSSAPI, SLDAP with SSL or IPsec are all more secure than LDAP authentication alone.


  • - Works well to limit or secure MFP functions such as “Scan-to” functions.
  • - Prevent unknown user access.
  • - Enables administrators to track the e-mail use per authenticated user versus the default behavior which allows anyone to walk up to the MFP and send an e-mail.
  • - Default behavior or functionality allows e-mail can be traced back to the MFP but not to the user.
  • - Other data and auditing tracking is possible. 


What is authorization?

Authorization determines the rights and abilities of a logged-in user.

What is it used for?

Authorization supplements the authentication process by determining whether or not a user and/or a group has access to a particular function and/or feature on a MFP. It is sometimes referred to as “Role Based” rights or restrictions.

MFP Support?

At this time, only the X46x*, X73x, X86x Series MFPs support authorization.

*An x denotes any number within a given series; for example, X466dte.

How does it work?

Specific User and/or Group names utilized for Authorization are created within and can only be used with LDAP, LDAP+GSSAPI and Internal Account authentication mechanism building blocks.

Lexmark's card-based solutions also utilize and take advantage of this authorization functionality. 





Related Articles & Help Documentation

Click here for LDAP Setup and Authentication on  X4500 & X7500 scanner-based MFPs.

NOTE: This guide also includes some basic troubleshooting tips.


 Back to top

Still Need Help?


If you need additional assistance, please contact Lexmark Technical Support. NOTE: You will need to provide your MFP's model/machine type and serial number (SN) when calling for support.

Please have access to the LDAP directory server and printer's embedded web server in case the technician on the phone requests that you performing a task involving one of these locations.


Please enter the email address you would like to send a copy of this page to.