
Canon imageRUNNER ADVANCE C5051 Series Service Manual page 184

2 Technology > MEAP > Login Service > Access Mode in Sites
● System Manager Linkage (automatic ID allocation to System Managers)
Conventionally, SSO provided an automated function on Security Agent (hereinafter "SA") that authenticated System Managers by allocating the IDs set on SA to domain authentication managers (users belonging to the Canon Peripheral Admins group). However, SSO-H does not support this function.
■ Access Mode in Sites
With SSO-H, access to Active Directory within a site can be prioritized or restricted through a setting called 'Access Mode in Sites'. Sites configured in Active Directory comprise multiple subnets. In this mode, SSO-H uses site information to access Active Directory in the same site as the device, or in the same subnet.
• The SSO-H default setting is with the site internal access mode OFF.
• Access Active Directory within same site only.
  • If there is no Active Directory within the same site, or if connection fails, there will be an authentication error.
• Access another site if Active Directory within the same site cannot be located.
  • If there is no Active Directory within the same site, or if connection fails, an Active Directory external to the site will be accessed.
  • If all attempts to access Active Directory fail, there will be an authentication error.
The operating specifications of the site internal access mode are as described below.
When first logging in to the login service after booting the iR, the domain controller (DC) is obtained from the site list.
However, upon the first login, even if the site functionality is active, connection to a DC is random. (This is because, if connection to the DC should fail, the site to which the device belongs cannot be ascertained.)
If the device IP address or the domain name is changed, the site settings are acquired once more.
In this mode, at the first login (first authentication of the domain to which the device belongs), LDAP-Bind is performed directly to the DC and site information is acquired by LDAP from the DC.
From the acquired site list, the site to which the device subnet belongs is extracted, and this becomes the site to which the device belongs. The Active Directory address is acquired (retrieved from DNS).
Note:
• The Active Directory subnet is assumed to be the same subnet as the device subnet.
• In the Active Directory addresses, the Active Directories of the same site are listed.
• Active Directories of the same subnet as the device are listed first.
• If there is no Active Directory with the same subnet as the device, Active Directories belonging to different subnets than the device are listed.
• The Active Directories within the same site are accessed in order. Note, however, that where there are multiple Active Directories within the same site, access to those Active Directories will be in the order in which the address list was obtained.
• If there is no Active Directory within the same site and access outside of the site is configured, Active Directories outside of the site will be accessed in the order in which the address list was obtained.
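A model of the candidate ordering described in the operating specifications and Note above, added here as an illustration and not Canon's implementation; it helps work out which domain controllers a device may contact when planning LDAP reachability between sites. The function names, sites and addresses are constructed, and it assumes same-subnet DCs are tried before other same-site DCs.

```python
import ipaddress

def site_of(addr, site_subnets):
    """Return the name of the site whose subnet contains addr, else None."""
    ip = ipaddress.ip_address(addr)
    for site, subnets in site_subnets.items():
        if any(ip in ipaddress.ip_network(net) for net in subnets):
            return site
    return None

def dc_candidates(device_if, site_subnets, dns_dcs, allow_other_sites):
    """Ordered DC addresses the device would try; [] means authentication error.

    device_if: device address with prefix, e.g. "10.1.2.50/24" (hypothetical)
    site_subnets: site name -> list of subnets, as read from the site list
    dns_dcs: DC addresses in the order DNS returned them
    allow_other_sites: True models "access another site if Active Directory
        within the same site cannot be located"; False models "same site only"
    """
    iface = ipaddress.ip_interface(device_if)
    home = site_of(str(iface.ip), site_subnets)
    same_subnet, same_site, other = [], [], []
    for dc in dns_dcs:  # appending keeps the DNS order inside each group
        if ipaddress.ip_address(dc) in iface.network:
            same_subnet.append(dc)
        elif home is not None and site_of(dc, site_subnets) == home:
            same_site.append(dc)
        else:
            other.append(dc)
    order = same_subnet + same_site
    # DCs outside the site are only reachable candidates in the fallback mode
    return order + other if allow_other_sites else order

# Constructed sample data (not from the manual)
SITES = {"Tokyo": ["10.1.1.0/24", "10.1.2.0/24"], "Osaka": ["10.2.1.0/24"]}
DNS_ORDER = ["10.2.1.10", "10.1.1.10", "10.1.2.10", "10.1.1.11"]

if __name__ == "__main__":
    for fallback in (False, True):
        print(fallback, dc_candidates("10.1.2.50/24", SITES, DNS_ORDER, fallback))
```

Every address in the returned list is a DC the device may need to reach over LDAP, so the fallback mode widens the set of cross-site paths that must be permitted.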
● Site list acquisition
After booting up, upon the first login by LLS or ILS/RLS, the site list is obtained from the Active Directory. In order to obtain the site list from the Active Directory, Active Directory needs to be accessed in LDAP, so SASL-Kerberos-Bind is performed with the login user account. If authentication by Active Directory should fail, an authentication error will be generated and the site list will be acquired again from Active Directory upon the next login.
In SSO-H, the Active Directory to be accessed when acquiring the site list cannot be specified. In other words, if there is no site list, which site's Active Directory is accessed depends upon the order of the Active Directory addresses returned by DNS. Therefore, when acquiring the site list, LDAP may access the Active Directory of a different site. In such cases, it is sometimes necessary to access across sites or subnets, which means that the LDAP protocol needs to have continuity across sites (subnets) (normally, LDAP uses port No. 389). Further, if connection with Active Directory fails when acquiring site information, another Active Directory will be accessed.
Site information, once it has been acquired, is cached within the device. The cache lifetime can be set so that site information in the cache is updated upon the first login after the device boots up, or so that the cache is not updated once acquired.
2-148