
HP LaserJet Pro MFP M521 and Color MFP M570 - LDAP Feature Description

LDAP implementation for HP LaserJet Pro products

The LDAP feature implemented in the HP LaserJet Pro products uses LDAPv3 and provides the following:
  1. Authenticates a user’s network credentials for walk-up Access Control.
  2. Gives visibility to network contacts - email lookup from network address book.

Authentication for walk-up features

The LDAP (Lightweight Directory Access Protocol) feature adds an additional level of access control and is specifically targeted at controlling who can use the front panel to copy, scan, fax, etc. It does not overlap with the embedded firewall and admin password controls already in place. With the LDAP feature enabled, the walk-up user is presented with a Sign In screen where they can enter their normal network username/password or an Access Code. The technology embedded in the device interacts with standard network infrastructure to confirm that the credentials are valid (i.e. Authentication), in much the same way as happens behind the scenes when logging onto a Windows computer. Administrators decide in advance which of the device's control panel activities result in a network Sign In prompt, which result in an Access Code Sign In prompt, and which are simply left open for public use. Currently the 8 walk-up functions/activities that can have access controls (login) are:
  1. Copy
  2. Scan to USB Drive
  3. Scan to Network Folder
  4. Scan to E-mail
  5. Print from USB Drive
  6. Fax
  7. Apps
  8. Scan to HP Flow CM (feature does not exist on all products)

Visibility to network contacts or email lookup

Lightweight Directory Access Protocol (LDAP) is used to gain access to a database of information. When the MFP uses LDAP for Scan to E-mail, it searches a global list of E-mail addresses. While the user types an E-mail address, the LaserJet Pro LDAP implementation uses a search mechanism that supplies a list of E-mail addresses matching the characters typed so far. As additional characters are typed and a new search is performed, the list of matching E-mail addresses becomes smaller. The LaserJet Pro LDAP feature does not include the E-mail "auto-complete" functionality that is seen in some of the LaserJet Enterprise products.
The HP LaserJet Pro MFPs that support the LDAP features do not require a connection to an LDAP server in order to send to E-mail. A standard "outgoing E-mail profile" is set up and used in this case.

Supported Infrastructures

The LaserJet Pro implementation uses LDAPv3 (the latest version of LDAP) and supports the following authentication methods.
Network Sign In Authentication
  • Windows – Kerberos with fallback to Digest-MD5
  • LDAP – Simple authentication
Network Contacts Authentication
  • Windows – Kerberos (no fallback)
  • LDAP – Simple authentication

LDAP Configuration Options

The LDAP implementation allows an administrator to configure the LDAP feature via the device's Embedded Web Server or via Web JetAdmin. There are no provisions for setting it up via the device's control panel, Telnet, PML/SNMP, etc.

Access Control for LaserJet Pro Devices

The concepts of Authentication versus Authorization are linked yet distinct. You can't have one without the other. The HP LaserJet Pro LDAP solution brings both, and together the set provides "Access Control" to the device. Authentication is the act of determining "who" is standing at the control panel while Authorization is the act of enforcing "what" that person is allowed to do. The HP LaserJet Pro LDAP feature provides both and yet is a subset of what the HP LaserJet Enterprise devices offer. The HP LaserJet Pro solution can allow up to 8 functions to be restricted from public access. Each restricted function allows a user to Sign In with either their network username/password or with the single 4 to 8 Digit Access Code assigned to the device; two forms of Sign In.
As described earlier the eight functions are:
  1. Copy
  2. Scan to USB Drive
  3. Scan to Network Folder
  4. Scan to E-mail
  5. Print from USB Drive
  6. Fax
  7. Apps
  8. Scan to HP Flow CM (feature does not exist on all products)
When the user has decided to do one of the 8 Walk Up functions they will be prompted to Sign In (depending on configuration), after which they will find the underlying feature working as it normally does. The HP LaserJet Pro LDAP Sign In solution accepts either network credentials (username/password) or alternatively the device's unique 4 to 8 Digit Access Code credential (depending on configuration).

Network User Authentication

When users authenticate they use their normal username and password just as if they were logging into their workstation or laptop. The forms of authentication that will be supported by HP LaserJet Pro devices are:
  1. LDAP Authentication (with SSL). User name and Password will be required.
  2. Windows (Kerberos with fall back of Digest-MD5) Authentication. Requires Windows Domain, User Name, and Password.
With either form of network authentication (Windows or LDAP) the user will be prompted to Sign In with their network username and password. The Windows Authentication method, however, also requires a domain (e.g. domain.name.net). The HP LaserJet Pro device can only be associated with one Windows Domain at a time; the administrator establishes it during initial device setup via either the Embedded Web Server or Web JetAdmin (WJA). This domain is combined with the Windows username and password when authenticating a Walk Up user.

4 to 8 Digit Access Code Authentication

HP LaserJet Pro devices will support a 4 to 8 Digit Access Code for local authentication. This is offered as a more convenient alternative to the more secure network authentication and might be assigned to a feature by administrators/users that want at least some access control but do not want to burden the users with a full username/password Sign In session. The device's single 4 to 8 Digit Access Code can be assigned by the administrator at the time the device is set up, and any user that knows that single 4 to 8 Digit Access Code can access any control panel feature configured as allowing Access Code Authentication.

Authorization by "Category" vs Authorization by "User"

Generally speaking the HP LaserJet Pro LDAP feature provides Category Authorization. For the most part the device only varies its behaviour based on three categories of users:
  1. The person standing at the device with network credentials (username/password), or
  2. The person with knowledge of the single device 4 to 8 Digit Access Code, or
  3. The person with no credentials at all.
The device does not differentiate its access control based on specific network User 1 versus specific network User 2; that would be User Authorization. Instead the device views both User 1 and User 2 as belonging to the single category of users that have network credentials. If the device administrator has set the device up to require network credentials for Copy, then that feature behaves the same regardless of whether it was User 1 or User 2 that signed in. HP LaserJet Enterprise devices allow User Authorization, which differentiates features based on user and allows administrators to grant User 1 the ability to do color copies while User 2 is restricted to black & white copies, etc. An HP LaserJet Enterprise device recognizes that both User 1 and User 2 have network credentials (category) but also, within that general category, enforces some differences between User 1 and User 2 (as individuals). An HP LaserJet Pro device, on the other hand, does not offer this level of differentiation.
Again, the differentiation HP LaserJet Pro devices will provide is between the three general categories of users:
  • Category 1 - The User has network credentials.
  • Category 2 - The User has knowledge of the device's single 4 to 8 Digit Access Code.
  • Category 3 - The User has no credentials.
The administrator of the HP LaserJet Pro device can define (as just one example) that anyone in the first category can do both Scan-to-Email and Scan-to-Network Folder while anyone in the second category can do Fax operations and anyone in the third category can do the features that remain and are left open (no Sign In). But again there is no differentiation between first-category-User 1 and first-category-User 2. And no differentiation between the various users that all know the device's single 4 to 8 Digit Access Code, yet there is differentiation between those two categories.

Sign In Operation

If a user presses one of the 8 Walk Up user icons that have been configured with restrictions, a pop-up Sign In screen will be presented. There are two forms of Sign In screen that can be presented, depending on whether the administrator specified 4 to 8 Digit Access Code authentication or Network authentication within the Access Control Table. After Sign In the device continues to use static control panel icons and menu options; no icons will be 'X'd out, greyed out, or deleted to reflect the permissions of the user currently signed in. If Larry signs in with the device 4 to 8 Digit Access Code and completes a Copy, and then decides to "Scan-to-Email", he will find the icon there despite the fact that his credentials might not qualify him to use that feature. Once he presses the icon, however, he will be prompted for the required Sign In credentials if the Access Code credentials he already provided don't satisfy the restrictions specified by the Access Control Table settings.
The footer button switches to the network authentication Sign In screen. It is appropriate for Walk Up users who do not have the particular device's 4 to 8 Digit Access Code memorized, or who want the benefit of "From:" field completion for the email they intend to send.
Note:
If the device does not actually have network Authentication settings in place (via Embedded Web Server/Web JetAdmin) then this button is not shown. Also, this footer assumes that the Access Control Table has the "allow user to choose alternate sign-in method" option selected.

Sign Out Operation

There are only two ways the printer will Sign Out a user.
  1. The user presses the "Sign Out" button.
  2. The user walks away and is automatically signed out after 60 seconds of control panel inactivity.
The footer "Sign Out" button activates when a Walk Up user initially signs in and is only visible from the Home screen and is not present when viewing deeper levels of the menu hierarchy. To cover the situation that a user forgets to Sign Out and walks away -- an Auto-Sign Out is initiated by the device if the control panel inactivity timer expires.
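The three-category model, the Access Control Table, the "Larry" walk-through and the 60-second Auto Sign Out above can be captured in a small decision model. The following Python is an added example written for this page, not HP firmware or any HP-published code: the names (`AccessControlTable`, `required_sign_in`, `Requirement`) are invented, and it assumes that "allow user to choose alternate sign-in method" means a network-authenticated user also satisfies an Access Code restriction; the real Kerberos/LDAP exchange is represented only by a boolean verdict.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional

# The eight Walk Up functions the page lists as assignable access controls.
WALK_UP_FUNCTIONS = (
    "Copy", "Scan to USB Drive", "Scan to Network Folder", "Scan to E-mail",
    "Print from USB Drive", "Fax", "Apps", "Scan to HP Flow CM",
)
AUTO_SIGN_OUT_SECONDS = 60  # control panel inactivity timer from the page


class Credential(Enum):
    NONE = "none"                # Category 3: no credentials
    ACCESS_CODE = "access_code"  # Category 2: knows the device's single Access Code
    NETWORK = "network"          # Category 1: network username/password


class Requirement(Enum):
    OPEN = "open"                # public, no Sign In
    ACCESS_CODE = "access_code"  # 4 to 8 Digit Access Code Sign In screen
    NETWORK = "network"          # network credential Sign In screen


@dataclass
class AccessControlTable:
    requirements: Dict[str, Requirement]  # function name -> restriction
    # Assumption for this model: "allow user to choose alternate sign-in method"
    # lets a network-authenticated user satisfy an Access Code restriction.
    allow_alternate_sign_in: bool = False


@dataclass
class Session:
    credential: Credential = Credential.NONE
    last_activity: float = 0.0


def _expire_if_idle(session: Session, now: float) -> None:
    """Auto Sign Out once the inactivity timer has expired."""
    if session.credential is not Credential.NONE and \
            now - session.last_activity >= AUTO_SIGN_OUT_SECONDS:
        session.credential = Credential.NONE


def sign_in_with_access_code(session: Session, entered: str, device_code: str, now: float) -> bool:
    """Category 2 Sign In. The device's single code is 4 to 8 digits; the comparison
    is constant-time so a wrong guess does not leak how many digits matched."""
    if not (4 <= len(device_code) <= 8 and device_code.isdigit()):
        raise ValueError("device Access Code must be 4 to 8 digits")
    if not hmac.compare_digest(entered.encode(), device_code.encode()):
        return False
    session.credential = Credential.ACCESS_CODE
    session.last_activity = now
    return True


def sign_in_with_network(session: Session, authenticated: bool, now: float) -> bool:
    """Category 1 Sign In; `authenticated` stands in for the Kerberos/LDAP verdict."""
    if not authenticated:
        return False
    session.credential = Credential.NETWORK
    session.last_activity = now
    return True


def sign_out(session: Session) -> None:
    """The footer "Sign Out" button."""
    session.credential = Credential.NONE


def required_sign_in(table: AccessControlTable, session: Session,
                     function: str, now: float) -> Optional[Requirement]:
    """What the pop-up Sign In screen must ask for before `function` runs, or None
    when the current session already satisfies the Access Control Table.
    Pressing an icon counts as control panel activity."""
    _expire_if_idle(session, now)
    session.last_activity = now
    req = table.requirements.get(function, Requirement.OPEN)
    cred = session.credential
    if req is Requirement.OPEN:
        return None
    if req is Requirement.NETWORK:
        return None if cred is Credential.NETWORK else Requirement.NETWORK
    # Access Code restriction: satisfied by the code, or by a network user if allowed.
    if cred is Credential.ACCESS_CODE:
        return None
    if cred is Credential.NETWORK and table.allow_alternate_sign_in:
        return None
    return Requirement.ACCESS_CODE


def larry_scenario() -> List[Optional[Requirement]]:
    """The page's walk-through: Larry signs in with the Access Code, copies, then
    presses Scan to E-mail (restricted to network Sign In), then walks away."""
    table = AccessControlTable({"Copy": Requirement.ACCESS_CODE,
                                "Scan to E-mail": Requirement.NETWORK,
                                "Fax": Requirement.OPEN})
    session = Session()
    steps = [required_sign_in(table, session, "Copy", now=0)]             # prompt for code
    sign_in_with_access_code(session, "1234", "1234", now=1)               # constructed code
    steps.append(required_sign_in(table, session, "Copy", now=2))          # runs
    steps.append(required_sign_in(table, session, "Scan to E-mail", now=10))  # network prompt
    steps.append(required_sign_in(table, session, "Fax", now=11))          # open, runs
    steps.append(required_sign_in(table, session, "Copy", now=100))        # auto signed out
    return steps
```

Because the model never differentiates between two network users, it mirrors the Category Authorization described above; a per-user permission set would need a user identity in `Session`, which the page says the Pro devices do not keep.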

Fax Access Control

Fax is itemized as one of the 8 functions that can be assigned access restrictions (Sign In). If the admin leaves the fax function open (factory default, no access control restrictions) then all of the standard fax features are available to the user; no functional changes. If, however, the administrator has configured fax to require Sign In, then some functions are only available after successful Sign In while others remain open; here is an itemized list.
Open (never requires Sign In):
  • Fax receive when in auto answer mode, faxes will be printed or uploaded.
  • Fax reports menu, will be duplicated under the main reports menu; this is new, but a good addition.
  • Setup/Fax Setup menu includes fax setup utility, basic setup, advanced setup. The fax setup utility includes the fax test also.
  • Fax upload to a PC, if user has configured this, it will still upload received faxes without authentication.
  • Fax download, user can download a fax from a PC and it will send.
  • Fax receive when in manual mode, a separate Incoming Call screen will be shown with a [Start Fax] button. When the [Start Fax] button is pressed, then fax will be received.
Access Control Available (Sign In can be turned on):
  • Sending faxes, including delayed fax and broadcast fax
  • Fax phonebook, add entries
  • Fax Block list, add entries
  • Fax Job Status, available under Fax Menu/Send Options
  • Polling receive
  • Forward faxes, cannot change setting
  • Reprint faxes (see NOTE below).
Note:
One implication to having Reprint faxes in this set is that users that get faxes via auto answer mode (no Sign In required) will suddenly find themselves having to Sign In to get the faxes that are held because they couldn't be printed due to low toner for example.

Network Email Address Lookup

LDAP versus Outgoing Email Profile Scan to Email Sequencing

With a few exceptions there are no changes in the way the outgoing email distribution lists are populated or in the way the Scan-To-Email menu sequencing progresses under LDAP versus Outgoing Email Profiles. The exceptions are as follows.
  • If the user has signed in with network credentials the user's email address is retrieved from the LDAP database and is available for auto-populating the "from:" field.
  • If the administrator has selected the Embedded Web Server checkbox to force "To:" field to email address of the network authenticated user then it causes Scan-To-Email menu sequencing to consider the “To:” field fixed and not editable to the user.
  • In cases where the “To:” field is modifiable there is an icon presented to the far right that is a magnifying glass symbol representing the new email search provided by the LDAP feature set. When pressed the user is taken to a screen that allows entry of a fragment. It should be noted that the best-match list generated by the search is based on the first few characters the user has typed. The entry selected will be added to the “To:” list. The display then transitions back to the screen containing the magnifying glass where the user is allowed to continue building the “To:” list and establishing a “Subject:” line and ultimately pressing the Next button to proceed through the Send To Email session. The search is applied to the network address book (if available).
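The magnifying-glass search described above sends the typed fragment to the network address book and returns a best-match list that shrinks as more characters are typed. The Python below is an added example for this page, not HP code: it builds the LDAP search filter such a "Quick Search" would send (escaped per RFC 4515 so that characters like `*` or `(` in the fragment cannot change the filter's structure) and evaluates the same prefix match against a constructed in-memory address book. The attribute names `cn` and `mail`, the filter shape and the sample contacts are assumptions, not details taken from the device.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Contact:
    cn: str    # display name
    mail: str  # e-mail address


# Constructed sample directory standing in for the network address book.
ADDRESS_BOOK: Tuple[Contact, ...] = (
    Contact("John Doe", "john.doe@example.com"),
    Contact("Joan Smith", "joan.smith@example.com"),
    Contact("Jane Roe", "jane.roe@example.com"),
    Contact("Larry Larson", "larry@example.com"),
)

# RFC 4515 escaping for values inside a search filter. Mapping per character
# (rather than chained replace calls) guarantees the backslash is escaped once.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-typed fragment so it is matched literally inside a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def quick_search_filter(fragment: str) -> str:
    """Filter for a prefix match on display name or mail address (assumed shape)."""
    frag = escape_filter_value(fragment)
    return f"(|(cn={frag}*)(mail={frag}*))"


def quick_search(fragment: str, book: Tuple[Contact, ...] = ADDRESS_BOOK) -> List[Contact]:
    """Local evaluation of the same prefix match; LDAP string matching rules
    such as caseIgnoreMatch are case-insensitive, so compare casefolded."""
    frag = fragment.casefold()
    if not frag:
        return []  # an empty fragment must not dump the whole directory
    return [c for c in book
            if c.cn.casefold().startswith(frag) or c.mail.casefold().startswith(frag)]


def narrowing(fragments: List[str]) -> List[int]:
    """Result-count sequence as the user types successive fragments."""
    return [len(quick_search(f)) for f in fragments]
```

Against a live directory the string from `quick_search_filter` is what would be handed to the search request (for example `Connection.search(search_base, search_filter, attributes=["cn", "mail"])` in the ldap3 library); the local `quick_search` exists only so the narrowing behaviour can be seen offline.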

Mode to force “To:” Field to User Who is Signed In

The HP LaserJet Pro LDAP solution will allow the administrator to establish how the To: field is populated. This mode has the effect of forcing the outgoing email to have the sender's email address only. This mode assumes that the Walk Up user has signed in with network credentials. Then at Sign In the user's email address is retrieved from the LDAP database and is available for auto-populating both the "from:" and the "to:" fields of the outgoing email.

The “From:” Field Cannot Be Edited

During a Scan-To-Email operation the "from:" field is always filled in by the device. It is never user editable. It either represents the email address pre-established (by the administrator) in one of the device's Outgoing Email Profiles or it represents the email address auto-populated by an LDAP lookup of the network authenticated user email address. The Outgoing Email Profiles stored in the device are only used to establish the "from:" field when there is no network authenticated user signed in.

A Default “From:” Field Can Be Established

The administrator can establish a default from: address that will be used in cases when the system does not know the email address of the Walk Up user. For any Walk Up user that has signed in with network credentials there is a user-specific email address to use, but in other scenarios the system will either use the default from: preloaded by the administrator or, as a last resort, take the address from one of the preloaded Outgoing Email Profiles (if any exist). Note that typically when an administrator sets up a default from: it will be something like MFP_at_PostL3@whatever.com or something roughly identifying the printer that sourced the email.

More about the “From:” Field

All emails that are sent from the device will always have some value inserted into the “from:” field. The value used will always come from one of three places which are prioritized as follows:
  1. If the Walk Up user is signed in with network credentials then the system will retrieve that user’s email address from the LDAP server and populate the “from:” field.
  2. Otherwise, if the system administrator has established a “default from:” (as well as default SMTP settings) they are used instead.
  3. Otherwise, if the administrator has established any outgoing email profiles they are presented for user selection (which would provide the “from:” as well as the SMTP settings).
  4. Otherwise, as a last resort, an error is reported to the user indicating that there is no available “from:” field available to the system. There is never the opportunity for the Walk Up user to manually enter the “from:” field.
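The prioritized "from:" sources above, together with the forced "To:" mode, form a small resolution procedure. The Python below is an added example for this page and not HP code; `OutgoingEmailProfile`, `DefaultSmtpConfiguration`, `FromResolution` and the field names are invented to model what the text describes. It assumes that a network-authenticated user's job uses the Default SMTP Configuration's server settings, and that forced "To:" falls back to the typed recipient list when no network user is signed in.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SmtpSettings:
    host: str
    port: int = 587


@dataclass(frozen=True)
class OutgoingEmailProfile:
    """Set up by the Scan to Email Wizard; carries its own from: and SMTP settings."""
    name: str
    from_address: str
    smtp: SmtpSettings


@dataclass(frozen=True)
class DefaultSmtpConfiguration:
    """The separate Default SMTP Configuration screen (default from: + SMTP settings)."""
    default_from: Optional[str] = None
    smtp: Optional[SmtpSettings] = None


@dataclass(frozen=True)
class FromResolution:
    source: str                   # "ldap", "default" or "profile"
    from_address: Optional[str]   # None for "profile": the user still has to pick one
    smtp: Optional[SmtpSettings]
    choices: Tuple[OutgoingEmailProfile, ...] = ()


class NoFromAddressError(Exception):
    """Step 4: no source can supply a from: address, so the job is refused."""


def resolve_from(signed_in_email: Optional[str],
                 default: Optional[DefaultSmtpConfiguration],
                 profiles: List[OutgoingEmailProfile]) -> FromResolution:
    """Apply the page's priority order. The Walk Up user never types the from:."""
    # 1. Network-authenticated user: address retrieved from LDAP at Sign In.
    if signed_in_email:
        return FromResolution("ldap", signed_in_email, default.smtp if default else None)
    # 2. Administrator's default from:, usable only together with default SMTP settings.
    if default and default.default_from and default.smtp:
        return FromResolution("default", default.default_from, default.smtp)
    # 3. Outgoing Email Profiles are presented for user selection.
    if profiles:
        return FromResolution("profile", None, None, tuple(profiles))
    # 4. Nothing available: report an error to the user.
    raise NoFromAddressError("no from: address is available to the device")


def select_profile(resolution: FromResolution, name: str) -> FromResolution:
    """Complete step 3 once the user has chosen a profile from the offered list."""
    for p in resolution.choices:
        if p.name == name:
            return FromResolution("profile", p.from_address, p.smtp)
    raise KeyError(name)


def resolve_to(force_to_signed_in_user: bool, signed_in_email: Optional[str],
               typed_to: List[str]) -> Tuple[Tuple[str, ...], bool]:
    """Return (recipients, editable). Forced mode pins To: to the signed-in user's
    own address and makes the field non-editable in the Scan-To-Email sequence."""
    if force_to_signed_in_user and signed_in_email:
        return ((signed_in_email,), False)
    return (tuple(typed_to), True)
```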

Email Address Book

The network address book email lookup available from the control panel is not made available to the Embedded Web Server email address entry fields.

SMTP Settings

The Default SMTP Configuration screen is in addition to the set of SMTP settings stored in each of the device's Outgoing Email Profiles. The Default SMTP Configuration settings are used whenever a network authenticated user is doing a Scan-To-Email. In the case of a network authenticated user, the user's actual email address has been retrieved from the LDAP server and the scan-to-email function auto-populates the "from:" field without using one of the device's Outgoing Email Profiles (which would normally provide the "from:" field as well as SMTP settings). As mentioned, SMTP settings also exist in the Outgoing Email Profiles but are used only when the Outgoing Email Profile is used. The Scan to Email Wizard found in the Windows Program group serves only to set up the Outgoing Email Profiles.

Email Search Feature Is Independent of Authentication Feature

The LaserJet Pro network address book lookup feature is independent of the authentication feature. Either can be set up by the administrator and used without the other. They are related only in that they both tap into the LDAP network infrastructure in their own ways. Many users may choose to set up the device so that the scan-to-email feature can be used without Sign In and yet still allow the benefits of front panel email network address book access.

High Level Comparison with HP LaserJet Enterprise LDAP Solution

The HP LaserJet Pro LDAP feature is a subset of the HP LaserJet Enterprise LDAP feature. In broad strokes we can summarize the differences with these statements describing the HP LaserJet Pro solution:
  1. No list of user accounts within the device to support "user Access Code" Sign In.
  2. Introduces the concept of "device Access Code" Sign In instead of "user Access Code" Sign In.
  3. Offers fewer apps for which Sign In access controls can be assigned. (8 Walk Up functions).
  4. Access controls don't extend special permissions to the Walkup "admin".
  5. Does not support per-user, or per-group custom permission sets.
  6. No support for Badge readers, thumbprint readers, or other Sign In accessories.
  7. Windows network Sign In only supports one Domain at a time.
  8. LDAP network Sign In takes user credentials, no option to use hardcoded admin credentials instead.
  9. Constrained front panel trims back some frill. No "welcome larry" on Sign In, etc.
  10. Email lookup only supports "Quick Search" mode and no "Detailed Search" option.
  11. Email lookup is for generating close match selection list, not auto-complete as you type.
  12. Email lookup has no visibility to User's personal Outlook contacts.
  13. Send-to-email has reduced flexibility. No editable "from:", "cc:", "bcc:", msg body text, etc.
  14. No LDAP lookup of fax numbers.