Friday, July 6, 2012

Syncthru LDAP to 2008 active directory

I recently had the opportunity to work with one of the newer large multifunction Samsung copiers.  The Syncthru web interface is fairly feature rich, but the documentation really could use more examples in some places.  My bane for 2 hours was figuring out how to populate the address book inside it by doing an LDAP pull from Active Directory.
The initial setup of the LDAP connector went through pretty quickly.  I went to Security -> Network Security and then down to LDAP Server in the left menu, clicked Add, and entered the IP address of one of my domain controllers.  I started with port 3268 (the Global Catalog port, unencrypted) because you want to keep it simple initially; introducing LDAPS at this point would just add one more thing to troubleshoot.  Fill in your AD domain name in DC=yourdomain,DC=com format.  Choose Simple and enter your username in DOMAINNAME\username format (AD accepts the NetBIOS form for a simple bind).  Note that this is the first oddity: we're mixing NetBIOS domain\username format and LDAP DN convention on the same form.  Use a dedicated, low-privilege account here: the copier stores its password, and until LDAPS is enabled a simple bind sends that password across the network in cleartext every time the copier connects.


On the second half of that window, don't check the LDAPS box yet!!!  Come back and enable it (port 636, or 3269 for the Global Catalog) once the plain test passes; LDAPS also needs a server certificate on the domain controller that the copier will trust, which is another thing to troubleshoot separately.


Click the TEST button at the very bottom and make sure every check comes back OK/Success.

Once that works, then click the Apply button at the top to save these settings.
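Before typing any of this into the copier, it is worth proving that the exact combination (simple bind, DOMAIN\username, port 3268, your DC= base) works from a Windows workstation, and checking whether the same bind also succeeds over LDAPS so you know the checkbox will work when you come back to it. The following PowerShell is an added example, not part of the original post or of Samsung's documentation; it uses System.DirectoryServices.Protocols, and the DC name, account and domain are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Placeholders: $Server, $BaseDn, $LoginId.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'dc1.yourdomain.com'            # one of your domain controllers
$BaseDn  = 'DC=yourdomain,DC=com'          # your AD domain in DC= form, as on the Syncthru form
$LoginId = 'YOURDOMAIN\svc-copier'         # DOMAIN\username, exactly as typed into Syncthru
$NetCred = (Get-Credential $LoginId).GetNetworkCredential()

function Test-CopierBind {
    param(
        [string]$Server,
        [int]$Port,
        [switch]$Ldaps,
        [string]$BaseDn,
        [System.Net.NetworkCredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    # "Simple" in Syncthru is an LDAP simple bind: the password travels in cleartext unless $Ldaps is set.
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Ldaps) { $conn.SessionOptions.SecureSocketLayer = $true }
    $conn.Credential = $Credential
    try {
        $conn.Bind()
        # Read the domain object itself (base scope, exactly one entry) to prove the bound
        # account can search, not merely authenticate.
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest
        $req.DistinguishedName = $BaseDn
        $req.Filter = '(objectClass=*)'
        $req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Base
        [void]$req.Attributes.Add('distinguishedName')
        $resp = $conn.SendRequest($req)
        '{0}:{1} ldaps={2}  OK, read {3}' -f $Server, $Port, [bool]$Ldaps, $resp.Entries[0].DistinguishedName
    } catch {
        '{0}:{1} ldaps={2}  FAILED: {3}' -f $Server, $Port, [bool]$Ldaps, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

# 1. What the post configures first: Global Catalog, no encryption (port 3268).
Test-CopierBind -Server $Server -Port 3268 -BaseDn $BaseDn -Credential $NetCred

# 2. The same bind over LDAPS on the Global Catalog SSL port (3269) and the standard LDAPS port (636).
#    If these fail while 3268 works, the DC has no server certificate, or one this client does not
#    trust, and the copier's LDAPS checkbox will fail the same way until that is fixed.
Test-CopierBind -Server $Server -Port 3269 -Ldaps -BaseDn $BaseDn -Credential $NetCred
Test-CopierBind -Server $Server -Port 636  -Ldaps -BaseDn $BaseDn -Credential $NetCred
```

Run it as any domain user; it prompts once for the copier account's password. A plain-text success on 3268 paired with an LDAPS failure tells you the problem is the DC's certificate rather than the credentials or the base DN, which is the distinction the copier's single TEST button cannot make.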

So now we're halfway done and ready for the twists.  Go to the Address Book and click the LDAP button at the top right.


Now for the GOTCHAS!   
a)  I couldn't get it to search recursively: only objects directly under the search root came back, not those in child OUs.
b)  It only worked when the account I used to authenticate against AD was in the same OU that I was searching.  (My AD does not allow anonymous searching, so I have to authenticate.)
c)  The Login ID is in CN=firstname lastname format, i.e. the account's CN as it appears in AD.  This is different from the domainname\username on the other LDAP screen.  Taken together with (b), the device apparently builds its bind DN by appending the search root to the Login ID, which is why the account has to live in the OU you are searching.
d)  The search root is the full DN of the exact OU that you want to pull from (note the OU=test,OU=US prepended to the domain part).


To keep it simple, I used (mail=*) for my search filter, which matches every object that has an e-mail address.  Click the Search button when done, and if you are successful a list of people will show up.  Click Apply to pull them all into the address book (you can always delete the ones you don't want later from inside the copier).  If you botched it, you'll get "Incorrect Filter" errors.

Repeat for your other OUs, remembering to use an account inside each one for the Login ID.  If you make it past the inconsistencies of the interface and the limitations of its LDAP client, you're home free.  Once you're done you'll have a fully functional Scan to Email function that works great.
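To see what the import will return before fighting the form, here is an added PowerShell example (not from the original post) that runs the same query against AD from a workstation with the RSAT ActiveDirectory module. It derives the Login ID from the service account's DN and checks that the account sits inside the search root, on the assumption (inferred from gotchas b and c, not documented by Samsung) that the copier joins Login ID and Search Root into its bind DN, and it compares a one-level pull with a subtree pull so you can see which entries a non-recursive import misses. The DC name, OU path, account name and filter are placeholders; the filter is given in RFC form with parentheses, which is what Get-ADObject expects.

```powershell
# Added example, not part of the original post. Placeholders: $Server, $SearchRoot, $Account.
Import-Module ActiveDirectory

$Server     = 'dc1.yourdomain.com'
$SearchRoot = 'OU=test,OU=US,DC=yourdomain,DC=com'   # Search Root field: the exact OU to pull from
$Filter     = '(mail=*)'                             # Search Filter field
$Account    = 'svc-copier'                           # sAMAccountName of the account the copier binds with
$Cred       = Get-Credential "YOURDOMAIN\$Account"

# The Login ID field wants the account's DN relative to the search root ("CN=firstname lastname"
# for an account directly in the OU). Assumption: the copier joins Login ID and Search Root into
# the bind DN, which is why the account must live under the OU being searched.
function Get-CopierLoginId {
    param([string]$AccountDn, [string]$SearchRoot)
    $suffix = ',' + $SearchRoot
    if (-not $AccountDn.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "$AccountDn is not under $SearchRoot; use an account inside the OU you are importing from"
    }
    $AccountDn.Substring(0, $AccountDn.Length - $suffix.Length)
}

$acct    = Get-ADUser -Identity $Account -Server $Server -Credential $Cred
$loginId = Get-CopierLoginId -AccountDn $acct.DistinguishedName -SearchRoot $SearchRoot
"Login ID to type into Syncthru: $loginId"

# Run the import query as the copier's own account, so a permissions problem shows up here
# rather than on the copier. (mail=*) matches every object with a mail attribute, so contacts
# and mail-enabled groups come back too, not only user accounts.
$common = @{ LDAPFilter = $Filter; SearchBase = $SearchRoot; Server = $Server
             Credential = $Cred; Properties = 'mail' }
$oneLevel = @(Get-ADObject @common -SearchScope OneLevel)   # objects directly in the OU
$subtree  = @(Get-ADObject @common -SearchScope Subtree)    # objects in child OUs as well

'{0} entries directly in the OU, {1} including child OUs' -f $oneLevel.Count, $subtree.Count
$oneLevel | Select-Object Name, ObjectClass, mail | Format-Table -AutoSize

# The post could not get a recursive search, so these are the entries a pull rooted at
# $SearchRoot will miss; repeat the import with each child OU as the Search Root to get them.
Compare-Object -ReferenceObject $subtree -DifferenceObject $oneLevel -Property DistinguishedName |
    Select-Object -ExpandProperty DistinguishedName
```

If Get-CopierLoginId throws, move the service account (or create one) inside the OU you are importing from, which is the condition gotcha (b) describes; if the one-level and subtree counts differ, plan on one import per child OU.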

8 comments:

Vadim Ivanov said...

Mate! you rock! it works!
I spent 2 fucking hours trying various combinations. I saw "LDAP Filter Input is incorrect" a hundred times. I would put a board "LDAP Filter Input is incorrect" above the gates to hell for Samsung software engineers! They must suffer!

Anonymous said...

Thanks for your Post. :)
But I made it with these Settings:

DC=domain, DC=local
CN=Administrator, CN=Users
Filter: (mail=*)

Crazy Web Interface... :/

Not For Ourselves, But For Others said...

Thank you! Thank you! Thank you! Samsung's documentation is the worst I've ever seen. I've just about had an aneurysm trying to get this to work. Doing great now.

Anonymous said...

Agreed - documentation is not the best, but the devices are working well. In our environment the commas around the filter field must be eliminated, i.e. mail=* instead of (mail=*) as in the above thread; otherwise it triggers "LDAP input filter is incorrect".

David Grenon said...

YOU FUCKING ROCK. Thanks! SHORT, CLEAR, and it does exactly what we want. What a silly interface for an MFP like that, but you helped me out with this!! THANKS AGAIN!!!

Anonymous said...

Thanks for your post, it helped me a lot!
Is it possible to get other information than the name and mail address? e.g. the fax number?

giz said...

This works (using administrator) however we're getting a 'LIMIT EXCEEDED' message - after about 24 addresses. Anyone else seeing this? Any tips?

Oz said...

Hi guys,

Your configuration works fine but I have a question.

Before I had seen this post, I had configured the LDAP using SAMACCOUNTNAME in the field "Match User's Login ID to the following LDAP attribute:" and the LDAP Test worked fine.

Why didn't using the SAM Account Name work in Import Address From LDAP?