LDAP Import
With LDAP import you can import user data from an Active Directory. Several LDAP imports can be created for the same directory service, e.g. to use different search bases (entry points). Create an LDAP import source as follows.

To open the web administration, enter http://<hostname>/webadmin in the web browser (where hostname corresponds to the server on which IQ4docs WebAdmin was installed).

In web administration, click on Users > User Import in the menu.

Click Create User Import and select User Import via LDAP.

During import, values are taken from the fields of the directory service. If a field is not specified, this value is not imported (the existing value in the user data record in IQ4docs is retained).

Field | Description |
---|---|
Name | Enter the display name to be used for displaying the import source in the import source list. |
Execution interval | Enter the execution interval here. When set to Never, the execution must always be started manually. |

Field | Description |
---|---|
Hostname | Specify the IP address or DNS name of your directory service server. |
Port | Specify the TCP/IP port used by your directory service. The default connection is established via port 389. For SSL encrypted transmission, use port 686. The directory service must be set up appropriately for encrypted transmission. |
User | The name of the user account whose identity is used to access the directory service. Please get this information from the administrator responsible; a dedicated user account may be created for this access. The user must have the necessary read permissions for all relevant locations (e.g., including deleted objects) in the directory service. |
Password | Password of the user with which the directory service is queried. |
Search bases | You can specify multiple search bases under which the users and groups are searched. A base is the root of later operations within the directory in the Distinguished Name. Example: OU=Organizational Unit, DC=Company, DC=en. |
User filter | By means of user filters, you can influence which user data records are read from the directory service. Set a filter that only reads the data records relevant for IQ4docs from the directory, to minimize the resources used by the automatic import. Example: (&(objectCategory=person)(objectClass=user)) selects only those objects in Microsoft Active Directory that are persons and have been created in the directory as users. |
Group filter | You can use group filters to influence which groups are read from the directory service. Set a filter that only reads the groups relevant for IQ4docs from the directory, to minimize the resources used by the automatic import. The groups of a user are imported as user keywords by default. Example: (&(objectCategory=Group)(objectClass=group)) selects only those objects in Microsoft Active Directory that have been created in the directory as groups. If groups are excluded by this filter, they are also not available for any further use (e.g. assignment of rights based on group membership or keyword import). |
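The user and group filters above are ordinary LDAP search filters, so any value that is pasted into one (a group name, a department, a DN) must be escaped, or a stray parenthesis or asterisk changes what the filter selects. The following Python snippet is an added example and not code from IQ4docs: it builds the two example filters with the escaping rules of RFC 4515 and checks that a hand-written filter has balanced parentheses before it is used for a test or an import. All function names are this example's own.

```python
"""Compose and sanity-check LDAP search filters for a user import.

Added example, not IQ4docs code. Escaping follows RFC 4515: the characters
* ( ) \\ and NUL inside an assertion value are written as \\2a \\28 \\29 \\5c
\\00. Function and variable names are this example's own.
"""
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape a value that is embedded into an LDAP filter assertion."""
    out = []
    for ch in value:
        if ch in ("*", "(", ")", "\\", "\x00"):
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def eq(attribute: str, value: str) -> str:
    """(attribute=value) with the value escaped."""
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def and_filter(*clauses: str) -> str:
    """(&clause1clause2...)"""
    return "(&" + "".join(clauses) + ")"


def user_filter(group_dn: Optional[str] = None) -> str:
    """Filter for person/user objects, optionally restricted to members of one group.

    Without a group this yields the page's example filter
    (&(objectCategory=person)(objectClass=user)).
    """
    clauses = [eq("objectCategory", "person"), eq("objectClass", "user")]
    if group_dn is not None:
        clauses.append(eq("memberOf", group_dn))
    return and_filter(*clauses)


def group_filter() -> str:
    """The page's example group filter (&(objectCategory=Group)(objectClass=group))."""
    return and_filter(eq("objectCategory", "Group"), eq("objectClass", "group"))


def is_balanced(filter_text: str) -> bool:
    """Reject a filter with unbalanced parentheses before the import tries to run it."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0
```

A filter that fails `is_balanced` is a configuration error and should be corrected before it is saved; the Test dialog described later on this page is the place to confirm that the corrected filter returns the expected users.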

Field | Description |
---|---|
Name | Attribute for the display name of the user (e.g. displayName). |
E-mail address | Attribute for the user's e-mail address. If the entry in the directory service is empty, the e-mail address in IQ4docs is removed (e.g. mail). |
Department | Attribute for importing a department for the user. If the department does not yet exist, it will be created (e.g. department). |
Personal folder | Attribute for the user's personal folder (the value of the specified directory attribute is used as the personal folder, e.g. homeDirectory). You can also mix fixed strings and attribute contents. To do so, enclose the whole entry in double quotation marks (") and enclose the attribute names in percent signs (%). Examples (login name is mmartin, pager is scandir, homeDirectory is \\server_name\users\mmartin). Only %attribute_names% can be used, not %variables%. |
Pin code | If the Generate Pin Code option is enabled, a new pin code is generated automatically for all users who do not yet have a pin code. All allowed characters are used randomly to generate the pin code (see Define complexity of pin codes). If a user already has a pin code, a new one is not generated automatically. Alternatively, the pin code can be imported from an attribute; this value then overwrites any existing pin code. If the entry in the directory service is empty, the user's pin code is removed. |
User keyword mapping | The names of the groups in which a user is a member are automatically imported as keywords. In this field you can restrict the group names from which keywords are generated. Examples: `*` (all group names are imported as keywords); `Print*` (all group names starting with Print are imported as keywords); `*IQ* *doc` (all group names containing IQ or ending in doc are imported as keywords). Only group names that have been allowed by the group filter can be made into keywords here (see LDAP settings). |
Administrative identifier | Specify the administrative identifier to be assigned to the user depending on a group membership in the directory service (see also Administrative identifiers). Example: If you enter Berlin in the first field and Group1 in the second field, the user is assigned the administrative identifier Berlin if he is a member of the Group1 group in the directory service. You can assign as many administrative identifiers as you like. |
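Three rows of the table above describe small transformations of an imported record: expanding a personal folder template, generating a pin code only for users who have none, and turning group names into keywords through `*` patterns. The Python snippet below is an added example and not IQ4docs code; it shows one way to implement each rule. The pin alphabet and length, the attribute values and the group names are constructed assumptions, and all function names are this example's own.

```python
"""Apply the attribute mapping of one imported LDAP user record.

Added example, not IQ4docs code. The pin alphabet and length, the sample
attributes and the group names are constructed assumptions; the function
names are this example's own.
"""
import re
import secrets
from typing import Dict, Iterable, List, Optional, Set

PIN_ALPHABET = "0123456789"  # assumed allowed characters (see Define complexity of pin codes)
PIN_LENGTH = 6               # assumed length


def render_personal_folder(template: str, attributes: Dict[str, str]) -> str:
    """Expand %attribute% placeholders inside a double-quoted template.

    Without surrounding quotes the template is treated as a plain attribute
    name. A placeholder for an unknown attribute is left as written, so a
    typo is visible in the result instead of silently yielding an empty path.
    """
    if len(template) >= 2 and template[0] == '"' and template[-1] == '"':
        body = template[1:-1]
        return re.sub(r"%([^%]+)%",
                      lambda m: attributes.get(m.group(1), m.group(0)), body)
    return attributes.get(template, "")


def pin_for_user(existing_pin: Optional[str], generate: bool) -> Optional[str]:
    """Keep an existing pin; otherwise create one only when generation is enabled.

    secrets.choice is a CSPRNG, so every allowed character is equally likely
    and the pin cannot be predicted from earlier pins.
    """
    if existing_pin:
        return existing_pin
    if not generate:
        return None
    return "".join(secrets.choice(PIN_ALPHABET) for _ in range(PIN_LENGTH))


def _glob_to_regex(pattern: str):
    """Translate a mapping pattern in which only * is special (Print*, *IQ*, *doc)."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def keywords_from_groups(member_of: Iterable[str],
                         groups_passing_filter: Set[str],
                         patterns: Iterable[str]) -> List[str]:
    """A group name becomes a keyword only if the group passed the group filter
    and the name matches at least one mapping pattern."""
    regexes = [_glob_to_regex(p) for p in patterns]
    return [name for name in member_of
            if name in groups_passing_filter
            and any(r.match(name) for r in regexes)]
```

In `keywords_from_groups`, a group that matches a pattern but was excluded by the group filter is dropped, which is the behaviour the table describes: the mapping patterns can only narrow the set of groups the filter already returned, never widen it.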

Specify the fields whose contents are to be imported into user-defined fields. User-defined fields are used during import just like other fields; see also Create Custom Fields For Users.
This area is only available if user-defined fields have already been defined for users.

Field | Description |
---|---|
Card Number | Attribute for the card number. If the attribute does not contain a value, this means that no card should be imported for this user, or that the card already imported for this user should be deleted (manually created cards are retained). The maximum number of access cards can be restricted, see Set number of registrable cards per user (meaning in this case that existing cards of the user can be automatically deleted by the import of a card). |
Valid Until | Here you have the possibility of specifying an attribute the value of which indicates until when a card is to be valid. With Microsoft Active Directory, for example, you have the possibility of referencing the attribute accountExpires. However, you also have the possibility of selecting an attribute in which a date was manually entered. The format of the date must, however, correspond to the country settings of the server on which the UserService is installed. If the attribute has no value, the card never expires. If the entry in the directory service is empty, it is also cleared in IQ4docs. |

Field | Description |
---|---|
Login name | Attribute for the login name. The default value is sAMAccountName for Active Directory and userPrincipalName for Azure AD. If the entry in the directory service is empty, the existing value in IQ4docs is retained during the update. |
Valid Until | Here you have the possibility of specifying an attribute the value of which indicates until when the login is to be valid. With Microsoft Active Directory, for example, you have the possibility of referencing the attribute accountExpires. However, you also have the possibility of selecting an attribute in which a date was manually entered. The format of the date must, however, correspond to the country settings of the server on which the Utility Service is installed. If the attribute has no value, the login never expires. If the entry in the directory service is empty, it is also cleared in IQ4docs. |
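Both Valid Until rows (for cards and for logins) accept either the Active Directory attribute accountExpires or a manually maintained date attribute, and both treat an empty attribute as "never expires". The Python snippet below is an added example and not IQ4docs code: it converts accountExpires, which Active Directory stores as a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC, with 0 and 9223372036854775807 meaning "never"), and parses a manual date with an explicitly given format rather than relying on the server's country settings. The sample values and the function names are this example's own.

```python
"""Interpret a "Valid Until" attribute during an LDAP import.

Added example, not IQ4docs code. accountExpires is a Windows FILETIME:
100-nanosecond ticks since 1601-01-01 UTC; 0 and 0x7FFFFFFFFFFFFFFF both
mean that the account never expires. The sample values are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(value: str) -> Optional[datetime]:
    """Convert an accountExpires string; None means the account never expires."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    # 10 ticks = 1 microsecond
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_valid_until(value: Optional[str],
                      date_format: Optional[str] = None) -> Optional[datetime]:
    """Return the expiry as an aware datetime, or None for "never expires".

    An empty attribute yields None, which matches the page: the card or login
    never expires and any previously stored date is cleared. With date_format
    set (e.g. "%d.%m.%Y"), the attribute is a manually entered date; without
    it, the attribute is treated as accountExpires.
    """
    if value is None or value.strip() == "":
        return None
    value = value.strip()
    if date_format is None:
        return filetime_to_datetime(value)
    return datetime.strptime(value, date_format).replace(tzinfo=timezone.utc)


def is_expired(valid_until: Optional[datetime], now: datetime) -> bool:
    """A None expiry never expires; otherwise compare against the given time."""
    return valid_until is not None and now >= valid_until
```

Passing the date format explicitly, as `parse_valid_until` does, avoids the failure mode the table warns about: a manually entered date that parses correctly on one server and fails (or is read as a different day) on a server with other country settings.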

Field | Description |
---|---|
Display Name | Display name of the cost center - the user will see this name. |
Cost Center | Field to import a cost center for the user. If the cost center does not yet exist, it will be created. |
Keyword | Keywords can be generated automatically for the user during import. The value in the specified field is used as a keyword (this is always placed first in the user's keyword list). Additionally, group names in which the user is located can be used as keywords. |

The user rights listed in the table below can always be granted (i.e. set for each imported user), imported from the directory service depending on group membership, or managed manually.
- Always grant: Switch on Always Grant (the LDAP Group Name field is ignored and grayed out).
- Import depending on group membership: Switch off Always Grant. Then enter the name of the group in the LDAP Group Name field (e.g. PrintAdmins for the group CN=PrintAdmins,CN=Users,DC=company,DC=com). If the user is in the specified group, the right is set; if not, it is removed. Note that the search for groups is only carried out in the areas specified under Search bases.
- Manage manually: If you do not want to import the right at all (but want to assign it manually in the user data record in IQ4docs), switch off Always Grant and do not enter a group name.

Field | Description |
---|---|
Print in color | The user is able to print in color. |
Copy in color | The user is able to copy in color. |
Edit direct printer favorites yourself | The user can choose their own direct printer favorites in the WebClient, see Select favorites and direct printer. |
Change system settings on device | If a user logs in to the device via the Embedded Client and this right is available, the user has administrative rights on the device (e.g. to make system settings on the device). The right is interpreted differently for each manufacturer/device, e.g. for Toshiba/OKI devices, when this right is set, all other rights are also set. |
Use own address book | The user has the possibility to maintain their own address book via the WebClient and use the entries on the device, see My address book. Without this right, the My Address Book area is not visible in the WebClient. |
Create own workflows | The user is permitted to derive and save a new workflow from an existing workflow on the device. Without this right the button is not visible. |
Set workflow as favorite | The user is allowed to mark a workflow on the device as a favorite. Without this right the button is not visible. |
Use device function | The user is allowed to leave the Embedded Client via the Copy menu > Device Function and use the device functions (menu of the device). Without this right the button is grayed out. |
Show recent workflows | The user can call up recently executed workflows on the device from the Last Used area. Without this right, this area is empty. |
Save Changes To Device | The user is allowed to save changes to the settings (e.g. language) permanently. Without this right, for example, the language can be changed temporarily, but after logging out, it is automatically reset to the default language. |
See WebClient area "My scan jobs" | The user can view the Scan Jobs area in the WebClient (see My Scan Jobs). Scans with the My Web scan destination are displayed here (see also Scan destination My Web module). |
See WebClient area "My Tasks" | The user can view the My Tasks area in the WebClient (see My Tasks). The documents of a document review are displayed here (see also Document review). |
See WebClient area "Device Overview" | The user can see the Device Overview area in the WebClient (see Device overview). This page allows the setting of direct printers, among other things, and the printing method can be set (some functions must be authorized individually). |
See WebClient area "Users" | The user can see the Users area in the WebClient (see User). On this page, you can authorize other areas individually (manage Microsoft account data (OneDrive), request a new pin code, change your password, manage your E-MailPrint addresses). |
See WebClient area "Account statement" | The user can see the Account Statement area in the WebClient (see Account Statement). |
See WebClient area "Process release" | The user can see the Process Release area in the WebClient (see Process approval). |
Manage Microsoft account credentials (OneDrive) | The user can see the Microsoft Account Link (Office365/OneDrive etc.) area in the Users area and manage their account data (see User). |
Generate new pin code | The user can see the Generate New Pin Code area in the Users area and request a new pin code generated automatically by the system (see User). |
Change password | The user can see the Set New Password area in the Users area and change their password saved in IQ4docs (see User). |
Manage own E-MailPrint addresses | The user can see the Address For E-Mail Print area in the Users area and store further e-mail addresses relevant for e-mail print (see User and E-MailPrint). |
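The three modes described above (always grant, import depending on group membership, manage manually) have different effects on a right that is already stored for the user, and the group lookup is limited to the configured search bases. The Python snippet below is an added example and not IQ4docs code: it evaluates a set of right rules for one user and shows why a group outside the search bases does not grant (and therefore revokes) a group-based right. The right names, group DNs and search base are constructed sample data, and the function and class names are this example's own.

```python
"""Derive user rights from group membership during an LDAP import.

Added example, not IQ4docs code. Each right is configured in one of three
ways: always granted, tied to an LDAP group name, or neither (managed
manually). A group-based right is set or removed on every import, while a
manually managed right keeps its stored value. Only groups found under the
configured search bases count. Sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class RightRule:
    always_grant: bool = False
    ldap_group: Optional[str] = None   # ignored when always_grant is True


def group_cn(dn: str) -> str:
    """Extract the CN of a group DN such as CN=PrintAdmins,CN=Users,DC=company,DC=com."""
    first_rdn = dn.split(",", 1)[0]
    attr, _, value = first_rdn.partition("=")
    if attr.strip().upper() != "CN":
        raise ValueError("expected a CN as first RDN: " + dn)
    return value.strip()


def groups_in_search_bases(member_of_dns: Iterable[str],
                           search_bases: Iterable[str]) -> FrozenSet[str]:
    """Keep only the CNs of groups whose DN lies under one of the search bases.

    The comparison is a case-insensitive suffix match on the DN text, which is
    sufficient for the canonical DNs a directory returns.
    """
    bases = [b.lower() for b in search_bases]
    return frozenset(group_cn(dn) for dn in member_of_dns
                     if any(dn.lower().endswith("," + b) for b in bases))


def apply_right_rules(rules: Dict[str, RightRule],
                      stored_rights: Dict[str, bool],
                      member_of: FrozenSet[str]) -> Dict[str, bool]:
    """Return the user's rights after one import run."""
    result = dict(stored_rights)
    for right, rule in rules.items():
        if rule.always_grant:
            result[right] = True
        elif rule.ldap_group:
            # import depending on membership: set when member, removed otherwise
            result[right] = rule.ldap_group in member_of
        else:
            # manage manually: leave the stored value alone (default: not granted)
            result.setdefault(right, False)
    return result
```

In the accompanying test the user is a member of ColorUsers, but that group lives under OU=Other, outside the single search base CN=Users,DC=company,DC=com, so the group-based "copy in color" right is revoked on import even though it was stored before. Adding the OU to the search bases, or moving the rule to manual management, is the fix in that situation.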

This section is used to define settings for the users who are to be IQ4docs administrators. Administrators can log in to WebAdmin and - according to their role - make changes to the system.

Roles can be assigned depending on group membership in the directory service, see also Role Management.

If the administrator is only to have access to objects that are marked with an administrative identifier, this can also be made dependent on a group membership, see also Administrative identifiers.

Before the import is executed, it should be tested to verify that the search base and object filter return the expected users. To do this, click the Test button. The data do not have to be saved for testing.
In the dialog that opens, you will see a list of users in which you can search for users - just as in the list of users (see also User List).
In the test dialog you have the option of changing the user and password for access to the directory service as well as the search base and object filter. You can reload the result with the button.

The import can be performed manually - independently of the automatic execution based on an interval. To do so, click Run in the list view for the desired import.