How to set up LDAP sync on any modern office copier
A connection guide for binding an office MFP to Active Directory or Entra ID Domain Services — service account configuration, search base scoping, attribute mapping, and the troubleshooting paths that matter when the bind fails.
An office MFP synced to Active Directory keeps its address book current automatically. New employees appear in the device's recipient list within a sync cycle. Departed employees disappear. Email addresses correct automatically when IT changes them upstream. The maintenance burden of address book updates moves from the device administrator to the AD administrator, where it already happens. The setup takes 30 to 60 minutes once and then runs untouched for years.
Prerequisites
What you need before starting
- An Active Directory or LDAP-compatible directory (AD, Entra ID Domain Services, OpenLDAP, FreeIPA)
- A domain controller's hostname or IP reachable from the MFP
- A service account with read access to the user OU (password-never-expires recommended)
- The Distinguished Name (DN) of the search base (typically the office's user OU)
- The MFP's administrator credentials for accessing its web interface
- LDAPS preferred — the AD CA certificate to install on the MFP if LDAPS is enforced
Connection parameters at a glance
| Parameter | Typical value |
|---|---|
| Server address | dc01.empresa.local or IP 192.168.1.10 |
| Port | 389 (LDAP) or 636 (LDAPS preferred) |
| Base DN | OU=Usuarios,DC=empresa,DC=local |
| Bind DN | CN=svc-mfp-ldap,CN=Users,DC=empresa,DC=local |
| Bind password | The service account password |
| Search filter | (&(objectClass=user)(mail=*)) |
| Search scope | Subtree (recurse through child OUs) |
| Authentication method | Simple (with LDAPS) or SASL |
Step-by-step setup
Open the MFP's web admin interface
Navigate to https://<mfp-ip> and sign in as administrator. Locate the LDAP configuration page — common paths: HP Networking → LDAP, Konica Minolta Network → LDAP Settings, Canon Address Book → LDAP Server, Ricoh Address Book Settings → LDAP, Xerox Connectivity → Setup → LDAP, Kyocera Network → LDAP Settings.
Configure the LDAP server connection
Enter the server address, port (636 for LDAPS strongly preferred), and connection security setting. If using LDAPS, upload the CA certificate that signed the domain controller's TLS certificate to the MFP's trusted certificate store first.
Enter the bind credentials
Use a dedicated service account with read-only access to the user OU. Type the DN format CN=svc-mfp-ldap,CN=Users,DC=empresa,DC=local for the bind DN. Avoid using a personal administrator account — when the admin leaves the company the LDAP sync silently breaks.
Set the search base and scope
The search base scopes which OUs the MFP queries. Setting too broad (the entire domain root) returns service accounts and computer objects alongside real users. Setting too narrow misses employees in sub-OUs. Typically OU=Usuarios,DC=empresa,DC=local with Subtree scope catches all real users without the system noise.
Define the search filter
The filter narrows results to actual users with a valid email address. Use (&(objectClass=user)(mail=*)) on AD to return only user objects that have the mail attribute populated. That filter does not exclude disabled accounts on its own; if disabled accounts should be left out, add (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to the AND clause.
Configure attribute mapping
Tell the MFP which AD attribute corresponds to which address book field. The defaults usually work but may need adjustment depending on the AD schema. See the mapping table below.
Test the connection
Most MFPs include a "Test Connection" button on the LDAP settings page. Click it and verify the device reports a successful bind and a count of users found. If the bind fails, the error message indicates whether the issue is connectivity, credentials, or search base.
Save and trigger initial sync
Save the configuration. Trigger an initial sync (some devices sync automatically on save; others require manual sync from a separate menu). The address book populates over the next few minutes for typical office sizes.
Standard attribute mapping
| Address book field | AD attribute |
|---|---|
| Email | mail |
| Fax number | facsimileTelephoneNumber |
| Phone | telephoneNumber or mobile |
| Department | department |
| Job title | title |
| Login name | sAMAccountName or userPrincipalName |
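As an added example (not part of this guide or any vendor's firmware), the following Python previews offline what the filter from the "Define the search filter" step and the mapping table above would put in the address book. It evaluates the filter subset the guide uses (&, |, !, presence, equality and AD's bit-AND matching rule 1.2.840.113556.1.4.803) against constructed sample entries; the entries, the lowercase attribute keys and the address book field names are assumptions.

```python
# Offline preview of what an MFP's LDAP filter plus attribute mapping would put in
# the address book. Added example; supports the filter subset the guide uses.
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's LDAP_MATCHING_RULE_BIT_AND

def parse_filter(text, i=0):
    """Parse the '(...)' starting at index i; returns (tree, index after it)."""
    assert text[i] == "(", "filter must start with '('"
    if text[i + 1] in "&|!":                     # compound: (&(a)(b)) / (!(a))
        op, i, kids = text[i + 1], i + 2, []
        while text[i] == "(":
            node, i = parse_filter(text, i)
            kids.append(node)
        return (op, kids), i + 1
    j = text.index(")", i)
    attr, value = text[i + 1:j].split("=", 1)   # simple: (attr=value) or (attr=*)
    return ("cmp", attr, value), j + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> value or list)."""
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    _, attr, value = node
    m = re.fullmatch(r"(\w+):" + re.escape(BIT_AND_RULE) + ":", attr)
    if m:  # bit-AND rule: true when every bit of value is set in the attribute
        return int(entry.get(m.group(1).lower(), 0)) & int(value) == int(value)
    vals = entry.get(attr.lower(), [])
    vals = vals if isinstance(vals, list) else [vals]
    return bool(vals) and (value == "*" or any(str(v).lower() == value.lower() for v in vals))

ADDRESS_BOOK_MAP = {  # address book field -> AD attributes tried in order (guide's table)
    "email": ["mail"], "fax": ["facsimileTelephoneNumber"], "phone": ["telephoneNumber", "mobile"],
    "department": ["department"], "title": ["title"], "login": ["sAMAccountName", "userPrincipalName"]}
USER = ["top", "person", "organizationalPerson", "user"]
SAMPLE_ENTRIES = [  # constructed sample data; computer objects also carry objectClass user in AD
    {"objectclass": USER, "mail": "ana@empresa.local", "samaccountname": "ana",
     "mobile": "+34 600 000 001", "department": "Ventas", "useraccountcontrol": 512},
    {"objectclass": USER, "mail": "old@empresa.local", "samaccountname": "old",
     "useraccountcontrol": 514},                           # 512 | 2 = ACCOUNTDISABLE
    {"objectclass": USER + ["computer"], "samaccountname": "PC01$", "useraccountcontrol": 4096},
    {"objectclass": USER, "samaccountname": "svc-backup", "useraccountcontrol": 66048},  # no mail
]

def build_address_book(filter_text, entries=SAMPLE_ENTRIES):
    """Return address book rows (first populated attribute per field) for accepted entries."""
    tree, _ = parse_filter(filter_text)
    return [{f: next((e[a.lower()] for a in attrs if a.lower() in e), None)
             for f, attrs in ADDRESS_BOOK_MAP.items()}
            for e in entries if matches(tree, e)]
```

With the disabled-account clause added, only the active user with a mail attribute survives; the computer object passes (objectClass=user) and is dropped by (mail=*).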
Sync cadence configuration
LDAP sync runs on a schedule. Common cadences and trade-offs: every hour catches changes quickly but produces more network traffic and load on the domain controller; every 4 hours balances freshness and load; daily is sufficient for offices where staff turnover is slow but new employees may wait a day for address book inclusion.
For most Spanish SME offices, every 4 hours is the right setting. For larger organisations with frequent staff churn, every hour. For very stable offices, daily is sufficient. The setting lives in the LDAP configuration page under "Sync Interval" or "Refresh Frequency".
LDAPS versus plain LDAP
LDAPS (LDAP over TLS, port 636) encrypts the connection between MFP and domain controller. Plain LDAP (port 389) sends credentials and query results in cleartext. For any office with security expectations, LDAPS is the right choice. The setup requires installing the CA certificate that signed the domain controller's TLS certificate to the MFP's trusted store — most enterprise PKI deployments handle this through Group Policy on workstations but the MFP requires manual installation.
To install the CA certificate on most MFPs: open the web admin interface → Security → Certificates → Import Trusted Certificate → upload the CA's public certificate in DER or PEM format. After import, the MFP trusts certificates signed by that CA and LDAPS connections succeed.
Troubleshooting LDAP setup issues
Common problems and what to check
- Bind fails with "invalid credentials": the service account password may include special characters the MFP keyboard mis-rendered, or the DN format may be incorrect. Try userPrincipalName format (svc-mfp-ldap@empresa.local) as an alternative to DN format.
- Connection times out: the MFP cannot reach the domain controller on the configured port. Check firewall rules between the MFP VLAN and the DC. Verify the DC is responding on the configured port using telnet dc01 636 from a workstation.
- Bind succeeds but no users found: the search base is incorrect or the filter excludes all users. Try a simpler filter, (objectClass=user), to confirm queries work, then refine.
- LDAPS fails with certificate error: the CA certificate is not installed on the MFP, the certificate has expired, or the certificate's CN does not match the configured server address. Install the current CA certificate and verify the hostname matches.
- Some users appear, others do not: the filter is too restrictive or some users lack the required attribute (usually email). Verify the missing users have email populated in AD.
- Sync runs but address book stays old: the MFP may be caching the previous result. Force a manual sync from the LDAP settings page or reboot the device's network stack.
Service account best practices
The LDAP service account deserves attention because it persists across device generations. Use a dedicated service account named clearly (svc-mfp-ldap or similar), enable password-never-expires to prevent quarterly password rotation breaking the sync, grant read-only access to the user OU and nothing else (no domain admin rights), document the account in the office's privileged account inventory, and rotate the password annually as part of normal service account hygiene.
If the office uses Entra ID Domain Services (cloud-hosted directory service rather than on-prem AD), the same setup applies with the bind DN referencing the cloud DN structure. Note that Entra ID itself (not Domain Services) does not speak LDAP — for pure cloud directories, look at SCIM or vendor-specific cloud directory integrations instead.
Multi-domain considerations
Some Spanish offices operate in multi-domain forests, with users distributed across child domains. Most office MFPs support a single LDAP server entry — they cannot query multiple domains simultaneously. The workaround: configure the MFP to query the Global Catalog (port 3268, or 3269 for LDAPS) instead of a regular domain controller. The Global Catalog returns user objects from all domains in the forest in a single query.