[cups.development] [RFE] STR #2452: Mapping usernames via external code

Jon Peatfield jp107 at cam.ac.uk
Thu Jul 19 16:55:08 PDT 2007


DO NOT REPLY TO THIS MESSAGE.  INSTEAD, POST ANY RESPONSES TO THE LINK BELOW.

[STR New]

Sorry, I wasn't very clear, was I?  When I wrote that I didn't realise
it was going to be posted to a mailing list :-) Not that that is an
excuse to be sloppy...

The setup I'm using has an existing mechanism to allow ('admit' if you
prefer), machines/end-stations onto the network, and as part of that
there is an authenticated-user associated with each machine.

If you want a more concrete example consider a network using 802.1x
based authentication or a captive-portal setup where authentication
has already happened (e.g. to a RADIUS server or web-based thingy).

Clearly something somewhere has a mapping from machine/end-station to
the authenticated user, and in our case we have various ways for apps
to ask 'who is the user on IP address .....'

BTW these are mostly users' own laptops etc so their local login-name
will be pretty random (well often 'root'), I don't want users to be
able to cancel/redirect someone else's print job just because both of
them are logged in as 'fred' on their own laptop, but I also don't
want to require another authentication - if their IPP clients even
supported it.

Adding direct support for our lookup mechanism to CUPS would do for
us, but possibly not for other kinds of mapping so instead we added
code which gets cupsd to call an external program with the hostname
(and job-supplied username) and expects to read back the username to
use.

There may be better ways to do this, but our hack has been in service
here for some time (the cups-1.1 version anyway) and works well
enough.  If you don't define MapUsername in the cupsd.conf then
obviously it doesn't do the call-out and so we actually run with the
patch applied on lots of machines which don't use the feature.

Bad features of this patch include:

  an external call (with popen) for each connection to cupsd

  if the external code doesn't exit then cupsd will hang

  it isn't flexible enough to allow some other kinds of lookup

  it can't (easily) be set to only happen on some printers or blocks
  of addresses etc.

Still as one of my bosses used to say the 'best' is the enemy of the
'good', and despite the drawbacks what we have might be useful to at
least a few other places.

Back before we used CUPS we used LPRng which had a config option to
pass the control-files through a 'filter' which we used to achieve the
same mapping.  In part this patch was inspired by the lack of any
other way to do what we previously could...

[ remind me _again_ not to reply to the copies I get by mail... ]

 -- Jon

Link: http://www.cups.org/str.php?L2452
Version:  -feature
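
The call-out described in this message, sketched without the shell and without the hang, as an added example; it is not the code from the STR #2452 patch. The names `map_username` and `demo_lookup`, the 300 ms timeout, the allowed character set and the sample host and user values are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <poll.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exec argv[] directly (no shell, unlike popen) and read one username from its
   stdout. Returns 0 on success; -1 on spawn failure, timeout, non-zero exit or bad name. */
int map_username(char *const argv[], int timeout_ms, char *out, size_t outlen)
{
    int fds[2], status = 0, eof = 0;
    size_t len = 0, i;
    pid_t pid;
    if (outlen < 2 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO); close(fds[0]); close(fds[1]);
        execv(argv[0], argv); _exit(127);          /* _exit only if exec fails */
    }
    close(fds[1]);
    struct pollfd p = { .fd = fds[0], .events = POLLIN };
    while (len < outlen - 1) {
        if (poll(&p, 1, timeout_ms) <= 0) break;   /* helper went silent: give up */
        ssize_t n = read(fds[0], out + len, outlen - 1 - len);
        if (n > 0) len += (size_t)n; else { eof = (n == 0); break; }
    }
    close(fds[0]);
    kill(pid, SIGKILL);                  /* no effect if it has already exited */
    waitpid(pid, &status, 0);            /* reap; returns promptly after SIGKILL */
    if (!eof || (WIFEXITED(status) && WEXITSTATUS(status) != 0)) return -1;
    if (len && out[len - 1] == '\n') len--;
    out[len] = '\0';
    if (len == 0 || out[0] == '-') return -1;
    for (i = 0; i < len; i++)            /* assumed charset for account names */
        if (!isalnum((unsigned char)out[i]) && !memchr("._-", out[i], 3)) return -1;
    return 0;
}

/* Constructed stand-in for a site lookup helper: a fixed /bin/sh script that
   gets the client host as $1 and the job-supplied user as $2. */
const char *demo_lookup(const char *script, const char *host, const char *user)
{
    static char name[64];
    char *argv[] = { "/bin/sh", "-c", (char *)script, "mapper",
                     (char *)host, (char *)user, NULL };
    return map_username(argv, 300, name, sizeof name) == 0 ? name : NULL;
}
```

The timeout applies to each wait for output rather than to the whole call, so the worst case is bounded by the buffer size times the timeout.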




