[cups.development] Kerberos multiple personalities
Andy Polyakov
appro at fy.chalmers.se
Thu Nov 6 01:36:23 PST 2008
As much as we like to deploy Kerberos authentication for printouts, we
would also like to deploy it even for web-based administration. Trouble
is that cupsd assumes the ipp@server identity, while web browsers ask for
HTTP@server. Of course it's possible to instruct cupsd to assume the
HTTP@server identity by specifying GSSServiceName HTTP in cupsd.conf.
But then one would have to convince all cups clients to ask for tickets
to HTTP@server, most notably by setting the CUPS_GSSSERVICENAME environment
variable to HTTP. But in a large and diverse environment (like ours) it's
not very practical.

But is there anything that prevents cupsd from
assuming multiple identities? No! It's a lesser problem to have a server
accepting requests to several identities (naturally provided that they
all reside in the server's keytab). The password is gss_add_cred, as opposed
to gss_acquire_cred. The attached patch explores this possibility by adding
the ipp@server credential in the case when an alternative GSSServiceName was
configured in cupsd.conf.

An alternative approach could be to examine the
User-Agent field in the HTTP header and assume different personalities
depending on the outcome, specifically if User-Agent is CUPS/*, then assume
the ipp@server identity, otherwise HTTP@server.

A.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: multipers.diff
Type: text/x-patch
Size: 2544 bytes
Desc: not available
URL: <http://lists.cups.org/pipermail/cups-devel/attachments/20081106/5f13e525/attachment.bin>
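
The User-Agent alternative mentioned in the message, as an added example (not code from the attached patch or from CUPS): the function names are hypothetical and the request headers are constructed samples. User-Agent is client-supplied, so the result only selects which keytab identity to offer; authentication still rests on the ticket itself.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: value of header `name` in a raw request, or NULL.
 * Matches only at the start of a line and stops at the blank line that
 * ends the headers, so body text cannot pose as a header. */
static const char *find_header(const char *req, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = req;

    while (line && *line && *line != '\r' && *line != '\n') {
        if (strncasecmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ' || *v == '\t')
                v++;
            return v;
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return NULL;
}

/* "ipp" when User-Agent starts with "CUPS/", "HTTP" for anything else
 * (browsers, or no User-Agent header at all). */
const char *gss_service_for_request(const char *req)
{
    const char *ua = find_header(req, "User-Agent");
    return (ua && strncmp(ua, "CUPS/", 5) == 0) ? "ipp" : "HTTP";
}

/* Build "service@host", the form gss_import_name() takes with
 * GSS_C_NT_HOSTBASED_SERVICE. Returns 0, or -1 if `out` is too small. */
int gss_name_for_request(const char *req, const char *host,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s@%s", gss_service_for_request(req), host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char name[64]; /* constructed sample request below */
    const char *req = "POST /printers/lp HTTP/1.1\r\nUser-Agent: CUPS/1.4\r\n\r\n";
    if (gss_name_for_request(req, "server", name, sizeof(name)) == 0)
        printf("%s\n", name);
    return 0;
}
```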