[cups-devel] SSL-encrypted CUPS IPP Basic Authentication via Active Directory
Michael Sweet
msweet at apple.com
Wed Apr 1 16:46:48 PDT 2015
Rick,
Since IPP (and HTTP) has no notion of a login or session, every IPP request issued by the client (Get-Printer-Attributes, Get-Job-Attributes, Create-Job, Send-Document) gets authenticated, so you'll see a PAM call for each request that is processed by cupsd.
> On Apr 1, 2015, at 5:33 PM, Rick Cochran <rcc2 at cornell.edu> wrote:
>
> Hi,
>
> I have a campus full of OS X and Linux users whose print job submissions I would like to authenticate via Active Directory. The good new is that I already have this working. I would just like to make sure I'm doing it optimally.
>
> What I have working is CUPS using pam_krb5 to authenticate to AD. The strange thing I am seeing is that each print job authentication results in 21 Kerberos ticket cache files created in /tmp, and 21 "authentication succeeds for 'rcc2'" messages and 21 "TGT verified" messages logged to /var/log/messages.
>
> It seems as though CUPS is making 21 authentication calls to PAM. This seems rather excessive. Perhaps there is a way to reduce it.
>
> Another possibility would be to use pam_ldap instead of pam_krb5. Is there some reason to believe that would be a better solution?
>
> Thanks for any help.
> -Rick
> _______________________________________________
> cups-devel mailing list
> cups-devel at cups.org
> https://www.cups.org/mailman/listinfo/cups-devel
_________________________________________________________
Michael Sweet, Senior Printing System Engineer, PWG Chair
More information about the cups-devel
mailing list