Multiple seperated networks

Aukjan aukjan at vanbelkum.no.spam.nl
Wed Feb 14 02:48:14 PST 2007 

Hello all,

I am working on setting up the following:

* One printer network (P), which contains about 500 printers.
* These printers are only accessible via 1 (or a cluster of) cups 
server(s) (P-C).
* This central cups server will provide printing for several non-related 
networks (X1, X2 .. XN), which might not be under my control.
* From each of these Networks, printing should be possible to a 
specified subset of the printers in P.
* Also, multiple networks can print using the same printer/queue. For 
this reason, banner pages should be created on a per-queue basis. These 
banners can and will contain information only accessible within their 
respective networks.
* Each network should only see their own jobs, and users within those 
networks should only be able to access their own jobs.
* The P-C does not know anything (and doesn't want to know) about the 
users in the X networks. This forces Authentication/Authorization to be 
done in each of the networks.


Now I am contemplating the do the following:

* P-C will be a CUPS server (version 1.2.7), with the following settings:
	+ policies enabled, which will allow or disallow printing and access 
from the X networks.
	+ Browsing enabled from each of the allowed networks to discover 
printers specified for their networks.
	+ Printing of banners, but using the alternate pstops, for printing 
banners and printjob in one job. Extra information will be extracted 
from the options.
	+ Access to jobs will only be allowed from the CUPS servers in the X 
networks, This will disallow single hosts from connecting directly to 
the P-C.


* Networks X1 .. XN will each have their own CUPS server, using their 
own specific versions with the following options:
	+ Printer discovery will be done by polling P-C for available printers.
	+ User Auth will be done using a local method, and this will allow the 
user to view/cancel their own jobs.
	+ The ipp backend will be replaced by a wrapper script which adds extra 
options (user specific information) to the job and invokes the original 
ipp.



Now the I have the following questions:

1. Is it possible to allow only certain printers to be discovered by 
network Xi by setting policies, or will each network find all available 
printers?
2. Is it possible to allow users in the X networks access to their jobs 
through their local cups server? Or will the C-P require authentication 
as well? Should Basic Authentication be set in the policies for the 
printers?
3. Will all users in network Xi only see jobs submitted from Xi, or will 
they also see jobs from Xj .. Xn ? If so, is there something that can be 
done?
4. Is the wrapping of the ipp backend the only thing that can be done to 
pass extra options (specific for each user) on to the C-P?
5. Are there other obstacles that anyone can see using this kind of setup?


Thanks in advance for taking the time to read this 'long' post!

Aukjan

More information about the cups mailing list