CUPS authentication

[David]

Hi. Where can I find detailed documentation about CUPS authentication? I've been searching for weeks and I haven't been able to find what I need.

We have a lab with XP and Ubuntu 7.10 (CUPS 1.3.4) clients printing to a printer with a network hw printserver. I'm trying to set up a CUPS + PyKota print server to get print accounting for that lab. To keep this short let's say session authentication is not reliable for clients, so I want the users to be asked for login/password whenever they send a job so that the server can authenticate them against our LDAP server. Is this possible? Maybe it's quite an extreme solution but it would do the trick; if needed I'll detail the whole lab setup for a more subtle approach.

I'm using Debian Etch (CUPS 1.2.9) in the server with the defauld cups.confd. I've tried several options for the job-related section of the default policy (AuthType Basic/ Require valid-user/Order allow,deny/Order deny,allow... and combinations of them). I've tried some of them for CUPS-Authenticate-Job too. But I haven't been able to deny printing for non-authorized users.
I'm using a virtual PDF printer for testing, printing to /var/lib/cups/cups-pdf/${USER}. I think LDAP authentication (through PAM) is working fine at the server as authorized users get their jobs printed at their own directories while non-authorized users (e.g. administrator from XP machines) get theirs at the ANONYMOUS directory. Yet, while jobs are being printed the correct usernames are showed for each job at the queue for all users (there are no jobs from ANONYMOUS users).
Do I have to use the Location directives instead?

That's all for now :) Any advice is welcome. Thanks in advance.
David