CUPS authentication

David drjato at correo.ei.uvigo.es
Thu Feb 7 05:10:05 PST 2008


It looks like authentication at the clients is not so flawed so I might not need to ask for login/password for printing. I'm still interested in knowing if it's possible and how to do it.

I still have to deny printing for non-authorized users. Only a subset of users should be allowed to print. This check is done at the server through pam_ldap authentication. As I said in my last post this is working fine as non-allowed users are getting their jobs printed as ANONYMOUS. I want to deny this ANONYMOUS printing.

Should I use <Location /printers> too/instead? This has (mostly) worked for another lab, but it makes the printer harder to install as login/pass are required at the moment of installation (and, at least under KDE, jobs were always sent with the installer's credentials no matter which actual user was printing).
Directive descriptions in the documentation are fine (really), but you can't learn how to use them together.

This is my current cupsd.conf (just trying out every single directive):

# Show troubleshooting information in error_log.
LogLevel debug
SystemGroup lpadmin
# Allow remote access
Port 631
Listen /var/run/cups/cups.sock
# Share local printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAddress @LOCAL
DefaultAuthType Basic
<Location />
  # Allow shared printing...
  Order allow,deny
  Allow @LOCAL
</Location>
<Location /admin>
  Encryption Required
  # Restrict access to the admin pages...
  Order allow,deny
  Allow localhost
</Location>
<Location /admin/conf>
  AuthType Basic
  Require user @SYSTEM
  # Restrict access to the configuration files...
  Order allow,deny
  Allow localhost
</Location>
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Encryption Required
    AuthType Basic
    Require valid-user
    Require user @OWNER @SYSTEM
    #Order allow,deny
    Order deny,allow
  </Limit>
  <Limit Pause-Printer Resume-Printer Set-Printer-Attributes Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Add-Printer CUPS-Delete-Printer CUPS-Add-Class CUPS-Delete-Class CUPS-Accept-Jobs CUPS-Reject-Jobs CUPS-Set-Default>
    Require user @SYSTEM
    Order deny,allow
  </Limit>
  <Limit CUPS-Authenticate-Job>
    Encryption Required
    AuthType Basic
    Require valid-user
    Require user @OWNER @SYSTEM
    #Order allow,deny
    Order deny,allow
  </Limit>
  # Only the owner or an administrator can cancel a job...
  <Limit Cancel-Job>
    Order deny,allow
    Require user @OWNER @SYSTEM
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
Printcap /var/run/cups/printcap


> Hi. Where can I find detailed documentation about CUPS authentication? I've been searching for weeks and I haven't been able to find what I need.
>
> We have a lab with XP and Ubuntu 7.10 (CUPS 1.3.4) clients printing to a printer with a network hw printserver. I'm trying to set up a CUPS + PyKota print server to get print accounting for that lab. To keep this short let's say session authentication is not reliable for clients, so I want the users to be asked for login/password whenever they send a job so that the server can authenticate them against our LDAP server. Is this possible? Maybe it's quite an extreme solution but it would do the trick; if needed I'll detail the whole lab setup for a more subtle approach.
>
> I'm using Debian Etch (CUPS 1.2.9) in the server with the default cupsd.conf. I've tried several options for the job-related section of the default policy (AuthType Basic/ Require valid-user/Order allow,deny/Order deny,allow... and combinations of them). I've tried some of them for CUPS-Authenticate-Job too. But I haven't been able to deny printing for non-authorized users.
> I'm using a virtual PDF printer for testing, printing to /var/lib/cups/cups-pdf/${USER}. I think LDAP authentication (through PAM) is working fine at the server as authorized users get their jobs printed at their own directories while non-authorized users (e.g. administrator from XP machines) get theirs at the ANONYMOUS directory. Yet, while jobs are being printed the correct usernames are shown for each job at the queue for all users (there are no jobs from ANONYMOUS users).
> Do I have to use the Location directives instead?
>
> That's all for now :) Any advice is welcome. Thanks in advance.
> David

Btw, CUPS versions are 1.2.7 for the server and 1.3.2 for the clients :)
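
Added example (not part of David's message and not CUPS project code): a small Python check that reads a cupsd.conf policy and lists the job-submission operations whose effective <Limit> block has no Require line. In the configuration above no <Limit> names Print-Job or Create-Job, so they are left to <Limit All>. The policy text is a constructed excerpt modelled on the one in the post; the function names and the SUBMIT_OPS list are assumptions of this example.

```python
import re

# Constructed excerpt modelled on the policy in the post (operation lists shortened).
SAMPLE_POLICY = """\
<Policy default>
  <Limit Send-Document Send-URI Hold-Job Release-Job>
    AuthType Basic
    Require valid-user
    Require user @OWNER @SYSTEM
    Order deny,allow
  </Limit>
  <Limit Cancel-Job>
    Order deny,allow
    Require user @OWNER @SYSTEM
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

# IPP operations that submit a job (assumed list for this check).
SUBMIT_OPS = ("Print-Job", "Create-Job", "Print-URI", "Validate-Job")

def parse_limits(conf, policy="default"):
    """Return {operation: [directive lines]} for every <Limit> in one <Policy>."""
    limits, ops, in_policy = {}, None, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"<(/?)(Policy|Limit)\s*([^>]*)>", line)
        if m and m.group(2) == "Policy":
            in_policy = not m.group(1) and m.group(3).strip() == policy
        elif m and in_policy:
            # Opening <Limit ...> starts a new block; </Limit> closes it.
            ops = None if m.group(1) else m.group(3).split()
            for op in ops or []:
                limits[op] = []
        elif in_policy and ops:
            for op in ops:
                limits[op].append(line)
    return limits

def unauthenticated(conf, operations=SUBMIT_OPS):
    """Operations whose effective <Limit> (named block, else All) has no Require."""
    limits = parse_limits(conf)
    fallback = limits.get("All", [])
    return [op for op in operations
            if not any(r.split()[0].lower() == "require"
                       for r in limits.get(op, fallback))]
```

Calling unauthenticated() on the text of a cupsd.conf returns an empty list once every submission operation is covered by a <Limit> block that carries a Require line.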



