Authenticated Printing (Linux on Linux) using CUPS and IPP

Michael Lackner michael.lackner at unileoben.ac.at
Mon Mar 31 06:38:41 PDT 2008 

Hello!

I'm currently trying to set up authenticated printing (currently without SSL to eliminate another source of error). The Server is CentOS 5 with CUPS and an IPP printer share.

The clients are of different Linux flavors, but I'm currently using a Fedora Core 4 Client machine for testing.

CUPS version on CentOS 5 server: cups-1.2.4-11.14.el5_0.1
CUPS version on Fedora Core 4 client: cups-1.1.23-15.4

The Server also hosts an OpenLDAP server containing all User information. However, most clients do no system authentification against LDAP, so the users credentials will have to be transmitted using the IPP URI. On top of that, "Papercut" is installed on the server, for print accounting and some sort of billing system. However, i tried to use this with AND without the Papercut/CUPS backend wrapper, same results, so Papercut shouldn't really be the cause of my problems.

So, what I am trying to do is this:

Client connects to IPP Printserver and transmits its User Credentials. Like this:
====

ipp://<user>:<pwd>@printerhost:631/<printqueue>


Now, the server should check its own LDAP database, and look for the user and check his or her PWD. Should the credentials match, printing should occur.

On the server, the /etc/cups/cupsd.conf looks like this (iR3025N is the queues name, modified, added "AuthType" line):
====

<Location /printers/iR3025N>
  AuthType Basic
  Order Deny,Allow
  Deny From All
  Allow From All
</Location>

Again on the server, /etc/pam.d/cups looks like this (modified, added pam_ldap.so lines, commented the system-auth lines out):
====

#%PAM-1.0
#auth   include         system-auth
#account        include         system-auth
auth    required        pam_ldap.so
account required        pam_ldap.so


The server queue uses the appropriate PPD file from Canon to render the printjobs for the iR3025N.

Now, i open Acrobat Reader on the client machine with just some file, and say "print". I select the iR3025N (it's not the default printer), and AS i select it, the print dialog hangts. As i have started Acrobat Reader from a BASH shell, i can now see a message on the shell i started Adobe Reader. It says:
====

Password for <user> on <printhost>?


Here i can enter my users password, and the printer gets selected, the printing dialog no longer hangs. Same goes for actually sending the printjob, I am again asked for my password on the shell. So, entering UN:PWD within the IPP URI doesn't seem to work at all.

On top of that, why am I not being asked with some sort of GUI popup? If i hadn't started Adobe Reader from the bash, i would have never seen the CLI dialog prompting me for a password to authenticate against the server...

I would love some solution that works seamlessly (please advise as what exactly i have to do, and how i have to configure OpenLDAP, CUPS and the CUPS clients to make this work).

It would also be nice to be able to store passwords in some hashed form (like CRYPT or SSHA), so that it's not readable as blank from the clients /etc/cups/printers.conf.

Thanks a lot for your help, i tried several guides on the web, but failed to do this so far. I guess I'm somehow missing a few details (or even the "big picture"?) here..

More information about the cups mailing list