CUPS ldap group authentication not working

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Feb 13 01:58:29 PST 2010


Hello, all.  We're in the midst of building a multi-tenant CUPS printing environment where we need very granular control over who can print to what.  All of the users and groups are held in a CentOS Directory Server LDAP database.

User authentication works just fine but we cannot get group authentication to work.  Perhaps we misunderstand the syntax but we have tried all sorts of combinations.  Our goal is to allow authentication based solely upon LDAP group membership.

The print server is running on Debian Lenny inside a VServer using the latest CUPS from repository.  libnss-ldap.conf, pam_ldap.conf, and nsswitch.conf are set up properly.  id <uid> returns all group information for a given uid.

We would have thought we simply needed to do something like:

<Location /admin>
  Order allow,deny
  Require group somegroup
  Allow from 172.16.18.0/28
</Location>

But, when users enter their credentials for the web admin interface, their credentials are not accepted.  If we change it to:

<Location /admin>
  Order allow,deny
  Require user someuser
  Allow from 172.16.18.0/28
</Location>

it works perfectly with LDAP defined users.  We then thought perhaps the user needed to be authenticated as well as defining group membership so we did:

<Location /admin>
  Order allow,deny
  Require user someuser
  Require valid-user
  Allow from 172.16.18.0/28
</Location>

The user was allowed in but, when we changed the group to a group to which the user did NOT belong, the user was still allowed access!

So then we tried:

<Location /admin>
  Order allow,deny
  Require user someuser @somegroup
  Allow from 172.16.18.0/28
</Location>

Once again, the user was allowed but, once we changed the group to a group to which the user did not have access, the user was still allowed.

What are we doing wrong? How does one allow access based strictly on LDAP groups? Thanks - John
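
An added diagnostic, not part of the original post: `id` reports a user's resolved group list, while a daemon may instead look the group up by name and scan that record's member list, and with LDAP-backed NSS the two views can disagree. That the CUPS scheduler checks membership the second way is an assumption here; the function names and the sample records below are constructed for illustration.

```python
import grp
import os
import pwd
import sys
from collections import namedtuple

# The three NSS lookups used below, bundled so they can be swapped for sample data.
Lookups = namedtuple("Lookups", "getgrnam getpwnam getgrouplist")
SYSTEM = Lookups(grp.getgrnam, pwd.getpwnam, os.getgrouplist)

def via_group_entry(user, group, db=SYSTEM):
    """True if the group's own record lists the user, or is the user's primary group."""
    try:
        g, pw = db.getgrnam(group), db.getpwnam(user)
    except KeyError:          # unknown user or group
        return False
    return pw.pw_gid == g.gr_gid or user.lower() in (m.lower() for m in g.gr_mem)

def via_user_groups(user, group, db=SYSTEM):
    """True if the user's resolved group list (what `id` prints) contains the group."""
    try:
        g, pw = db.getgrnam(group), db.getpwnam(user)
    except KeyError:
        return False
    return g.gr_gid in db.getgrouplist(user, pw.pw_gid)

def diagnose(user, group, db=SYSTEM):
    """Compare both views and report whether they agree."""
    a, b = via_group_entry(user, group, db), via_user_groups(user, group, db)
    if a == b:
        return "consistent: member" if a else "consistent: not a member"
    return "mismatch: group entry=%s, user group list=%s" % (a, b)

# Constructed sample: 'somegroup' has an empty member list, yet the user's
# resolved group list still contains its GID (the kind of split being tested for).
Gr = namedtuple("Gr", "gr_name gr_gid gr_mem")
Pw = namedtuple("Pw", "pw_name pw_gid")
_GROUPS = {"somegroup": Gr("somegroup", 5001, []),
           "othergroup": Gr("othergroup", 5002, ["someuser"])}
_USERS = {"someuser": Pw("someuser", 5000)}
SAMPLE = Lookups(_GROUPS.__getitem__, _USERS.__getitem__,
                 lambda user, gid: [gid, 5001, 5002])

if __name__ == "__main__":
    if len(sys.argv) == 3:    # real lookups: script.py <user> <group>
        print(diagnose(sys.argv[1], sys.argv[2]))
    else:                     # no arguments: run against the constructed sample
        print(diagnose("someuser", "somegroup", SAMPLE))
```

Run it on the print server, inside the same VServer guest as cupsd, so it uses the same nsswitch.conf and libnss-ldap.conf.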




