[cups.general] CUPS ldap group authentication not working
Michael Sweet
msweet at apple.com
Sat Feb 13 07:51:23 PST 2010
On Feb 13, 2010, at 1:58 AM, John A. Sullivan III wrote:
> Hello, all. We're in the midst of building a multi-tenant CUPS printing environment where we need very granular control over who can print to what. All of the users and groups are held in a CentOS Directory Server LDAP database.
> ...
> We would have thought we simply needed to do something like:
>
> <Location /admin>
> Order allow,deny
> Require group somegroup
> Allow from 172.16.18.0/28
> </Location>
>
> But, when users enter their credentials for the web admin interface, their credentials are not accepted. If we change it to:
Do you have local groups (in /etc/group) of the same name? If so, you are running into STR #2967:
http://www.cups.org/str.php?L2967
Basically the getgrnam API does not coalesce local and LDAP groups, and there is no API to enumerate all groups with the same name, so we're going to have to come up with a way to cache group lookups for some (short) amount of time to get good performance using getgrent...
There *is* a proof-of-concept patch against CUPS 1.3.8 attached to the bug you can try, however it isn't the patch we'll ultimately use...
___________________________________________________
Michael Sweet, Senior Printing System Engineer