CUPS ldap group authentication not working
John A. Sullivan III
jsullivan at opensourcedevel.com
Sat Feb 13 09:37:12 PST 2010
> > On Feb 13, 2010, at 1:58 AM, John A. Sullivan III wrote:
> > > Hello, all. We're in the midst of building a multi-tenant CUPS
> > > printing environment where we need very granular control over who can
> > > print to what. All of the users and groups are held in a CentOS
> > > Directory Server LDAP database.
> > > ...
> > > We would have thought we simply needed to do something like:
> > >
> > > <Location /admin>
> > > Order allow,deny
> > > Require group somegroup
> > > Allow from 172.16.18.0/28
> > > </Location>
> > >
> > > But, when users enter their credentials for the web admin interface,
> > > their credentials are not accepted. If we change it to:
> >
> >
> > Do you have local groups (in /etc/group) of the same name? If so, you
> > are running into STR #2967:
> >
> > http://www.cups.org/str.php?L2967
> >
> > Basically the getgrnam API does not coalesce local and LDAP groups, and
> > there is no API to enumerate all groups with the same name, so we're
> > going to have to come up with a way to cache group lookups for some
> > (short) amount of time to get good performance using getgrent...
> ><snip>
> Thank you for such a swift reply. No, the groups are not duplicated. What should I look at next? Thanks - John
I thought it might be because we do not allow rootbinddn nor do we have a shadow password entry for root (for security reasons - the only way in is from the VServer host and, if someone gains root access, we do not want them manipulating our LDAP DIT). So I enabled both but still no difference. It is as if it completely ignores LDAP groups - John
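
Added example (not part of the original message and not CUPS code): a small diagnostic that separates the two situations discussed in this thread, a same-name local group hiding the LDAP one (STR #2967) versus the group not being visible through getgrnam at all. The user name `alice`, the sample group file and the status labels are assumptions made for illustration.

```python
import grp

# Constructed /etc/group content; "somegroup" is the group named in the thread.
SAMPLE_GROUP_FILE = """\
root:x:0:
lp:x:7:cupsd
somegroup:x:1500:
"""

def local_members(group_text, name):
    """Members of `name` in /etc/group-format text, or None if not defined there."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 4 and fields[0] == name:
            return [m for m in fields[3].split(",") if m]
    return None

def nss_members(name):
    """Members as getgrnam() reports them (the call quoted above), or None."""
    try:
        return list(grp.getgrnam(name).gr_mem)
    except KeyError:
        return None

def diagnose(name, user, group_text, lookup=nss_members):
    """Classify why `user` may fail a 'Require group' check on `name`."""
    seen = lookup(name)
    if seen is None:
        return "not-visible"   # NSS resolves no such group: check nsswitch.conf / LDAP client
    if user in seen:
        return "member"        # group membership is not the problem
    if local_members(group_text, name) is not None:
        return "shadowed"      # same-name local entry: the STR #2967 case
    return "not-member"        # note: gr_mem omits users whose primary group this is

if __name__ == "__main__":
    with open("/etc/group") as fh:
        print(diagnose("somegroup", "alice", fh.read()))  # "alice" is a placeholder user
```

Run it on the CUPS host as the account the scheduler runs under, since that is the NSS view the `Require group` check depends on.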