CUPS ldap group authentication not working

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Feb 13 10:30:09 PST 2010


> > > On Feb 13, 2010, at 1:58 AM, John A. Sullivan III wrote:
> > > > Hello, all.  We're in the midst of building a multi-tenant CUPS printing environment where we need very granular control over who can print to what.  All of the users and groups are held in a CentOS Directory Server LDAP database.
> > > > ...
> > > > We would have thought we simply needed to do something like:
> > > >
> > > > <Location /admin>
> > > >  Order allow,deny
> > > >   Require group somegroup
> > > >  Allow from 172.16.18.0/28
> > > > </Location>
> > > >
> > > > But, when users enter their credentials for the web admin interface, their credentials are not accepted.  If we change it to:
> > >
> > >
> > > Do you have local groups (in /etc/group) of the same name?  If so, you are running into STR #2967:
> > >
> > >     http://www.cups.org/str.php?L2967
> > >
> > > Basically the getgrnam API does not coalesce local and LDAP groups, and there is no API to enumerate all groups with the same name, so we're going to have to come up with a way to cache group lookups for some (short) amount of time to get good performance using getgrent...
> > ><snip>
> > Thank you for such a swift reply.  No, the groups are not duplicated.  What should I look at next? Thanks - John
>
> I thought it might be because we do not allow rootbinddn nor do we have a shadow password entry for root (for security reasons - the only way in is from the VServer host and, if someone gains root access, we do not want them manipulating our LDAP DIT).  So I enabled both but still no difference.  It is as if it completely ignores LDAP groups - John
>
CUPS appears to be making a successful query but then is not using the information.  Here are the LDAP server access logs when we have "Require group Eng" and I log in as john (names and ids changed for security):

500] conn=579665 op=43 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(cn=Eng))" attrs="cn userPassword memberUid uniqueMember gidNumber"
500] conn=579665 op=43 RESULT err=0 tag=101 nentries=1 etime=0
500] conn=579665 op=44 SRCH base="uid=george,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
500] conn=579665 op=44 RESULT err=0 tag=101 nentries=1 etime=0
500] conn=579665 op=45 SRCH base="uid=john,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
500] conn=579665 op=45 RESULT err=0 tag=101 nentries=1 etime=0
500] conn=579665 op=46 SRCH base="uid=pete,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
500] conn=579665 op=46 RESULT err=0 tag=101 nentries=1 etime=0

The result is denial even though the user is valid and a member of the Eng group.

Here is the log when cupsd.conf is set to "Require user john @a00".  This should fail because john is NOT a member of a00, but it succeeds instead.  There appears to be no query for group a00:

conn=583402 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=shadowAccount)(uid=john))" attrs="uid userPassword shadowLastChange shadowMax shadowMin sh
conn=583402 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=583403 fd=87 slot=87 SSL connection from 172.26.17.253 to 172.31.12.48
conn=583403 SSL 256-bit AES
conn=583403 op=0 BIND dn="uid=searcher,dc=ssiservices,dc=biz" method=128 version=3
conn=583403 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=searcher,dc=ssiservices,dc=biz"
conn=583403 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(uid=john)" attrs=ALL
conn=583403 op=1 RESULT err=0 tag=101 nentries=1 etime=0
conn=583403 op=2 BIND dn="uid=john,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
conn=583403 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=john,ou=desktops,o=a0000-0100,o=internal,dc=ssiservices,dc=biz"
conn=583403 op=3 BIND dn="uid=searcher,dc=ssiservices,dc=biz" method=128 version=3
conn=583403 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=searcher,dc=ssiservices,dc=biz"
conn=583402 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=shadowAccount)(uid=john))" attrs="uid userPassword shadowLastChange shadowMax shadowMin sh
conn=583402 op=2 RESULT err=0 tag=101 nentries=1 etime=0
conn=583403 op=4 UNBIND
conn=583403 op=4 fd=87 closed - U1

Unfortunately, I'm still stymied after two weeks on this project.  Any pointers about what I've done wrong would be most appreciated.  Thanks - John
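An added diagnostic, not code from this thread or from CUPS itself, that replays the getgrnam-based membership test the reply above describes: the user's primary GID against the group's GID, then the user name against the member list NSS returns. Run on the CUPS host it shows what nss_ldap actually hands back for a group such as Eng; the injectable lookups and the `constructed_lookups()` data are assumptions built for illustration, not the thread's directory contents.

```python
import grp
import pwd
import sys
from collections import namedtuple


def user_in_group(username, groupname, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Replay the two NSS checks behind 'Require group': the user's primary
    GID equals the group's GID, or the user name appears in the member list
    that getgrnam returns.  Lookups are injectable so the logic can also be
    exercised against constructed entries."""
    r = {"user_found": False, "group_found": False,
         "primary_gid_match": False, "listed_member": False, "allowed": False}
    try:
        pw = getpwnam(username)
    except KeyError:
        return r                      # unknown user: NSS never resolved it
    r["user_found"] = True
    try:
        gr = getgrnam(groupname)
    except KeyError:
        return r                      # unknown group: nss_ldap returned nothing
    r["group_found"] = True
    r["primary_gid_match"] = pw.pw_gid == gr.gr_gid
    r["listed_member"] = username in gr.gr_mem   # an empty gr_mem is the usual culprit
    r["allowed"] = r["primary_gid_match"] or r["listed_member"]
    return r


def constructed_lookups():
    """Fake NSS answers (constructed for this example, not from the post):
    group Eng lists john/george/pete; users have unrelated primary GIDs."""
    Passwd = namedtuple("Passwd", "pw_name pw_gid")
    Group = namedtuple("Group", "gr_name gr_gid gr_mem")
    users = {"john": Passwd("john", 10001), "george": Passwd("george", 10002)}
    groups = {"Eng": Group("Eng", 5000, ["john", "george", "pete"]),
              "Sales": Group("Sales", 5001, [])}

    def getpwnam(name):
        return users[name]            # KeyError on a miss, like pwd.getpwnam

    def getgrnam(name):
        return groups[name]           # KeyError on a miss, like grp.getgrnam
    return getpwnam, getgrnam


if __name__ == "__main__":
    user, group = sys.argv[1], sys.argv[2]
    r = user_in_group(user, group)
    for key, value in r.items():
        print(f"{key:18} {value}")
    if r["group_found"]:
        print("members as NSS sees them:", grp.getgrnam(group).gr_mem)
```

If `group_found` is true but `listed_member` is false for a user the LDAP entry clearly lists, the gap is in how nss_ldap maps the group's membership attribute (memberUid versus uniqueMember) rather than in cupsd.conf.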
