CUPS ldap group authentication not working

John A. Sullivan III jsullivan at opensourcedevel.com
Sat Feb 13 10:43:42 PST 2010


> > > > On Feb 13, 2010, at 1:58 AM, John A. Sullivan III wrote:
> > > > > Hello, all.  We're in the midst of building a multi-tenant CUPS printing environment where we need very granular control over who can print to what.  All of the users and groups are held in a CentOS Directory Server LDAP database.
> > > > > ...
> > > > > We would have thought we simply needed to do something like:
> > > > >
> > > > > <Location /admin>
> > > > >   Order allow,deny
> > > > >   Require group somegroup
> > > > >   Allow from 172.16.18.0/28
> > > > > </Location>
> > > > >
> > > > > But, when users enter their credentials for the web admin interface, their credentials are not accepted.  If we change it to:
> > > >
> > > >
> > > > Do you have local groups (in /etc/group) of the same name?  If so, you are running into STR #2967:
> > > >
> > > >     http://www.cups.org/str.php?L2967
> > > >
> > > > Basically the getgrnam API does not coalesce local and LDAP groups, and there is no API to enumerate all groups with the same name, so we're going to have to come up with a way to cache group lookups for some (short) amount of time to get good performance using getgrent...
> > > ><snip>
> > > Thank you for such a swift reply.  No, the groups are not duplicated.  What should I look at next? Thanks - John
> >
> > I thought it might be because we do not allow rootbinddn, nor do we have a shadow password entry for root (for security reasons - the only way in is from the VServer host and, if someone gains root access, we do not want them manipulating our LDAP DIT).  So I enabled both, but still no difference.  It is as if it completely ignores LDAP groups - John
> >
> CUPS appears to be making a successful query but then is not using the information.  Here are the LDAP server access logs when we have "Require group Eng" and I login as john (names and ids changed for security):
>
> 500] conn=579665 op=43 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=posixGroup)(cn=Eng))" attrs="cn userPassword memberUid uniqueMember gidNumber"
> 500] conn=579665 op=43 RESULT err=0 tag=101 nentries=1 etime=0
> 500] conn=579665 op=44 SRCH base="uid=george,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> 500] conn=579665 op=44 RESULT err=0 tag=101 nentries=1 etime=0
> 500] conn=579665 op=45 SRCH base="uid=john,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> 500] conn=579665 op=45 RESULT err=0 tag=101 nentries=1 etime=0
> 500] conn=579665 op=46 SRCH base="uid=pete,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" scope=0 filter="(objectClass=*)" attrs="uid uniqueMember objectClass"
> 500] conn=579665 op=46 RESULT err=0 tag=101 nentries=1 etime=0
>
> The result is denial even though the user is valid and a member of the Eng group.
>
> Here is the log when cupsd.conf is set to "Require user john @a00".  This should fail because john is NOT a member of a00, but it succeeds instead.  There appears to be no query for group a00:
>
> conn=583402 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=shadowAccount)(uid=john))" attrs="uid userPassword shadowLastChange shadowMax shadowMin sh
> conn=583402 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> conn=583403 fd=87 slot=87 SSL connection from 172.26.17.253 to 172.31.12.48
> conn=583403 SSL 256-bit AES
> conn=583403 op=0 BIND dn="uid=searcher,dc=ssiservices,dc=biz" method=128 version=3
> conn=583403 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=searcher,dc=ssiservices,dc=biz"
> conn=583403 op=1 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(uid=john)" attrs=ALL
> conn=583403 op=1 RESULT err=0 tag=101 nentries=1 etime=0
> conn=583403 op=2 BIND dn="uid=john,ou=Desktops,o=a0000-0100,o=Internal,dc=ssiservices,dc=biz" method=128 version=3
> conn=583403 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=john,ou=desktops,o=a0000-0100,o=internal,dc=ssiservices,dc=biz"
> conn=583403 op=3 BIND dn="uid=searcher,dc=ssiservices,dc=biz" method=128 version=3
> conn=583403 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=searcher,dc=ssiservices,dc=biz"
> conn=583402 op=2 SRCH base="dc=ssiservices,dc=biz" scope=2 filter="(&(objectClass=shadowAccount)(uid=john))" attrs="uid userPassword shadowLastChange shadowMax shadowMin sh
> conn=583402 op=2 RESULT err=0 tag=101 nentries=1 etime=0
> conn=583403 op=4 UNBIND
> conn=583403 op=4 fd=87 closed - U1
>
> Unfortunately, I'm still stymied after two weeks on this project.  Any pointers about what I've done wrong would be most appreciated.  Thanks - John

I just tried setting SystemGroup Eng and then "Require user @SYSTEM" but that worked no better than "Require user @Eng" :-(((
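A small diagnostic for the getgrnam/getgrent distinction raised in the reply about STR #2967 above. This is an added example, not code from CUPS or from anyone in this thread: it models what the NSS layer hands back (getgrnam returns only the first entry for a name, so a local /etc/group entry shadows an LDAP group of the same name; walking the database with getgrent sees both), runs the same two lookups against the live NSS stack on the host, and applies a membership test. The membership rule (user listed in gr_mem, or the group is the user's primary gid) is an assumption about how a `Require group` check behaves, not cupsd's own code, and the group names, gids and members in SAMPLE_GROUPS are constructed for the example.

```python
import grp

# Constructed sample of what NSS might return (invented names and gids):
# a local /etc/group "Eng" with no members, followed by an LDAP posixGroup
# "Eng" that does list john.  This is the STR #2967 situation.
SAMPLE_GROUPS = [
    grp.struct_group(("root", "x", 0, [])),
    grp.struct_group(("Eng", "x", 501, [])),                           # local entry
    grp.struct_group(("Eng", "x", 10501, ["george", "john", "pete"])),  # LDAP entry
]


def first_group(groups, name):
    """getgrnam(3) semantics: the first entry carrying the name wins."""
    for g in groups:
        if g.gr_name == name:
            return g
    return None


def all_groups(groups, name):
    """getgrent(3) semantics: walk the whole group database, keep every match."""
    return [g for g in groups if g.gr_name == name]


def is_member(user, user_gid, group):
    """Assumed membership rule (not cupsd's code): the user is listed in
    gr_mem, or the group is the user's primary group."""
    return user in group.gr_mem or user_gid == group.gr_gid


def allowed_via_getgrnam(groups, user, user_gid, name):
    """What a getgrnam-based 'Require group NAME' check would decide."""
    g = first_group(groups, name)
    return g is not None and is_member(user, user_gid, g)


def allowed_via_getgrent(groups, user, user_gid, name):
    """Same decision when every entry with that name is considered."""
    return any(is_member(user, user_gid, g) for g in all_groups(groups, name))


def live_view(name):
    """Run both lookups against the real NSS stack on this host, i.e. the
    view cupsd itself gets.  Returns (getgrnam result or None, all matches)."""
    try:
        first = grp.getgrnam(name)
    except KeyError:
        first = None
    return first, all_groups(grp.getgrall(), name)


if __name__ == "__main__":
    for label, fn in (("getgrnam", allowed_via_getgrnam),
                      ("getgrent", allowed_via_getgrent)):
        print(f"john in Eng via {label}: {fn(SAMPLE_GROUPS, 'john', 10001, 'Eng')}")
    first, every = live_view("Eng")
    print("live getgrnam('Eng'):", first)
    print("live entries named Eng:", [(g.gr_gid, g.gr_mem) for g in every])
```

Run it as the cupsd user on the print server; the live section tells you whether the LDAP group is reachable through NSS at all and whether gr_mem is populated, which is the same thing `getent group Eng` shows from a shell. If getgrnam returns an entry with an empty member list while the LDAP search log shows the uniqueMember DNs being resolved, the gap is between nss_ldap and the daemon rather than in the directory.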