[cups] Odd cups/ldap interaction
LeFevre, David C
dlefevre at purdue.edu
Tue Jun 28 13:04:40 PDT 2016
Hello!
I've got an odd problem going on with a new installation of cups on RHEL7 and I am
having a weird interaction with ldap that I can't figure out. The version of CUPS
that RHEL7 packages is 1.6.3 right now.
First of all, I am *not* trying to set up CUPS to talk to ldap. I have CUPS set up
as plain Basic Authentication. I don't want any interaction at all between CUPS
and ldap.
Second, we still use the older pam_ldap setup and nslcd, not the sssd that Redhat actually wants us to use. (long story)
What happens is that after a certain period of time (usually 8-12 hours) ldap stops
being able to do lookups for users logging in. The log entry
when someone logs on looks something like this:
Jun 28 15:20:14 cupshost nslcd[2438]: [695dec] <authc="**something**"> <something,something>,dc=edu: lookup failed: Invalid credentials
ldapsearch continues to work.
It took me a while to even think about CUPS while looking into this, but I've
found today that restarting the CUPS daemon actually solves the issue with
the logins. Why would that be? I can't even figure out what to check.
I'll paste an obscured version of my cups.conf below. I'm still kind of new
with administering a cups server, so maybe someone can give me an idea of
what to look for. I've got a cronjob restarting cups to work around the issue,
but that is hardly an elegant solution.
--
######################################
######################################
MaxLogSize 0
#
# "$Id: cupsd.conf.in 7888 2008-08-29 21:16:56Z mike $"
#
# Sample configuration file for the CUPS scheduler. See "man cupsd.conf" for a
# complete description of this file.
#
# Log general information in error_log - change "warn" to "debug"
# for troubleshooting...
LogLevel debug
# Only listen for connections from the local machine.
Listen *:631
Listen /var/run/cups/cups.sock
# Show shared printers on the local network.
Browsing off
#BrowseOrder allow,deny
#BrowseDeny all
#BrowseAllow none
# Default authentication type, when authentication is required...
DefaultAuthType Basic
# Web interface setting...
WebInterface Yes
# turn this to on if in trouble
PreserveJobFiles Off
# Restrict access to the server...
<Location />
##left out, don't need to know
</Location>
<Location /admin>
##left out, don't need to know
</Location>
# Restrict access to configuration files...
<Location /admin/conf>
AuthType Default
Require user @SYSTEM
Order allow,deny
</Location>
# Set the default printer/job policies...
<Policy default>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues none
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default CUPS-Get-Devices>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
# Set the authenticated printer/job policies...
<Policy authenticated>
# Job/subscription privacy...
JobPrivateAccess default
JobPrivateValues default
SubscriptionPrivateAccess default
SubscriptionPrivateValues default
# Job-related operations must be done by the owner or an administrator...
<Limit Create-Job Print-Job Print-URI Validate-Job>
AuthType Default
Order deny,allow
</Limit>
<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job Cancel-My-Jobs Close-Job CUPS-Move-Job CUPS-Get-Document>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
# All administration operations require an administrator to authenticate...
<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# All printer operations require a printer operator to authenticate...
<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After Cancel-Jobs CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>
# Only the owner or an administrator can cancel or authenticate a job...
<Limit Cancel-Job CUPS-Authenticate-Job>
AuthType Default
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>
<Limit All>
Order deny,allow
</Limit>
</Policy>
#
# End of "$Id: cupsd.conf.in 7888 2008-08-29 21:16:56Z mike $".
Thanks!
-dcl
Dave LeFevre
More information about the cups
mailing list