[cups] Using LDAP authentication with CUPS 1.6.3

Tim Mooney Tim.Mooney at ndsu.edu
Fri Dec 15 14:41:13 PST 2017


In regard to: Re: [cups] Using LDAP authentication with CUPS 1.6.3, Barton...:

> There is a /etc/pam.d/cups file already.  How do I get CUPS to utilize
> this file and LDAP?
>
> bfbarton at ip-10-68-13-206:~> cat /etc/pam.d/cups
> #%PAM-1.0
> # Use password-auth common PAM configuration for the daemon
> auth        include     password-auth
> account     include     password-auth

Your question just became about PAM, not CUPS.

The password-auth file is referenced by (included by) many different
PAM files, including stuff like /etc/pam.d/sshd.  It's a way to get
every PAM-enabled service to use the exact same stack of modules for
authentication.

You'll want to do some web searching and reading about configuring PAM
for LDAP authentication.  You'll probably want to start with what's
in password-auth as an example, but you'll need to copy it to some
other name (maybe /etc/pam.d/custom-ldap-auth) and then include *that*
file from /etc/pam.d/cups, instead of the password-auth.

Whatever you do, be careful.  PAM is complicated and it's easy to get
it wrong, in potentially disastrous ways (think: everyone can authenticate
as someone else, with no password.  Oops).

The good news for you is that there are lots and lots of examples out
there for Red Hat flavored systems for adding ldap to the PAM stack.

Good luck,

Tim

> On 12/15/17, 4:44 PM, "cups on behalf of Michael Sweet" <cups-bounces at cups.org on behalf of msweet at apple.com> wrote:
>
>    CUPS used to support a (custom) LDAP schema for printer sharing, but never anything directly for authentication.  For that, look at the PAM configuration file /etc/pam.d/cups - there you can add the pam_ldap module.
>
>
>    > On Dec 15, 2017, at 4:27 PM, Barton Jr, Bernard (RIS-PHL) <BBarton at signatureinfo.com> wrote:
>    >
>    > I’m using CUPS 1.6.3 on CentOS 7.  Is it possible to use LDAP for authentication?  I see no references to LDAP in the documentation, or man pages, e.g., the man page for cupsd.conf.
>    >
>    > Oddly, if I look at the man page for cupsd.conf on another server running CUPS 1.4.2, it is full of references to LDAP.
>    >
>    >
>    > ---------------------------------------- The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. This message may be an attorney-client communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message.
>    > _______________________________________________
>    > cups mailing list
>    > cups at cups.org
>    > https://lists.cups.org/mailman/listinfo/cups
>
>    _________________________________________________________
>    Michael Sweet, Senior Printing System Engineer
>

-- 
Tim Mooney                                             Tim.Mooney at ndsu.edu
Enterprise Computing & Infrastructure                  701-231-1076 (Voice)
Room 242-J6, Quentin Burdick Building                  701-231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
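
An added example, not part of the original message and not CUPS or PAM project code: a small Python check for the failure mode the reply warns about, run over a constructed /etc/pam.d layout in which cups includes custom-ldap-auth. The stack contents and the names PAM_D, stack and lint_auth are assumptions made for illustration.

```python
import re

# Constructed /etc/pam.d contents (assumption). "custom-ldap-auth" is the file
# name suggested in the message; the rules in it are illustrative only.
PAM_D = {
    "cups": "#%PAM-1.0\nauth     include  custom-ldap-auth\naccount  include  custom-ldap-auth\n",
    "custom-ldap-auth": """\
auth     required    pam_env.so
auth     sufficient  pam_unix.so nullok try_first_pass
auth     sufficient  pam_ldap.so use_first_pass
auth     sufficient  pam_permit.so   # left in after testing
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
""",
}

# type, control (keyword or [bracketed list]), module or included file, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def stack(service, kind, files, seen=()):
    """Flatten one service's rules of a given type, following include/substack."""
    if service in seen or service not in files:
        raise ValueError(f"cannot resolve PAM file: {service}")
    for raw in files[service].splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue
        control, target, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            yield from stack(target, kind, files, seen + (service,))
        else:
            yield service, control, target.rsplit("/", 1)[-1], args

def lint_auth(service, files):
    """Return findings for rules that let authentication pass without a real check."""
    rules = list(stack(service, "auth", files))
    findings = []
    if not rules:
        findings.append(f"{service}: no auth rules after resolving includes")
    for origin, control, module, args in rules:
        if module == "pam_permit.so":
            findings.append(f"{origin}: auth {control} pam_permit.so always succeeds")
        if module == "pam_unix.so" and "nullok" in args:
            findings.append(f"{origin}: pam_unix.so nullok accepts blank passwords")
    return findings

if __name__ == "__main__":
    for finding in lint_auth("cups", PAM_D):
        print(finding)
```

Because includes are resolved first, a finding is attributed to the file that actually contains the rule, which matters when several services share one included stack.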

