Single Sign-On and the Corporate Directory, Part IV
Welcome back for the last article on using your single sign-on and corporate directory infrastructure. What we've covered so far is how to set up the infrastructure and how to plug various types of clients running different operating systems in to that infrastructure. The majority of that work benefits your users in enabling them to sign on only once, after which they can use a variety of resources, such as storage shares, printers, e-mail and more.
This month, we cover methods to use Kerberos and LDAP to make your job easier. As always, the sample programs and other files are available from the on-line Resources.
No matter what size your shop is, printing is always a necessity. Unfortunately, printing also can be one of the most error-prone processes as well, especially in a heterogeneous environment. Luckily, the CUPS (Common UNIX Printing System) Project has been established. The goals of CUPS are to provide a standards-based printing solution and to provide unified printing for UNIX-based systems. Today, it's the default printing system for most Linux distributions as well as Apple OS X.
Setting up a basic print server using CUPS is simple. To get a basic understanding of CUPS and a working install, you should read Colin Topliss' article “Centralized Printing Using CUPS” (see Resources). Make sure to configure the CUPS server on one of your Samba servers if you want to enable Windows clients to print. We cover how to do this shortly.
The first thing to do after setting up your print server is enabling encryption using SSL. You should create a certificate signing request, or CSR, and sign it with your CA. Save the certificate and key in /etc/ssl/cups as cups-cert.pem and cups-key.pem, respectively. Also, make sure that they're owned by the user that cupsd uses, usually lp, and that the permissions are set properly on the private key, 0400. Next, make some changes to /etc/cups/cupsd.conf:
ServerCertficate /etc/ssl/cups/cups-cert.pem ServerKey /etc/ssl/cups/cups-key.pem
Save your changes and restart cupsd.
One of the most difficult tasks of print management is keeping track of all the printers to manage. Gone are the days when all the printers existed in a central location. Now printers, more than likely, are scattered around the office, attached to people's workstations, and whatnot. Worse, the fact that these printers are different makes and models increases the challenge of organizing them.
The CUPS Web site (see Resources) states that LDAP support is scheduled for inclusion in version 1.3. Version 1.1 is currently stable, and 1.2 has been in testing for some time now. However, this needn't stop us from using LDAP as a way to inventory all the printers in the office and even provide a way to automate printer addition to a CUPS server.
The IETF has been thinking about this and has developed RFC 3712, “Lightweight Directory Access Protocol (LDAP): Schema for Printer Services”. I've taken the liberty of converting this RFC into an actual schema for use with OpenLDAP and included it in the on-line Resources. Include this schema in your slapd.conf file and restart slapd. Now we can add information about our printers:
dn: ou=printers,o=ci,dc=example,dc=com objectClass: organizationalUnit ou=printers dn: printer-name=pr-laser,ou=printers,o=ci,dc=example,dc=com objectClass: top objectClass: printerAbstract objectClass: printerService objectClass: printerIPP printer-name: pr-laser printer-location: A101 printer-info: laserjet.ppd printer-more-info: http://www.hp.com printer-make-and-model: HP LaserJet printer-uri: socket://pr-laser.example.com
Most of these are self-explanatory, but printer-info and printer-uri might need a little explaining. We use the printer-info attribute to specify the PostScript printer definition, PPD, to use for this printer, in this case laserjet.ppd. The printer-uri attribute is used to define the URI to contact the printer. The socket:// device is usually used for HP JetDirect connections to a printer. To find all the devices your print server supports, use the lpinfo command, which is usually kept in /usr/sbin:
# /usr/sbin/lpinfo -v network socket direct hal network http network ipp network lpd direct scsi serial serial:/dev/ttyS0?baud=115200 direct usb:/dev/usb/lp0 network smb
Your output may vary depending on what options were enabled when CUPS was compiled.
You now have a printer listed in LDAP, but what can you do with it as CUPS doesn't support LDAP? At the very least, you have a central place for keeping track of all your printers and their capabilities. I've written a small Perl script that queries LDAP for all the printers in the directory, and then creates a script that can be used to add all the printers to a CUPS server. It doesn't do much, but it gives you a start on how you can use LDAP to supplement CUPS and make management a bit more tractable. If you decide to use some of the attributes, such as printer-sides-supported, printer-finishings-supported and printer-media-supported, you could easily extend the script to call lpoptions to set printer-specific settings automatically as well.
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems
Join editor Bill Childers and Bit9's Paul Riegle on April 27 at 12pm Central to learn how to keep your Linux systems secure.
Free to Linux Journal readers.Register Now!
|diff -u: What's New in Kernel Development||Aug 20, 2014|
|Security Hardening with Ansible||Aug 18, 2014|
|Monitoring Android Traffic with Wireshark||Aug 14, 2014|
|IndieBox: for Gamers Who Miss Boxes!||Aug 13, 2014|
|Non-Linux FOSS: a Virtualized Cisco Infrastructure?||Aug 11, 2014|
|Linux Security Threats on the Rise||Aug 08, 2014|
- diff -u: What's New in Kernel Development
- Security Hardening with Ansible
- NSA: Linux Journal is an "extremist forum" and its readers get flagged for extra surveillance
- Monitoring Android Traffic with Wireshark
- Tech Tip: Really Simple HTTP Server with Python
- Readers' Choice Awards 2013
- RSS Feeds
- [<Megashare>] Watch Mrs Brown's Boys Movie Online Full Movie HD 2014
- Cooking with Linux - Serious Cool, Sysadmin Style!
- Linux Security Threats on the Rise