Single Sign-On and the Corporate Directory, Part IV

Welcome back for the last article on using your single sign-on and corporate directory infrastructure. What we've covered so far is how to set up the infrastructure and how to plug various types of clients running different operating systems in to that infrastructure. The majority of that work benefits your users in enabling them to sign on only once, after which they can use a variety of resources, such as storage shares, printers, e-mail and more.

This month, we cover methods to use Kerberos and LDAP to make your job easier. As always, the sample programs and other files are available from the on-line Resources.

No matter what size your shop is, printing is always a necessity. Unfortunately, printing also can be one of the most error-prone processes as well, especially in a heterogeneous environment. Luckily, the CUPS (Common UNIX Printing System) Project has been established. The goals of CUPS are to provide a standards-based printing solution and to provide unified printing for UNIX-based systems. Today, it's the default printing system for most Linux distributions as well as Apple OS X.

Setting up a basic print server using CUPS is simple. To get a basic understanding of CUPS and a working install, you should read Colin Topliss' article “Centralized Printing Using CUPS” (see Resources). Make sure to configure the CUPS server on one of your Samba servers if you want to enable Windows clients to print. We cover how to do this shortly.

The first thing to do after setting up your print server is enabling encryption using SSL. You should create a certificate signing request, or CSR, and sign it with your CA. Save the certificate and key in /etc/ssl/cups as cups-cert.pem and cups-key.pem, respectively. Also, make sure that they're owned by the user that cupsd uses, usually lp, and that the permissions are set properly on the private key, 0400. Next, make some changes to /etc/cups/cupsd.conf:

ServerCertficate /etc/ssl/cups/cups-cert.pem
ServerKey /etc/ssl/cups/cups-key.pem

Save your changes and restart cupsd.

One of the most difficult tasks of print management is keeping track of all the printers to manage. Gone are the days when all the printers existed in a central location. Now printers, more than likely, are scattered around the office, attached to people's workstations, and whatnot. Worse, the fact that these printers are different makes and models increases the challenge of organizing them.

The CUPS Web site (see Resources) states that LDAP support is scheduled for inclusion in version 1.3. Version 1.1 is currently stable, and 1.2 has been in testing for some time now. However, this needn't stop us from using LDAP as a way to inventory all the printers in the office and even provide a way to automate printer addition to a CUPS server.

The IETF has been thinking about this and has developed RFC 3712, “Lightweight Directory Access Protocol (LDAP): Schema for Printer Services”. I've taken the liberty of converting this RFC into an actual schema for use with OpenLDAP and included it in the on-line Resources. Include this schema in your slapd.conf file and restart slapd. Now we can add information about our printers:

dn: ou=printers,o=ci,dc=example,dc=com
objectClass: organizationalUnit
ou=printers

dn: printer-name=pr-laser,ou=printers,o=ci,dc=example,dc=com
objectClass: top
objectClass: printerAbstract
objectClass: printerService
objectClass: printerIPP
printer-name: pr-laser
printer-location: A101
printer-info: laserjet.ppd
printer-more-info: http://www.hp.com
printer-make-and-model: HP LaserJet
printer-uri: socket://pr-laser.example.com

Most of these are self-explanatory, but printer-info and printer-uri might need a little explaining. We use the printer-info attribute to specify the PostScript printer definition, PPD, to use for this printer, in this case laserjet.ppd. The printer-uri attribute is used to define the URI to contact the printer. The socket:// device is usually used for HP JetDirect connections to a printer. To find all the devices your print server supports, use the lpinfo command, which is usually kept in /usr/sbin:

# /usr/sbin/lpinfo -v
network socket
direct hal
network http
network ipp
network lpd
direct scsi
serial serial:/dev/ttyS0?baud=115200
direct usb:/dev/usb/lp0
network smb

Your output may vary depending on what options were enabled when CUPS was compiled.

You now have a printer listed in LDAP, but what can you do with it as CUPS doesn't support LDAP? At the very least, you have a central place for keeping track of all your printers and their capabilities. I've written a small Perl script that queries LDAP for all the printers in the directory, and then creates a script that can be used to add all the printers to a CUPS server. It doesn't do much, but it gives you a start on how you can use LDAP to supplement CUPS and make management a bit more tractable. If you decide to use some of the attributes, such as printer-sides-supported, printer-finishings-supported and printer-media-supported, you could easily extend the script to call lpoptions to set printer-specific settings automatically as well.