LDAP Printing

It is possible to use LDAP to keep track of printers when using CUPS as a print server. This article will describe the process.

LDAP Server Setup

  • Include the printer schema in /etc/openldap/slapd.conf. I have done this by placing the schema file in /usr/share/openldap/schema with a filename of ldap-printer.schema. I then include the file in the /etc/openldap/slapd.conf with the following line:
include /usr/share/openldap/schema/ldap-printer.schema

Once you restart OpenLDAP, this schema will be available. When using a provider-consumer paradigm (i.e., master-slave), it is best to deploy the new schema to the consumer(s) before the provider.

  • Add a user with permission to modify the printers ou. Something like the following would be appropriate:
dn: uid=cupsd,ou=People,dc=example,dc=org
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: cupsd
cn: cupsd
sn: cupsd
homeDirectory: /sbin/nologin
loginShell: /bin/false
uidNumber: <next uid>
gidNumber: 100
  • Add an ACL which gives this new user modify permission to the printers ou:
access to attrs=userPassword
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by dn.exact="cn=Manager,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
access to dn.subtree="ou=printers,dc=example,dc=org"
  by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
  by dn.exact="cn=manager,dc=example,dc=org" write
  by * read
access to *
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by self write
  by * read
  • Also, add an index for the printerURI attribute, and re-index the directory:
index   printerURI        eq
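
To check what the ACL above actually grants, this added example (not from the original article or from OpenLDAP) evaluates it the way slapd does: the first matching `access to` clause is used, then its first matching `by` clause. It handles only the selector forms that appear on this page, and DN comparison is simplified to case-folding.

```python
import re

# ACL copied from this page's slapd.conf excerpt; the evaluator is simplified.
ACL = """\
access to attrs=userPassword
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by dn.exact="cn=Manager,dc=example,dc=org" write
  by self write
  by anonymous auth
  by * none
access to dn.subtree="ou=printers,dc=example,dc=org"
  by dn.exact="uid=cupsd,ou=people,dc=example,dc=org" write
  by dn.exact="cn=manager,dc=example,dc=org" write
  by * read
access to *
  by dn.exact="uid=replicator,ou=People,dc=example,dc=org"  read
  by self write
  by * read
"""

def norm(dn):
    return dn.strip('"').lower()  # assumption: case-folding is enough here

def parse(text):
    # -> [(what, [(who, level), ...]), ...] in file order
    return [(blk.split()[0], re.findall(r"^\s*by\s+(\S+)\s+(\S+)", blk, re.M))
            for blk in text.split("access to ")[1:]]

def matches_what(what, entry, attr):
    kind, _, val = what.partition("=")
    if kind == "attrs":
        return attr.lower() in val.lower().split(",")
    if kind == "dn.subtree":  # the base entry and everything beneath it
        return ("," + norm(entry)).endswith("," + norm(val))
    return what == "*"

def matches_who(who, bind_dn, entry):
    kind, _, val = who.partition("=")
    return bool(who == "*" or (who == "anonymous" and not bind_dn)
                or (who == "self" and bind_dn and norm(bind_dn) == norm(entry))
                or (kind == "dn.exact" and norm(val) == norm(bind_dn)))

def access(bind_dn, entry, attr):
    # First matching <what>, then its first matching <who>, else implicit none.
    for what, clauses in parse(ACL):
        if matches_what(what, entry, attr):
            hits = [lv for who, lv in clauses if matches_who(who, bind_dn, entry)]
            return hits[0] if hits else "none"
    return "none"
```

Calling `access("uid=cupsd,ou=People,dc=example,dc=org", "cn=laser1,ou=printers,dc=example,dc=org", "printerURI")` returns `"write"` (cn=laser1 is a made-up entry), while the same bind DN gets `"read"` on other people's entries and, through `by self write`, `"write"` on its own entry. On a live server, slapacl gives the authoritative answer.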


CUPS Server Setup

Pre-requisites:

  • CUPS v1.2+
  • php-ldap

Configuration:

  • The next step is to configure CUPS. This requires some additional entries in cupsd.conf to tell CUPS where the LDAP directory is and to allow remote access to the CUPS server.
# Configure CUPS to respond to remote requests
Listen <insert IP Address>:631

# Specifies the protocols to use for printer browsing.
BrowseProtocols cups ldap

# Specifies the protocols to use for local printer browsing.
BrowseLocalProtocols cups ldap

# Specifies the protocols to use for remote printer browsing.
BrowseRemoteProtocols cups ldap

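# Configure LDAP printers. The bind password below is stored in clear text,
# so keep cupsd.conf readable only by root and the CUPS group.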
BrowseLDAPBindDN uid=cupsd,ou=people,dc=example,dc=org
BrowseLDAPPassword <ldap password>
BrowseLDAPServer ldaps://ldap-server.example.org/
BrowseLDAPDN dc=example,dc=org

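# Access control for the server root. As written, "Allow all" admits every
# host (which makes "Allow localhost" redundant); to actually restrict access,
# replace "Allow all" with the hosts or networks that should reach this server.
<Location />
  Order allow,deny
  Allow all
  Allow localhost
</Location>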

Then restart CUPS. It should populate your printers into the LDAP directory, and you should have access to printers from other CUPS servers connected to this LDAP directory.
