By the numbers, here is the process to get https working for the web interface and how to delegate control of a queue to a group other than lpadmin (or whatever group is listed as the system group.)
- Install CUPS
- Create a certificate
- Put the certificate in a common place, like /etc/ssl
- Edit /etc/cups/cupsd.conf
- Check firewall ports
- Modify the print queue
Do whatever you are comfortable with. I run Debian, so a simple
aptitude install cups
gets the basic set up installed. You will probably want gutenprint, maybe hplip, for printer drivers. The Debian package 1.4.4-2 has a bug that throws errors on the ServerCertificate directive. The package to use is at least 1.4.4-7. You can read about the bugs if you want the long story.
Just google it, there are lots of options on how to do this. At work we use a certificate authority, so I would generate a private key for the server and a certificate request in .pem format, which works fine with CUPS. The documentation shows .crt extensions on the certificates in the examples, so I'm going to assume that works as well.
3. Put the certificate in a common place, like /etc/ssl
This is optional, put the certificate wherever you like. I put it here because I don't have to think about it or open up the config file to find out where the certificates are that the service is using. Besides, if I ever need to run a web server that needs SSL it makes sense to keep it in a common location.4. Edit /etc/cups/cupsd.conf
This is where the magic happens. In addition to whatever else is in the cupsd.conf file by default, you will need these additional directives for the service to use SSL.ServerName myprintserver.domain.com SSLListen 192.168.1.10:443 SSLListen myprintserver.domain.com:443 ServerAlias myprintserver.domain.com ServerCertificate /etc/ssl/mycert.pem ServerKey /etc/ssl/myprivatekey.pem
To allow access to the server, add allows to the root location section.
<Location /> Order allow,deny Allow from 192.168.1 </Location>
If you want to allow access to the 'admin' and 'admin/conf' pages, you'll have to add the Allow directive to those Locations as well.
Copy <Policy default> (the whole section) and paste it at the bottom of the file. Change 'default' to some other name, I'll use 'mydefault' here. For each set of permissions defined in a Limit section that you want to delegate to another admin, add the name of the Unix group with the '@' symbol to the Require user directive (labprintadmin is the Unix group below.)
<Policy mydefault> <Limit...> Require user @OWNER @labprintadmin @SYSTEM Order deny, allow </Limit> ... </Policy>
Restart CUPS for the changes to take effect. Also, the Unix group will have to exist and have users in it for this to work.
addgroup labprintadmin adduser labadmin labprintadmin
5. Check firewall ports
Open up 443 to whatever needs to access it, make sure it is listed in /etc/hosts.allow if you're using tcpwrappers, etc.6. Modify the print queue
Now to apply the policy to the queue that the labprintadmin group should manage.lpadmin -p LabPrinter -o printer-op-policy=mydefault
I verify the change in /etc/cups/printers.conf and restart the service if the OpPolicy directive does not have the new policy listed.
That should do it.
No comments:
Post a Comment