The authentication cookbook - recipes by example
This section discusses various solutions to the "authentication problem" in recipe style. The aim is not to provide detailed step by step instructions, but rather guide the user to the relevant procedures and sections in other parts of the manual.
Windows systems with generic logins
This scenario arises either when users log in to systems using a common username such as user or student, or if the workstations auto-login as a generic user. See introduction for details.
Preferred method:
-
Ensure all users have an account (username and password) on the server (or domain) hosting the PaperCut MF software.
-
Install client software on all systems. See User Client for more detail.
-
Enable popup authentication by selecting the Unauthenticated option on the corresponding generic user account. Popup authentication involves matching the source IP address of the print job with the user confirmed to be operating from the popup client IP address. Authentication is provided by the PaperCut NG client software in the form of a popup dialog requesting a username and password. To print with popup authentication, the client software must be running on the workstations or laptops.
-
See Popup authentication for more detail.
Other methods:
-
Use standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Consider implementing domain level logins.
Windows laptops that do not authenticate against a domain
Portable systems can spend most of their time outside the organization's network so setting up domain authentication might not be required. The laptops/notebooks are often owned by a single individual and are not under the control of a central administrator.
Preferred method:
Use popup authentication or hold/release queues. For more information, see Handling unauthenticated (non-domain) laptops.
Alternate method 1:
If using a version of Windows that can authenticate with a domain (i.e. not the Windows Home editions), then you can configure the laptop to authenticate with the network as follows.
Teach the user how to add their domain username and password to their Stored usernames and passwords:
Start > Control Panel > User Accounts
Select the user's laptop login account
Click Manage my network passwords
Click Add
Enter the name of the server and the user's network domain username and password
Teach the user how to add a network printer in the form \\server\printer.
Optional: Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process, the client opens asking the user to confirm their network identity. See User Client for more detail.
Alternate method 2:
-
Add a generic "LaptopUser", or "guest" user account to the domain. Make the password known to all users (e.g. password).
-
Set the unauthenticated option on this user (enable popup authentication).
-
Locally install client software using the client-local-install.exe install program. This is located on the \\Server\PCClient\win share. At the end of the install process the client opens asking the user to confirm their network identity. See Configuring the User Client using the command-line for details.
-
Teach the user how to add a network printer pointing to \\server\printer.
-
See the preceding scenario for more detail.
Windows print server using LDAP or eDirectory authentication
The Microsoft Windows operating system does not play well in non Active Directory domain environments such as LDAP or eDirectory. Although it is possible to configure a Windows print server on any network, Windows does not normally provide the ability to use LDAP as an authentication source. Jobs are listed under either a local Windows user identity or a guest account. Use PaperCut MF's popup authentication, bound to LDAP, to work around this limitation.
The Lightweight Directory Access Protocol (LDAP) is a directory service protocol that runs on a layer above the TCP/IP stack. It provides a mechanism used to connect to, search, and modify Internet directories. The LDAP directory service is based on a client-server model.
A print server is a system responsible for hosting print queues and sharing printer resources to desktops. Users submit print jobs to a print server rather than directly to the printer itself. A print server can be a dedicated server, but on many networks this server also performs other tasks, such as file serving.
Preferred method:
-
Set up the Windows server and install and share printers.
-
Set printer permission to allow printing from a general "guest" type account. This usually takes the form of the built-in guest account, or a local account with a known username and password (e.g. printuser).
-
Configure printers on each workstation. Ensure all workstation users can print and jobs list in the print queue under the guest account configured in the previous step. A print queue displays information about documents that are waiting to be printed, such as the printing status, document owner, and number of pages to print. You can use the print queue to view, pause, resume, restart, and cancel print jobs.
-
Install the PaperCut MF software. Select the LDAP server as your user/group source. PaperCut MF then uses this source for the user list and authentication. See Using LDAP for user synchronization for more information about LDAP.
-
Set the Unauthenticated option on each printer (print queue). This enables popup authentication. See Popup authentication for more information.
-
Install client software. See User Client for more detail.
Other methods:
-
Use Release Station. See Hold/release queues & Print Release Stations. Print Release Stations place a print job on hold and allow users to release it when required. Often a Release Station is a dedicated PC terminal located next to the printers; however, Release Stations can take other forms such as a web browser based interface. Some common examples where Release Stations can be used include secure printing, approved printing, and authentication. In a secure printing environment jobs are only printed when the user arrives at the print area and confirms his or her identity. This ensures the user is there to collect the job and other users can't "accidentally" collect the document. In some organizations it may be appropriate to hold jobs until they are approved by selected individuals. A good example would be a teacher approving printing on an expensive color printer. Hold/Release queues can be used as a form of authentication in an unauthenticated environment. Users must authenticate prior to releasing their jobs, allowing PaperCut NG to confirm their identity.
Mac OS X systems with generic user accounts
Mac OS X workstations in a lab environment are often set up so users log in using a common, generic, or standard account. For example, "macuser" or "student".
Preferred method:
-
Install client software. See User Client for more detail.
-
Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures the account is available in PaperCut MF.
-
Set the Unauthenticated option on the "macuser" account.
-
Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://macuser:password@servername/printer). See Mac printing in detail for an explanation on how to add a printer using this method. Samba is a Windows interoperability suite of programs for Linux and Unix. It is used to integrate Linux/Unix servers and desktops into Active Directory environments. It can function either as a domain controller or as a regular domain member.
Important: If you are running Mac OS 10.7, you might need to include the port in the DeviceURI:
smb://username:password@server_name:139/printer_name
Other methods:
-
Use Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Consider setting up domain-level authentication.
Mac OS X systems using domain authentication via Open Directory
You can configure Mac systems to authenticate users via a central Mac OS X server running Open Directory. Each user has their own login account.
Preferred method:
-
Set up print queues on the Mac OS X Server.
-
Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system) (see Installation). A PaperCut secondary server is a system that directly hosts a printer, that is, a print server with a Print Provider installed. A secondary server can be a server style system hosting many printers, a desktop style system hosting printer(s) also shared to other network users, or a desktop style system with the printer used only for local users (not shared).
-
Add printers to each Mac workstation. Ensure the local printers point to the shared print queue set up on the server.
-
Optional: Install client software (User Client).
Other methods:
-
Use Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Set up print queues on a Windows system and use popup authentication - see next recipe.
Mac OS X systems using domain authentication via Windows Active Directory
You can configure Mac systems so users log in using their Windows Active Directory domain username and password. However, the Mac's Windows printer support using Samba/SMB requires printers to be added using a single username and password, and this is shared by all users. For this reason an extra layer of authentication is required.
Preferred method:
-
Host printers and the PaperCut MF system on the Windows server.
-
Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Macs currently have problems with Native Mode networks.
-
Add a domain/network user account that matches the generic login account (i.e. "macuser"). This ensures that the macuser account is added to PaperCut MF's user list.
-
In PaperCut MF, turn on the Unauthenticated option on the "macuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
-
Add the printer(s) so jobs list under the "macuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://macuser:password@servername/printer). For more information about how to add a printer using this method, see Mac printing in detail.
Important: If you are running Mac OS 10.7, you might need to include the port in the DeviceURI:
smb://username:password@server_name:139/printer_name
-
Install client software (see User Client).
Other methods:
-
Use LPR as a connection method. See Scenario Three: Multi-user Macs using LDAP or Active Directory authentication in detail. The Line Printer Remote protocol (LPR) is a network protocol for submitting print jobs to a remote printer. A server for the LPD/LPR protocol listens for requests on TCP port 515. A request begins with a byte containing the request code, followed by the arguments to the request, and is terminated by an ASCII LF character. An LPD printer is identified by the IP address of the server machine and the queue name on that machine. Many different queue names may exist in one LPD server, with each queue having unique settings. The LPR software is installed on the client device.
-
Use Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Host printers on a Mac Server (see the previous recipe).
Mac OS X laptops (or single user systems) printing to Windows print queues
Mac systems that are owned/used by a single user can benefit from having the printers added in such a way that they automatically authenticate under the user's identity.
Preferred method:
-
Teach users how to add printers using the method described in Scenario One: My Own Mac (Single User).
-
Use popup authentication or hold/release queues. For more information, see Handling unauthenticated (non-domain) laptops.
Other methods:
-
Locally install client software using the client-local-install program located in the directory [app-path]/client/mac. The client displays a popup asking them to confirm their network identity (via username/password).
Linux Workstations in a lab environment with printers hosted on a Windows server
Linux workstations typically use the CUPS print system. CUPS, through the use of Samba, can print directly to Windows print queues. Common User Printing System (CUPS) is a printing system for Unix operating systems that allows a computer to act as a print server. A computer running CUPS is a host that can accept print jobs from client computers, process them, and send them to the appropriate printer.
Preferred method:
-
Ensure the system is configured to deny remote shell access to standard users - that is, allow only direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.
-
Ensure the print server is running in Mixed mode or Pre-Windows 2000 Compatibility Mode. Some Linux distributions currently have problems with Native Mode networks.
-
Add a domain/network user account that matches the generic login account (i.e. "linuxuser"). This ensures the "linuxuser" account is added to PaperCut MF's user list.
-
In PaperCut MF, turn on the Unauthenticated option on the "linuxuser" account to enable popup authentication. Also ensure that the account has zero balance and is restricted.
-
Add the printer(s) so jobs list under the "linuxuser" account. If the print queues are hosted on Windows, add the printer using Samba (e.g. a DeviceURI such as smb://linuxuser:password@servername/printer). Refer to the CUPS or distribution documentation to read more about how to add a CUPS printer using an smb backend.
-
Install client software. For more information, see Deployment on Linux and Unix. If users log in to the workstations using a username that matches their Active Directory password, no additional client configuration is required. If users log in using a generic or non-matching account, use command-line options or the config.properties file to force the client to display under the user's domain identity. See Configuring the User Client using the command-line for more information.
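The smb:// DeviceURI used in these recipes embeds one username and password that every user of the workstation shares, so it is worth confirming that each queue carries only the restricted generic account and not someone's personal credential. The following is an added example, not PaperCut or CUPS code: it assumes the usual CUPS printers.conf layout (`<Printer name>` blocks containing a `DeviceURI` line), and the printer names, hosts and passwords in the sample are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the layout of a CUPS printers.conf (not from a real host).
SAMPLE_PRINTERS_CONF = """\
<Printer lab-colour>
DeviceURI smb://linuxuser:password@printsrv/colour
</Printer>
<Printer staff-mono>
DeviceURI smb://jsmith:S3cret@printsrv:139/mono
</Printer>
<Printer ipp-queue>
DeviceURI ipp://cups.example.org/printers/q1
</Printer>
"""

PRINTER_RE = re.compile(r"^<(?:Default)?Printer\s+(\S+)>$")
URI_RE = re.compile(r"^DeviceURI\s+(\S+)$")


def redact(uri):
    """Return the URI with any embedded password replaced by ***."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    return parts._replace(netloc=f"{parts.username}:***@{host}").geturl()


def audit(conf_text, generic_accounts):
    """List queues whose DeviceURI embeds credentials, classified by account type."""
    findings = []
    printer = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = PRINTER_RE.match(line)
        if m:
            printer = m.group(1)
            continue
        m = URI_RE.match(line)
        if not m or printer is None:
            continue
        parts = urlsplit(m.group(1))
        if parts.password is None:
            continue  # no embedded credential (e.g. IPP queue)
        status = ("generic-shared" if parts.username in generic_accounts
                  else "personal-credential")
        findings.append({"printer": printer, "user": parts.username,
                         "status": status, "uri": redact(m.group(1))})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PRINTERS_CONF, {"linuxuser", "macuser"}):
        print(f"{f['status']:20} {f['printer']:12} {f['uri']}")
```

A queue flagged `personal-credential` lists every job under that person's account rather than under the generic account marked Unauthenticated, so the popup is never triggered for it.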
Other methods:
-
Use Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Host printers on a CUPS server running on Linux.
-
Install PaperCut LPD Service and use LPR rather than CUPS (or CUPS with an LPR backend). The Line Printer Daemon protocol (LPD) is a network protocol for submitting print jobs to a remote printer. A server for the LPD/LPR protocol listens for requests on TCP port 515. A request begins with a byte containing the request code, followed by the arguments to the request, and is terminated by an ASCII LF character. An LPD printer is identified by the IP address of the server machine and the queue name on that machine. Many different queue names may exist in one LPD server, with each queue having unique settings. The LPD software is stored on the printer or print server.
Linux Workstations in a lab environment with printers hosted on Linux CUPS server
Network administrators running Linux labs might choose to host the printers on a Linux server running CUPS. For convenience, CUPS is set up without authentication.
Preferred method:
-
Set up CUPS print queues on a Linux server.
-
Ensure each user has an account on this system (or the domain depending on PaperCut MF's selected user list source).
-
Set up PaperCut MF on the server either as a primary server, or as a secondary server reporting to another primary server (either Mac, Linux or a Windows system) (see Installation).
-
Set the Unauthenticated option on each printer (print queue). This enables popup authentication (see Popup authentication).
-
Ensure the system is configured to deny remote shell access to standard users, that is, allow only direct screen/console access. This ensures the system's IP address can be associated with a single user providing a suitable environment for popup authentication.
-
Install client software (see User Client).
Other methods:
-
Use Standard Release Station in "Release Any" mode, or the User web interface Release Station configured to allow users to release any jobs. See Hold/release queues & Print Release Stations.
-
Use CUPS Authentication.
Linux laptops (or single user systems)
Modern Linux laptops make use of the CUPS print system. This environment is equivalent to the Mac laptop recipes described above.
Multiuser Unix terminal servers
Unix or Linux systems allowing remote SSH, Telnet, VNC, or X connections differ from the other scenarios discussed above. These systems cannot use the popup authentication as it is not possible to uniquely identify a user from the system's IP address. The only secure option is to use the Release Station.
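The reason a shared host breaks popup authentication can be seen in a small model of the IP-to-user matching described earlier. This is an added conceptual example, not PaperCut's implementation: the class and method names, the session lifetime and the IP addresses are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    expires: float  # time after which the popup must be answered again


class PopupAuthModel:
    """Toy model: a job is attributed to whoever last confirmed identity at its source IP."""

    def __init__(self, generic_accounts, multiuser_hosts=()):
        self.generic = set(generic_accounts)   # accounts marked Unauthenticated
        self.multiuser = set(multiuser_hosts)  # hosts that allow SSH/Telnet/VNC/X logins
        self.sessions = {}                     # source IP -> Session

    def confirm(self, ip, user, now, ttl=300):
        """Record that `user` answered the popup on the client at `ip` (ttl is assumed)."""
        self.sessions[ip] = Session(user, now + ttl)

    def attribute(self, job_ip, queue_owner, now):
        """Return (decision, user) for a job listed under `queue_owner` from `job_ip`."""
        if queue_owner not in self.generic:
            return ("charge", queue_owner)     # owner was already authenticated at login
        if job_ip in self.multiuser:
            return ("hold", None)              # IP does not identify one person
        session = self.sessions.get(job_ip)
        if session is None or session.expires <= now:
            return ("prompt", None)            # nobody confirmed, or confirmation is stale
        return ("charge", session.user)


def demo():
    now = 1000.0
    results = {}

    # Lab workstation: console access only, so one IP means one person.
    lab = PopupAuthModel({"student", "linuxuser"})
    lab.confirm("10.0.0.21", "alice", now)
    results["lab_ok"] = lab.attribute("10.0.0.21", "student", now + 10)
    results["lab_expired"] = lab.attribute("10.0.0.21", "student", now + 301)
    results["domain_user"] = lab.attribute("10.0.0.22", "carol", now)

    # Terminal server: alice and bob are both logged in at 10.0.0.50.
    naive = PopupAuthModel({"linuxuser"})
    naive.confirm("10.0.0.50", "alice", now)
    naive.confirm("10.0.0.50", "bob", now + 1)      # replaces alice's confirmation
    # alice prints next, but the IP now maps to bob:
    results["naive"] = naive.attribute("10.0.0.50", "linuxuser", now + 2)

    guarded = PopupAuthModel({"linuxuser"}, multiuser_hosts={"10.0.0.50"})
    guarded.confirm("10.0.0.50", "bob", now + 1)
    results["guarded"] = guarded.attribute("10.0.0.50", "linuxuser", now + 2)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

In the `naive` case a job alice sends is charged to bob because both share one source address; marking the host as multi-user forces the job to a hold/release queue instead.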
Preferred method:
-
Set up PaperCut MF on your preferred server - this does not need to be the multi-user terminal system itself. It could be another Windows or Linux server.
-
Ensure PaperCut MF sources its user list from the same source as that used by the multi-user terminal server - most likely an LDAP server.
-
Enable the Release Station option on all printers that are accessed by users of the multiuser terminal system.
Important: Enabling the Release Station option might be incompatible with objectives of other operating systems so it might be appropriate to set up a separate set of print queues. See Further Recommendations below for more detail.
-
Set up a Release Station. This commonly takes the form of a dedicated terminal located near the printers; however, other options worth considering include using the PaperCut MF User web interface to release jobs, or the Release Station command-line client. See Hold/release queues & Print Release Stations for details. The User web interface provides a range of services for users, including a summary of usage and balance history, a list of the shared accounts that the user can use for printing, the current costs for printing usage, ability to add balance by using a TopUp/Pre-Paid Card or an external payment system (when using the payment gateway module), transfer funds to other users, view a history of balance transactions, view a list of the user's recent printing, and view print jobs pending release (when using a Release Station).
-
Instruct users on how to use the Release Station.
Other methods:
-
No alternate methods.
Further recommendations
-
Decide on an authentication method and use it consistently throughout the organization and network. For example, using popup authentication on some systems and Release Stations on others might be confusing for users. Try to offer a consistent user experience.
-
Where possible, configure workstations to communicate with the server using the server's native print protocol. For example, use SMB or standard Windows printing when printing to a Windows server, and Internet Printing Protocol (IPP) when printing to a CUPS server. Servers are most reliable when talking their own language! The Internet Printing Protocol (IPP) is an Internet protocol for communication between a print server and its clients. It allows clients to send one or more print jobs to the server and perform administration such as querying the status of a printer, obtaining the status of print jobs, or cancelling individual print jobs. IPP can run locally or over the Internet. Unlike other printing protocols, IPP also supports access control, authentication, and encryption, making it a much more capable and secure printing mechanism than older ones.
-
Consider the scope of any configuration change. For example, enabling popup authentication or Release Station on a print queue affects ALL users of that printer. For example, you might want to ask Linux users to use the Release Station, however, this might be considered an inconvenience for Windows users. In these cases, you might set up two print queues for each physical printer - the first queue without Release Station enabled for Windows users and the other with the Release Station option enabled for Linux users.