Table of Contents
- About Authentication and Printing
- The Authentication Cookbook - Recipes by example
- Windows systems with generic logins
- Windows laptops that do not authenticate against a domain
- Windows print server using LDAP or eDirectory authentication
- Mac OS X systems with generic user accounts
- Mac OS X systems using domain authentication via Open Directory
- Mac OS X systems using domain authentication via Windows Active Directory
- Mac OS X laptops (or single user systems) printing to Windows print queues
- Linux Workstations in a lab environment with printers hosted on a Windows server
- Linux Workstations in a lab environment with printers hosted on Linux CUPS server
- Linux laptops (or single user systems)
- Multiuser Unix terminal servers
- Further Recommendations
Modern large multiuser networks, like those typically seen in Higher Education, are made up of mix of operating systems, authentication methods, print protocols and disparate networks. This heterogeneous mix poses problems for system administrators working towards a unified and centralized print management system. PaperCut NG sports an array of tools to help administrators meet their unification goals. PaperCut NG's flexibility is however a double-edged sword and the multitude of options also bring complexity. This section discusses cross-platform support in detail, and hopes to arm the reader with the knowledge needed to make the correct architecture decisions. Solutions are presented as "recipes" with the aim of directing the reader to appropriate procedures and other chapters.
The objectivity of a centralized and unified PaperCut NG system in its simplest form is to offer all users, irrespective of their operating system or access method, access to the full array of features in a secured and authenticated way. PaperCut NG offers cross-platform client software providing end-user features on all major operating systems, however the need for secured and authenticated access adds an extra, somewhat complex dimension.
Authentication in a printing environment is the act of confirming the digital identity of the person who issued a print job. Knowledge of the user's identity allows PaperCut NG to offer the user access to functions such as allocating the cost of a job to their account, or offering them access to shared accounts. In a Window domain environment, authentication is handled at the point of login using a username and password. A web-of-trust is then established between servers and services.
There are three common scenarios that cause authentication issues:
Generic, common, or shared user accounts.
Systems that auto-login as a set user.
Unauthenticated print queues or print protocols.
Generic or shared login accounts are seen in some computer lab and network environments. In these environments administrators ask users to log into selected systems using standard user names such as "student" or "user". This practice is particularly common on the Apple Mac operating system as a single login helps streamline system and application management. The use of the Window auto-login feature also poses a similar problem - authentication is not enforced at the time of system startup. An extra layer of authentication is required on these systems to correctly identify the person that performs printing.
Unauthenticated print queues also pose problems in cross platform environments. In an ideal world all computers would talk the same protocols and happily work together in a single centrally authenticated environment. We can come close to this goal in a 100% Microsoft Windows environment, however if we mix in Unix, Linux and Mac, it's a different story. Although initiatives such as CUPS (Common Unix Printing System) and the Internet Printing Protocol (IPP) offer some hope, unification in the area of authenticated printing is still some way off. Unfortunately technical reasons often prevent networks from using CUPS authentication or exclusively using the authenticated Microsoft printing protocol.
If technical reasons prevent authentication at the print queue level, PaperCut NG provides a number of alternate authentication mechanisms.
This method involves associating the workstation's IP address with a user for a specified period of time - a session. Any print jobs arriving from this IP address are deemed to be associated with this user. Authentication is provided by the PaperCut NG client software in the form of a popup dialog requesting a username and password. Data is transmitted to the server via an SSL encrypted connection. Popup authentication is not appropriate for server based operating systems that may support multiple users at the same time - for example, Unix SSH, Telnet or X terminal servers.
More information on popup authentication can be found in the section called “Popup Authentication”.
Release stations work by placing print jobs in a holding queue. Users must authenticate at a release station before being given access to release their job. A release station normally takes the form of a dedicated terminal located next to the printer(s), however the holding queue may also be accessed via a web browser or even a Unix based command-line client. The act of a user releasing a job causes it to be charged to their account. Release stations do not use session based authentication and hence can be used in a multi-user Unix terminal environment.
More information on setting up and using release stations is discussed in Chapter 9, Print Release Stations.