OpenLDAP Directory Administration: Standard Unix Services and LDAP
DESCRIPTION
OpenLDAP Directory Administration, Standard Unix Services and LDAP. Table of Contents: The Directory Namespace; An FTP/HTTP Combination; User Authentication with Samba; FreeRadius; Resolving Hosts; Central Printer Management. Transcript of a PowerPoint presentation.
OpenLDAP Directory Administration
Standard Unix Services and
LDAP
Table of Contents
● The Directory Namespace
● An FTP/HTTP Combination
● User Authentication with Samba
● FreeRadius
● Resolving Hosts
● Central Printer Management
The Directory Namespace
● This chapter explores how standard Unix services can make use of our directory
● We continue with the namespace developed in chapters 6 and 7
● We will eventually need to modify it
[Diagram: dc=plainjoe,dc=org with three organizational units below it: ou=group (administrative groups and posixGroups), ou=people (user accounts) and ou=services (application data)]
An FTP/HTTP Combination
● ProFTPD (http://www.proftpd.org/) + LDAP
● Apache (http://www.apache.org/) + LDAP
● Assume that the ftp and web platform cannot make use of PAM or NSS
● Schema:
[Diagram: the LDAP directory on ldap.plainjoe.org supplies home directory and account information to www.plainjoe.org; users upload files to ~/public_html, which is served as http://www.plainjoe.org/~user]
An FTP/HTTP Combination (cont.)
ProFTPD
– Comes with a mod_ldap module (not the same as Apache's)
– Compilation flag:
  --with-modules=mod_ldap
– Listing built-in modules:
  $ proftpd -l
  Compiled-in modules:
    mod_core.c
    mod_xfer.c
    mod_auth_unix.c
    ...
    mod_ldap.c
    ...
    mod_log.c
    mod_site.c
    mod_auth_pam.c
    mod_quotatab.c
    mod_ratio.c
    mod_tls.c
    mod_rewrite.c
    mod_radius.c
    mod_ifsession.c
    mod_cap.c
An FTP/HTTP Combination (cont.)
ProFTPD (cont.)
– Sample start configuration:
  ServerType standalone
  DefaultServer on
  Port 21
  Umask 022
  User nobody
  Group nobody
  DefaultRoot ~/public_html

  # LDAP parameters will go in here

  <Directory /*>
    AllowOverwrite on
  </Directory>
An FTP/HTTP Combination (cont.)
ProFTPD (cont.)
– LDAP Configuration:
  LDAPDoAuth on "ou=people,dc=plainjoe,dc=org"
  LDAPServer ldap.plainjoe.org

  # By default, anonymous binds are used
  # LDAPAuthBinds off: anonymous bind, or simple bind via LDAPDNInfo as DN.
  #   The user password must then be stored in clear text or in {crypt} format
  # LDAPAuthBinds on: authenticates the connecting user by binding to the
  #   directory server; locates the DN of the user (the userPassword attribute
  #   is never requested), then binds to the LDAP server again using the user's
  #   DN and the password entered
  LDAPAuthBinds on

  # How to inform proftpd to resolve UIDs and GIDs when listing files?
  LDAPDoGIDLookups on "ou=group,dc=plainjoe,dc=org"
  LDAPDoUIDLookups on "ou=people,dc=plainjoe,dc=org"

  # The default search filters (&(uidNumber=UNIX uid)(objectclass=posixAccount))
  # and (&(gidNumber=UNIX gid)(objectclass=posixGroup)) can be overridden via
  # an extra parameter
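The comment block above contrasts the two authentication modes. The Python below is an added example written for this page; it is not code from the slides or from ProFTPD's mod_ldap. check_user_password() is the local comparison a client must perform with LDAPAuthBinds off: it has to hold the userPassword value, and an unprefixed value is interpreted with a default scheme, which is the role LDAPDefaultAuthScheme plays. It understands {SSHA}, {SHA} and clear values (broader than the clear/crypt handling the slide attributes to mod_ldap; {crypt} is deliberately left out and raises). auth_with_binds_on() models the bind path: the client only locates the DN and the directory does the comparison, so the hash never leaves the server. The DIRECTORY dictionary, the uid kristi and the password testpass are constructed test data.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} userPassword value:
    base64(SHA1(password || salt) || salt). Used only to construct test data."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored: str, default_scheme: str):
    """Return (SCHEME, value). A value without a '{scheme}' prefix is
    interpreted with default_scheme, like LDAPDefaultAuthScheme does."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, value = stored[1:].partition("}")
        return scheme.upper(), value
    return default_scheme.upper(), stored


def check_user_password(stored: str, candidate: str, default_scheme: str = "crypt") -> bool:
    """Local comparison, i.e. the LDAPAuthBinds off path: the caller must
    already have read the userPassword value out of the directory."""
    scheme, value = split_scheme(stored, default_scheme)
    cand = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(value.encode("utf-8"), cand)
    if scheme == "SHA":
        return hmac.compare_digest(base64.b64decode(value), hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        raw = base64.b64decode(value)
        digest, salt = raw[:20], raw[20:]   # 20-byte SHA-1 digest, then the salt
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported userPassword scheme: {" + scheme + "}")


# Constructed stand-in for ou=people; the hash is generated here, not taken
# from the slides.
DIRECTORY = {
    "uid=kristi,ou=people,dc=plainjoe,dc=org": {
        "uid": "kristi",
        "userPassword": make_ssha("testpass", salt=b"\x01\x02\x03\x04"),
    },
}


def simple_bind(dn: str, password: str) -> bool:
    """Server side of an LDAP simple bind: the directory does the comparison."""
    entry = DIRECTORY.get(dn)
    return entry is not None and check_user_password(entry["userPassword"], password)


def auth_with_binds_on(uid: str, password: str) -> bool:
    """The LDAPAuthBinds on path: search for the user's DN (userPassword is
    never requested), then bind as that DN with the password the user typed."""
    dn = next((d for d, e in DIRECTORY.items() if e["uid"] == uid), None)
    return dn is not None and simple_bind(dn, password)


if __name__ == "__main__":
    print(auth_with_binds_on("kristi", "testpass"), auth_with_binds_on("kristi", "wrong"))
```

The practical difference shows up in the access control discussion later in the deck: the bind path works with an ACL that grants only "auth" on userPassword, whereas the local-comparison path needs read access to the stored hash.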
An FTP/HTTP Combination (cont.)
ProFTPD LDAP Parameters
  LDAPAuthBinds (default: on)
    Should the connecting user be authenticated by binding to the directory server using the located DN and the user's password (on), or should the module hash the password locally and compare it with the userPassword attribute obtained from the directory (off)?
  LDAPDefaultAuthScheme (default: crypt)
    Specifies the hashing scheme for passwords that are not prefixed by a type string ({}). Possible values are crypt and clear
  LDAPDefaultGID (default: None)
    Specifies the default UNIX GID to be assigned to the user if the gidNumber attribute is unavailable
  LDAPDefaultUID (default: None)
    Specifies the default UNIX UID to be assigned to the user if the uidNumber attribute is unavailable
  LDAPDNInfo (default: "" "")
    Defines the DN and password to use when binding to the directory server for searches
  LDAPDoAuth (default: off)
    Should mod_ldap be enabled for authentication?
  LDAPDoGIDLookups (default: off)
    Should mod_ldap attempt to resolve GID numbers to names by querying the directory for matching posixGroup entries?
  LDAPDoUIDLookups (default: off)
    Should mod_ldap attempt to resolve UID numbers to names by querying the directory for matching posixAccount entries?
  LDAPForceDefaultGID (default: off)
    Forces the GID of all connected users to the LDAPDefaultGID, even if a gidNumber attribute can be obtained
  LDAPForceDefaultUID (default: off)
    Forces the UID of all connected users to the LDAPDefaultUID, even if a uidNumber attribute can be obtained
An FTP/HTTP Combination (cont.)
ProFTPD LDAP Parameters (cont.)
  LDAPHomedirOnDemandSuffix (default: "")
    Specifies additional subdirectories to be created in the event that LDAPHomedirOnDemand has been enabled. Multiple directories can be included in a whitespace-delimited list
  LDAPNegativeCache (default: off)
    Instructs mod_ldap to cache negative responses to UID/GID resolution attempts
  LDAPQueryTimeout (default: LDAP client library default)
    Specifies the maximum amount of time, in seconds, to wait for a search to complete
  LDAPSearchScope (default: subtree)
    Defines the LDAP search scope as onelevel or subtree
  LDAPServer (default: localhost)
    Specifies the hostname of the directory server. An alternative to port 389 can be defined using the syntax server:port. Multiple servers can be specified; separate server hostnames by spaces
  LDAPUseTLS (default: off)
    This parameter is available only if mod_ldap.c has been modified to define USE_LDAPV3_TLS. If enabled, mod_ldap will use the StartTLS extension when contacting the LDAP server. If the directory does not support TLS, mod_ldap will downgrade to an unencrypted channel and simply report the failure to the proftpd server
An FTP/HTTP Combination (cont.)
Apache
– There is more than one LDAP module for Apache
– We will use mod_ldap_userdir here
  ● Searches the LDAP directory for a posixAccount entry with a matching uid value
– Building the module is not covered here
– Configuration:
  LoadModule ldap_userdir_module /usr/lib/apache/mod_ldap_userdir.so

  <IfModule mod_ldap_userdir.c>
    LDAPUserDirServer ldap.plainjoe.org
    LDAPUserDirSearchScope subtree
    LDAPUserDirBaseDN ou=people,dc=plainjoe,dc=org
    LDAPUserDir public_html
  </IfModule>
An FTP/HTTP Combination (cont.)
Apache (cont.)
Directives for mod_ldap_userdir
  LDAPUserDir (default: public_html)
    The expected name of the subdirectory
  LDAPUserDirServer (default: None)
    The hostname of the LDAP directory server
  LDAPUserDirDNInfo (default: None)
    The DN and password to be used to bind to the directory. The password should be given in clear text
  LDAPUserDirBaseDN (default: "" "")
    The base search suffix to use when searching the directory
  LDAPUserDirFilter (default: ())
    The RFC2254-compliant LDAP search filter to use when querying the directory
  LDAPUserDirSearchScope (default: subtree)
    The scope of the LDAP search; can be onelevel or subtree
  LDAPUserDirUseTLS (default: off)
    Whether to use the StartTLS extended operation (on) or an unencrypted connection (off) when searching the directory
User Authentication with Samba
● http://www.samba.org/
● Implements the server portion of the SMB/CIFS protocol (Server Message Block/Common Internet File System)
● Full Samba coverage is not within the scope of this course
● To support the challenge/response authentication methods used by MS Windows clients, Samba requires a list of hashed passwords separate from the passwords in /etc/shadow, the smbpasswd file:
  username:uid:LM_HASH:account_flags:timestamp
● Disadvantages of smbpasswd for large sites:
  – Lookups are performed sequentially
  – A single smbpasswd file replicated to multiple servers is a clumsy solution (e.g. uids/gids must be identical, etc.)
  – The format of the smbpasswd file limits the number of attributes (e.g. location of the user's roaming profile)
User Authentication with Samba (cont.)
Configuring Samba
– Covered here: Samba 2.2.7a (LDAP support must be enabled at compile time: --with-ldapsam)
– Samba 3 LDAP support is different (more powerful)
– sambaAccount object in the LDAP directory
– smb.conf file (partial):
  [global]
  netbios name = TASHTEGO
  workgroup = PEQUOD
  security = user
  encrypt passwords = yes
  ldap admin dn = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"
  ldap server = ldap.plainjoe.org
  ldap ssl = start_tls
  ldap port = 389
  ldap suffix = "ou=people,dc=plainjoe,dc=org"
  ldap filter = "(&(uid=%U)(objectclass=sambaAccount))"
  ...
User Authentication with Samba (cont.)
smb.conf LDAP Parameters
  ldap admin dn (default: "")
    The DN used by smbd when connecting to the LDAP server. This DN should be able to read all attribute values for sambaAccount entries, including lmPassword and ntPassword
  ldap filter (default: (&(uid=%u)(objectclass=sambaAccount)))
    The RFC2254-compliant search filter to use when locating a user's Samba account information
  ldap port (default: 636)
    The TCP port to use when contacting the LDAP server
  ldap server (default: localhost)
    The FQDN of the directory server
  ldap ssl (default: on)
    The parameter that specifies how smbd connects to the LDAP server. Possible values are off (do not use encryption), on (use LDAPS), or start_tls (use the StartTLS command)
– Make sure the NTLM hashes are not retrievable by an anonymous user
– The password for the LDAP bind is not stored in smb.conf, but in the secrets.tdb file:
  # smbpasswd -w secret
  Setting stored password for "cn=smbadmin,ou=people,dc=plainjoe,dc=org" in secrets.tdb
User Authentication with Samba (cont.)
Configuring OpenLDAP
– The LDAP server must support the appropriate schema
– sambaAccount schema: samba.schema
– slapd.conf:
  include /etc/openldap/schema/core.schema
  include /etc/openldap/schema/cosine.schema
  include /etc/openldap/schema/nis.schema
  include /etc/openldap/schema/inetorgperson.schema
  include /etc/openldap/schema/samba.schema
User Authentication with Samba (cont.)
sambaAccount Object Class
  objectClass: sambaAccount
  Required attributes: uid, rid
  Optional attributes: cn, lmPassword, ntPassword, pwdLastSet, logonTime, logoffTime, kickoffTime, userWorkstations, primaryGroupID, domain, pwdCanChange, pwdMustChange, acctFlags, displayName, smbHome, homeDrive, scriptPath, profilePath, description
User Authentication with Samba (cont.)
Access Control Rules
– New access rules to prevent normal users from retrieving LanMan/NT password hashes
  # Previous ACLs
  access to attrs=userPassword
      by self write
      by * auth

  # Don't let users snoop Windows passwords
  access to attrs=lmPassword,ntPassword
      by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
      by * none

  # Allow smbadmin to add new entries and modify existing ones
  access to dn.subtree="ou=people,dc=plainjoe,dc=org"
      by dn="cn=smbadmin,ou=people,dc=plainjoe,dc=org" write
      by * read

  # Previous ACLs
  access to dn.subtree="ou=group,dc=plainjoe,dc=org"
      by * read
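The order of the four directives above matters: slapd stops at the first "access to" clause whose target matches, and inside it the first matching "by" clause decides. The Python below is an added example written for this page (not from the slides or from OpenLDAP) that models that first-match evaluation over the same four directives as data, so the effect of the rules, and of getting their order wrong, can be checked offline before touching slapd.conf. The user DN uid=kristi is the one from the later slide; the MISORDERED_ACLS list is a constructed counter-example. The default of "none" when no directive matches is an assumption that mirrors slapd's behaviour once any access directive is present.

```python
# slapd walks the "access to" directives in order, stops at the first <what>
# that matches the target entry/attribute, and within it the first matching
# <by> clause decides the granted level. A matched directive with no matching
# <by> denies, and so does falling off the end of the list.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

SMBADMIN = "cn=smbadmin,ou=people,dc=plainjoe,dc=org"

# <by> clauses as (kind, argument, level): kind is "*", "self" or "dn".
SLAPD_ACLS = [
    {"what": {"attrs": ["userPassword"]},
     "by": [("self", None, "write"), ("*", None, "auth")]},
    {"what": {"attrs": ["lmPassword", "ntPassword"]},
     "by": [("dn", SMBADMIN, "write"), ("*", None, "none")]},
    {"what": {"dn.subtree": "ou=people,dc=plainjoe,dc=org"},
     "by": [("dn", SMBADMIN, "write"), ("*", None, "read")]},
    {"what": {"dn.subtree": "ou=group,dc=plainjoe,dc=org"},
     "by": [("*", None, "read")]},
]


def _norm(dn):
    """Case-insensitive DN comparison with spaces after commas ignored."""
    return dn.lower().replace(", ", ",") if dn is not None else None


def _what_matches(what, target_dn, attr):
    if "attrs" in what:
        return attr is not None and attr.lower() in [a.lower() for a in what["attrs"]]
    base = _norm(what["dn.subtree"])
    target = _norm(target_dn)
    return target == base or target.endswith("," + base)


def _who_matches(who, requester_dn, target_dn):
    kind, arg, _level = who
    if kind == "*":
        return True
    if kind == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(target_dn)
    if kind == "dn":
        return requester_dn is not None and _norm(requester_dn) == _norm(arg)
    raise ValueError("unknown <by> kind: " + kind)


def granted_level(acls, requester_dn, target_dn, attr=None):
    """Level the requester (None = anonymous) gets on attr of target_dn."""
    for acl in acls:
        if not _what_matches(acl["what"], target_dn, attr):
            continue
        for who in acl["by"]:
            if _who_matches(who, requester_dn, target_dn):
                return who[2]
        return "none"          # matched directive, no matching <by>
    return "none"              # no directive matched (assumed default)


def check_access(acls, requester_dn, target_dn, attr, wanted):
    return LEVELS.index(granted_level(acls, requester_dn, target_dn, attr)) >= LEVELS.index(wanted)


def hashes_readable_anonymously(acls, sample_dn="uid=kristi,ou=people,dc=plainjoe,dc=org"):
    """The check an admin wants after editing slapd.conf: can an anonymous
    client read either Windows hash of a sample user?"""
    return any(check_access(acls, None, sample_dn, a, "read") for a in ("lmPassword", "ntPassword"))


# Constructed counter-example: the subtree rule moved in front of the hash
# rule, so first-match evaluation hands out "by * read" on every attribute
# of ou=people before the lmPassword/ntPassword directive is ever reached.
MISORDERED_ACLS = [SLAPD_ACLS[2], SLAPD_ACLS[0], SLAPD_ACLS[1], SLAPD_ACLS[3]]

if __name__ == "__main__":
    print(hashes_readable_anonymously(SLAPD_ACLS), hashes_readable_anonymously(MISORDERED_ACLS))
```

With the slide's ordering, anonymous clients get "auth" on userPassword (enough to bind, not to read), nothing on the Windows hashes, and "read" on the remaining attributes; smbadmin gets "write" throughout ou=people. Against a live server the same questions are answered by binding as the relevant DN with ldapsearch and requesting the attribute explicitly.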
User Authentication with Samba (cont.)
The smbadmin Account
– Since Samba will bind to LDAP using this account, the account must possess a userPassword attribute. However, it is not necessary to have a UID, so we can use the person structural object class
– Corresponding LDIF:
  dn: cn=smbadmin,ou=people,dc=plainjoe,dc=org
  objectClass: person
  cn: smbadmin
  sn: smbadmin
  userPassword: {SSHA}xDG3/Cfj7ATgJ9yP0exS2lGD+infJqCj
– person object class:
  objectClass: person
  Required attributes: cn, sn
  Optional attributes: userPassword, telephoneNumber, seeAlso, description
User Authentication with Samba (cont.)
Adding and Using a sambaAccount
– Add user:
  # smbpasswd -a kristi -s testpass
  LDAP search "(&(uid=kristi)(objectclass=sambaAccount))" returned 0 entries.
  Added user kristi
– List user:
  dn: uid=kristi,ou=people,dc=plainjoe,dc=org
  objectClass: inetOrgPerson
  objectClass: posixAccount
  objectClass: sambaAccount
  ...
  uid: kristi
  pwdLastSet: 1040186720
  logonTime: 0
  logoffTime: 2147483647
  kickoffTime: 2147483647
  pwdCanChange: 0
  pwdMustChange: 2147483647
  rid: 2570
  primaryGroupID: 1201
  lmPassword: ...
  ntPassword: ...
  acctFlags: [UX ]
FreeRadius
● Not discussed in this course
Resolving Hosts
● The most widespread mechanism for hostname resolution is DNS (Domain Name System)
● LDAP is not really a replacement for a specialized directory service such as DNS
● LDAP can be used as a back-end storage system for zone files
● A patch for BIND9 exists: http://www.vernaas.no/ldap/bind-sdb/
Resolving Hosts (cont.)
Overview
[Diagram: a name query arrives at the DNS zone (plainjoe.org), which answers it with an LDAP search against the directory dc=plainjoe,dc=org; the directory holds ou=services, ou=group, ou=people and ou=hosts]
Resolving Hosts (cont.)
How to Get It to Work?
– Copy ldap.c to the bind source directory
– Copy ldap.h to the include directory of the BIND source tree
– Edit bin/named/Makefile.in, add:
  DDRIVER_OBJS = ldapdb.@*@
  DDRIVER_SRCS = ldapdb.c
  DDRIVER_LIBS = -lldap -llber
– You may need to add the path to the LDAP include files and libraries to DDRIVER_INCLUDES and DDRIVER_LIBS
– Edit bin/named/main.c and add the ldapdb lines next to the existing xxdb ones:
  #include <xxdb.h>
  #include <ldapdb.h>
  ...
  xxdb_init();
  ldapdb_init();
  ...
  xxdb_clear();
  ldapdb_clear();
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
– Given the following zone file:
  plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
          3        ; serial
          10800    ; Refresh after 3 hours
          3600     ; Retry after 1 hour
          604800   ; Expire after 1 week
          86400 )  ; Minimum TTL of 1 day

  ; Name servers
  plainjoe.org.            IN NS dns1.plainjoe.org.

  ; Addresses for local printers
  localhost.plainjoe.org   IN A 127.0.0.1
  dns1.plainjoe.org.       IN A 192.168.1.10
  ldap.plainjoe.org.       IN A 192.168.1.70
  ahab.plainjoe.org.       IN A 192.168.1.80
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
– There is a structural dNSZone object class that allows you to store DNS records in the directory
  objectClass: dNSZone
  Required attributes: zoneName, relativeDomainName
  Optional attributes: DNSTTL, DNSClass, ARecord, MDRecord, PTRRecord, MXRecord, NSRecord, SOARecord, CNAMERecord, NAPTRRecord, KXRecord, DNAMERecord, HINFORecord, MINFORecord, TXTRecord, SIGRecord, KEYRecord, AAAARecord, LOCRecord, NXTRecord, SRVRecord, CERTRecord, A6Record
Resolving Hosts (cont.)
How to Get It to Work? (cont.)
– LDIF entry for the A record of host ahab.plainjoe.org:
  dn: relativeDomainName=ahab,ou=hosts,dc=plainjoe,dc=org
  aRecord: 192.168.1.80
  objectClass: dNSZone
  relativeDomainName: ahab
  dNSTTL: 86400
  zoneName: plainjoe.org
– Next step: tell the named service about the LDAP database:
  zone "plainjoe.org" in {
    type master;
    database "ldap ldap://192.168.1.70/ou=hosts,dc=plainjoe,dc=org 172800";
  };
– Note: the zone2ldap tool is included in the BIND distribution (or on Venaas' web site)
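The slides show one hand-written dNSZone entry and mention zone2ldap for the rest. The Python below is an added example written for this page, not zone2ldap and not code from the slides: it parses a zone file in the form shown two slides back (comments after ";", the SOA wrapped in parentheses), maps each owner name onto a relativeDomainName ("@" for the apex), derives the attribute name from the record type the way the dNSZone schema spells it (A becomes aRecord, NS becomes nSRecord, SOA becomes sOARecord), and groups records that share a name into one entry. ZONE_TEXT is a constructed copy of the slide's zone in which the localhost owner has been given a trailing dot so that every owner is absolute; the 86400 default TTL matches the ahab entry above.

```python
import re
from collections import OrderedDict

# Constructed copy of the zone file from the slides (localhost made absolute).
ZONE_TEXT = """
plainjoe.org. IN SOA dns1.plainjoe.org. root.dns.plainjoe.org. (
        3        ; serial
        10800    ; Refresh after 3 hours
        3600     ; Retry after 1 hour
        604800   ; Expire after 1 week
        86400 )  ; Minimum TTL of 1 day

; Name servers
plainjoe.org.           IN NS dns1.plainjoe.org.

; Addresses
localhost.plainjoe.org. IN A 127.0.0.1
dns1.plainjoe.org.      IN A 192.168.1.10
ldap.plainjoe.org.      IN A 192.168.1.70
ahab.plainjoe.org.      IN A 192.168.1.80
"""

# owner [ttl] IN type rdata  (class IN only, which is all the slide uses)
RR_LINE = re.compile(r"^(\S+)\s+(?:(\d+)\s+)?IN\s+([A-Z0-9]+)\s+(.+)$")


def parse_zone(text):
    """Return (owner, ttl_or_None, rtype, rdata) tuples. ';' comments are
    dropped and records continued inside parentheses are joined first."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records = []
    for rec in logical:
        m = RR_LINE.match(rec)
        if not m:
            raise ValueError("unparsed record: " + rec)
        owner, ttl, rtype, rdata = m.groups()
        rdata = " ".join(rdata.replace("(", " ").replace(")", " ").split())
        records.append((owner, ttl, rtype, rdata))
    return records


def relative_name(owner, origin):
    """relativeDomainName value: '@' for the apex, else the labels left of the origin."""
    o, z = owner.rstrip(".").lower(), origin.rstrip(".").lower()
    if o == z:
        return "@"
    if o.endswith("." + z):
        return o[: -len(z) - 1]
    raise ValueError(owner + " is outside zone " + origin)


def record_attribute(rtype):
    """dNSZone attribute for a record type: A -> aRecord, NS -> nSRecord, SOA -> sOARecord."""
    return rtype[0].lower() + rtype[1:] + "Record"


def zone_to_entries(text, origin, base_dn, default_ttl=86400):
    """One dNSZone entry per owner name, with all of that name's records."""
    entries = OrderedDict()
    for owner, ttl, rtype, rdata in parse_zone(text):
        rel = relative_name(owner, origin)
        entry = entries.setdefault(rel, OrderedDict([
            ("dn", "relativeDomainName=%s,%s" % (rel, base_dn)),
            ("objectClass", ["dNSZone"]),
            ("zoneName", [origin.rstrip(".")]),
            ("relativeDomainName", [rel]),
            ("dNSTTL", [ttl or str(default_ttl)]),
        ]))
        entry.setdefault(record_attribute(rtype), []).append(rdata)
    return list(entries.values())


def to_ldif(entries):
    out = []
    for entry in entries:
        out.append("dn: " + entry["dn"])
        for attr, values in entry.items():
            if attr != "dn":
                out.extend("%s: %s" % (attr, v) for v in values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_ldif(zone_to_entries(ZONE_TEXT, "plainjoe.org", "ou=hosts,dc=plainjoe,dc=org")))
```

The output can be fed to ldapadd bound as a DN that has write access to ou=hosts; the ahab entry it produces carries the same attributes as the hand-written LDIF on the slide.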
Central Printer Management
● Network printers are devices associated with entries in DNS and possess attributes used to support a non-DNS application
● Next step: design a directory-based solution for managing printing configuration information:
  – Adding printers
  – Deploying printers
  – Retiring printers
● See the namespace on the next slide
Central Printer Management (cont.)
LDAP Namespace for Directory-based Storage of Printer Configuration Data
[Diagram: below dc=plainjoe,dc=org are ou=people, ou=group, ou=services, ou=hosts (host DNS configuration) and ou=printers; below ou=printers are ou=config (printer configuration data), ou=global (common printers) and ou=location, which holds ou=floor-1 (printer groups)]
Central Printer Management (cont.)
The Namespace
– The config OU sits at the root of the actual configuration tree
  ● Each printer has an entry (name, maximum print job size, ...)
  ● Also contains DNS information
  ● The ou=config,ou=printers,dc=plainjoe,dc=org entry acts as the base suffix for the lp.plainjoe.org DNS zone used by BIND9
– If an administrator removes a printer's entry, it is immediately removed from DNS as well
– Printers listed below the ou=global entry should be available to all clients on the network
– The ou=location tree has a similar function to the global tree
  ● Holder for another group of organizational units
  ● Each OU represents a group of printers
– Big difficulty = deciding on an acceptable schema for representing printer capabilities and data
Central Printer Management (cont.)
The Namespace (cont.)
– There is currently no standardized printer schema
– Closest: draft-fleming-ldap-printer-schema-XX.txt
– See also "Network Printing" from O'Reilly
– Some additional object classes and attributes are needed to generate printcap entries for LPD and LPRng
– Problem: dNSZone and printerService are both structural object classes
  ● Fortunately, BIND9 LDAP lookups do not use the objectClass
  ● Use the extensibleObject class in place of dNSZone
  ● The other solution would be to define a new auxiliary object class with all the attributes contained in a dNSZone object
Central Printer Management (cont.)
Object Classes for Printing
  objectClass: printerAbstract (parent class)
    printer-name, printer-natural-language-configured, printer-location, printer-info, printer-more-info, printer-make-and-model, printer-multiple-document-jobs-supported, printer-charset-configured, printer-charset-supported, printer-generated-natural-language-supported, printer-document-format-supported, printer-color-supported, printer-compression-supported, printer-pages-per-minute, printer-pages-per-minute-color, printer-finishings-supported, printer-number-up-supported, printer-sides-supported, printer-media-supported, printer-media-local-supported, printer-resolution-supported, printer-print-quality-supported, printer-job-priority-supported, printer-copies-supported, printer-job-k-octets-supported, printer-current-operator, printer-service-person, printer-delivery-orientation-supported, printer-stacking-order-supported, printer-output-features-supported
  objectClass: printerService (child of printerAbstract)
    printer-uri, printer-xri-supported
  objectClass: printerLPR
    printer-name (required), printer-aliases (optional)
  objectClass: nprintPortPrinterInfo
    nprintDeviceName, nprintDeviceFlags, nprintFilter
  objectClass: nprintNetworkPrinterInfo
    nprintDNSName, nprintHardwareQueueName, nprintQueuePort
Central Printer Management (cont.)
Example Networked Printer Configuration
  dn: printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
  aRecord: 192.168.1.220
  printer-name: hp2100
  nprintHardwareQueueName: raw
  printer-uri: lpr://hp2100
  relativeDomainName: hp2100
  objectClass: printerService
  objectClass: nprintNetworkPrinterInfo
  objectClass: extensibleObject
  printer-job-k-octets-supported: 10000
  zoneName: lp.plainjoe.org
  (No nprintDNSName attribute: it can be determined from the relativeDomainName and zoneName attributes)
Example Non-networked Printer Configuration
  dn: printer-uri=lpr://bjc240,ou=config,ou=printers,dc=plainjoe,dc=org
  printer-name: bjc240
  nprintHardwareQueueName: raw
  printer-uri: lpr://bjc240
  objectClass: printerService
  objectClass: printerLPR
  objectClass: nprintPortPrinterInfo
  nprintDeviceName: /dev/lp0
  printer-aliases: canon
Central Printer Management (cont.)
More Configuration ...
– Entries below ou=global and ou=location contain only a printer's name, e.g.
  dn: printer-name=hp2100,ou=global,ou=printers,dc=plainjoe,dc=org
  printer-name: hp2100
  objectClass: printerService

  dn: printer-name=bitsink,ou=floor-1,ou=location,ou=printers,dc=plainjoe,dc=org
  printer-name: bitsink
  objectClass: printerService
– The nprintHostPrinter AUXILIARY object class allows an existing entry for a network host to be extended to define membership in a printing group
  objectClass: nprintHostPrinter
  Optional attributes: nprintPrinterName, nprintLocation
Central Printer Management (cont.)
More Configuration ... (cont.)
– Entry for workstation queso.plainjoe.org:
  dn: relativeDomainName=queso,ou=hosts,dc=plainjoe,dc=org
  aRecord: 192.168.1.74
  nprintLocation: floor-1
  objectClass: dNSZone
  objectClass: nprintHostPrinter
  relativeDomainName: queso
  dNSTTL: 86400
  nprintPrinterName: draft-printer
  zoneName: plainjoe.org
– generate_printcap.pl script
Central Printer Management (cont.)
Printing Information and Entries for queso.plainjoe.org
[Diagram: under ou=hosts, the entry relativeDomainName=queso (relativeDomainName: queso, nprintLocation: floor-1, nprintPrinterName: draft-printer); under ou=printers: ou=config holding printer-uri=lpr://hp2100, printer-uri=lpr://bjc240, printer-uri=lpr://draft-printer and printer-uri=lpr://bitsink; ou=global holding printer-name=hp2100; ou=location holding ou=floor-1, which holds printer-name=bitsink]
Central Printer Management (cont.)
Resulting printcap File
  # printer-uri=lpr://hp2100,ou=config,ou=printers,dc=plainjoe,dc=org
  # objectClass: nprintNetworkPrinterInfo
  hp2100:\
      :sh:\
      :mx#10000:\
      :lf=/var/spool/lpd/hp2100/lpd-err:\
      :sd=/var/spool/lpd/hp2100:\
      :lp=/dev/null:\
      :rm=hp2100.lp.plainjoe.org:\
      :rp=raw:

  # printer-uri=lpr://bitsink,ou=config,ou=printers,dc=plainjoe,dc=org
  # objectClass: nprintNetworkPrinterInfo
  bitsink:\
      :sh:\
      :mx#0:\
      :lf=/var/spool/lpd/bitsink/lpd-err:\
      :sd=/var/spool/lpd/bitsink:\
      :lp=/dev/null:\
      :rm=bitsink.lp.plainjoe.org:\
      :rp=bitsink:

  # printer-uri=lpr://draft-printer,ou=config,ou=printers,dc=plainjoe,dc=org
  # objectClass: nprintPortPrinterInfo
  draft-printer:\
      :sh:\
      :mx#0:\
      :lf=/var/spool/lpd/draft-printer/lpd-err:\
      :sd=/var/spool/lpd/draft-printer:\
      :lp=/dev/lp0:\
      :if=/opt/printers/filters/hpif.sh:
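The slides name a generate_printcap.pl script but do not show it. The Python below is an added example of the same idea, written for this page and not the author's script: it assembles the printer list for a host from the three sources the namespace defines (ou=global, the group under ou=location named by the host's nprintLocation, and the host's own nprintPrinterName values), looks up each printer's entry under ou=config and emits the printcap stanza, choosing rm/rp for nprintNetworkPrinterInfo entries and lp/if for nprintPortPrinterInfo entries. The directory content is constructed in-line to mirror the slides and uses the attribute names from the object class listing; the bitsink and draft-printer configuration entries are assumptions, since the slides only show their printcap output.

```python
# Constructed directory content mirroring the slides. Each entry is a dict of
# attribute -> list of values plus its dn.
BASE = "ou=printers,dc=plainjoe,dc=org"

CONFIG = [
    {"dn": "printer-uri=lpr://hp2100,ou=config," + BASE,
     "objectClass": ["printerService", "nprintNetworkPrinterInfo", "extensibleObject"],
     "printer-uri": ["lpr://hp2100"], "printer-name": ["hp2100"],
     "printer-job-k-octets-supported": ["10000"], "nprintHardwareQueueName": ["raw"],
     "relativeDomainName": ["hp2100"], "zoneName": ["lp.plainjoe.org"],
     "aRecord": ["192.168.1.220"]},
    {"dn": "printer-uri=lpr://bitsink,ou=config," + BASE,          # assumed entry
     "objectClass": ["printerService", "nprintNetworkPrinterInfo", "extensibleObject"],
     "printer-uri": ["lpr://bitsink"], "printer-name": ["bitsink"],
     "nprintHardwareQueueName": ["bitsink"],
     "relativeDomainName": ["bitsink"], "zoneName": ["lp.plainjoe.org"]},
    {"dn": "printer-uri=lpr://draft-printer,ou=config," + BASE,    # assumed entry
     "objectClass": ["printerService", "printerLPR", "nprintPortPrinterInfo"],
     "printer-uri": ["lpr://draft-printer"], "printer-name": ["draft-printer"],
     "nprintDeviceName": ["/dev/lp0"], "nprintFilter": ["/opt/printers/filters/hpif.sh"]},
    {"dn": "printer-uri=lpr://bjc240,ou=config," + BASE,
     "objectClass": ["printerService", "printerLPR", "nprintPortPrinterInfo"],
     "printer-uri": ["lpr://bjc240"], "printer-name": ["bjc240"],
     "nprintDeviceName": ["/dev/lp0"], "printer-aliases": ["canon"]},
]
GLOBAL = [{"dn": "printer-name=hp2100,ou=global," + BASE, "printer-name": ["hp2100"]}]
LOCATION = {"floor-1": [{"dn": "printer-name=bitsink,ou=floor-1,ou=location," + BASE,
                         "printer-name": ["bitsink"]}]}
HOSTS = {"queso": {"dn": "relativeDomainName=queso,ou=hosts,dc=plainjoe,dc=org",
                   "nprintLocation": ["floor-1"], "nprintPrinterName": ["draft-printer"]}}


def printer_names_for_host(host):
    """Global printers, then the host's location group, then host-specific ones."""
    names = []
    for entry in GLOBAL:
        names += entry["printer-name"]
    for loc in host.get("nprintLocation", []):
        for entry in LOCATION.get(loc, []):
            names += entry["printer-name"]
    names += host.get("nprintPrinterName", [])
    return list(dict.fromkeys(names))          # drop duplicates, keep order


def find_config(name):
    for entry in CONFIG:
        if name in entry["printer-name"]:
            return entry
    raise KeyError("no ou=config entry for printer " + name)


def printcap_entry(cfg):
    """One printcap stanza; the auxiliary class decides local vs remote queue."""
    name = cfg["printer-name"][0]
    spool = "/var/spool/lpd/" + name
    caps = ["sh", "mx#" + cfg.get("printer-job-k-octets-supported", ["0"])[0],
            "lf=" + spool + "/lpd-err", "sd=" + spool]
    classes = set(cfg["objectClass"])
    if "nprintNetworkPrinterInfo" in classes:
        caps += ["lp=/dev/null",
                 "rm=%s.%s" % (cfg["relativeDomainName"][0], cfg["zoneName"][0]),
                 "rp=" + cfg["nprintHardwareQueueName"][0]]
    elif "nprintPortPrinterInfo" in classes:
        caps.append("lp=" + cfg["nprintDeviceName"][0])
        if "nprintFilter" in cfg:
            caps.append("if=" + cfg["nprintFilter"][0])
    else:
        raise ValueError("no printer info class on " + cfg["dn"])
    lines = ["# " + cfg["dn"], name + ":\\"]
    lines += ["    :%s:\\" % cap for cap in caps[:-1]]
    lines.append("    :%s:" % caps[-1])
    return "\n".join(lines)


def generate_printcap(hostname):
    host = HOSTS[hostname]
    return "\n\n".join(printcap_entry(find_config(n)) for n in printer_names_for_host(host))


if __name__ == "__main__":
    print(generate_printcap("queso"))
```

For queso the result lists hp2100 (global), bitsink (floor-1) and draft-printer (host-specific) and leaves bjc240 out, which is the same selection the slide's printcap shows; retiring a printer is then a matter of deleting its entries, and the next run drops it from every host's printcap.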