Setting Up a Secure Printing Environment


iPrint is designed to take full advantage of eDirectory security and ease of management. Setting up a secure printing environment can be done on two levels:

  • Print access control: Create a secure printing management infrastructure by assigning users to User, Operator, or Manager roles. This restricts the list of those who can control printers, iPrint Managers, and Driver Stores.

  • Securing iPrint with SSL: This option not only encrypts print communications over the wire, but also requires users to authenticate before installing and printing to a printer.

These levels are discussed in the following sections.

Print Access Control

Printer security is ensured through the assignment of the Manager, Operator, and User Access Control roles, and by the strategic placement of printers and printer configurations. For more information on eDirectory access control in general, see Chapter 7.

The access controls for iPrint allow you to specify the access each User, Group, or Container object will have to your printing resources. It is important to remember that all iPrint print roles function independently. For example, assigning someone as a printer manager does not automatically grant said person the rights of a printer user.

In most cases, the default assignments will prevent any problems that this role independence might cause. For example, a printer manager is automatically assigned as a printer operator and user for that printer. Similarly, a printer operator is automatically assigned as a user of that printer as well. You cannot remove the user role from an operator, and you cannot remove the operator and user roles from a manager.

The creator of an iPrint object is automatically assigned to all supported roles for the type of object being created.

You can assign multiple Printer objects to a given printer agent, but simultaneously make different access control assignments to each Printer object. This means that users in different containers can be assigned different trustee rights to the same printer.

PRINTER ROLES

As previously alluded to, three roles are associated with iPrint printing services: Manager, Operator, and User. Table 13.3 describes the rights granted to each role.

Table 13.3. NDPS Print Roles and Their Associated Rights

ROLE: Manager

ASSOCIATED RIGHTS: Tasks performed exclusively by the printer manager are those that require the creation, modification, or deletion of Printer objects, as well as other eDirectory administrative functions. Printer managers are automatically designated as printer operators and users as well, so they can perform all tasks assigned to the operator role. Typical manager functions include the following:

  • Modifying and deleting Printer objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

ROLE: Operator

ASSOCIATED RIGHTS: Print operators cannot create, modify, or delete eDirectory objects or perform other eDirectory administrative functions. Their management tasks include the following:

  • Performing all of the functions available through the Printer Control page

  • Pausing, restarting, or reinitializing printers

  • Reordering, moving, copying, and deleting jobs

  • Setting printer defaults, including locked properties

  • Configuring print job spooling

ROLE: User

ASSOCIATED RIGHTS: Print users only have rights to submit and manage print jobs that they own. Users cannot copy, move, reorder, or remove jobs they do not own. To simplify administration, the container within which a printer resides is automatically assigned as a user for that printer. That way, all users in that container inherit printer user rights. You can delete the Container object as a printer user in order to block access to the printer for users in that container.


To define the role assignment for a printer, complete the following steps in iManager:

1. In the Navigation frame, open the iPrint group and select Manage Printer.

2. In the Content frame, specify the printer for which you want to configure access controls and click OK.

3. At the Manage Printer page, select the Access Control tab, as shown in Figure 13.5.

Figure 13.5. Access Control tab for defining printer management roles in ConsoleOne.

4. Make your desired changes by adding or deleting members from the User, Operator, and Manager roles for this printer. eDirectory objects that can be assigned in these roles include User, Group, or Container objects. Click OK to save your changes.

Following these changes, printer access will be granted according to the access controls you have defined.

IPRINT MANAGER ACCESS CONTROLS

iPrint Manager security is provided exclusively through the printer manager role in iManager. The printer manager role was discussed previously in the "Printer Roles" section. Refer to Table 13.3 for more information on iPrint administrative roles in iManager. For more information on role-based administration with iManager, see Chapter 5, "OES Management Tools." Common administrative tasks related to the print manager include the following:

  • Creating printer agents and iPrint Manager objects

  • Adding or deleting operators and users for a printer

  • Adding other managers

  • Configuring interested-party notification

  • Creating, modifying, or deleting printer configurations

You should plan on assigning users who need to perform these types of tasks as occupants of the printer manager role.

IPRINT DRIVER STORE ACCESS CONTROLS

Two roles are associated with the Driver Store object. The printer manager role was discussed previously in the "Printer Roles" section. Refer to Table 13.3 for more information on iPrint administrative roles in iManager:

  • Manager: Tasks performed exclusively by the Driver Store manager require the creation, modification, or deletion of Driver Store objects, as well as those that involve other eDirectory administrative functions. Typical manager functions include the following:

    • Creating, modifying, and deleting Driver Store objects

    • Adding other managers

    • Enabling or disabling Driver Stores

  • Public access user: A public access user is a role assigned to all individuals on the network who are users of printers receiving services and resources provided by the Driver Store. This role is assigned by default and does not require specific administrative action by the Driver Store manager.

Securing iPrint with SSL

Secure printing takes advantage of SSL, which requires users to authenticate using their eDirectory usernames and passwords. Users must authenticate once per eDirectory tree per session. The print data is encrypted, and all print communications use port 443. Without secure printing, the printer is available to anyone on the local network and print communications are not encrypted. Secure printing works in conjunction with the security level set for the printer.

Prior to implementing SSL for iPrint, the following considerations must be noted:

  • Enabling SSL changes the printer URL. Implementing SSL will modify the printer URL. Clients currently configured to access the printer will need to delete and reinstall the printer in order to be operational.

  • SSL uses LDAP authentication. When users authenticate to the printer, this authentication is performed using LDAP access to eDirectory. LDAP then performs a search for the requested user starting from the root of the tree. If your eDirectory tree is large, the search base can be manually configured to decrease the time necessary for this search. To make this change, edit the AuthLDAPURL parameter within the iprint_ssl.conf file found at /etc/opt/novell/iprint/httpd/conf.
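
An added example, not from the book or from Novell: a Python check that reads AuthLDAPURL lines and reports any whose search base is empty (the search-from-root case described above) or whose scheme is ldap:// rather than ldaps://. It assumes the directive value follows Apache's LDAP URL layout, scheme://host/basedn?attribute?scope?filter; the host name and DNs in the sample are constructed placeholders.

```python
import shlex

# Constructed sample lines; the host name and DNs are placeholders.
ROOT_SEARCH = 'AuthLDAPURL "ldaps://oes1.example.com/???(objectClass=user)"'
SCOPED = 'AuthLDAPURL "ldaps://oes1.example.com/ou=users,o=example?cn?sub?(objectClass=user)"'
SAMPLE_CONF = "\n".join([
    "# constructed iprint_ssl.conf fragment", ROOT_SEARCH, SCOPED,
    'AuthLDAPURL "ldap://oes1.example.com/o=example"'])


def parse_auth_ldap_url(line):
    """Return the parts of an AuthLDAPURL directive, or None for any other line."""
    # Assumption: the value is laid out as scheme://host/basedn?attribute?scope?filter.
    line = line.strip()
    if not line.lower().startswith("authldapurl"):
        return None
    tokens = shlex.split(line)  # strips the surrounding quotes
    if len(tokens) < 2 or tokens[0].lower() != "authldapurl":
        raise ValueError("unrecognised AuthLDAPURL line: " + line)
    scheme, sep, rest = tokens[1].partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + tokens[1])
    host, _, tail = rest.partition("/")
    # Fields the URL leaves out come back as empty strings.
    fields = (tail.split("?", 3) + ["", "", ""])[:4]
    return dict(zip(("base", "attribute", "scope", "filter"), fields),
                scheme=scheme.lower(), host=host)


def audit_conf(text):
    """Return (line_number, finding) pairs for each AuthLDAPURL in the text."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_auth_ldap_url(raw)
        if parsed is None:
            continue
        if not parsed["base"]:
            findings.append((number, "empty-base"))  # search starts at the tree root
        if parsed["scheme"] == "ldap":
            findings.append((number, "cleartext-scheme"))  # ldap:// rather than ldaps://
    return findings


if __name__ == "__main__":
    for number, finding in audit_conf(SAMPLE_CONF):
        print(f"line {number}: {finding}")
```

To check a real server, pass the text of iprint_ssl.conf to audit_conf in place of SAMPLE_CONF.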

To enable SSL support for a given printer, complete the following steps in iManager:

1. In the Navigation frame, open the iPrint group and select Manage Printer.

2. In the Content frame, specify the printer for which you want to enable IPP printing.

3. On the Client Support tab, select the iPrint Support subpage. To enable SSL, click the check box for Enable Secure Printing.

4. Click OK to return to the iManager home page.

When this configuration is complete, SSL printers will require user authentication and encrypt communication between the client and server. Depending on the security of your network and the material being printed, this may not be a required step.



    Novell® Open Enterprise Server Administrator's Handbook, SUSE LINUX Edition
    ISBN: 067232749X
    EAN: 2147483647
    Year: 2005
    Pages: 178
