Setting Up a Secure Printing Environment

iPrint is designed to take full advantage of eDirectory security and ease of management. Setting up a secure printing environment can be done on two levels:

- Print access control: Create a secure printing management infrastructure by assigning users to User, Operator, or Manager roles. This restricts the list of those who can control printers, iPrint Managers, and Driver Stores.
- Securing iPrint with SSL: This option not only encrypts print communications over the wire, but also requires users to authenticate before installing and printing to a printer.

These levels are discussed in the following sections.

Print Access Control

Printer security is ensured through the assignment of the Manager, Operator, and User Access Control roles, and by the strategic placement of printers and printer configurations. For more information on eDirectory access control in general, see Chapter 7.

The access controls for iPrint allow you to specify the access each User, Group, or Container object will have to your printing resources. It is important to remember that all iPrint print roles function independently. For example, assigning someone as a printer manager does not automatically grant that person the rights of a printer user.

In most cases, the default assignments will prevent any problems that this role independence might cause. For example, a printer manager is automatically assigned as a printer operator and user for that printer. Similarly, a printer operator is automatically assigned as a user of that printer as well. You cannot remove the user role from an operator, and you cannot remove the operator and user roles from a manager.

The creator of an iPrint object is automatically assigned to all supported roles for the type of object being created.

You can assign multiple Printer objects to a given printer agent, but simultaneously make different access control assignments to each Printer object. This means that users in different containers can be assigned different trustee rights to the same printer.

PRINTER ROLES

As mentioned previously, three roles are associated with iPrint printing services: Manager, Operator, and User. Table 13.3 describes the rights granted to each role.
Following these changes, printer access will be granted according to the access controls you have defined.

IPRINT MANAGER ACCESS CONTROLS

iPrint Manager security is provided exclusively through the printer manager role in iManager. The printer manager role was discussed previously in Chapter 5, "OES Management Tools." Common administrative tasks related to the print manager include the following:

- Creating printer agents and iPrint Manager objects
- Adding or deleting operators and users for a printer
- Adding other managers
- Configuring interested-party notification
- Creating, modifying, or deleting printer configurations

You should plan on assigning users who need to perform these types of tasks as occupants of the printer manager role.

IPRINT DRIVER STORE ACCESS CONTROLS

Two roles are associated with the Driver Store object. The printer manager role was discussed previously in the "Printer Roles" section. Refer to Table 13.3 for more information on iPrint administrative roles in iManager:

- Manager: Tasks performed exclusively by the Driver Store manager are those that require the creation, modification, or deletion of Driver Store objects, as well as those that involve other eDirectory administrative functions. Typical manager functions include the following:
  - Creating, modifying, and deleting Driver Store objects
  - Adding other managers
  - Enabling or disabling Driver Stores
- Public access user: A public access user is a role assigned to all individuals on the network who are users of printers receiving services and resources provided by the Driver Store. This role is assigned by default and does not require specific administrative action by the Driver Store manager.

Securing iPrint with SSL

Secure printing takes advantage of SSL, which requires users to authenticate using their eDirectory usernames and passwords. Users must authenticate once per eDirectory tree per session. The print data is encrypted, and all print communications use port 443. Without secure printing, the printer is available to anyone on the local network and print communications are not encrypted. Secure printing works in conjunction with the security level set for the printer.

Prior to implementing SSL for iPrint, the following considerations must be noted:

- Enabling SSL changes the printer URL. Implementing SSL will modify the printer URL. Clients currently configured to access the printer will need to delete and reinstall the printer in order to be operational.
- SSL uses LDAP authentication. When users authenticate to the printer, this authentication is performed using LDAP access to eDirectory. LDAP then performs a search for the requested user starting from the root of the tree. If your eDirectory tree is large, the search base can be manually configured to decrease the time necessary for this search. To make this change, edit the AuthLDAPURL parameter within the iprint_ssl.conf file found at /etc/opt/novell/iprint/httpd/conf.

To enable SSL support for a given printer, complete the following steps in iManager:
When this configuration is complete, SSL printers will require user authentication and encrypt communication between the client and server. Depending on the security of your network and the material being printed, this may not be a required step.
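
The AuthLDAPURL search base mentioned above can be checked before and after editing iprint_ssl.conf. The following is an added example, not code from the book or from iPrint: it parses AuthLDAPURL directives in the standard Apache form scheme://host/basedn?attribute?scope?filter and reports entries with an empty base DN (search from the root of the tree) or a non-ldaps scheme. The host names, DNs, sample lines, and finding labels are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache directive names are case-insensitive; the URL may be quoted or bare.
DIRECTIVE = re.compile(r'^\s*AuthLDAPURL\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Constructed sample lines; hosts and DNs are placeholders, not a real iprint_ssl.conf.
SAMPLE_CONF = '''\
# constructed sample
AuthLDAPURL "ldaps://server1.example.com/???(objectClass=user)"
AuthLDAPURL "ldaps://server1.example.com/ou=Human%20Resources,o=example???(objectClass=user)"
#AuthLDAPURL "ldap://old.example.com/o=example"
AuthLDAPURL ldap://server2.example.com:389/o=example?uid?sub
'''

def parse_ldap_url(url):
    """Split scheme://host[:port]/basedn?attribute?scope?filter into fields."""
    scheme, _, rest = url.partition("://")
    host, _, tail = rest.partition("/")
    base, attr, scope, filt = (tail.split("?", 3) + [""] * 3)[:4]
    return {"scheme": scheme.lower(), "host": host, "base": unquote(base),
            "attribute": attr, "scope": scope, "filter": filt}

def audit_conf(text):
    """Return (line number, finding, search base) for each active AuthLDAPURL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#' and never match
        if not m:
            continue
        url = parse_ldap_url(m.group(1) or m.group(2))
        if not url["base"]:
            # Empty base DN: every login searches from the root of the tree.
            findings.append((lineno, "search-from-root", ""))
        if url["scheme"] != "ldaps":
            # ldap:// does not by itself imply TLS for the bind.
            findings.append((lineno, "scheme-not-ldaps", url["base"]))
    return findings

if __name__ == "__main__":
    for lineno, finding, base in audit_conf(SAMPLE_CONF):
        print(f"line {lineno}: {finding} (base={base!r})")
```

To audit a live server, pass the contents of /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf to audit_conf in place of the sample string.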