Univention Bugzilla – Bug 51862
Enable iPads to find and use CUPS printers
Last modified: 2023-06-08 18:43:04 CEST
iPads are often used in school environments. In order for them to be able to use the printers on the school servers, they must be made known to the iPad. The avahi service (zeroconf) can be used for this. This service is already installed on UCS@school systems by default, but cannot be accessed from outside.

The following steps were carried out by a customer in its environment in order to implement a prototype:

1) The script airprint-generate.py is downloaded from https://github.com/tjfontaine/airprint-generate. It connects to CUPS, reads all printer shares and creates an avahi configuration file for each printer share. To do this, run the command "airprint-generate.py -d /etc/avahi/services/" e.g. hourly as a cron job.

2) The avahi service must be accessible via UDP port 5353. A UCR variable must be set so that the firewall is opened appropriately during the next firewall restart.

3) The following section should be included in /etc/cups/cupsd.local.conf to ensure that only authenticated users can print automatically to all printers:

<Location /printers/>
  Order Allow,Deny
  Allow From localhost
  Allow From slave123.schule-univention.ucs
  AuthType Basic
  Require valid-user
  Satisfy any
</Location>

This solution has not been tested in detail.
Since this bug was opened, we gathered a lot more experience with printing from iPads to printers shared by UCS. I will list as many things as I can remember:

1. First, broadcasting printers via avahi (Bonjour/Zeroconf/mDNS) must be enabled with "Browsing On" in cupsd.conf, it's disabled by default on UCS@School. Also UDP port 5353, which avahi listens on, must be opened in the firewall. "airprint-generate.py" is NOT needed in recent CUPS versions anymore. CUPS will automatically publish all shared printers via avahi.

2. Printers MUST NOT be protected in the CUPS config via a "<Location>" directive, as in Sönke's example. Because this will make iPads and macOS devices DoS the CUPS service to death. In current UCS, this means that 'cups/automaticrestrict' must be set to false. Otherwise, for every LDAP printer that has ACLs set, such a "<Location>" directive would be created. Instead, printers should be protected by using <Policy ...><Limit ...>..</Limit></Policy> directives, to allow/disallow individual IPP operations, like "Print-Job", etc. This can allow iPads to query the printers, but then ask for authentication, when an actual print job is generated. These <Policy> directives are luckily already mostly configurable via UCR. It might be up for debate if any kind of "<Location>" or "<Policy>" based protection is needed by default anyways, since the LDAP-based ACLs are also set per printer in the printers.conf file. I did not test this in detail yet.

3. UCS should allow the usage of "IPP Everywhere", which drops the need to select a PPD file (from a by now mostly incomplete and outdated list anyways), but instead allows CUPS to query the printer for its capabilities via the IPP protocol. This will allow for much better compatibility with the features of each individual printer.
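
Added example, not part of the bug report or of UCS: a Python sketch that audits cupsd.conf text against the points in the comment above (browsing enabled, no authenticated <Location> on /printers, authentication placed on Print-Job inside a <Policy> rather than on printer queries). The sample config and the finding labels are constructed, and treating a missing Browsing line as disabled is an assumption.

```python
# Constructed sample in cupsd.conf syntax; not taken from a real UCS host.
SAMPLE = """\
Browsing Off
<Location /printers/>
  AuthType Basic
</Location>
<Policy default>
  <Limit Print-Job Create-Job>
    Require valid-user
  </Limit>
</Policy>
"""

def parse(text):
    """Return (global directives, [(section path, directives)])."""
    top, done, stack = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            done.append(stack.pop())
        elif line.startswith("<"):
            kind, _, arg = line.strip("<>").partition(" ")
            parent = stack[-1][0] if stack else ()
            stack.append((parent + ((kind.lower(), arg.strip()),), {}))
        else:
            key, _, val = line.partition(" ")
            (stack[-1][1] if stack else top)[key.lower()] = val.strip()
    return top, done

def audit(text):
    """List settings that differ from the setup the comment above describes."""
    top, sections = parse(text)
    findings, authed = [], set()
    if top.get("browsing", "no").lower() not in ("on", "yes"):
        findings.append("browsing-disabled")
    for path, d in sections:
        kind, arg = path[-1]
        auth = "require" in d or d.get("authtype", "none").lower() != "none"
        if auth and kind == "location" and arg.startswith("/printers"):
            findings.append("location-auth " + arg)
        if auth and kind == "limit" and path[0][0] == "policy":
            authed.update(arg.split())
    if "Print-Job" not in authed:
        findings.append("print-job-open")
    if "Get-Printer-Attributes" in authed:
        findings.append("query-needs-auth")
    return findings
```

Operations authenticated in any <Policy> are pooled, so a host with several policies needs a per-policy check on top of this.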