Bug 51862 - Enable iPads to find and use CUPS printers
Status: NEW
Product: UCS@school
Classification: Unclassified
Component: Print services
UCS@school 4.4
Other Linux
P5 normal
Assigned To: UCS@school maintainers
Reported: 2020-08-20 13:24 CEST by Sönke Schwardt-Krummrich
Modified: 2023-06-08 18:43 CEST (History)

What kind of report is it?: Feature Request
School Customer affected?: Yes
Ticket number: 2023020121000421
Description Sönke Schwardt-Krummrich univentionstaff 2020-08-20 13:24:42 CEST
iPads are often used in school environments. In order for them to be able to use the printers on the school servers, they must be made known to the iPad.
The avahi service (zeroconf) can be used for this. This service is already installed on UCS@school systems by default, but cannot be accessed from outside.

The following steps were carried out by a customer in its environment in order to implement a prototype:

1) The script airprint-generate.py is downloaded from https://github.com/tjfontaine/airprint-generate. It connects to CUPS, reads all printer shares and creates an avahi configuration file for each printer share. To do this, run the command "airprint-generate.py -d /etc/avahi/services/" e.g. hourly as a cron job.

2) The avahi service must be accessible via UDP port 5353. A UCR variable must be set so that the firewall is opened appropriately during the next firewall restart.

3) The following section should be included in /etc/cups/cupsd.local.conf to ensure that only authenticated users can print automatically to all printers:

<Location /printers/>
    Order Allow,Deny
    Allow From localhost
    Allow From slave123.schule-univention.ucs
    AuthType Basic
    Require valid-user
    Satisfy any
</Location>


This solution has not been tested in detail.
Comment 2 Markus Dählmann 2021-10-15 11:29:51 CEST
Since this bug was opened, we gathered a lot more experience with printing from iPads to printers shared by UCS. I will list as many things as I can remember:

1. First, broadcasting printers via avahi (Bonjour/Zeroconf/mDNS) must be enabled with "Browsing On" in cupsd.conf; it's disabled by default on UCS@School. Also, UDP port 5353, which avahi listens on, must be opened in the firewall.
"airprint-generate.py" is NOT needed in recent CUPS versions anymore. CUPS will automatically publish all shared printers via avahi.

2. Printers MUST NOT be protected in the CUPS config via a "<Location>" directive, as in Sönke's example, because this will make iPads and macOS devices DoS the CUPS service to death. In current UCS, this means that 'cups/automaticrestrict' must be set to false. Otherwise, for every LDAP printer that has ACLs set, such a "<Location>" directive would be created.

Instead, printers should be protected by using <Policy ...><Limit ...>..</Limit></Policy> directives, to allow/disallow individual IPP operations, like "Print-Job", etc. This can allow iPads to query the printers, but then ask for authentication, when an actual print job is generated. These <Policy> directives are luckily already mostly configurable via UCR.

It might be up for debate if any kind of "<Location>" or "<Policy>" based protection is needed by default anyways, since the LDAP-based ACLs are also set per printer in the printers.conf file. I did not test this in detail yet.

3. UCS should allow the usage of "IPP Everywhere", which drops the need to select a PPD file (from a by now mostly incomplete and outdated list anyways), but instead allows CUPS to query the printer for its capabilities via the IPP protocol. This will allow for much better compatibility with the features of each individual printer.
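
The following check is an added example, not part of the comments above and not UCS or CUPS code. It audits the text of a cupsd.conf for the points raised in comment 2: browsing enabled, no authentication on a /printers <Location>, and authentication required on the Print-Job operation through a <Policy>/<Limit> block. The function name, the finding codes and both sample configurations are constructed for illustration.

```python
import re
# Constructed samples (not from a real server). BEFORE mirrors the description's
# <Location> block; AFTER follows comment 2: browsing on, auth only on job operations.
BEFORE = """Browsing Off
<Location /printers/>
    Order Allow,Deny
    Allow From localhost
    AuthType Basic
    Require valid-user
    Satisfy any
</Location>
"""
AFTER = """Browsing On
<Policy default>
  <Limit Create-Job Print-Job Print-URI Validate-Job>
    AuthType Default
    Require valid-user
  </Limit>
  <Limit All>
    Order deny,allow
  </Limit>
</Policy>
"""

def audit_cupsd(conf_text):
    """Return finding codes for the points raised in comment 2."""
    findings, stack, browsing_on, job_auth = [], [], False, False
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        opened = re.fullmatch(r"<(\w+)\s*(.*)>", line)
        if line.startswith("</"):
            stack = stack[:-1]  # leave the innermost section
        elif opened:  # section start, e.g. <Location /printers/> or <Limit Print-Job>
            stack.append((opened.group(1).lower(), opened.group(2).strip().lower()))
        else:
            key, *args = line.lower().split()
            section, arg = stack[-1] if stack else ("", "")
            if not stack and key == "browsing":
                browsing_on = args[:1] in (["on"], ["yes"])
            elif section == "location" and arg.startswith("/printers") and key == "require":
                findings.append("location-auth:" + arg)
            elif section == "limit" and "print-job" in arg.split() and key == "require":
                job_auth = True
    if not browsing_on:
        findings.insert(0, "browsing-off")
    if not job_auth:
        findings.append("print-job-unauthenticated")
    return findings
```

An empty result means the configuration matches the layout comment 2 recommends; it does not evaluate the per-printer ACLs in printers.conf that the comment also mentions.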