Understanding InfoPrint Manager Security
InfoPrint Manager Security, a feature that you administer through the InfoPrint Manager Management Console (MMC), lets you protect your printing system by associating an Access Control List (ACL) with an InfoPrint Manager object or operation. An ACL is the list of users and groups who have permission to do something to or with an object. The ACL also refers to the type of permission.
- Types of permission
-
In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:
- Read
- For operations, the user can do the operation. For servers and queues, the user can view the attributes. If you restrict access to a server or queue, access to all objects contained by that server or queue is automatically restricted, even if the objects are not explicitly protected. For destinations, the user can view attributes and submit jobs to that destination.
- Write
- For all objects, the user can view and modify attributes.
- Delete
- For all objects, the user can view and modify attributes and can delete the object.
- FST Users and Groups
-
When InfoPrint Manager is running in FST mode, the FST users and FST groups are required to manage the security of your printing system.
When InfoPrint Manager is first installed, three groups are created for you by default: acl_admin, admin, and oper. The user selected as authorized user during InfoPrint Manager installation is placed in the acl_admin group. To have the access necessary to modify the security characteristics, the user must be a member of the acl_admin group.
The users in the admin group have more default privileges from the users in the oper group: the possibility to create and delete InfoPrint Manager objects, and clean all the jobs associated with an InfoPrint Manager object.
- Federated Authentication Overview
-
Federated authentication is a method of granting users secure access to InfoPrint Manager Web Management Interface and the InfoPrint Manager Web Administration Interface by relying on external identity providers (IdPs). Instead of managing separate user credentials within our system, federated authentication allows users to log in using their existing accounts from trusted third-party services.
- Important:
- InfoPrint Managerfederated authentication implementation is mapped on existing FST security groups.
- When enabling federated authentication, FST or LDAP security continue to work as before.
- Federated authentication can be used only for the Web Management Interface or the Web Administration Interface.
- Federated authentication works only if you enabled https for the InfoPrint Manager web applications.
InfoPrint Manager supports the following federated authentication servers:
- Active Directory Federation Services™ (AD FS)
- Common Approach to Identity Assurance (CAIA)
- Okta®
- Mapping Federated Authentication groups to FST groups
-
When logging in through federated authentication, the groups passed by the federated authentication server for the user must match existing InfoPrint Manager FST groups. Those groups identify the access rights that the user will have in the system.
- LDAP Security Overview
-
Lightweight Directory Access Protocol (LDAP) is an application that allows the secure use and administration of distributed users. As an LDAP administrator, you create groups that have certain permissions.
- Important:
- InfoPrint Manager LDAP implementation is an extension of the FST security. When enabling LDAP security, the FST security continues to work as before. To use only the LDAP security, see Convert FST security to LDAP security.
InfoPrint Manager supports these LDAP implementations:
- Active Directory
- IBM Tivoli Directory Server
- OpenLDAP
- NetIQ eDirectory 8.8 SP8 (Novell eDirectory)
Communication with the LDAP system can be done without encryption, using StartTLS encryption, or SSL encryption. This offers you flexibility, depending on your implementation of LDAP.
To be able to take full advantage of the LDAP security features, InfoPrint Manager allows 2 methods of authentication: Simple and Digest. In addition, you can do Anonymous or Authenticated searches in the LDAP system. To be able to do an Authenticated search, you have to provide InfoPrint Manager with a Bind DN and a password for an LDAP user allowed to run searches against the LDAP system.
On the client side, InfoPrint Manager supports 2 ways of authentication:
- The client determines if it is running under an LDAP (PAM)/Active Directory system
authentication session and no more credential checks are done. The LDAP user taken
from the LDAP(PAM)/Active Directory system authentication session is used for the
InfoPrint Manager user-related attributes.
Clients using this method: InfoPrint Select without LDAP, Java GUI, SAP Clients, Command Line Clients.
- The client asks for the LDAP credentials and uses them to authenticate to the LDAP
server. After the authentication, the client uses the LDAP user for InfoPrint Manager user-related attributes.
Clients using this method: Web GUI and InfoPrint Select with LDAP.
Clients not using LDAP authentication: Command Line Clients for HP-UX and Sun OS, Submit Express, MVS Download, DPF Receiver, LPD, and hot folders.
- Note:
-
The default Windows logon does not support LDAP, only Active Directory. This means that InfoPrint Select, CLC, Java GUI, and SAP clients work as LDAP-enabled clients on Windows only when you are using the Active Directory implementation of LDAP.
-
When InfoPrint Manager clients are using LDAP for authentication, the following InfoPrint Manager attributes contain the LDAP login attribute instead of the username@computername information:
- user-name
- job-owner
- job-originator
- name-of-last-accessor
- results-profile
- LDAP Users and Groups
- When InfoPrint Manager is running in LDAP mode, adding LDAP users and/or LDAP groups is required to manage
the security of your print system.
An LDAP user/group can be added to any of the FST groups or directly in the ACLs for enhanced security. Once the user/group is defined in the InfoPrint Manager security, any client using LDAP authentication is verified against the LDAP system. This means that you can have two users with the same name, one using FST security and the other one using LDAP security. If you add LDAP groups to the IPM security, the LDAP client login is checked for group membership in the LDAP system.
- LDAP caching mechanism
- To minimize the number of LDAP queries run, InfoPrint Manager has an LDAP caching mechanism. This cache is unique per machine and contains information
about users, groups, and LDAP login attributes. When a user first connects to any
InfoPrint Manager server, the server checks the user credentials against the cache. If the user exists in
the cache, the server uses the local information for security purposes. If the user
does not exist, the LDAP system is queried and the user information is stored in the
cache for future usage.
There are two important advantages of using a caching mechanism:
- The number of LDAP searches is minimized, thus the InfoPrint Manager performance is not affected.
- The LDAP connection can be interrupted for short periods of time without losing functionality (users are able to work with the system)
Important: The LDAP caching mechanism can be manually enabled by editing the/etc/rc.lcd
.- Note:
- If multiple InfoPrint Manager servers are started on the system where the cleanup command is run, the cache of all servers is cleaned.
- If the servers are interoperated, a cleanup command cleans all server cache.
- Convert FST security to LDAP security
- To convert from FST security to LDAP only security, it is recommended that you create two LDAP groups: pd_admin and pd_operator and map these groups to the admin and oper FST groups. You can also use existing LDAP groups, if they suit your needs. The pd_admin and pd_operator groups are sufficient for your needs. Members of these two groups can do all the administrator and operator tasks for your system. You might need to create more LDAP groups with different permissions depending on the access rights you need for each group and map them to the corresponding InfoPrint Manager FST groups or directly in the InfoPrint Manager ACLs. Once you have created and mapped the LDAP groups to the InfoPrint Manager security system, enable the LDAP security for InfoPrint Manager. The final step in the FST to LDAP security conversion is to remove any FST users from the FST groups or InfoPrint Manager ACLs. This operation restricts the access of any FST users to the InfoPrint Manager objects.
- Convert LDAP security to FST security
- To convert from LDAP security to FST only security, you must add FST users (in the form of username@hostname) to the admin and oper FST groups. To restrict the access level, you can add specific users directly to the InfoPrint Manager ACLs. Once you have added all the FST users to the InfoPrint Manager security system, disable the LDAP security for InfoPrint Manager. The final step in the LDAP to FST security conversion is to remove any LDAP users or groups from the FST groups or InfoPrint Manager ACLs. This restricts the access of any LDAP users to the InfoPrint Manager objects.