Understanding InfoPrint Manager Security (FST and LDAP)
InfoPrint Manager Security, a feature that you administer through SMIT, lets you protect your printing system by associating an Access Control List (ACL) with an InfoPrint object or operation. An ACL is the list of users and groups who have permission to do something to or with an object. The ACL also specifies the type of permission.
- Types of permission
In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:
- Read: For operations, the user can do the operation. For servers and queues, the user can view the attributes. For destinations, the user can view attributes and submit jobs to that destination.
- Write: For all objects, the user can view and modify attributes.
- Delete: For all objects, the user can view and modify attributes and can delete the object.
- FST Users and Groups
When InfoPrint Manager is running in FST mode, FST users and FST groups are used to manage the security of your printing system.
When InfoPrint Manager is first installed, three groups are created for you by default: acl_admin, admin, and oper. The user selected as the authorized user during the InfoPrint Manager installation is placed in the acl_admin group. To have the access necessary to modify the security characteristics, a user must be a member of the acl_admin group.
The users in the admin group have more default privileges than the users in the oper group: they can create and delete InfoPrint Manager objects and clean all the jobs associated with an InfoPrint Manager object.
- LDAP Security Overview
Lightweight Directory Access Protocol (LDAP) is a protocol that allows the secure use and administration of distributed users. As an LDAP administrator, you create groups that have certain permissions.
- InfoPrint Manager’s LDAP implementation is an extension of the FST security. When enabling LDAP security, the FST security continues to work as before. To use only the LDAP security, see Convert FST security to LDAP security.
- The InfoPrint Manager server and tools search for IBM's libidsldap.a library in /opt/IBM/ldap/V6.X/lib64, where X is a digit from 1 to 9. If your libidsldap.a library is installed on a different path, such as /opt/IBM/ldap/V6.3.1/lib64, you must set the PD_LDAP_LIBRARY_PATH environment variable (system wide) to the directory where libidsldap.a is located before you configure the InfoPrint Manager LDAP functionality.
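The following added check (example code, not part of the InfoPrint Manager documentation or product) reproduces the documented search for libidsldap.a so an administrator can confirm, before configuring LDAP security, which directory will be found and whether PD_LDAP_LIBRARY_PATH needs to be set. The `root` prefix and the rule that an explicit PD_LDAP_LIBRARY_PATH is consulted first are assumptions made for this example.

```python
import os

# Default locations the page documents: /opt/IBM/ldap/V6.X/lib64 with X from 1 to 9.
DEFAULT_DIRS = [f"/opt/IBM/ldap/V6.{x}/lib64" for x in range(1, 10)]


def resolve_ldap_library_dir(env, root="/"):
    """Return the directory that contains libidsldap.a, or None if none is found.

    env  -- mapping of environment variables (pass os.environ on a live system)
    root -- prefix prepended to every candidate path (assumption: lets the check
            run against a test tree instead of the real filesystem)
    Assumption: a set PD_LDAP_LIBRARY_PATH is checked before the default dirs.
    """
    candidates = []
    override = env.get("PD_LDAP_LIBRARY_PATH")
    if override:
        candidates.append(override)
    candidates.extend(DEFAULT_DIRS)
    for directory in candidates:
        if os.path.isfile(os.path.join(root, directory.lstrip("/"), "libidsldap.a")):
            return directory
    return None


if __name__ == "__main__":
    found = resolve_ldap_library_dir(os.environ)
    print("libidsldap.a found in:" if found else "libidsldap.a not found; set PD_LDAP_LIBRARY_PATH", found or "")
```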
InfoPrint Manager supports these LDAP implementations:
- Active Directory
- IBM Tivoli Directory Server
- NetIQ eDirectory 8.8 SP8 (Novell eDirectory)
Communication with the LDAP system can be done without encryption, with StartTLS encryption, or with SSL encryption. This gives you flexibility, depending on your implementation of LDAP.
To take full advantage of the LDAP security features, InfoPrint Manager allows two methods of authentication: Simple and Digest. In addition, you can do Anonymous or Authenticated searches in the LDAP system. To do an Authenticated search, you must provide InfoPrint Manager with a Bind DN and a password for an LDAP user allowed to run searches against the LDAP system.
On the client side, InfoPrint Manager supports two ways of authentication:
- The client determines whether it is running under an LDAP (PAM)/Active Directory system authentication session, and no further credential checks are done. The LDAP user taken from the LDAP (PAM)/Active Directory system authentication session is used for the IPM user-related attributes.
Clients using this method: InfoPrint Select without LDAP, Java GUI, SAP Clients, Command Line Clients.
- The client asks for the LDAP credentials and uses them to authenticate to the LDAP server. After the authentication, the client uses the LDAP user for the IPM user-related attributes.
Clients using this method: Web GUI and InfoPrint Select with LDAP.
Clients not using LDAP authentication: Submit Express, MVS Download, DPF Receiver, LPD and hot folders.
The default Windows logon does not support LDAP, only Active Directory. This means that Select, CLC, Java GUI, and SAP clients work as LDAP-enabled clients on Windows only when you are using the Active Directory implementation of LDAP.
When InfoPrint Manager clients are using LDAP for authentication, the following InfoPrint Manager attributes contain the LDAP login attribute instead of the username@computername information:
- LDAP Users and Groups
- When InfoPrint Manager is running in LDAP mode, adding LDAP users and/or LDAP groups is required to manage the security of your print system.
An LDAP user/group can be added to any of the FST groups or directly in the ACLs for enhanced security. Once the user/group is defined in the IPM security, any client using LDAP authentication is verified against the LDAP system. This means that you can have two users with the same name, one using FST security and the other one using LDAP security. If you add LDAP groups to the IPM security, the LDAP client login is checked for group membership in the LDAP system.
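To make the rules above concrete, here is an added illustrative model (example code, not InfoPrint Manager's own implementation): an FST user and an LDAP user with the same name resolve to different permissions, an LDAP user placed in an FST group inherits that group's level, and LDAP group entries are resolved through a lookup that stands in for the directory query. The sample groups, the ACL, the permission ordering (delete above write above read) and the rule that a principal receives the highest level granted by any matching entry are constructed assumptions.

```python
from dataclasses import dataclass

# Permission levels as the page describes them: write includes read access,
# delete includes write access (ordering is an assumption of this model).
LEVELS = {"read": 1, "write": 2, "delete": 3}


@dataclass(frozen=True)
class Principal:
    name: str
    realm: str  # "FST" for a local FST user, "LDAP" for an LDAP login


# Constructed sample data: the three default FST groups, with one LDAP user
# added to the oper group as the page allows.
FST_GROUPS = {
    "acl_admin": {Principal("ipmadmin", "FST")},
    "admin": {Principal("ipmadmin", "FST"), Principal("alice", "FST")},
    "oper": {Principal("bob", "FST"), Principal("alice", "LDAP")},
}

# Stand-in for the LDAP group-membership check (assumption: a dict replaces
# the query the server would run against the LDAP system).
LDAP_GROUP_MEMBERS = {"cn=printops,ou=groups,dc=example,dc=com": {"alice", "carol"}}


def ldap_is_member(login, group_dn):
    return login in LDAP_GROUP_MEMBERS.get(group_dn, set())


# Constructed ACL for one destination: (entry kind, target, permission level).
DESTINATION_ACL = [
    ("fst_group", "oper", "read"),
    ("fst_group", "admin", "delete"),
    ("ldap_group", "cn=printops,ou=groups,dc=example,dc=com", "write"),
    ("user", Principal("dave", "LDAP"), "read"),
]


def effective_level(principal, acl):
    """Highest permission level any matching ACL entry grants (0 = none)."""
    best = 0
    for kind, target, level in acl:
        if kind == "user":
            granted = principal == target  # same name, other realm does not match
        elif kind == "fst_group":
            granted = principal in FST_GROUPS.get(target, set())
        elif kind == "ldap_group":  # only LDAP logins are checked in the directory
            granted = principal.realm == "LDAP" and ldap_is_member(principal.name, target)
        else:
            raise ValueError(f"unknown ACL entry kind: {kind}")
        if granted:
            best = max(best, LEVELS[level])
    return best


def has_permission(principal, acl, level):
    return effective_level(principal, acl) >= LEVELS[level]
```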
- LDAP caching mechanism
- To minimize the number of LDAP queries run, InfoPrint Manager has an LDAP caching mechanism. This cache is unique per machine and contains information about users, groups, and LDAP login attributes. When a user first connects to any InfoPrint Manager server, the server checks the user credentials against the cache. If the user exists in the cache, the server uses the lo