Understanding InfoPrint Manager Security (FST and LDAP)

InfoPrint Manager Security, a feature that you administer through SMIT, lets you protect your printing system by associating an Access Control List (ACL) with an InfoPrint object or operation. An ACL is the list of users and groups who have permission to do something to or with an object. The ACL also refers to the type of permission.

Types of permission

In InfoPrint Manager, users can have three levels of permission: read, write, and delete. The levels provide these types of access:

Read
For operations, the user can do the operation. For servers and queues, the user can view the attributes. For destinations, the user can view attributes and submit jobs to that destination.
Write
For all objects, the user can view and modify attributes.
Delete
For all objects, the user can view and modify attributes and can delete the object.

FST Users and Groups

When InfoPrint Manager is running in FST mode, the FST users and FST groups are required to manage the security of your printing system.

When InfoPrint Manager is first installed, three groups are created for you by default: acl_admin, admin, and oper. The user selected as authorized user during InfoPrint Manager install is placed in the acl_admin group. To have the access necessary to modify the security characteristics, the user must be a member of the acl_admin group.

The users in the admin group have more default privileges than the users in the oper group: they can create and delete InfoPrint Manager objects and clean all the jobs associated with an InfoPrint Manager object.

LDAP Security Overview

Lightweight Directory Access Protocol (LDAP) is a protocol that allows the secure use and administration of distributed users. As an LDAP administrator, you create groups that have certain permissions.

    Important:
  • InfoPrint Manager’s LDAP implementation is an extension of the FST security. When enabling LDAP security, the FST security continues to work as before. To use only the LDAP security, see Convert FST security to LDAP security.
  • The InfoPrint Manager server and tools search for IBM's libidsldap.a library in the directories: /opt/IBM/ldap/V6.X/lib64, where X is from 1 to 9. If your version of libidsldap.a library is installed on a different path, such as: /opt/IBM/ldap/V6.3.1/lib64, you must set (system wide) the PD_LDAP_LIBRARY_PATH environment variable to the directory where libidsldap.a is located before you configure the InfoPrint Manager LDAP functionality.

InfoPrint Manager supports these LDAP implementations:

  • Active Directory
  • IBM Tivoli Directory Server
  • OpenLDAP
  • NetIQ eDirectory 8.8 SP8 (Novell eDirectory)

Communication with the LDAP system can be unencrypted, encrypted with StartTLS, or encrypted with SSL. This gives you flexibility, depending on your implementation of LDAP.

To take full advantage of the LDAP security features, InfoPrint Manager allows two methods of authentication: Simple and Digest. In addition, you can do Anonymous or Authenticated searches in the LDAP system. To do an Authenticated search, you have to provide InfoPrint Manager with a Bind DN and a password for an LDAP user allowed to run searches against the LDAP system.

On the client side, InfoPrint Manager supports two ways of authentication:

  1. The client determines if it is running under an LDAP (PAM)/Active Directory system authentication session and no more credential checks are done. The LDAP user taken from the LDAP(PAM)/Active Directory system authentication session is used for the IPM user-related attributes.

    Clients using this method: InfoPrint Select without LDAP, Java GUI, SAP Clients, Command Line Clients.

  2. The client asks for the LDAP credentials and uses them to authenticate to the LDAP server. After the authentication, the client uses the LDAP user for IPM user-related attributes.

    Clients using this method: Web GUI and InfoPrint Select with LDAP.

Clients not using LDAP authentication: Submit Express, MVS Download, DPF Receiver, LPD and hot folders.

    Note:
  • The default Windows logon does not support LDAP, only Active Directory. This means that Select, CLC, Java GUI, and SAP clients work as LDAP-enabled clients on Windows only when you are using the Active Directory implementation of LDAP.

  • When InfoPrint Manager clients are using LDAP for authentication, the following InfoPrint Manager attributes contain the LDAP login attribute instead of the username@computername information:

    • user-name
    • job-owner
    • job-originator
    • name-of-last-accessor
    • results-profile

For more information on how to configure your LDAP security settings, see “Managing security for InfoPrint Manager for AIX” in InfoPrint Manager for AIX: Procedures.

LDAP Users and Groups
When InfoPrint Manager is running in LDAP mode, adding LDAP users and/or LDAP groups is required to manage the security of your print system.

An LDAP user/group can be added to any of the FST groups or directly in the ACLs for enhanced security. Once the user/group is defined in the IPM security, any client using LDAP authentication is verified against the LDAP system. This means that you can have two users with the same name, one using FST security and the other one using LDAP security. If you add LDAP groups to the IPM security, the LDAP client login is checked for group membership in the LDAP system.

LDAP caching mechanism
To minimize the number of LDAP queries run, InfoPrint Manager has an LDAP caching mechanism. This cache is unique per machine and contains information about users, groups, and LDAP login attributes. When a user first connects to any InfoPrint Manager server, the server checks the user credentials against the cache. If the user exists in the cache, the server uses the local information for security purposes. If the user does not exist, the LDAP system is queried and the user information is stored in the cache for future usage.

There are two important advantages of using a caching mechanism:

  • The number of LDAP searches is minimized, so InfoPrint Manager performance is not affected.
  • The LDAP connection can be interrupted for short periods of time without losing functionality (users are able to work with the system).

You can manually purge the cache using SMIT (Troubleshooting → Clear LDAP Cache).

Important: The LDAP caching mechanism can be manually enabled by editing the /etc/rc.lcd.

    Note:
  • If multiple InfoPrint Manager servers are started on the system where the cleanup command is run, the cache of all servers is cleaned.
  • If the servers are interoperated, a cleanup command cleans the cache of all servers.
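The cache behaviour described in this section, as an added example that is not InfoPrint Manager code: a Python model of a per-machine lookup cache in front of a simulated LDAP directory, showing a hit, a miss, tolerance of a short LDAP outage for already-cached users, and a manual purge. The user and group names are constructed sample data.

```python
# Added example (not InfoPrint Manager code): a model of the per-machine LDAP
# cache described above. The LDAP system is simulated in memory, and all user
# and group names below are constructed sample data.
from dataclasses import dataclass, field


class LdapUnavailable(Exception):
    """The simulated LDAP system could not be reached (connection interrupted)."""


@dataclass
class FakeLdap:
    """Stand-in for the directory: maps an LDAP login attribute to its groups."""
    users: dict
    available: bool = True
    queries: int = 0  # counts how many searches the cache actually issued

    def lookup(self, login):
        self.queries += 1
        if not self.available:
            raise LdapUnavailable(login)
        return self.users.get(login)  # None when the login is unknown to LDAP


@dataclass
class LdapCache:
    """Per-machine cache: an LDAP login is resolved once, then served locally."""
    ldap: FakeLdap
    entries: dict = field(default_factory=dict)

    def resolve(self, login):
        if login in self.entries:          # cache hit: no LDAP traffic
            return self.entries[login]
        groups = self.ldap.lookup(login)   # cache miss: may raise during an outage
        if groups is not None:             # only users known to LDAP are stored
            self.entries[login] = groups
        return groups

    def clear(self):
        """Equivalent of the SMIT 'Clear LDAP Cache' action."""
        self.entries.clear()


def is_authorized(cache, login, acl_members):
    """True if the login itself, or one of its LDAP groups, is listed in the
    ACL (or mapped FST group). Unknown users, and uncached users while LDAP
    is unreachable, are denied rather than guessed."""
    try:
        groups = cache.resolve(login)
    except LdapUnavailable:
        return False
    if groups is None:
        return False
    return login in acl_members or bool(groups & acl_members)
```

A cached user keeps working through an outage while a user seen for the first time is denied, which is exactly why the cache should be purged after LDAP group changes.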

Convert FST security to LDAP security
To convert from FST security to LDAP-only security:

  1. Create two LDAP groups, pd_admin and pd_operator, and map them to the admin and oper FST groups. You can also use existing LDAP groups if they suit your needs. In most cases these two groups are sufficient, because their members can do all the administrator and operator tasks for your system. Depending on the access rights you need for each group, you might need to create more LDAP groups with different permissions and map them to the corresponding InfoPrint Manager FST groups or directly in the IPM ACLs.
  2. Once you have created and mapped the LDAP groups to the IPM security system, enable the LDAP security for InfoPrint Manager.
  3. Remove any FST users from the FST groups or IPM ACLs. This restricts the access of any FST users to the InfoPrint Manager objects.

Convert LDAP security to FST security
To convert from LDAP security to FST-only security:

  1. Add FST users (in the form username@hostname) to the admin and oper FST groups. To restrict the access level, you can add specific users directly to the IPM ACLs.
  2. Once you have added all the FST users to the IPM security system, disable the LDAP security for InfoPrint Manager.
  3. Remove any LDAP users or groups from the FST groups or IPM ACLs. This restricts the access of any LDAP users to the InfoPrint Manager objects.