Using LDAP Job Authentication with macOS X Command Line Client

The LDAP-enabled macOS X Command Line Client requires users to LDAP-authenticate when they first submit a job. LDAP authentication support allows only authenticated users to print and provides information about the users who printed a specific job. LDAP authentication allows InfoPrint Manager to provide more accurate accounting information.

The LDAP-enabled macOS X Command Line Client must be configured to use an LDAP server that has the GSS authentication option enabled. Only one version of the macOS X Command Line Client can be installed at a time. If you install the LDAP version of the macOS X Command Line Client and you want to switch back to the standard non-LDAP version, you can install it over the LDAP version. The installer allows you to install one version of the macOS X Command Line Client over the other and automatically removes the old version. Subsequent updates apply to the version that is currently installed. A configuration file contains the LDAP authentication settings, and you can edit these settings each time the LDAP login is performed. Multiple users are allowed to log in and authenticate from the same machine.

If you cannot successfully log in to the LDAP server, the LDAP-enabled macOS X Command Line Client does not allow you to submit jobs. If you are successfully logged in to the LDAP server, you are allowed to submit jobs to the InfoPrint Manager server. You must log in to the LDAP server the first time you submit a print job. The LDAP login session expires in either of these situations: when you log off or when the session timeout set by the LDAP server administrator expires. As a result, you are required to LDAP-authenticate each time you log in. You do not have to log in again for each subsequent print job that you submit. The submitted jobs contain an authenticated-login attribute with the LDAP username. This attribute can be added to the server accounting logs by using the server or actual destination additional-accounting-log-attributes attribute. You can modify the connection settings, and the application updates the configuration file.

The LDAP-enabled macOS X Command Line Client is LDAP v3 compliant. It supports only an open directory LDAP model. This means that the LDAP server does not require clients to establish connections over SSL, and it does not ask clients to authenticate when they do connect to an LDAP server over SSL.

SSL client mutual authentication is enabled when you do not want your directory system to be open to the general public. That is a closed directory system, where both SSL and client authentication are enforced. SSL client authentication means that the client must have a valid certificate verified by the server.
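
As an added example (not part of the InfoPrint Manager documentation), the shell function below checks an LDAP server's root DSE for the GSS prerequisite and for the transport protection discussed above. It assumes that the GSS option corresponds to the SASL GSSAPI mechanism and that the OpenLDAP ldapsearch client is used; ldap.example.com and the sample LDIF are constructed placeholders.

```shell
#!/bin/sh
# Added example, not InfoPrint Manager code. Reads root DSE LDIF on stdin, e.g.:
#   ldapsearch -x -H ldap://ldap.example.com -s base -b "" \
#       supportedSASLMechanisms supportedExtension | check_rootdse
# ldap.example.com is a placeholder; ldapsearch is the OpenLDAP client.

STARTTLS_OID="1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID

# Prints one finding per line; exit status 0 only when GSSAPI is offered.
check_rootdse() {
    awk -v oid="$STARTTLS_OID" '
        {
            line = $0
            sub(/\r$/, "", line)          # tolerate CRLF line endings
            split(line, f, /: */)         # "attribute: value"
            attr = tolower(f[1])          # attribute names are case-insensitive
        }
        attr == "supportedsaslmechanisms" { mech[toupper(f[2])] = 1 }
        attr == "supportedextension" && f[2] == oid { tls = 1 }
        END {
            gss = ("GSSAPI" in mech)
            if (gss) { print "OK: GSSAPI offered" }
            else     { print "FAIL: GSSAPI not offered" }
            if (tls) { print "OK: StartTLS advertised" }
            else     { print "WARN: StartTLS not advertised; check ldaps:// instead" }
            if ("PLAIN" in mech || "LOGIN" in mech) {
                print "WARN: password-based SASL mechanism offered; require TLS for it"
            }
            exit (gss ? 0 : 1)
        }'
}

# Constructed sample of a root DSE reply (not captured from a real server).
sample_rootdse() {
    cat <<'EOF'
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
EOF
}

sample_rootdse | check_rootdse
```

A server that does not advertise StartTLS can still offer SSL on a dedicated ldaps:// port, which the root DSE does not report.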