Providing printing for a network is quite different to providing it for a single machine. On a single machine you simply attach a printer to the 'USB port' or 'parallel port'. However, for a network you have a dedicated machine (called a 'print server') that collects print jobs from any machine on the network, holds that job until a specified printer is ready (known as 'spooling'), and then feeds it to that printer. A good print server may also do a number of other useful things - like keeping track of usage statistics for departmental charging purposes, etc.

Printing in this way has a number of advantages. A major one is that it is far, far easier to administer - one or several central print servers are simpler for the IT team to look after than tens, hundreds or even thousands of different printers connected to and controlled by individual PCs all scattered around the building. Another advantage is that it increases the print options available - any user can send their print job to any selected printer (on the network), get back to work, then pick up the printed output later. They are no longer limited to the single printer directly attached to their PC.

What we're replacing:

Walk into any IT department in the country and ask them what their biggest user complaints are. I guarantee two of the TOP complaints will be "email's not working!" and "printing's slow/not working!".

Printing can be an IT support nightmare. Many businesses do it with one of the various flavours of Windows Server Edition, and very often this is at the root of the problem...

Firstly, there are all of the usual Windows issues. Instability, low uptimes, unexplainable crashes that need a reformat and reinstall to 'fix', virus susceptibility, poor security and, not least, the high cost of licences, CALs, support etc. But, more than this, using it to control printers brings loads more! Print jobs get lost or stuck, printers print out gibberish, scalability is dreadful forcing an unnaturally high ratio of servers to printers. And sometimes, perhaps just to keep us on our toes, it just stops printing and needs a reboot.

However, what I find even more worrying is that using Windows as a print server also drives you towards, or locks you further into, a Windows-only infrastructure. Try serving Macintosh or UNIX workstations from a Windows print server - it 'can' be done, but it's not easy, it's slow and it's even more unreliable! And if the business does require print services for Macs, there are no options, you have to purchase the even more expensive Windows Advanced Server (did you know, by the way, even though it's a Mac, once it's connected, you have to pay a Client Access Licence for the privilege! Money and trees spring to mind).

Here's how to change all that and get the fast, reliable, platform neutral print services your business needs plus save a great deal of money while you are at it.

Open Source, simply better software:

Once again, GNU/Linux and Open Source is simply the better business solution. As a print server, an Open Source solution is perfect. Since it is modular software, you only need to use the bits you require. This means you aren't forced to swamp the hardware with all that general purpose Windows code, you install made-for-the-job, fast, reliable, efficient modules that do precisely what you want. The end result? A lean, mean printing system that runs very, very happily on low spec hardware yet that delivers twice the speed of its Windows equivalent and is four times as scalable. And there are no licensing costs whatsoever. Now, won't the business like that!

Samba is the key to all this. After GNU/Linux, Samba is the 'crown jewels' of the Open Source world. You can think of it as an Open Source Windows Advanced Server on steroids. A network full of Windows desktops expects (in practice, demands) to see a Windows Server as its back-end. The genius of Samba is that it shows them one! Samba presents printers to your Windows desktops in exactly the same way as a Windows Server - so, from the user's perspective, it looks and feels like a Windows server. It is so seamless that all they see is that it is faster, it doesn't crash, and there are no viruses taking it out every few weeks.

Configuring Samba is simplicity itself edit a simple text file if you're an 'expert', fire up an easy-to-use GUI if you're not.

To complete the system you also need to install CUPS (the Common Unix Printing System) which handles the physical mechanics of printing. CUPS is a state-of-the-art printing system. Its many developers include HP's finest engineers, and they know a thing or two about printing so it ought to be good! Samba hands over the print jobs it receives from the Windows desktops to CUPS, which then handles the rest. Despite (or maybe because of...) the U for UNIX in the name, CUPS is a superior printing solution whether you're printing from UNIX, Windows or Apple Macintoshes. It is fully cross-platform and uses open protocols (IPP). It can handle any type, shape or breed of printer from lowly Deskjets to big lasers to esoteric poster printers, you name it, it handles it so no more problems with identifying, searching out and downloading drivers that work with the various versions of Windows you have in use. And once again, just like with Samba, configuring CUPS is a doddle text based or through a simple GUI.

So there you have it. A couple of day's work and you have all the printing system you'll ever need. And it really is as easy as that. You've now got a far more reliable, simpler and faster solution. You've eliminated one of the major causes of user complaints. You've reduced your exposure to, and dependency on, Windows technologies and the constant hardware/software upgrade treadmill they force you on. Even more, you've saved the business a great deal of money on hardware, support staff time, software licences and CALs.

And it's not through some kind of magic, it's simply because it's better software.

How we can help you

• Consulting: we specialise in deploying Open Source alternatives to ISA. Deployment
• Training: we can train your staff to it themselves. Training
• Support: we're happy to offer support and advice for businesses keen to replace ISA themselves. Support

The Sirius Way - 8 Steps for Success

• Ensure the deployment strategy matches business strategy.
  - Never deploy technology for technology's sake.
• Get the business on board.
  - Achieve full buy-in and commitment, by targeting clear business benefits.
• Plan the 'when'.
  - The when is crucial.
  - Know business cycles, windows, and people availability.
  - Ensure contingency is built-in, right from the start.
• Be ready for the unexpected.
  - Have a clear, agreed, documented backout plan.
• Never rely on enthusiastic amateurs.
  - Have access to proven, high quality, on demand, professional support.
• Document the deployment.
  - Continually learn and improve.
  - Six months down the line, you'll know what you did!
• Measure the results.
  - And publish them so they are open, visible, and seen by the business.
• Celebrate success.
  - With your IT team and with the business.

Technologies

Squid
Squid is a caching proxy server. Most companies require some or all of their users to have web access, but do not wish to attach modems to every single users machine. Users web browsers are pointed at the proxy server, which downloads web pages on their behalf and serves them to their browser. A caching proxy server will save a copy of all web sites it has downloaded so that next time a user looks it up, only files that have changed need to be downloaded again. Caching will, over time, save a company a huge amount of bandwidth as most users view the same sites, and certain sites are viewed again and again. Squid is:

• a full-featured Web proxy cache
• designed to run on Unix systems
• free, open-source software
• the result of many contributions by unpaid (and paid) volunteers

Squid supports...

• proxying and caching of HTTP, FTP, and other URL's
• proxying for SSL
• cache hierarchies
• ICP, HTCP, CARP, Cache Digests
• transparent caching
• WCCP (Squid v2.3 and above)
• extensive access controls
• HTTP server acceleration
• SNMP
• caching of DNS lookups

Iptables

Iptables does stateful packet filtering. Packet filtering is the process of inspecting incoming and outgoing network traffic to see whether it is allowed according to some security ruleset. Statefull packet filtering is an enhancement whereby packets can be accepted or denied depending on recent history (this helps protect against certain kinds of attack). The intention of this is to define which services (e.g. email, web access) are allowed to pass the packet filtering machine, and which services (e.g. network logins, access to files on the network, etc.) are denyed. Packet filtering is perhaps the most important function of any product purporting to be a Firewall. Iptables runs under the Linux operating system.
The netfilter/iptables project is the Linux 2.4.x / 2.5.x firewalling subsystem.It delivers you the functionality of packet filtering (stateless or stateful), all different kinds of NAT (Network Address Translation) and packet mangling.

SpamAssassin

SpamAssassin SpamAssassin(tm) is a mail filter to identify spam. Using its rule base, it uses a wide range of heuristic tests on mail headers and body text to identify "spam", also known as unsolicited commercial email.

The spam-identification tactics used include:

• header analysis: spammers use a number of tricks to mask their identities, fool you into thinking they've sent a valid mail, or fool you into thinking you must have subscribed at some stage. SpamAssassin tries to spot these.
• text analysis: again, spam mails often have a characteristic style (to put it politely), and some characteristic disclaimers and CYA text.

SpamAssassin can spot these, too.

• blacklists: SpamAssassin supports many useful existing blacklists, such as mail-abuse.org, ordb.org or others.
• Razor: Vipul's Razor is a collaborative spam-tracking database, which works by taking a signature of spam messages. Since spam typically operates by sending an identical message to hundreds of people, Razor short-circuits this by allowing the first person to receive a spam to add it to the database -- at which point everyone else will automatically block it. Once identified, the mail can then be optionally tagged as spam for later filtering using the user's own mail user-agent application.

SpamAssassin requires very little configuration; you do not need to continually update it with details of your mail accounts, mailing list memberships, etc. It accomplishes filtering without this knowledge, as much as possible. The distribution provides a command line tool to perform filtering, along with Mail::SpamAssassin, a set of perl modules which allow SpamAssassin to be used in a wide range of products.

SpamAssassin lives at spamassassin.org or in CPAN, and is distributed under Perl's Artistic license. ('SpamAssassin' is a trademark of Network Associates, Inc.)

Features

• Wide-spectrum: SpamAssassin uses a wide variety of local and network tests to identify spam signatures. This makes it harder for spammers to identify one aspect which they can craft their messages to work around.
• Free software: it is distributed under the same terms and conditions as Perl itself.
• Easy to extend: Rules, weights and user-visible text are stored in text configuration files as much as possible, which the user (or sysadmin) can edit to modify or add new rules.
• Flexible: SpamAssassin encapsulates its logic in a well-designed, abstract API. As a result, it's not limited to the traditional local-delivery-to-spool case; using the Mail::SpamAssassin classes, it can be used in a wide variety of setups. This means that SpamAssassin support is available for a variety of mail systems -- traditional procmail, a Mail::Audit plugin, qmail, MIMEDefang, Postfix, and many others.

Snort

Snort is an open source network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture.

Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.

Webmin

Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can setup user accounts, Apache, DNS, file sharing and so on.

Links to Key Projects

All of the key Open Source technologies that enable you to replace ISA are linked to below:

Squid
Squid Documentation
Netfilter
Netfilter Documentation
netfilter_log_analyzer
SpamAssassin
SpamAssassin Documentation
Webmin
Webmin Documentation
Snort
Snort documentation

1. Introduction
   What is LDAP?
   Why use LDAP?
   Credits
2. Setting Up An OpenLDAP Server
   Install Master Server
   Secure Master Server with SSL/TLS
   Populate Master Server
   Summary of User Object Classes and Attributes Table
   Install Slave Servers
3. Configure UNIX Hosts for LDAP Logins
   LDAP enable Samba PDC For NT Workstation Logins
   Configure NT Workstations for LDAP Logins
4. LDAP enable Samba PDC for NT Workstation Logins
5. Configure NT Workstations for LDAP Logins

---

Introduction

What is LDAP:

LDAP stands for Lightweight Directory Access Protocol. OpenLDAP is an Open Source project that uses LDAP to deliver a fast, free, distributed directory service to organisations without locking them into dependence upon a single software vendor.

For example, prior to the use of centralized directory services separate directories were required for the domain itself, mailboxes, remote access, databases, and other applications. OpenLDAP enables a systems administrator to make a single entry in a directory which them gives a user account access to the network, access their email, access to corporate CRM systems or other mission-critical applications. In short, by using OpenLDAP as a multi-purpose directory an organisation enables single sign-on for its users. Once a user is authenticated by the network using OpenLDAP they will automatically unlock all of the applications or services that they have been enabled for.

Why use LDAP?:

• Single source of authentication.
• Simplifies administration.
• Obviates need for baroque/homebrew user account replication.
• Replacement for NIS, /etc/passwd, /etc/groups, /etc/shadow, NT users/groups, etc.
• Platform agnostic.
• Can be back-end for authenticating most services (email, ftp, proxy services, etc).
• Can be used for much more than just authentication (HR, phone lists, address books, etc).

Basically, the process is:

• Set up OpenLDAP server
• Configure UNIX Hosts for LDAP Logins
• LDAP enable Samba PDC For NT/2000 Workstations

Credits:

The following people were involved in the production of this HOWTO:
Regan Burke

Setting Up An OpenLDAP Server

Install Master Server:

The latest stable version (currently 2.1.16) of OpenLDAP can be downloaded from here.

The Administrators Guide (essential reading) may be downloaded from here.

Source Install Under Solaris 8:

Solaris 8 is quite broken out of the box. We strongly suggest you immediately implement the sage advice found in fixsolaris8.txt before continuing.

Download the latest stable release
./configure
make depend
make
make install

Source Install Under Debian GNU/Linux 3.0:

You will need the following packages installed prior to building the OpenLDAP server (apt-get is your friend!):

• gcc
• automake
• autoconf
• autotools-dev
• m4
• autoconf2.13
• libtool
• libtdl3
• libtdl3-dev

You will also need to build the Berkeley DB software from source

• Download latest stable release (currently 4.1.25) from here and un-gzip it into wherever you build your local software (say /usr/local/src)
• cd to the 'build_unix' directory
• ../dist/configure
• make
• make install
• Download the latest stable release and un-gzip it into wherever you build your local software (say /usr/local/src)
  ./configure
  make depend
  make
  make install

Non-Source Install Under Linux:

Debian:

The required packages are:

• libldap2
• slapd
• libiodbc2
• ldap-utils

Install using apt-get or dselect.
Configure according to the debian-specific documentation.
The slapd.conf file may require some further editing.
Firstly you will need to decide which schemas to include.
The core.schema must always be included.
If you wish to support Solaris 8, you must include the cosine.schema, nis.schema, inetorgperson.schema and the solaris.schema.
The nis.schema supplied with the distribution is borked. Please please contact us for a replacement.
If you intend to support Solaris 8, please contact us.
If you intend to use Samba, please contact us for the correct schema.
They should be placed in /etc/ldap/schema along with the others.
The latest Debian unstable also has migrationtools.

Secure Master Server with SSL/TLS:

This section has not been completed. please contact us for further details.

Populate Master Server:

How the server is populated depends on which operating systems you wish to support authentication on.
Currently, this howto covers Linux, FreeBSD, Solaris 8 and the various incarntations of Microsoft Windows.
It is possible (and desirable) to keep non-authentication related information in your server, such as adresses, email details, and even staff photos(!) if you want to.
You will also have to make decisions on the structure of your LDAP server in terms of groupings of entries.

1. Set up base dn with appropriate object classes and attributes.
2. Set up organisational units (e.g. People, Groups, Machines, etc.) with appropriate object classes and attributes.
3. Add individual entries for People, Groups, Machines, etc.

Please contact us for an example setup file to create the top level plus our suggested organisational units.
Obviously, you will need to customise this file to match your own organisation.
When you are happy with it, it can be installed to the ldap server by issuing the command

"ldapadd -f setup.ldif -h yourserver -x -D cn=admin,dc=siriusit,dc=co,dc=uk -w p455w0rd" as root.

Where 'yourserver', the domain components (dc's), and p455w0rd are suitably adjusted for your site. yourserver may be a hostname or an ip address.

User Accounts:

The minimum object classes needed for UN*X clients to authenticate UN*X users against the LDAP server are top, posixAccount and shadowAccount.
The definitive guide to these (and other) object classes is RFC 2307.

Suggested object classes to include for a user:

top
person
organizationalPerson
inetOrgPerson
account
posixAccount
shadowAccount
sambaAccount

Change the value of the following parameters to 2147483647
logoffTime
kickoffTime
pwdMustChange

Summary of User Object Classes and Attributes:

Objectclass	Attributes	Required?	Description
top			default
	ObjectClass	required	Object Class
person			Basic person
	cn	required	Common Name
	sn	required	Surname
	userPassword	optional	User's UN*X Password
	telephoneNumber	optional	Phone Number
	seeAlso	optional	Reference related LDAP entry
	description	optional	Description/Special Interests
organizationalPerson			Extended Person
	title	optional	Organisational Title
	x121Address	optional	Naming Standard defined in CCITT Rec. X.121
	registeredAddress	optional	Address where recipient guarantees to accept delivery
	destinationIndicator	optional	Used for telegrams
	preferredDeliveryMethod	optional	Single value favourite delivery method
	telexNumber	optional
	teletexTerminalIdentifier	optional
	telephoneNumber	optional
	internationaliSDNNumber	optional
	facsmilieTelephoneNumber	optional
	street	optional
	postOfficeBox	optional
	postalCode	optional
	postalAddress	optional
	physicalDeliveryOfficeName	optional
	ou	optional
	st	optional
	l	optional
inetOrgPerson			Extended Internet Person
	audio	optional
	businessCategory	optional
	carLicence	optional
	departmentNumber	optional
	displayName	optional
	employeeNumber	optional
	employeeType	optional
	givenName	optional
	homePhone	optional
	homePostalAddress	optional
	initial	optional
	jpegPhoto	optional
	labeledURI	optional
	mail	optional
	manager	optional
	mobile	optional
	o	optional
	pager	optional
	photo	optional
	roomNumber	optional
	secretary	optional
	uid	optional
	userCertificate	optional
	x500uniqueIdentifier	optional
	preferredLanguage	optional
	userSMIMECertificate	optional
	userPKCS12	optional
account			Basic Account
	userid	required	see uid (below)
	description	optional
	seeAlso	optional
	localityName	optional
	organizationName	optional
	organizationalUnitName	optional
	host	optional
posixAccount			Unix Account
	cn	required	Common Name (if a person, their full name)
	uid	required	User's login
	uidNumber	required	Number that uniquely identifies user to system
	gidNumber	required	Number that uniquely identifies group to system
	homeDirectory	required	Path to user's home directory
	userPassword	optional	User's UN*X Password
	loginShell	optional	UN*X login shell
	gecos	optional
	description	optional
shadowAccount			Unix Shadow Account
	uid	required
	userPassword	optional
	shadowLastChangeshadowMin	optional
	shadowMin	optional
	shadowMax	optional
	shadowWarning	optional
	shadowInactive	optional
	shadowExpire	optional
	shadowFlag	optional
	description	optional
sambaAccount			Windows User Account
	uid	required
	rid	required	Windows relative identifier
	cn	optional
	ImPassword	optional
	ntPassword	optional
	pwdLastSet	optional
	logonTime	optional
	logoffTime	optional
	kickoffTime	optional
	pwdCanChange	optional
	pwdMustChange	optional
	acctFlags	optional
	displayName	optional
	smbHome	optional
	homeDrive	optional
	scriptPath	optional
	profilePath	optional
	description	optional
	userWorkStations	optional
	primaryGroupID	optional
	domain	optional

 

Workstations:
posixAccount
sambaAccount

cn
uid
uidNumber
gidNumber
homeDirectory
rid

clean profiles directory
home directory

Group Accounts:

The minimum object classes needed for clients to retrieve groups from the LDAP server are top and posixGroup.

Summary of Group Object Classes and Attributes:

Objectclass	Attributes	Required?	Description
top			default
	objectClass	required	Object Class
posixGroup			Unix Group
	cn	required
	gidNumber	required
	userPassword	optional	UN*X password
	memberUid	optional
	description	optional

Summary of Workstation Object Classes and Attributes

Objectclass	Attributes	Required?	Description
top			default
	objectClass	required	Object Class
posixAccount			Unix Account
	cn	required
	uid	required
	uidNumber	required	UN*X uid
	gidNumber	required	UN*X gid
	homeDirectory	required	UN*X home directory
	userPassword	optional	UN*X password
	loginShell	optional	UN*X login shell
	gecos	optional
	description	optional

Install Slave Servers:

This ain't done either ;)

Configure UNIX Hosts for LDAP Logins

This is achieved by using PADL Software's open source pam_ldap and nss_ldap modules.

The pam_ldap module enables the client operating system to authenticate against your LDAP server, whilst the nss_ldap module enables the client operating system to retrieve session information (GECOS field type information) from your LDAP server.
Configuration is different under each client operating system, and depends upon whether you compile from source or use precompiled modules if available.

A basic intro to PAM may be downloaded (pdf format) from here
Further detail on the Linux implementation of PAM may be found here
Sun (who started it all) have a web page here
The Linux-PAM System Administrators' Guide may be found here

Source Install Under Solaris 8:

Make sure that the following programs from Sunfreeware are installed:

• autoconf
• automake
• libtool
• libiconv
• m4

Download PADL Software's pam_ldap and nss_ldap modules source code. Put them in /usr/local/src, or wherever you keep stuff you compile locally.
Back up your existing /usr/lib/nss_ldap.so.1 and /usr/lib/security/pam_ldap.so.1 files.

cd into the pam_ldap-152 directory.
Run "./configure"
Run "aclocal"
Edit the Makefile to remove "-llber" on line 115
Run "make"
Run "make install"

cd into the nss_ldap-201 directory.
Run "./configure"
Edit the Makefile to remove "-llber" on line 157
Run "make"
Run "chmod +x install-sh"
Run "make install"

Edit /etc/ldap.conf to suit your site.
add ldap.secret
Edit /etc/nsswitch.conf.
Finally, the PAM configuration file must be modified.
Modify the configuration file /etc/pam.conf - for each service you wish to LDAP-enable.
The modifications are quite simple, generally involving adding lines of the form:
type sufficient pam_ldap.so
where type is one of account, auth, password, or session.
/etc/init.d/nscd restart
The name service caching daemon (nscd) caches LDAP lookups locally to speed up authentication. There is a problem with synchroniation though.

Non-Source Install Under Linux:

Debian:

The required packages are:

• libldap2
• libpam0g
• libpam-ldap
• libnss-ldap
• nscd

Install using apt-get or dselect.

Debconf will ask you a few questions:

• Configuring Libnss-ldap - LDAP Server host - enter the ip address of your ldap server.

Edit /etc/pam_ldap.conf to suit your site.
The admin passwords needs to be in the file /etc/ldap.secret. chmod this file to 0600.
Edit /etc/libnss-ldap.conf to suit your site.
Edit /etc/nsswitch.conf to suit your site.
Finally, the PAM configuration files must be modified.
cd to /etc/pam.d/ and modify the configuration file for each service you wish to LDAP-enable.
The modifications are quite simple, generally involving adding lines of the form: