User and Group Synchronization

One of the most important parts of managing the system is to configure the User and Group synchronization options. PaperCut NG synchronizes user and group information from a source such as Windows Active Directory (or Windows Domain). This simplifies the administration of the system by avoiding the need to manage a separate database of users and groups. If a user is added to the domain or is removed from a group then PaperCut NG will automatically synchronize this information without any intervention from the administrator. For example:

Synchronization Options

The synchronization options are located on the Options → User/Group sync tab. There are five options to select:

  • Sync source - this selects where the users/groups should be imported from. (Active Directory, Windows NT Domain, LDAP, or Custom provider).

  • Import users from Group - restricts the import to a subset of users: only the members of the selected group are imported.

  • Delete users that do not exist in the selected source - deletes users from PaperCut NG if they no longer exist in the selected synchronization source.

  • Update users' full-name, email, department and office when synchronizing - if a user's details in PaperCut NG do not match those in the synchronization source, they will be updated.

  • Import new users and update details overnight - when selected, synchronization will be automated to occur each night. This option will never delete users from PaperCut NG.


Figure 10.1. User/group synchronization options

If the PaperCut NG server is a member of an Active Directory domain, it is recommended to use the Active Directory sync source. Its advantages over the "Windows Standard" source include:

  • Allows using Active Directory organizational units.

  • Supports nested groups for simplified user management.

  • Allows importing of users from other trusted Active Directory domains.

By default, PaperCut NG automatically re-syncs the user and group information each night, however the sync process can also be initiated manually. To initiate a manual sync:

  1. Navigate to the Options → User/Group sync tab.

  2. Press the Synchronize Now button.

  3. The sync process will start and a status window will open showing the status of the sync process.


Figure 10.2. Progress of a user/group synchronization process

Tip

By default, the Active Directory user source will import all users, including those that are disabled. It is possible to change this behaviour using an advanced config entry. To do this:

  1. Navigate to the Options tab.

  2. Press the Config Editor (Advanced) action on the left.

  3. Find the user-source.config-arg property.

  4. Change the value to enabled-users-only.

  5. Press the Update button next to the config property.

Take care when changing this option if you temporarily disable user accounts for disciplinary or other reasons. If you do this, performing a user sync will cause disabled users to be deleted if you also have the Delete old users when syncing option enabled.
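The interaction between the sync options above and the enabled-users-only config argument, as an added example that is not PaperCut code: it models one sync run over constructed directory and PaperCut records, using the AD userAccountControl ACCOUNTDISABLE bit to mark a disabled account, and shows why a suspended user is deleted only when both settings are combined.

```python
# Added example, not PaperCut code: a model of how the User/Group sync options
# interact with the user-source.config-arg value enabled-users-only.
# An AD account is disabled when the ACCOUNTDISABLE bit (0x0002) is set in its
# userAccountControl attribute. All records below are constructed.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200

# Constructed directory records: (username, full name, userAccountControl)
DIRECTORY = [
    ("alice", "Alice Adams", NORMAL_ACCOUNT),
    ("bob",   "Bob Brown",   NORMAL_ACCOUNT | ACCOUNTDISABLE),  # suspended
    ("carol", "Carol Chen",  NORMAL_ACCOUNT),
]

# Constructed PaperCut user table before the sync: username -> full name
PAPERCUT = {"alice": "A. Adams", "bob": "Bob Brown", "dave": "Dave Diaz"}


def source_users(directory, config_arg=""):
    """Users the Active Directory source hands to the sync. With
    enabled-users-only, disabled accounts are filtered out here, so the
    sync cannot tell them apart from accounts that no longer exist."""
    users = {}
    for name, full_name, uac in directory:
        if config_arg == "enabled-users-only" and uac & ACCOUNTDISABLE:
            continue
        users[name] = full_name
    return users


def plan_sync(papercut, directory, *, delete_missing, update_details,
              config_arg=""):
    """Actions one sync would take. delete_missing models 'Delete users
    that do not exist in the selected source'; update_details models the
    'Update users' full-name ...' option. The overnight sync is the
    delete_missing=False case, which never deletes."""
    source = source_users(directory, config_arg)
    actions = []
    for name, full_name in source.items():
        if name not in papercut:
            actions.append(("create", name))
        elif update_details and papercut[name] != full_name:
            actions.append(("update", name))
    if delete_missing:
        actions += [("delete", n) for n in papercut if n not in source]
    return sorted(actions)


if __name__ == "__main__":
    print(plan_sync(PAPERCUT, DIRECTORY, delete_missing=True,
                    update_details=True, config_arg="enabled-users-only"))
```

Run it as-is to see the suspended account "bob" scheduled for deletion; with the default config argument the same run keeps him.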

Important

The group membership is automatically synchronized nightly to ensure that group-based operations (like quota allocation) operate as expected.

However, the users are not automatically synchronized, so if many users have been added to your Active Directory, it is recommended that you perform a manual user/group sync operation. Alternatively a full user and group synchronization can be automated as a nightly task by scheduling a script to run the appropriate server-command command. More information on using the server-command can be found in Appendix A, Tools (Advanced).

On Demand User Creation

The On Demand User Creation setting defines if and when PaperCut NG will create new users. The settings applied to newly created users are defined by their group membership (for more information see the section called “New User Creation Rules”). By default, new users are created automatically when they print for the first time, use the internet, start the user client tool or log into the user web tools. This makes administration much easier, as there is no need for additional administration when new users come along; they can use PaperCut NG straight away.

In some situations it may be preferable to change the way new users are treated. For example when just one department is being tracked, but there are other departments using the same printers, it may be preferable to allow the other departments' users to print, but not to track them using PaperCut NG.

There are three options available for the setting When the user does not exist:

  1. create the user on demand (default) - users are created when they interact with PaperCut NG for the first time. E.g. when they print for the first time.

  2. do not create the user and allow usage - users interacting with PaperCut NG who do not already exist will not be created, but their usage will be allowed. The usage will not be logged.

  3. do not create the user and deny usage - users interacting with PaperCut NG who do not already exist will not be created, and their usage will be denied. The usage will not be logged.


Figure 10.3. On demand user creation options

To change the behavior, select the desired option and press Apply.

Using Active Directory for user synchronization

PaperCut NG's Active Directory integration is performed at a native level and supports advanced features such as nested groups and OU's. Some additional options provided with the Active Directory interface include:

  • Import disabled users - If set, all users, including disabled accounts, will be imported from the domain. In an education environment it is recommended to leave this option on, as student accounts are often disabled for disciplinary reasons and removing the account from PaperCut NG is not appropriate.

  • Enable multi-domain support - This is an advanced option and is appropriate for larger sites running multiple trusted domains. For example, in an education environment it is common to have separate domains for students and staff/teachers with a one-way trust relationship. This option can bring in groups, OU's and users from both domains.

    The list of domains is semicolon separated (;). This list should contain the name of the domains in DNS dot notation, and should include the name of the current domain if importing from this domain is desired.

    Trust domain relationships are a complex area and administrators are advised to use the Test button to verify that the settings result in the desired behaviour. The total number of user accounts is a good measure.

Using LDAP for user synchronization

LDAP (Lightweight Directory Access Protocol) directories usually store information about the users and groups in an organization. One of the most common uses of LDAP is to provide single sign-on on a network that comprises multiple platforms and applications. When a network consists of only Windows computers, an Active Directory domain can be used. But when there is a mix of Windows, Apple and Linux machines, LDAP can provide the single source of user, group and authentication information. (It is worth noting that both Active Directory and Novell eDirectory implement the LDAP protocol.)

PaperCut NG can use an LDAP directory for user authentication and as a source of user and group information. LDAP can either be enabled at installation time, or by changing the user source option in Options → User/Group sync. When enabling LDAP, a number of configuration settings must be specified to allow the application to connect to the LDAP server. Please ask your LDAP administrator what values to use for the various options:

  • LDAP Server Type - Determines which LDAP fields are used to get user and group information.

  • LDAP Host address - The hostname or IP address of the LDAP server.

  • Use SSL - Indicates if an encrypted SSL connection should be used to connect to the LDAP server. The LDAP server requires SSL support to be enabled and should accept connections on the standard LDAPS port 636.

  • Base DN - The Base DN of the LDAP directory, equivalent to the "suffix" setting of an OpenLDAP server. For example, if the domain hosted by the LDAP server is "domain.com" then the Base DN might be DC=domain,DC=com. The exact format of the Base DN depends on how the directory is configured. Some examples:

        DC=myschool,DC=edu,DC=au
        DC=myorganization,DC=com
        OU=OrgUnit,DC=domain,DC=com
        DC=local

  • Admin DN - The DN of the user who has permission to connect to and query the LDAP server. This is typically an administrative user, although it can be a user that has full read access to the LDAP server. An example of the DN of the Administrator user on a Windows AD domain "domain.com", would be CN=Administrator,CN=Users,DC=domain,DC=com. The exact format of the DN depends on the LDAP server. Some examples:

    • Windows Active Directory: CN=Administrator,CN=Users,DC=domain,DC=com

    • Windows Active Directory (in organizational unit): CN=administrator,OU=OrgUnit,DC=domain,DC=com

    • Mac OpenDirectory: uid=admin,CN=users,DC=domain,DC=com

    • Unix Open LDAP: uid=root,DC=domain,DC=com, or uid=ldapadmin,DC=domain,DC=com

  • Admin password - The password for the above user.

Tip

Some LDAP servers are configured to allow 'anonymous' LDAP query access. In these situations, the Admin DN and Admin password may be left blank.
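A settings check for the LDAP options listed above, as an added example that is not PaperCut code: it parses the Base DN and Admin DN into RDNs, derives the DNS dot-notation domain from the DC components (the form the multi-domain list expects), flags an Admin DN that does not sit under the Base DN, accepts a blank Admin DN as the anonymous case from the tip, and flags Use SSL being off. The settings dict keys and the values in SAMPLE are assumptions constructed for the example.

```python
# Added example, not PaperCut code: checks LDAP sync settings for the kind of
# inconsistency the Test button would otherwise reveal. DNs are split into
# RDNs, the DNS dot-notation domain is derived from the DC components (the
# form the multi-domain list uses), and the Admin DN must sit under the Base
# DN. The settings dict keys and the values in SAMPLE are constructed.
import re


def parse_dn(dn):
    """'CN=Users,DC=domain,DC=com' -> [('CN','Users'),('DC','domain'),('DC','com')].
    Splits only on commas that are not backslash-escaped, then unescapes."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return out


def dns_domain(base_dn):
    """DC=myschool,DC=edu,DC=au -> 'myschool.edu.au'."""
    return ".".join(v for a, v in parse_dn(base_dn) if a == "DC")


def check_settings(s):
    """Return findings for a settings dict; an empty list means consistent."""
    findings = []
    base = [(a, v.lower()) for a, v in parse_dn(s["base_dn"])]
    if s["admin_dn"]:                           # blank Admin DN = anonymous query
        admin = [(a, v.lower()) for a, v in parse_dn(s["admin_dn"])]
        if len(admin) <= len(base) or admin[-len(base):] != base:
            findings.append("Admin DN is not under the Base DN")
    elif s["admin_password"]:
        findings.append("Admin password set but Admin DN is blank")
    if not s["use_ssl"]:
        findings.append("Use SSL is off: bind credentials cross the network in clear")
    return findings


# Constructed sample settings: an OU-scoped Base DN with an Admin DN from the
# domain's default Users container, and SSL switched off.
SAMPLE = {"base_dn": "OU=OrgUnit,DC=domain,DC=com", "use_ssl": False,
          "admin_dn": "CN=Administrator,CN=Users,DC=domain,DC=com",
          "admin_password": "constructed-secret"}

if __name__ == "__main__":
    print(dns_domain(SAMPLE["base_dn"]), check_settings(SAMPLE))
```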

PaperCut NG supports the following server types:

  • Novell eDirectory

  • Microsoft Active Directory

  • Unix/NIS

However, it is easy to support other server types by adjusting the LDAP fields PaperCut NG searches. This is discussed in Appendix C, Advanced LDAP Configuration.