Let’s face it: assigning iPrint printers in iManager, especially when the users are in a different container than the iPrint printer, can become very tedious and time-consuming. First you have to wait for the browse window to choose a printer, then wait for the browse window to browse for the users or groups, and finally select all of your users. What if you had 5 executives who needed access to every Xerox printer in the organization, and these printers existed in multiple containers? Let’s say there were 35 of these printers. This could take hours. I’ll demonstrate how to do it in less than 5 minutes.

First, I want to distinguish between assigning users to a printer and assigning a printer to a user. When a user is assigned to a printer, this means that the user is allowed to download the drivers for this printer, install the printer, and has access to print to the printer. This would be a manual process where the user would visit the iPrint webpage and select the printer for installation. By default, when an iPrint printer is installed, the organizational unit (OU) where the printer exists is assigned as users of the printer. Therefore, by default, all users in that container have access to install and use the printer. Any users in any other OU must be either assigned to the printer, or their OU assigned to the printer in order for them to install and use that printer.

Likewise, when you assign a printer to a user, the printer will be installed for that user the next time the iPrint client starts. The prerequisite for this to work, though, is that the user has rights to the printer. Either the user needs to be in the container where the iPrint printer was installed, or the user or the user’s OU has to have been assigned to the printer as noted in the previous paragraph.

Now let’s move on to the example. Let’s say that we have 5 executives who travel around the world to all of the different branch offices of a company. Each branch is a different OU in the tree, and each branch has a minimum of 1 Xerox printer. We need each of the executives to be able to install the Xerox printers whenever they visit a branch, and to delete the printer(s) when they leave.

First, we create a group and add each of the users as a member. In our example we will call the group iPrint-ALL-Xerox. Next we need to do an LDAP search to create an LDIF file containing all of the Xerox printers in the tree. This example assumes that all of the Xerox printers have “Xerox” in the name of the printer. Here is the query; replace the server name, the search base and the bind DN (given in the form cn=ldapuser,o=org) with your own values.

ldapsearch -x -h ndsservername-or-IP -b o=organization -D cn=ldapuser,o=org -W "(&(cn=Xerox*)(objectclass=iPrintPrinter))" ACL

The results of the first printer will look like this:

# extended LDIF
# LDAPv3
# base  with scope subtree
# filter: (&(cn=Xerox-WC-5645-Prt22)(objectclass=iPrintPrinter))
# requesting: ACL

# Xerox-WC-5645-Prt22, Dubai, Corp
dn: cn=Xerox-WC-5645-Prt22,ou=Dubai,o=Corp
ACL: 16#subtree#cn=PMgr-Dubai,ou=Dubai,o=Corp#[Entry Rights]
ACL: 3#subtree#[Root]#[All Attributes Rights]
ACL: 1#subtree#[Root]#[Entry Rights]
ACL: 8#entry#ou=Dubai,o=Corp#iPrintPrinterUserRole
ACL: 16#subtree#cn=Xerox-WC-5645-Prt22,ou=Dubai,o=Corp#[Entry Rights]
ACL: 16#subtree#cn=iPrintMgr,ou=Dallas,o=Corp#[Entry Rights]
ACL: 8#entry#cn=iPrintMgr,ou=Dallas,o=Corp#iPrintPrinterOperatorRole
ACL: 2#entry#cn=iPrintMgr,ou=Dallas,o=Corp#ACL
ACL: 2#entry#cn=iPrintMgr,ou=Dallas,o=Corp#networkAddress
ACL: 2#entry#ou=Timbuk2,o=Corp#ACL
ACL: 2#entry#ou=Timbuk2,o=Corp#networkAddress
ACL: 8#entry#cn=iPrintMgr,ou=Dallas,o=Corp#iPrintPrinterUserRole

Once we are satisfied with the results, we can output this to a file for editing like this:

ldapsearch -x -h ndsservername-or-IP -b o=organization -D cn=ldapuser,o=org -W "(&(cn=Xerox*)(objectclass=iPrintPrinter))" cn ACL >> iPrintXerox.ldifout

Now we need to use some type of advanced editor in order to update each printer to add some additional information for import. There are several out there, but the most popular ones are UltraEdit and TextPad. This example will use UltraEdit. To determine what we need to add to each printer, the best method is to assign the group to one of the iPrint Xerox Printers and then run your search again. Here is an example output after assigning the group to the Xerox-WC-5645-PRT22 Printer:

LDAL-PRD-1:/ # ldapsearch -x -h lvds-prd-1 -b o=corp -D cn=MBruner,ou=Dallas,o=Corp -W "(&(cn=Xerox-WC-5645-Prt22)(objectclass=iPrintPrinter))" cn ACL
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <o=corp> with scope subtree
# filter: (&(cn=Xerox-WC-5645-Prt22)(objectclass=iPrintPrinter))
# requesting: ACL
# Xerox-WC-5645-Prt22, Somewhere, Corp
dn: cn=Xerox-WC-5645-Prt22,ou=Somewhere,o=Corp
ACL: 16#subtree#cn=PMgr-Somewhere,ou=Somewhere,o=Corp#[Entry Rights]
ACL: 3#subtree#[Root]#[All Attributes Rights]
ACL: 1#subtree#[Root]#[Entry Rights]
ACL: 8#entry#ou=Somewhere,o=Corp#iPrintPrinterUserRole
ACL: 16#subtree#cn=Xerox-WC-5645-Prt22,ou=SomeWhere,o=Corp#[Entry Rights]
ACL: 16#subtree#cn=MFaris,ou=Timbuk2,o=Corp#[Entry Rights]
ACL: 8#entry#cn=iPrintAdmin,ou=Timbuk2,o=Corp#iPrintPrinterOperatorRole
ACL: 2#entry#cn=iPrintAdmin,ou=Timbuk2,o=Corp#ACL
ACL: 2#entry#cn=iPrintAdmin,ou=Timbuk2,o=Corp#networkAddress
ACL: 2#entry#ou=Somewhere,o=Corp#ACL
ACL: 2#entry#ou=Somewhere,o=Corp#networkAddress
ACL: 8#entry#cn=iPrintMgr,ou=Timbuk2,o=Corp#iPrintPrinterUserRole
ACL: 8#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#iPrintPrinterUserRole
ACL: 2#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#ACL
ACL: 2#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#networkAddress

Note the last 3 lines above. Those three lines are what we need to add to each printer’s attributes. Each printer is separated from the next by a blank line, which is helpful to us: wherever there is a blank line, we want to insert those three lines and add another blank line. Before you start, you can place a # sign at the beginning of any blank line except those between printers, or you can clean up later as noted below. Here is how it is done in UltraEdit.

Search For:

^p$ #This represents a blank line as a regular expression in UltraEdit.

Replace with:

^pACL: 8#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#iPrintPrinterUserRole
ACL: 2#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#ACL
ACL: 2#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#networkAddress^p

You will have to do a little bit of cleanup at the beginning and end of the file because there were a few blank lines at the top and bottom. Do a Save As and name the file iPrint-ALL-Xerox.ldifin. After that, you are ready to modify the iPrint objects with the new attributes. Copy the file back to the server, make sure you are logged into the server as root, and then type the following command:

ldapmodify -x -h ldapserver-address-or-IP -D cn=ldapuser,o=corp -W -f /iPrint-ALL-Xerox.ldifin

If all goes well, all of the printers will be updated and the group will now have access to them.
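As an alternative to the editor search-and-replace step, the following added example (not part of the original article) reads the ldapsearch output and builds explicit LDIF modify records that add only the three ACL values the group still lacks on each printer, so existing trustee lines are never resent. The function names and the sample DNs are constructed for illustration, and it assumes DNs are plain ASCII when written back out.

```python
import base64

# The three rights the article's group receives on each printer.
RIGHTS = ("8#entry#{t}#iPrintPrinterUserRole", "2#entry#{t}#ACL",
          "2#entry#{t}#networkAddress")

# Constructed sample in ldapsearch output form; the DNs are illustrative.
SAMPLE = """\
dn: cn=Xerox-A,ou=Dubai,o=Corp
ACL: 8#entry#ou=Dubai,o=Corp#iPrintPrinterUserRole

dn: cn=Xerox-B,ou=Somewhere,o=Corp
ACL: 8#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#iPrintPrinterUserRole
ACL: 2#entry#cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp#ACL
"""

def parse_entries(ldif_text):
    """Yield (dn, lower-cased ACL set) per entry; unfolds RFC 2849 lines."""
    text = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    dn, acls = None, set()
    for line in text.splitlines() + [""]:   # trailing "" flushes last entry
        if line.startswith("#"):            # comment line
            continue
        if not line.strip():                # blank line ends an entry
            if dn:
                yield dn, acls
            dn, acls = None, set()
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" form
            value = base64.b64decode(value[1:]).decode("utf-8")
        if attr.lower() == "dn":
            dn = value.strip()
        elif attr.lower() == "acl":
            acls.add(value.strip().lower())

def build_modify_ldif(ldif_text, trustee_dn):
    """Return LDIF that adds only the ACL values trustee_dn still lacks."""
    wanted = [r.format(t=trustee_dn) for r in RIGHTS]
    out = []
    for dn, acls in parse_entries(ldif_text):
        missing = [w for w in wanted if w.lower() not in acls]
        if missing:
            out += [f"dn: {dn}", "changetype: modify", "add: ACL"]
            out += [f"ACL: {m}" for m in missing] + ["-", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE, "cn=iPrint-ALL-Xerox,ou=Timbuk2,o=Corp"))
```

Write the returned text to a file and pass it to ldapmodify with -f as in the command above; printers that already carry all three values produce no record.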

I realize this seems like a lot of information, and you are saying, “Yeah right, 5 minutes my foot.” But I can assure you that with a little practice, and once you understand the concept, you can do this from start to finish in less than 5 minutes.

Stay tuned for another Article coming soon on other methods of simplifying iPrint Printer Assignments using other tools.


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: mbruner1
Oct 28, 2009
4:40 pm