Save Money, Print to PDF

Once again this post will be pretty mundane to the typical enterprise Linux admin. I continue to post these projects because it highlights what can be done with free software, plus I have worked out some kinks that others may run into.

If you couple parts of this post with how to join Ubuntu to an AD domain you have a simple scalable PDF printer for every user in the enterprise. We even discussed doing this at the Circus.

The last couple of days have been fun. I found out the Circus has been spending $25K per year on paper and toner, not to mention the two FTEs, to print medical records out of our Electronic Medical Records (EMR). Then we paid those two ladies to scan that paper file back into a .pdf.

The worst part of this whole set up was that this department had first been told that printing to .pdf was just not possible. Then they were told that if we installed a new print system from our EMR, that would cost us $100K, we would be able to print to .pdf. I was appalled.

So I set up a cups-pdf printer and shared out the output directory through samba, asked for it to be set up like any other printer from the EMR and ta-da, .pdf medical records. The director and manger of medical records offered to buy me dinner and my CIO offered lunch. Not a bad couple of days of work. Not to mention the savings to the hospital, I’m guessing a ball park of $40K annually.

So here is how I did it. I forgot to mention that once they saw the first one, the decided they wanted two and then two months later a third. That added a little wrinkle but I’ll show you how I dealt with it.

I am using RHEL 5.3 but any CentOS will do, it’s even easier to setup on
Ubuntu. That’s where I did my proof of concept, but all of the extra stuff
I only did on Red Hat.

First add the users, these will be used to direct the pdf output to the correct directory. Also make sure to add these users to the lp group in /etc/group.

# useradd recordsaudit
# useradd recordsrelease
# useradd webrelease

Now make the ip addresses. I have to make three IP addresses to be able to print to three pdf printers because they will be used for different purposes and I don’t want the end users getting lost.
eth1 == 192.168.1.10
eth1:1 == 192.168.1.11
eth1:2 == 192.168.1.12

Next install the cups-pdf rpm, I used cups-pdf-2.4.6-1.el5.i386.rpm.
Edit the /etc/cups/cupsd.conf file to allow printing from your network.
Here is mine:

#
# "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $"
#
# Sample configuration file for the Common UNIX Printing System (CUPS)
# scheduler. See "man cupsd.conf" for a complete description of this
# file.
#
MaxLogSize 2000000000

# Log general information in error_log - change "info" to "debug" for
# troubleshooting...
LogLevel debug

# Administrator user group...
SystemGroup sys root

# Only listen for connections from the local machine.
Port 631
Listen /var/run/cups/cups.sock

# Show shared printers on the local network.
Browsing On
BrowseOrder allow,deny
BrowseAddress @LOCAL

# Default authentication type, when authentication is required...
DefaultAuthType Basic

# Restrict access to the server...

Order deny,allow
Deny From All
Allow From 127.0.0.1
Allow From All

# Restrict access to the admin pages...

Order allow,deny

# Restrict access to configuration files...

AuthType Default
Require user @SYSTEM
Order allow,deny
# Set the default printer/job policies...

# Job-related operations must be done by the owner or an administrator...

Require user @OWNER @SYSTEM
Order deny,allow
# All administration operations require an administrator to authenticate...

AuthType Default
Require user @SYSTEM
Order deny,allow
# All printer operations require a printer operator to authenticate...

AuthType Default
Require user @SYSTEM
Order deny,allow
# Only the owner or an administrator can cancel or authenticate a job...

Require user @OWNER @SYSTEM
Order deny,allow
Order deny,allow

#
# End of "$Id: cupsd.conf.in 7199 2008-01-08 00:16:30Z mike $".
#

Edit the cups-pdf configuration file, /etc/cups/cups-pdf.conf. The keys here are the UserUmask and the Out directory. The out directory ties into the user specified in the jetdirect configuration for xinetd. We print to the user that corresponds to the directory of the correct share from Samba. Reread that last paragraph because it is the crux of this set up.

# cat /etc/cups/cups-pdf.conf | grep -v \# | sed /^$/d
Out /var/spool/cups-pdf/${USER}
AnonDirName /var/spool/cups-pdf/ANONYMOUS
AnonUser nobody
UserUMask 0000
Log /var/log/cups
LogType 3

Those who work with printing quite a bit will know that HP network printing uses port 9100. Let’s verify so that we can make xinetd answer for that port:

# grep jetdirect /etc/services
jetdirect 9100/tcp laserjet hplj

Now set up xinetd to answer on each IP address above for a different printer and user that correlates to the directory where the output is supposed to end up.

# cat /etc/xinetd.d/jetdirect
# Allow applications using the AppSocket / JetDirect protocol
# to communicate with CUPS.
service jetdirect
{
socket_type = stream
protocol = tcp
wait = no
user = recordsrelease
server = /usr/bin/lp
server_args = -d recordsrelease -o raw
bind = 192.168.1.10
groups = yes
disable = no
}

service jetdirect
{
socket_type = stream
protocol = tcp
wait = no
user = recordsaudit
server = /usr/bin/lp
server_args = -d recordsaudit -o raw
bind = 192.168.1.11
groups = yes
disable = no
}

service jetdirect
{
socket_type = stream
protocol = tcp
wait = no
user = webrelease
server = /usr/bin/lp
server_args = -d webrelease -o raw
bind = 192.168.1.12
groups = yes
disable = no
}

To set up the printer, just set it up like any other HP jetdirect printer. I
use the “HP Color LaserJet PS” printer in Windows.

To share out the output directory first add whatever user to samba:
smbpasswd -a username

Or check out how to add a Linux box to your Windows domain.

The interesting sections of my /etc/samba/smb.conf file:

# Printer configuration
printing = cups
load printers = yes

# The share for records
[audit]
comment = PDF Printouts
path = /var/spool/cups-pdf/recordsaudit
public = no
writable = yes
printable = no
write list = +username
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s