<para>Start the print server configuration (now that you have chosen &CUPS;, this is equivalent to the configuration of the &CUPS; daemon) by clicking on the appropriate button. You can find it by moving the mouse slowly over the buttons and reading the tooltips. It should be the 11th from the left , or third from the right; its icon is a <guiicon>wrench</guiicon>.</para>
<para>The &CUPS; Server Configuration window pops up. It gives you a structured view of all the settings that apply to the &CUPS; daemon. The configuration file for that daemon is normally located in <filename>/etc/cups/cupsd.conf</filename>. This is a plain <acronym>ASCII</acronym> file with a syntax similar to the configuration file of the <application>Apache</application> web server. It is a good idea to create a backup copy, just in case something goes wrong with the configuration through &tdeprint;/&CUPS; Server Configuration dialogues:</para>
<para>As this graphical user interface to edit the configuration file is such a new feature, you should have the second chance of resorting to the original file. So back it up, please.</para>
<para>One very nice feature is the <quote>Quick Help</quote> available. If you click on the little question mark (<guiicon>What's this?</guiicon>) on your window title bar, you'll see the cursor changing its form. Now click on a <command>cupsd</command> configuration setting field to find out what it means and what your options are. In most cases you should understand the meaning immediately, otherwise turn to the excellent &CUPS; documentation. (If your &CUPS; Daemon is running, you have it online on your own host at <ulink url="http://localhost:631/documentation.html">http://localhost:631/documentation.html</ulink>.</para>
<para>If &CUPS; is not running, but installed on your system you could find it in your own host's file system. The exact location depends on your &OS;, but on &Linux; the default is <filename class="directory">/usr/share/doc/cups/</filename> or <filename class="directory"> /usr/share/doc/cups/documentation.html</filename>.</para>
<para>For the best, most detailed and most recent information you should always refer to the original &CUPS; documentation. &CUPS; is, much like &kde; in a rapid development process. There are constantly new features being added. New features might for times be only configurable by directly editing the configuration files. The &tdeprint; &GUI; might not have caught up with &CUPS; development.</para>
<para>These paths are based on the default installation. Your &OS; may have installed them to a different prefix, for example, <filename class="directory">/usr/local/</filename>, but the hierarchy should still match that shown below.</para>
<para>The following links give you access to the same files (probably icons and graphics will be missing) even if your CUPS daemon is not up and running. You need, however, CUPS installed on your system. (Some distributions might place the files somewhere else -- you're on your own then to find out where...) To access all the original CUPS documentation, go to:</para>
<para>This documentation is available even when the &CUPS; daemon is not installed, although you may find images and icons are missing when you view the <acronym>HTML</acronym> files.</para>
<para>And finally, there will be a WebSite for &tdeprint; and related documentation, at <ulink url="http://tdeprint.sourceforge.net/"> http://tdeprint.sourceforge.net/</ulink></para>
<para>This is the Welcome Screen for your server configuration dialogues. Clicking onto one of the items of the tree view on left side of the screen opens the appropriate part of the configuration settings.</para>
<para>Every setting has a default value. The defaults let &CUPS; normally work as a fully functional client. The clients listen on TCP/IP Port 631 for infos broadcast by &CUPS; servers on the <acronym>LAN</acronym>. This information let the clients print immediately after receiving them, without installing any driver or configuring any printer on the clients.</para>
<para>To configure a &CUPS; server (which is broadcasting its service to the <acronym>LAN</acronym>) you need to change settings from the defaults.</para>
<para>To select the default setting of any item just enable the checkbox on the right side of the screen. To set an item to a different value, disable the checkbox and then go on to do the setting you want on the left side of the screen.</para>
<para><link linkend="server-encryption-support-configuration">Server <guilabel>Encryption</guilabel> and Certificate Support Configuration</link></para>
<para>The tab window to configure the &CUPS; server general settings lets you the change the default values. Click on the little question mark and then on one of the fields to get a <quote>Quick Help</quote> about the meaning of the setting.</para>
<para>If you are unsure, leave alone and turn to the original &CUPS; documentation first. If your &CUPS; daemon is already running, it is readable from the &konqueror; by pointing it to &URL; <ulink url="http://localhost:631/documentation.html"> http://localhost:631/documentation.html</ulink>.</para>
<para>There, first <quote>make friends</quote> with the Software Administrator Manual. Otherwise, for example, if the &CUPS; daemon is not running, try looking in your local file system, by default at <filename class="directory">/usr/share/doc/cups/</filename> or <filename>/usr/share/doc/cups/documentation.html</filename>.</para>
<phrase>The dialogue to configure the &CUPS; server general settings: ServerName, AdminMail, ServerUser, ServerGroup, RemoteUserName </phrase></textobject>
<para>The hostname of your server, as advertised to the world. By default, &CUPS; will use the hostname of the system. To set the default server usd by clients, see the <filename>client.conf</filename> file.</para>
<para>This is the hostname that is reported to clients. Should you ever encounter strange problems in accessing the server, put here its <acronym>IP</acronym> address for troubleshooting. This way you eliminate any potential name resolution problems; and you can more easily nail the real problem down.</para>
<para>Contrary to what the quickhelp suggests, it is also legal to send an email full of praise and enthusiasm about &CUPS; and &tdeprint; to the server administrator.</para>
<para>The user the server runs under. Normally this must be <systemitem class="username">lp</systemitem>, however you can configure things for another user if needed.</para>
<para>The server must be initially run as root to support the default <acronym>IPP</acronym> port of 631. It changes users whenever an external program is run.</para>
<para>This is the &UNIX; user account for filters and <acronym>CGI</acronym> programs to run under. <acronym>CGI</acronym> programs are responsible for showing you the nice web administration interface accessible via <ulink url="http://localhost:631/">http://localhost:631/</ulink>).</para>
<para>There is no need to set the <guilabel>User</guilabel> directive to <systemitem class="username">root</systemitem>, so never do this, as it only involves dangers. Should anyone discover security vulnerabilities in one of the used file filters, printer drivers or <acronym>CGI</acronym> programs, he could remotely execute arbitrary commands on your system with root user privileges. Always use an unprivileged account for the server directive <guilabel>User</guilabel>.</para>
<para>The group the server runs under. Normally this must be <systemitem class="groupname">sys</systemitem>, however you can configure things for another group as needed.</para>
<para>This name will appear in log files and in queries about the job owner &etc;, for all resources and locations of the &CUPS; server that are configured to allow access <emphasis>without</emphasis> authentication. Authenticated entries will carry the authenticated names.</para>
<para>This is an important screen for you. Should you ever encounter problems: here is the place to set the Log level to <quote>debug</quote>, restart the &CUPS; daemon and then look at the Error log file defined here for entries that might give you an insight to the trouble.</para>
<para>This is where accesses to the server are logged. If this does not start with a leading <literal>/</literal>, then it is assumed to be relative to the server root.</para>
<para>The format of this file is stored in the so-called <quote>Common Log Format</quote>. This way you can use programs such as <application>Webalizer</application> or any other Web access reporting tool to generate reports on the &CUPS; server activities.</para>
<para>To include the server name in the file name use a <token>%s</token> in the name. Example: <userinput><filename>/var/log/cups/access_log-%s</filename></userinput>.</para>
<para>You see a separate line for each single access, showing the <acronym>IP</acronym> address of the accessing client, date and time of access, method of access (<command>POST</command> or <command>GET</command>), the requested ressource, the &HTTP; version used by the client, status code and the number of transferred bytes. Status code <errorcode>200</errorcode> means <errorname>successful-OK</errorname> the <errorcode>401</errorcode> in the above example was an <errorname>unauthorized access</errorname> which was denied. For a detailed explanation of the log format go to <ulink url="http://localhost:631/sam.html#7_6_1">the &CUPS; Software Administrator Manual</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Error log file</guilabel></term>
<listitem>
<para>If this does not start with a leading <literal>/</literal>, then it is assumed to be relative to the server root. The default setting is <filename>/var/log/cups/error_log</filename>.</para>
<para>You can also use the special name <userinput>syslog</userinput> to send the output to the syslog file or daemon.</para>
<para>The error log excerpt below shows you the part logged for printing the test page with the default setting of <guilabel>Log level</guilabel> to <quote>info</quote>. For an explanation of the <guilabel>Log Level</guilabel> setting see further below.</para>
<para>If this does not start with a leading <literal>/</literal> then it is assumed to be relative to the server root. The default is <filename>/var/log/cups/page_log</filename></para>
<para>In this excerpt of the file you find information on the name of the printers (<systemitem class="resource">GIMP_print_stp_HP</systemitem> and <systemitem class="resource">DANKA_infotec_P450</systemitem>) used through this server, the user names (<systemitem class="username">kdetest</systemitem>, <systemitem class="username">kurt</systemitem> and <systemitem class="username">root</systemitem>), the job-IDs (<quote>201</quote> to <quote>205</quote>), time of printing, page number inside the job and the number of copies for the pages. For example, job-ID 204 had 4 pages and 33 copies printed, job-ID 205 had 14 copies of just 1 page) .</para>
<para>&CUPS; is dependent (for its calculation of the number of pages in a job) on passing the &PostScript; through the <quote>pstops</quote> filter. See the <link linkend="architecture-diagram">&kivio; Flowchart</link> on the &CUPS; filter architecture for an idea about were this filter fits into the whole printing process). More, <command>pstops</command> depends for the counting on a <acronym>DSC</acronym> conforming (<acronym>DSC</acronym> is Document Structuring Conventions, a standard defined by Adobe) to be sent by the client. In most cases this is working.</para>
<para>However, this page accounting does not work for any <quote>raw</quote> printer queues (as those, by definition, don't use any filtering on the &CUPS; host and are by-passing <command>pstops</command>.) Every job going through a <quote>raw</quote> queue is counted as a 1-page-job (with possibly multiple copies). This is especially true for all Jobs send from &Microsoft; &Windows; clients via <application>Samba</application> to the &CUPS; server, as those jobs are already arriving in the correct format for the printer, because the clients use the original printer driver.</para>
<para>I am still looking for someone who will write a nice &CUPS; page log analysing tool. It should generate a report with a graphical output similar to the <application>Webalizer</application>'s access log reports. This way you could have nice statistics to be used for accounting about usage of printers, load dependent on daytime or weekday, users &etc; Anyone?</para>
<para>If you need to troubleshoot (or if you want to study the inner workings of &CUPS;), set the log level to debug or debug2. Then the error_log will have a lot more entries (not just errors, but also informational entries).</para>
<para>You can use this to watch <quote>live</quote> what &CUPS; is doing when you send a print job. In a &konsole; type:</para>
<para>This will give you the last 100 lines (<option>-n</option> <parameter>100</parameter>) of the file onto the screen and a <quote>realtime</quote> update (<option>-f</option>)of what is happening. The following listing shows the printing of a test page (some pieces have been cut off for space reasons... Try it yourself if you need more info):</para>
<para>The lines tagged <quote>D</quote> at the beginning are debug level entries, the ones tagged <quote>I</quote> are there in <quote>info</quote> level.</para>
<para>The dialogue to configure the &CUPS; server. Different folders are to be set here. Normally you don't need to change anything in this section. In case you play around with fancy (TrueType, &PostScript; or other) fonts on your system, this qis the place to do the settings for using those fonts when printing. Server folder settings include:</para>
<para>The root folder for the scheduler executables. By default this is <filename class="directory">/usr/lib/cups</filename> (or <filename class="directory">/usr/lib32/cups</filename> on IRIX 6.5)</para>
<para>The root folder for the scheduler. By default, <filename class="directory">/etc/cups</filename>.</para>
<para>On the authors SuSE system, this is <filename class="directory">/usr/share/doc/cups</filename>. It contains all the <acronym>HTML</acronym> or <acronym>PDF</acronym> documentation for &CUPS; which is available through the Web interface at <ulink url="http://localhost:631/documentation.html"> http://localhost:631/documentation.html</ulink></para>
<para>The folder to put temporary files in. This folder must be writable by the user defined on the previous screen. This defaults to either <filename class="directory">/var/spool/cups/tmp</filename> or the value of the <envar>TMPDIR</envar> environment variable.</para>
<para>The place to configure the &CUPS; server for handling your fancy fonts (TrueType or &PostScript;). &CUPS; will look here for fonts to embed in printfiles. This currently only affects the <command>pstoraster</command> filter, and the default is <filename class="directory">/usr/share/cups/fonts</filename>.</para>
<para><emphasis>Referencing</emphasis> the font by name leaves it up to the <acronym>RIP</acronym> and print device to respect and actually use it. <acronym>RIP</acronym> or printer <emphasis>can</emphasis> only use the desired font, if it is available on the system.</para>
<para>In the case of a &PostScript; printer, this needs to be a printer-resident font. If the printer doesn't have this font, it will try and replace it by an adequately similar font.</para>
<para>In the case of a non &PostScript; printer, this is done by &CUPS; and its <acronym>RIP</acronym>-ing filtering system. &CUPS; will use the font path directive to grab the correct font when <acronym>RIP</acronym>-ing the &PostScript; in the <command>pstoraster</command> filter. </para>
<para>In the case of a &PostScript; output device, &CUPS; is just spooling the file (actually, it is passing it through the <command>pstops</command> filter for accounting or n-up purposes), not <quote>working</quote> on it. Therefore, if you print to a &PostScript; printer it is solely the printer's responsibility to use the font asked for. It can't, if the font is neither loaded into the printer nor embedded in the &PostScript;. </para>
<para>The root folder for &HTTP; documents that are served. By default the compiled in folder, <filename class="directory">/usr/share/cups/doc</filename></para>
<para>The default character set to use. If not specified, this defaults to UTF-8. This can also be overridden directly in the <acronym>HTML</acronym> documents.</para>
<para>The dialogue to configure the &CUPS; server miscellaneous settings is shown here. The following server settings are done through this screen:</para>
<listitem><para><guilabel>Preserve job history</guilabel>: whether to preserve a job history for later re-view</para></listitem>
<listitem><para><guilabel>Preserve job files</guilabel>: whether to preserve fully <acronym>RIP</acronym>-ed job files for later re-print</para></listitem>
<listitem><para><guilabel>Printcap file</guilabel>: setting the name of and the path to a printcap file</para></listitem>
<listitem><para><guilabel>RIP Cache</guilabel>: setting the size of the <acronym>RIP</acronym> cache in memory</para></listitem>
<listitem><para><guilabel>Filter Limit</guilabel>: defining a filter limit</para></listitem>
<para>The amount of memory that each <acronym>RIP</acronym> should use to cache bitmaps. The value can be any real number, followed by <quote>k</quote> for kilobytes, <quote>m</quote> for megabytes, <quote>g</quote>for gigabytes, or <quote>t</quote> for tiles, where one tile is 256 x 256 pixels. The default value is 8m.</para>
<para>Sets the maximum cost of all job filters that can be run at the same time. A limit of 0 means no limit. A typical job may need a filter limit of at least 200. Limits less than the minimum required by a job force a single job to be printed at any time. The default limit is 0 (unlimited).</para>
<para>Whether or not to do lookups on <acronym>IP</acronym> addresses to get a fully-qualified hostname. This defaults to off, for performance reasons.</para>
<para>Enter here Ports and addresses that the server will listen to. The default port 631 is reserved for the Internet Printing Protocol, and is what we use here.</para>
<para>You can have multiple entries, to listen to more than one port or address, or to restrict access.</para>
<para>Unfortunately, most web browsers don't support <acronym>TLS</acronym> or &HTTP; upgrades for encryption. If you want to support web-based encryption, you'll probably need to listen on port 443, the <acronym>HTTPS</acronym> port.</para>
<para>You can enter ports on their own, ⪚ <userinput>631</userinput>, or hostnames with ports, ⪚ <userinput>myhost:80</userinput> or <userinput>1.2.3.4:631</userinput>.</para>
<para>Whether or not to use <quote>short</quote> names for remote printers when possible (⪚ <systemitem class="resource">printer</systemitem> instead of <systemitem class="resource">printer@host</systemitem>). Enabled by default.</para>
<para>Whether or not to use implicit classes.</para>
<para>Printer classes can be specified explicitly, in the <filename>classes.conf</filename> file, implicitly based upon the printers available on the <acronym>LAN</acronym>, or both.</para>
<para>When Implicit classes are enabled, printers on the <acronym>LAN</acronym> with the same name (⪚ <systemitem class="resource">Acme-LaserPrint-1000</systemitem>) will be put into a class with the same name. This allows you to setup multiple redundant queues on a <acronym>LAN</acronym> without a lot of administrative difficulties. If a user sends a job to <systemitem class="resource">Acme-LaserPrint-1000</systemitem>, the job will go to the first available queue.</para>
<listitem><para><guilabel>Broadcast addresses</guilabel>: The (<acronym>UDP</acronym>) broadcast address to transmit printer information to</para></listitem>
<listitem><para><guilabel>Broadcast Port</guilabel>: The port number to use for broadcasting</para></listitem>
<listitem><para><guilabel>Poll addresses</guilabel>: The address(es) to poll for information about printers on servers that might not broadcast (or whose broadcasts might not reach your <acronym>LAN</acronym> due to routers in between).</para></listitem>
<para>After pressing the <guibutton>Add</guibutton> button, you will see the following dialogue to enter a new value for outgoing broadcasting browse packets. It is the same kind of dialogue as for adding other &CUPS; server addresses to be polled for printer information.</para>
<para>&HP-UX; 10.20 and earlier do not properly handle broadcast unless you have a Class A, B, C or D netmask (&ie;, there is no <acronym>CIDR</acronym> support).</para>
<para>The port used for <acronym>UDP</acronym> broadcasts. By default this is the <acronym>IPP</acronym> port; if you change this, you need to do it on all servers. Only one BrowsePort is recognised.</para>
<para>The dialogue to enter a new value for the address of another &CUPS; server to accept browse packets from is shown here. It is opened by clicking on the <guibutton>Add...</guibutton> button beside the field named <guilabel>Browse Allow:</guilabel>. It is the same dialogue as for adding <quote>denied</quote> broadcast sending addresses.</para>
<para><guilabel>Browse allow</guilabel> specifies an address mask to allow for incoming browser packets. The default is to allow packets from all addresses.</para>
<para><guilabel>Browse deny</guilabel> specifies an address mask to deny for incoming browser packets. The default is to deny packets from no addresses.</para>
<para>Both <guilabel>Browse allow</guilabel> and <guilabel>Browse deny</guilabel> accept the following notations for addresses:</para>
<para>The timeout (in seconds) for network printers - if we don't get an update within this time, the printer will be removed from the printer list.</para>
<para>This number definitely should not be less than the browse interval period, for obvious reasons. Defaults to 300 seconds.</para>
<para>The dialogue to configure the &CUPS; server security settings for any of the defined server locations is shown here. It contains the following settings, which may be defined separately for any valid resource (or location) of the &CUPS; server:</para>
<listitem><para>All printers on the server: <systemitem class="resource">/printers</systemitem></para></listitem>
<listitem><para>Any individual printer on the server: ⪚ <systemitem class="resource">/printers/infotec_P320</systemitem></para></listitem>
<listitem><para>All printer classes on the server: <systemitem class="resource">/classes</systemitem>:</para></listitem>
<listitem><para>Any individual printer class on the server: ⪚ <systemitem class="resource">/classes/all_infotecs_P320_or_P450</systemitem></para></listitem>
<para>For all locations that are not defined separately the setting of the location <quote>above</quote> it is valid.</para>
<para>For example, you have a printer named <systemitem class="resource">infotec_P450</systemitem> with no set security options. Then the security of the location <systemitem class="resource">/printers</systemitem> will take the responsibility for this printer as it is a sub-location of<systemitem class="resource">/printers</systemitem>. If, in turn there is no security set for <systemitem class="resource">/printers</systemitem>, then the security for <systemitem class="resource">/</systemitem> (the general security) of the server takes responsibility. Either you have set this for your purpose or the compiled-in default value takes over.</para>
<para>The group name for <systemitem class="groupname">System</systemitem> or printer administration access. The default varies depending on the operating system, but will be <systemitem class="groupname">sys</systemitem>, <systemitem class="groupname">system</systemitem> or <systemitem class="groupname">root</systemitem> (checked for in that order).</para>
<para>The authorisation class. Currently only <quote>Anonymous</quote>, <quote>User</quote>, <quote>System</quote> (valid user belonging to the group set as system group), and <quote>group</quote> (valid user belonging to the specified group) are supported.</para>
<para>Whether or not to use encryption. This depends on having the <application>OpenSSL</application> linked into the &CUPS; library and scheduler.</para>
<title>Example: How To Define The Security For All Printers</title>
<para>The dialogue to configure the &CUPS; server security settings is discussed here. We use the example to add security definitions other than the default ones for the resource named <systemitem class="resource">all printers</systemitem>. For the &CUPS; web server, this is the location you access through <ulink url="http://localhost:631/printers/"> http://localhost:631/printers/</ulink> or (remotely) through <ulink url="http://cups.server.name:631/printers/"> http://cups.server.name:631/printers/</ulink></para>
<para>The first screenshot shows the general location for this setting. <guilabel>Select</guilabel> <guibutton>Add</guibutton> or <guibutton>Modify</guibutton> a resource for which you want to decide about its security settings.</para>
<para>This dialogue is to add a new resource. It looks similar if you want to modify an already existing resource. Here are the general options:</para>
<para>.This is the second part or the dialogue is to add a new ressource. It looks similar if you want to modify an already existing resource. Here you define the actual access masks for the resource in question. </para>
