Archive for March 15th, 2008

I recently read a review of ClearSync by Christel Burris in TechnoLawyer’s TechnoFeature: Review: ClearSync 2 for Syncing and Sharing Calendars and Contacts. I am in full agreement that shared calendars and contacts in multi-user environments are invaluable communications resources. But what about shared document management, resource allocation, timesheets, file managers, project managers, and user/group permission management, and the security risk of storing all of this information on a third party’s computer system? These features call for some flavor of groupware.
The good news is that there are a few options. The better news is that one of the options is free to download. It is an open source application so you can add onto it, tweak it, or customize it to fit your needs, and it doesn’t require any subscription to use. This option in my office is eGroupware.
So what is eGroupware? It is a groupware server, translated into more than 25 languages, that runs on Linux, Mac, Windows and other operating systems, and that can be accessed from any common internet browser like Firefox, Opera, and Internet Explorer.

eGroupware Server Requirements:
As the name implies, the first thing you need is a server. Before you stop reading because you don’t want to invest in high-end server hardware, I should tell you about my humble ’server’. For those who are unfamiliar with what exactly a server is, it is simply a computer dedicated to one or more tasks, e.g. holding your files, collecting your mail, hosting your website, etc. The application uses very little system overhead, and can be run on a LAMP or WAMP server. In my office, I run eGroupware on my mail and file server. I installed a LAMP server on an outdated desktop. My machine, which lives in the corner of a closet, has a 1.2 GHz AMD Athlon processor, 640 MB of memory, a 40 GB hard drive, and a network card. I don’t even have the machine hooked up to a monitor since all of the configuration can be done via ssh (a secure telnet session). And even this machine averages about 95% CPU idle time, although the memory does get used by the mail server. All that while running my file server, WebDAV server, groupware server, mail server, IMAP server, Spamassassin and a few other applications.
A LAMP (Linux Apache MySQL PHP) or WAMP (Windows Apache MySQL PHP) server is relatively straightforward to install and set up. If you are not too paranoid about security, you can use Ubuntu Server, http://ubuntu.org, which has an option to actually install a LAMP server during the setup prompts. If you have an old Windows machine, you can install Windows versions of Apache 2, MySQL, and PHP on an existing machine (although I would NEVER trust it to be secure on the Internet). Or, if you are paranoid, like me, then you can base your system on OpenBSD, or your other favorite distribution. Again, the key components are Apache, MySQL, and PHP. Each distribution has its own server installation instructions that range anywhere from a step-by-step walkthrough (see Ubuntu, Mandriva, Fedora), to efficient but enigmatic (see OpenBSD, Slackware, etc.).

Installation of eGroupware
The installation of the program is very straightforward. Several Linux distributions actually offer eGroupware as a package. Installation is as easy as selecting the package and telling the system to install it.
If you want to install the package manually, simply download the latest version to the server, unzip/untar the package, and then copy it to your web base directory in Apache (usually /var/www). You can then reach the program by pointing a web browser (on another computer) to http://servername/egroupware. From this point, the installation instructions are reasonably well explained in the package and on the eGroupware website. All computers are different, but I did not run across any question that I could not find an answer to on their website.

Getting up and Running:
Once the server is installed, you get to put it into action. After logging in, you can create some users and start setting up your back-office environment.
The calendar can be displayed by day, weekview without weekend, weekview with weekend, planner by category, planner by user, or by activity list. If you want you can also add custom fields to the calendar. And most importantly, when you enter an activity, you can choose which users, by user or group, can view the activity.
The next most-used feature for me in eGroupware is the address book. Like the calendar, you can query by group or category, and can also set the access permissions for other users to any of your contacts.
One of the features that is especially useful is that the calendar and contacts can be synced to several supported applications and devices. The information can be synced with Outlook, Evolution, Kontact or other message programs, and can also be synced with several PIMs. A list of the supported applications and devices is shown on eGroupware’s website.
The other feature that I use on a regular basis is the Document Management Server, myDMS. For me, it is a great place to store and organize all types of templates, and versions of documents. In addition to organizing documents in logical categories, you can also set user access permissions individually for any single document or group of documents.
In addition to these features, there is also an included project manager, resource manager (useful for conference rooms, etc), timesheet, and file manager. While I, admittedly, do not use these features on a regular basis, from what I have seen, they appear to be just as useful as the modules that I outlined above.

Support
In my case, any technical issue that I ran into was easily answered by a quick Google of the issue. If you cannot find it by internet search, then they have mailing lists in seven different languages, including one specifically for users of Windows.
Those who are not so inclined to read answers in the form of a mailing list digest will need to find a local person who is knowledgeable about LAMP or WAMP servers to assist with the installation and maintenance of the server.

Conclusion
eGroupware, for my small office, is a solid software project that provides an open source implementation to share contacts, calendars, files, and other information. I admit that when I have a software need, I look to open source products instead of proprietary programs. I have used Linux for almost ten years, and I am pleased with the available software, the system security, the choices of desktops, and the flexibility of the product. But, I also understand that Microsoft-based products have their place in the office as well…I’ve been a Microsoft Certified Systems Engineer for over 10 years, and spent several years implementing enterprise CRM, work flow, and financial systems. The good news is that the only client requirement is a working browser, and more importantly you get complete control of your data and your security. For a small to mid-sized, efficient, and frugal operation, this open source application might be a perfect fit.

Once you have CUPS installed properly, you can easily print from both Unix and Windows clients. On Windows (at least Windows XP), open up the Printers list from the Control Panel and click on Add New Printer. Windows will ask whether it is a local printer or a networked printer. Choose networked printer. From the next screen, do NOT choose browse the network. Windows will only browse the local windows network and will not show the CUPS server unless it is also running SAMBA.

Instead, go to the box to type in the URL, then enter http://yourcupsserver:631/printers/YourPrinter. Of course you will need to substitute the actual IP address or host name for the CUPS server, and you will need to know the printer as it is called on the CUPS server. Additionally, unlike Unix clients, you will need to put the port information behind the server name, e.g. :631.

If you put in the correct server name, then you simply need to choose the printer, and print driver from the following Windows menus.

Happy printing.

Of all of the features that I rave about using Linux, network printing is not one of them. Linux uses CUPS (Common UNIX Printing System) to natively share printers and connect to shared printers on other UNIX boxes. Unlike Windows, this is not as simple as choosing the printer and sharing it among your peers. But, on the other hand, the network security is highly configurable albeit draconian and frustrating to figure out. Plus, once it is configured you can forget about it.

I’m sharing how I got my shared printers to work from my main server. I’ll admit that I may not have used all of the correct formatting, nor do I have a guru’s understanding of CUPS, but it works, it seems secure, and I’m hopeful that it doesn’t drain as many hours from the readers’ life as it did mine in order to get it working.

First off, the general idea is easy: just install cups, go to the web-based configuration tool, and voila, you’re up and running. Unfortunately it was not so simple in my case. My goal was to share my workstation printer among the desktops and laptops on my network.

To install CUPS on Debian or Ubuntu, simply log into the terminal and type “sudo apt-get install cups”. The system will ask you for your administrative password and will then install the latest version of the software. If you are using other distros, you can get CUPS by RPM on RedHat, Mandriva, and similar systems. On OpenBSD, you use the pkg_add script to get the program. At this point, there is not much to discuss. The installation programs will download and install the latest version on your system.

Once installed, open your browser and go to http://localhost:631 to access the web-based administration panel. You can choose your Basic Server Settings from the Administration tab. And now is where the frustration begins…

If you want to employ any reasonable security on your system, you will need to go to Edit Configuration File. This utility edits /etc/cups/cupsd.conf. If you choose, you can edit the file by hand using vim, pico, or your favorite editor from the terminal.

Here is an annotated example of my cupsd.conf file. Note that all lines beginning with # are ignored, so this is where I will put my comments and explanations. Reference files and man files that describe each heading can be found at http://www.cups.org/documentation.php.
LogLevel error
#This can be set to none, emerg, alert, crit, error, warn, notice, info, and debug. I put mine to error to log all general errors.
AccessLog /var/log/cups/access_log-%s
ErrorLog /var/log/cups/error_log-%s
#You can choose where to store the logs. The %s in the file name is replaced with the server name, so -%s adds the system name behind the log name.
SystemGroup lpadmin system
#Name all system administration groups separated by spaces
# Allow remote access. Port specifies a port to listen on. 631 is the default port, e.g. http://localhost:631
Port 631
Listen /var/run/cups/cups.sock

# Share local printers on the local network.
Browsing On
# Turn on printer browsing, so the shared printers are announced on the network

BrowseOrder allow,deny
# Set the evaluation order: either allow,deny or deny,allow. I use allow,deny because it automatically denies all requests, then it allows requests as per the following lines, then it can specifically deny requests from within any of these groups.

BrowseAllow 10.0.*.*
# This allows any local address in the 10.0 network, e.g. your local network.

BrowseAllow nnn.nnn.nnn.nnn/255.255.255.0
#nnn… is your local internet viewable network and netmask if you have one

BrowseAddress @LOCAL
# Broadcast printer information to all local interfaces

ErrorPolicy retry-job
# what happens when there is an error. I set to retry the job.

JobRetryInterval 45
# How long to wait before retrying the job

JobRetryLimit 5
# How many times should it try to retry the job.

# And now we reach the most important part, how to allow access to CUPS.

<Location /> #Access to the root directory of CUPS
Encryption IfRequested # Use encryption if requested by client, Optional
Require user @SYSTEM #Require a user who belongs to one of the SystemGroup groups on the server.
# Allow shared printing and remote administration…
Order allow,deny # Same as above; you can choose allow,deny or deny,allow
Allow 10.0.*.* # Allow all computers on the subnet 10.0.0.0
Allow @LOCAL # Allow all computers on the local network. If it is the same as 10.0.0.0, then this line alone is enough
Allow nnn.nnn.nnn.nnn/255.255.255.0 #nnn… is your local internet viewable network and netmask if you have one
</Location>

<Location /jobs> #Same as above
Encryption IfRequested
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>

<Location /printers> #Same as above
Encryption IfRequested
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>

<Location /admin> # who can access the administrative interface by going to http://yourserver:631
Encryption IfRequested
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>

<Location /admin/conf> # who can access the configuration interface by going to http://yourserver:631
Encryption IfRequested
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>

<Policy default> # Honestly, these settings are the default ones, it works, so I didn’t touch them.

<Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job Suspend-Current-Job Resume-Job CUPS-Move-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

<Limit CUPS-Add-Modify-Printer CUPS-Delete-Printer CUPS-Add-Modify-Class CUPS-Delete-Class CUPS-Set-Default>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>

<Limit Pause-Printer Resume-Printer Enable-Printer Disable-Printer Pause-Printer-After-Current-Job Hold-New-Jobs Release-Held-New-Jobs Deactivate-Printer Activate-Printer Restart-Printer Shutdown-Printer Startup-Printer Promote-Job Schedule-Job-After CUPS-Accept-Jobs CUPS-Reject-Jobs>
AuthType Default
Require user @SYSTEM
Order deny,allow
</Limit>

<Limit CUPS-Authenticate-Job>
Require user @OWNER @SYSTEM
Order deny,allow
</Limit>

<Limit All>
Order deny,allow
</Limit>
</Policy>

If you are familiar with CUPS and see an error, I would appreciate any corrections. For a complete explanation of all options in the cupsd.conf, go to http://www.cups.org/documentation.php/ref-cupsd-conf.html
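
As an added example (not part of the original post and not a CUPS tool), the following Python script reads a cupsd.conf in the style shown above and reports two things worth checking before opening port 631 to a network: /admin locations whose Encryption setting does not force TLS, and IPv4 wildcard patterns with more than four address fields. The sample configuration, the function names, and the wording of the findings are constructed for illustration.

```python
import re

# Constructed sample in the style of the file above; not the author's actual config.
SAMPLE = """\
BrowseAllow 10.0.0.*.*
<Location /admin>   # administration pages
Encryption IfRequested
Require user @SYSTEM
Order allow,deny
Allow @LOCAL
</Location>
<Location /admin/conf>
Encryption Required
Require user @SYSTEM
Allow 10.0.*
</Location>
"""

ADDRESS_DIRECTIVES = {"allow", "deny", "browseallow", "browsedeny"}

def parse(text):
    """Yield (scope, directive, value); scope is 'global' or a Location path."""
    scope = "global"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop full-line and trailing comments
        opened = re.fullmatch(r"<Location\s+(\S+)\s*>", line, re.I)
        if opened:
            scope = opened.group(1)
        elif line.lower() == "</location>":
            scope = "global"
        elif line and not line.startswith("<"):   # skip <Policy>/<Limit> tags
            name, value = (line.split(None, 1) + [""])[:2]
            yield scope, name.lower(), value.strip()

def audit(text):
    """Return findings for weak admin encryption and malformed IPv4 wildcards."""
    findings = []
    for scope, name, value in parse(text):
        if name == "encryption" and scope.startswith("/admin") and value.lower() != "required":
            findings.append(f"{scope}: Encryption {value} does not force TLS for admin logins")
        if name in ADDRESS_DIRECTIVES and "*" in value:
            fields = value.split("/")[0].split(".")
            if fields[0].isdigit() and len(fields) > 4:   # ignore *.domain.com host patterns
                findings.append(f"{scope}: {name} {value} has {len(fields)} address fields")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a real file, pass its contents to audit(), for example audit(open("/etc/cups/cupsd.conf").read()).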

Now for the client side:

Using this configuration, I never was able to browse the IPP queues using the printers manager applet system-config-printer.py. So I used the web interface on my client computers by going to http://localhost:631.

From the client configuration page, shut down all access to the client as a server by unchecking everything but Allow users to cancel any job on the Basic Server Settings. I leave the Allow users to cancel any job because we have a small office and there is not a problem with persons usurping print queues.

Then go to Add Printer.

From here you can put in the printer name, with no spaces and no special characters, e.g. LaserPrinter. The next two fields allow you to add human-readable text to describe the printer location and the printer itself. Click on Continue and move on.

The next screen lets you choose how the client computer will access the device. Choose Internet Printing Protocol and click on continue.

Now is when I wish that the browse function worked in system-config-printer.py, because you have to input the actual address. Fortunately it is relatively logical. Type in ipp://yourprintserverhostname/printers/LaserPrinter. Of course you will need the hostname of your print server and the actual name of your printer.

Click Continue and move on to choosing the driver for your printer. If you cannot find the specific driver that works with your printer, and if you do not have a ppd file for your printer, then go to http://linuxprinting.org and look up your printer there. This site has information on most printers and will state the driver that works best, and how well the printer works with Linux.

Finally, click on my printer. Voila, you should now have access to the network printer.

I am writing this because I spent two days trying to configure my CUPS server so that I could actually browse the queues over the system-config-printer application. Alas, I was unable to actually make that part work. If there is someone who knows how to answer this conundrum, I would find it helpful.

Otherwise, happy network printing, and I hope that this was helpful.

Copyright (c) 2008 by John Pierce. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/).