iprint_nss_relocate script: Apache User does not exist....

  • 7009925
  • 23-Dec-2011
  • 24-Aug-2012

Environment

Novell iPrint for Linux

Situation

When running the iprint_nss_relocate script to configure iPrint to work against an NSS volume, the following message is included as part of the results log:

Apache User does not exist in container OU=<container>,O=<organization>.
Please assign rights to appropriate Apache LUM user (wwwrun) manually.
Apache Group does not exist in container <OU=<container>,O=<organization>.
Please assign rights to appropriate Apache LUM group (www) manually.

When this outcome is observed after running the iprint_nss_relocate script, 403 Forbidden is returned when hitting the iPrint page (/ipp page).

Resolution

Method 1: Re-run the iprint_nss_relocate script
Re-run the iprint_nss_relocate script, but define the location of the LUM Apache user and group. 
  1. Find the Apache user (wwwrun) and group (www) within eDirectory.
  2. Run the script again, but with the -w switch:
    • Syntax:
    • ./iprint_nss_relocate -a cn=<AdminUser>,o=<OrgName> -n /media/nss/<VolName> -w ou=<ContainerHousingApacheUser+Group>,o=<OrgName>,t=<TreeName>
    • Example:
    • ./iprint_nss_relocate -a cn=admin,o=novell -n /media/nss/IPRINTVOL1 -w ou=nssconfig,ou=belmont,o=corp,t=corptree

Method 2: Manually configure the Apache LUM user and group

  1. Create a user named wwwrun and group named www
    • Assign wwwrun to the www group.
    • Change the gidNumber and uidNumber attributes
      • iManager -> Directory Administration -> Modify Object -> Browse to the www group object -> General -> Other -> Highlight gidNumber -> "Edit..." button -> change value to 8 -> OK -> Apply
      • iManager -> Directory Administration -> Modify Object -> Browse to the wwwrun user object -> General -> Other -> Highlight gidNumber -> "Edit..." button -> change value to 8 -> OK -> Highlight uidNumber -> "Edit..." button -> change value to 30 -> OK -> Apply
  2. LUM enable the Apache user and group objects
    • iManager -> Linux User Management -> Enable Users for Linux -> browse to the wwwrun user (click next) -> next -> choose "An Existing eDirectory Group. This group will be Linux-Enabled." and browse to the newly created www group object (click Next) -> Browse to the Unix Workstation object representing the server which will host the NSS volume and browse to the Unix Config Object in the tree for the lower selection (click Next) -> Finish
  3. Assign the Apache user and group the necessary rights
    • iManager -> Files and Folders -> Properties -> Browse to the cluster volume object, then var, opt, novell, iprint (click the link for "iprint") -> "Rights" tab -> Add the wwwrun user and www group using the "Add Trustee" browse button -> check boxes for R W C E M F in upper right of the page -> Apply
  4. Refresh the LUM Cache on the server
    • Type this command:
      • namconfig cache_refresh
  5. Verify the Apache user and group are provided by LUM (and not locally)
    • Place a # in front of the www line of the /etc/group file
    • Place a # in front of the wwwrun line of the /etc/passwd file
    • Type this command:
      • id wwwrun
        • If configured correctly, something similar to this will be returned
        • uid=30(wwwrun) gid=8(www) groups=8(www)
  6. Verify the Apache user and group have rights to the var iprint directory
    • Type this command:
      • rights -f /media/nss/IPRINTVOL1/var/opt/novell/iprint show
        • Something similar to this should be returned:
          • File: /media/nss/IPRINTVOL1/var/opt/novell/iprint
          • Trustees:
          •   (1) .CN=iprint.O=corp.T=corptree.
          •     [read, write, create, erase, scan, modify]
          •   (2) .CN=wwwrun.OU=nssconfig.OU=belmont.O=corp.T=corptree.
          •     [read, write, create, erase, scan, modify]
          •   (3) .CN=www.OU=nssconfig.OU=belmont.O=corp.T=corptree.
          •     [read, write, create, erase, scan, modify]
  7. Test to see if the /ipp page returns the list of printers
    • Restart Apache (rcapache2 restart)
    • Ensure the Print Manager is running (rcnovell-ipsmd status)
    • Hit the /ipp page (within a browser, go to http://<IPorDNS>/ipp )

Note: If the NSS resource is a cluster volume, you will need to ensure the Apache user and group are configured for each node of the cluster.  The iprint_nss_relocate script should handle this.  However, if it doesn't, try Method 1.  If Method 1 doesn't work, use iManager -> Modify Unix Workstation Object to assign the Apache user and group to the other nodes of the cluster.  Then repeat steps 4 and 5 on each node which will host the iPrint NSS Cluster resource.
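
The checks from steps 5 and 6 of Method 2, written as a script that can be repeated on each node. This is an added example, not part of the original TID; the script name check_lum_apache.sh and the --live argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the TID): checks for steps 5 and 6 of Method 2.
# The functions take command output as text, so they can be tried offline.

# Step 5: pass only if `id wwwrun` output shows uid 30 and primary gid 8 (www).
check_id_output() {
    case "$1" in
        "uid=30(wwwrun) gid=8(www)"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 5: pass only if file $1 has no active (uncommented) entry for name $2,
# i.e. the account must be coming from LUM rather than the local file.
no_local_entry() {
    ! grep -q "^$2:" "$1"
}

# Step 6: pass only if trustee CN=$2 in `rights -f <dir> show` output ($1)
# holds all six rights listed in the TID's sample output.
trustee_has_rights() {
    printf '%s\n' "$1" | awk -v cn="$2" '
        # Trustee line, e.g. "(2) .CN=wwwrun.OU=..."; its rights follow it.
        /\([0-9]+\)/ { hit = index(toupper($0), ".CN=" toupper(cn) "."); next }
        hit && /\[/ {
            ok = 1
            n = split("read write create erase scan modify", need, " ")
            for (i = 1; i <= n; i++) if ($0 !~ need[i]) ok = 0
            exit
        }
        END { exit(ok ? 0 : 1) }'
}

# Live use on a node (hypothetical invocation):
#   sh check_lum_apache.sh --live /media/nss/IPRINTVOL1
if [ "${1:-}" = "--live" ]; then
    dir="$2/var/opt/novell/iprint"
    check_id_output "$(id wwwrun)" || echo "FAIL: id wwwrun is not uid=30 gid=8"
    no_local_entry /etc/passwd wwwrun || echo "FAIL: local wwwrun entry is active"
    no_local_entry /etc/group www || echo "FAIL: local www entry is active"
    out=$(rights -f "$dir" show)
    for t in wwwrun www; do
        trustee_has_rights "$out" "$t" || echo "FAIL: $t lacks rights on $dir"
    done
fi
```

No output from a --live run means every check passed; each FAIL line names the step to revisit.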

Additional Information

The iprint_nss_relocate script does not create the Apache User or Group objects.  Instead, the script finds the existing LUM objects, which are assumed to reside in the container where the NCP Server object resides, and configures them.  If the script cannot find the LUM Apache user and group objects, the error stated in the Situation section of this TID is displayed.
 
The iprint_nss_relocate script does, however, create and LUM enable the iprint and iprintgrp objects.