Message: "Printer authentication failed. Do you want to try again?"

  • 3110036
  • 14-Aug-2007
  • 26-Apr-2012

Environment

Novell Distributed Print Services (NDPS)

Situation

Message: "Printer authentication failed. Do you want to try again?"
Authentication to secure iPrint fails even though the correct credentials are entered.
Authentication fails when installing an SSL iPrint printer.


Error 401
The server could not verify your username or password. Please try again.

Resolution

Fix #1: Populate the uniqueID attribute for all users in the Tree.

This solution requires the following steps:

  1. Export LDIF
  2. Modify LDIF Export
  3. Import Modified LDIF
  4. (Optional) Confirm Results

Step 1. Export all users missing the uniqueID attribute.

a. Open ConsoleOne, click Wizards -> NDS Import/Export
b. Choose "Export LDIF File" radio button, click Next
c. Populate "Server DNS Name/IP Address" field and Port 389
d. Choose "Authenticated Login" radio button. Fill in username/password information, click Next
e. Populate "Base DN" field with top level Organization. Example: o=novell
f. Choose "Sub Tree" radio button.
g. Filter Tab, delete the text in the Search Filter field and add the following:

(&(objectclass=user)(!(uid=*)))

h. Attributes Tab, Choose the "Entry names only (don't get attributes)" radio button, click Next
i. Choose a file name for LDIF File. For example: myfile.ldif. The default save location is public\mgmt\ConsoleOne\1.2\bin, click Next and Finish.

Open the exported LDIF file using Notepad or another editor and ensure the entries you intend to give uniqueID attributes are listed. If you don't want some of the entries to receive the uniqueID attribute, then remove the entire line and the following blank line. There must be only one blank line between entries.

Step 2: Populate uniqueID to the entries in the exported LDIF.

a. Download a Perl package to the workstation. While Novell does not recommend any specific Perl package, this process has been known to be successful using Active Perl from www.activestate.com.
b. Create a Perl script named UID.PL using the instructions in the Additional Information section of this TID. Save the file to your Windows workstation, for example C:\test
c. Copy the exported LDIF file to the same location as the Perl Script. The default save location for the exported LDIF file is public\mgmt\ConsoleOne\1.2\bin
d. Open a Command prompt
e. Change Directory to the folder with the Perl script.
f. Type the following in the CMD box:

PERL UID.PL MYFILE.LDIF

(MYFILE.LDIF being the file exported in Step 1 above.)

A file named UID.LDIF will be created in the same directory. The Perl script will populate the uniqueID attribute with the user's CN.

Step 3: Import updated LDIF File

a. Open ConsoleOne, click Wizards -> NDS Import/Export
b. Choose "Import LDIF File" radio button, click Next
c. Browse to the UID.LDIF, click Next
d. Populate "Server DNS Name/IP Address" field and Port 389
e. Choose "Authenticated Login" radio button. Fill in username/password information, click Next and Finish

(Optional) Step 4: Confirm users received the uniqueID attribute.

a. Open ConsoleOne.
b. Open the properties of a user object that previously did not have the uniqueID attribute.
c. Click the "Other" tab.
d. Look for the uniqueID attribute.
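
Because the script sets uid to the CN, and CNs are not necessarily unique across containers, the generated file can be checked between Step 2 and Step 3. The following is an added example, not part of the original TID or Novell's tooling: it reports uid values that several DNs would share and DNs whose CN contains an escaped comma, which the script's pattern cuts short. The sample records and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a generated uid.ldif (not data from the TID).
SAMPLE_LDIF = """\
dn: cn=bob,ou=ISD,ou=ADM,o=NOVELL
changetype: modify
add: uid
uid: bob

dn: cn=bob,ou=HR,o=NOVELL
changetype: modify
add: uid
uid: bob

dn: cn=Smith\\, Jo,ou=HR,o=NOVELL
changetype: modify
add: uid
uid: Smith\\
"""

def parse_records(text):
    """Return (dn, uid) pairs, one per blank-line-separated LDIF record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields.setdefault(key.lower(), value)
        if "dn" in fields and "uid" in fields:
            records.append((fields["dn"], fields["uid"]))
    return records

def first_rdn_value(dn):
    """Value of the first RDN, treating backslash-escaped commas as data."""
    return re.match(r"(?:\\.|[^,\\])*", dn).group(0).partition("=")[2]

def check(text):
    """Return (uid values shared by several DNs, DNs whose uid is not their full CN)."""
    by_uid, truncated = defaultdict(list), []
    for dn, uid in parse_records(text):
        by_uid[uid.lower()].append(dn)  # uid is matched case-insensitively
        if uid != first_rdn_value(dn):
            truncated.append(dn)
    return {u: d for u, d in by_uid.items() if len(d) > 1}, truncated

if __name__ == "__main__":
    duplicates, truncated = check(SAMPLE_LDIF)
    print("duplicate uid values:", duplicates)
    print("uid cut at an escaped comma:", truncated)
```

The check only sees the users in the export; uid values already present in the tree are outside its view.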

Fix #2: Manually add the uniqueID attribute to the user. This can be done through iManager or ConsoleOne.

iManager:
- Directory Administration
- Modify Object
- Browse for user object name and click OK
- Click the "Other link" within the "Other" tab.
- Move the attribute of uniqueID from the Unvalued Attributes column to the Valued Attributes column. During the move, you are prompted to enter a value. A typical value would be the user ID name, however, be sure that the name is unique. For this reason, it may be best to use something such as an email address name. The user will need to know the value you entered to authenticate when using secure iPrint.
- Click OK

ConsoleOne:
- Properties of the user object
- Other tab
- Highlight "Attributes"
- Click Add
- Highlight uniqueID, click OK
- Add a value. A typical value would be the user ID name, however, be sure that the name is unique. For this reason, it may be best to use something such as an email address name. The user will need to know the value you entered to authenticate when using secure iPrint.
- Click OK

Follow the fix statement found in TID 3696528 - Error: "HTTP 401 - Unauthorized." when uploading drivers to the Broker.

This can be corrected by doing one of the following:

a. Remove the alias object

b. Follow TID 10083497 - NAM 3.0: LDAP error 16 in agent log files with alias objects to dereference aliases when resolving names, or

c. Add the following line in the iPrint server's Apache2\iprint\ipp.conf file under the AuthLDAPURL line:
AuthLDAPDereferenceAliases Off

Then, restart Apache with the following commands:
ap2webdn
ap2webup



Additional Information

The iPrint authentication relies on LDAP. LDAP requires a unique ID. Because NDS CNs (usernames) are not necessarily unique, the newer administrative tools like iManager and ConsoleOne create a uniqueID attribute on the user object. This attribute is used during the LDAP authentication. However, if the user was created using NWAdmin, the user object will not have this attribute and therefore the authentication will fail with the above message.
The above message can also be returned even if the uniqueID exists (which is required for SSL iPrint) and an ALIAS object exists for the user object. An LDAP trace reveals that the LDAP server returns the user information twice when an . Example below:

[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0

[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0

The iPrint client cannot handle the duplicate response.
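
To confirm the alias case from a saved LDAP trace, the duplicate entries can be picked out mechanically. The following is an added example, not part of the original TID: it counts "Sending search result entry" lines per client, operation tag, connection and DN, and returns the ones sent more than once. The line layout is assumed from the excerpt above, the second parenthesised pair is treated as an opaque operation tag, and the third sample line is constructed.

```python
import re
from collections import Counter

# First two lines are the excerpt from this TID; the third is constructed.
SAMPLE_TRACE = '''\
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
[2004/06/03 13:09:07] (192.168.1.147:1216)(0x0028:0x63) Sending search result entry "cn=alice,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00f10
'''

# Layout assumed from the trace excerpt: [time] (client)(tag) message.
ENTRY = re.compile(
    r'^\[(?P<ts>[^\]]+)\]\s+\((?P<client>[^)]+)\)\((?P<op>[^)]+)\)\s+'
    r'Sending search result entry "(?P<dn>[^"]+)" '
    r'to connection (?P<conn>0x[0-9a-fA-F]+)'
)

def duplicate_results(trace):
    """Map (client, op tag, connection, lower-cased DN) to a count, for counts > 1."""
    counts = Counter()
    for line in trace.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # other trace lines are ignored
            key = (m["client"], m["op"], m["conn"], m["dn"].lower())
            counts[key] += 1
    return {key: n for key, n in counts.items() if n > 1}

if __name__ == "__main__":
    for (client, op, conn, dn), n in duplicate_results(SAMPLE_TRACE).items():
        print(f"{dn} returned {n} times to {client} on connection {conn} ({op})")
```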

========================================
====== Instructions to create the UID.PL script ======
====== Copy/Paste the contents below and =========
====== save the file as UID.PL =============
========================================

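#!/usr/bin/perl

# Name: uid.pl
# Author: Jim Schnitter
# Purpose: Creates an LDIF file to populate the uid attribute on user entries.
# Version: 1.0

use strict;
use warnings;

# Print the usage message and exit.
sub usage {
    die "\nUsage: uid.pl input_ldif \n\n";
}

# Exactly one argument is expected: the LDIF file exported in Step 1.
usage() unless @ARGV == 1;
my $in = $ARGV[0];

open(my $in_fh, '<', $in) or die "\nCan't open $in: $!\n\n";
open(my $out_fh, '>', 'uid.ldif') or die "\nCan't create uid.ldif: $!\n\n";

while (my $line = <$in_fh>) {
    chomp $line;
    # For each "dn: cn=<name>,<rest>" line, write a modify record that
    # adds uid with the value of the CN.
    if ($line =~ /^dn: cn=(.*?),(.*)$/) {
        print $out_fh $line;
        print $out_fh "\nchangetype: modify\n";
        print $out_fh "add: uid\n";
        print $out_fh "uid: $1\n\n";
    }
}

close $in_fh;
close $out_fh or die "\nCan't write uid.ldif: $!\n\n";

print "\nCreated uid.ldif to add uids\n\n";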

=====================================

Formerly known as TID# 10088627

Change Log

2008-11-19 - Ray Dassen - Use new style TID links; updated TID link 10097177 -> 3696528.