HTTP 401 or 500 Errors managing Linux iPrint objects

  • 3897348
  • 27-Mar-2008
  • 05-Sep-2012

Environment

Novell iPrint
Novell Open Enterprise Server 1.0 - Linux
Novell Open Enterprise Server 2.0 - Linux

Situation

Error: Create Driver Store Failure
Authorization Required
IPP Error: 0xF0191
HTTP Error: 401

or

Internal Server Error
IPP Error: 0xF01F4
HTTP Error: 500

Resolution

While 401 and 500 errors differ in cause, troubleshooting and resolving them is very similar. Work through the causes below in order.

1. The uniqueID attribute is not set on the user.
For information on how to check whether the uniqueID attribute is set for the user, and how to populate it, see KB 3110036.

2. Duplicate uniqueID attributes
Create a unique user in the tree that is not found in any other context. Give that user rights to the container where you want to create the Driver Store and Manager. Log into iManager with that user to manage iPrint.

3. The uniqueID attribute cannot be found during the LDAP query.
a. CN doesn't equal the UID - Compare the CN value to the uniqueID attribute by going to the properties of the user and choosing the "Other" tab. If there is a difference, change the uniqueID value to match the CN. After changing it, verify that the new uniqueID is actually unique using the ldapsearch command given under cause 2 in the Additional Information section.

b. Multiple Organization objects
Modify the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf file from:

AuthLDAPURL "ldaps://[IPorDNSofPrintServer]/[LDAPSearchBase]???(objectClass=user)"
to
AuthLDAPURL "ldaps://[IPorDNSofPrintServer]/???(objectClass=user)"

Restart Apache to make the change take effect. (rcapache2 restart)

4. Problem Contacting LDAP Server
In the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf, change:
AuthLDAPURL "ldaps://[DNS]/O=[YourOrganizationName]???(objectClass=user)"
to
AuthLDAPURL "ldaps://[IP_OF_SERVER]/O=[YourOrganizationName]???(objectClass=user)"

Alternatively, use localhost in place of the IP address. Restart Apache to make the change take effect. (rcapache2 restart)

5. Certificate Invalid, Expired, or Untrusted
The iPrint authentication relies on a secure connection to the LDAP server specified in /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf. This secure connection requires the /etc/opt/novell/certs/SSCert.pem to be valid. (Note: The location of SSCert.pem for OES 1 is /etc/opt/novell/.)

There are three methods of fixing or working around this problem:

a. Re-export the SSCert.pem

Follow the steps documented in the "Certificate Recreation Script for OES1 and OES2" Novell Cool Solution.

https://www.novell.com/communities/node/5704/certificate-recreation-script-oes1-and-oes2

b. Change the certificate used in the iPrint authentication
- Modify the following line in /etc/opt/novell/httpd/conf.d/iprint_g.conf from
LDAPTrustedCA /etc/opt/novell/certs/SSCert.pem
to
LDAPTrustedCA /etc/ssl/servercerts/servercert.pem
- Restart Apache
rcapache2 restart


Note: The above example is for OES 2. If the server is OES 1, then the original LDAPTrustedCA location will be /etc/opt/novell/SSCert.pem.

c. Change LDAP Server Connections setting
By default LDAP uses SSL CertificateDNS to establish a secure connection. That can be changed to use the SSL CertificateIP. The steps to accomplish that are:
- iManager -> LDAP -> LDAP Options -> General -> Connections -> Server Certificate
- Browse to SSL CertificateIP and click Apply
- Restart eDirectory
cd /etc/init.d
./ndsd restart
 
6. Using iManager or ConsoleOne, perform the following steps:
  1. Delete the SSL CertificateDNS, SSL CertificateIP and SAS objects of the server in question.
  2. From a terminal window on the server in question, run ndsconfig upgrade.
 
7. Make sure that namcd is running. At a terminal type: ps -eaf | grep namcd
rcnamcd status   (or stop, start, restart)

8. Make sure the line in /etc/openwbem/openwbem.conf is the same as the one below:

owcimomd.allowed_users = *

9. Make sure that the /etc/hosts file has the correct IP address and DNS entry.
Example: 192.168.1.20  myserver.mycompany.com myserver

10. Make sure that the organization is specified correctly.

In the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf, verify
AuthLDAPURL "ldaps://[DNS]/O=[YourOrganizationName]???(objectClass=user)"

Additional Information

A 401 error can be presented when attempting to create a print manager, create a driver store, create a printer, upload a driver, create a driver profile, or any operation using iprntman. This problem can be caused by one or more of the following reasons. If you resolve one of the conditions below and the error continues, continue investigating the other causes and solutions to the problem.

1. The uniqueID attribute is not set on the user.
Users created by iManager or ConsoleOne will have a uniqueID attribute set for each account. By default, the uniqueID string will match the CN. For example, the uniqueID for admin.acct is admin. The LDAP authentication performed by the iPrint client relies on this uniqueID attribute. If the attribute is not present, then the authentication will fail. Users created with NWAdmin will not have a uniqueID. The results of the ldapsearch command given under cause 2 below will let you know whether that uniqueID exists.

2. Duplicate uniqueID attributes
Because iPrint's LDAP authentication doesn't use context, a user's uniqueID attribute must be unique. For example, in NDS, you might have admin.acct and admin.marketing as two different users, but if both have the uniqueID of "admin" then neither could log in to iPrint with the name "admin" since the server wouldn't know which one was trying to log in. A 401 error is returned when the iPrint client queries LDAP for admin and receives multiple responses. You can determine if the uniqueID exists more than once in your tree by doing the following LDAP search.

ldapsearch -b [LDAPSearchBase] -x -a always -H ldaps://[DNSorIPofIPRINTserver]/ '(&(uid=[USERNAME])(objectClass=user))'

The items in brackets [ ] must be replaced with the values from your environment. Below is an example:

ldapsearch -b o=novell -x -a always -H ldaps://10.0.1.9/ '(&(uid=admin)(objectClass=user))'

3. The uniqueID attribute cannot be found during the LDAP query.
Before the authentication can occur, the user's uniqueID attribute must be found by an LDAP query. Below lists 2 reasons the uniqueID (UID) may not be found:

a. CN doesn't equal the UID
If the value of the CN does not match the value of the uniqueID, then the UID will not be found during the LDAP lookup. Mismatched CNs and UIDs occur only if the CN or UID was manually changed.
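Causes 1, 2 and 3a above are all conditions on the same data: the entries that the ldapsearch in cause 2 returns. The following Python script is an added example, not part of this TID or of Novell's tooling; it parses LDIF captured from a broader search such as ldapsearch -x -a always -H ldaps://[server]/ -b [base] '(objectClass=user)', and in one pass reports entries with no uid (eDirectory's uniqueID is exposed over LDAP as uid, as the TID's own filter shows), uid values that occur more than once, and entries whose cn differs from their uid. The sample entries are constructed for the example.

```python
"""Check ldapsearch LDIF output for the uniqueID conditions described in the
TID: a missing uid (cause 1), a duplicate uid (cause 2) and a CN that does
not match the uid (cause 3a).  Added example, not Novell's code."""
import re
from collections import defaultdict

# Constructed sample of what ldapsearch returns for '(objectClass=user)'.
# All names and contexts below are made up for the example.
SAMPLE_LDIF = """\
dn: cn=admin,o=acct
objectClass: user
cn: admin
uid: admin

dn: cn=admin,o=marketing
objectClass: user
cn: admin
uid: admin

dn: cn=jsmith,o=acct
objectClass: user
cn: jsmith
uid: john.smith

dn: cn=legacy,o=acct
objectClass: user
cn: legacy
"""


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry.

    Folded continuation lines (leading space) are joined first; attribute
    names are lower-cased; base64 ('::') values are kept undecoded."""
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)
    for line in unfolded.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(
            value.strip().lstrip(":").strip())
    if current:
        entries.append(current)
    return entries


def check_uniqueid(ldif_text):
    """Return findings keyed by the TID's cause labels."""
    by_uid = defaultdict(list)
    missing, mismatched = [], []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        uids = entry.get("uid", [])
        cns = entry.get("cn", [])
        if not uids:
            missing.append(dn)  # cause 1: no uniqueID on the user at all
            continue
        for uid in uids:
            by_uid[uid.lower()].append(dn)
        if cns and cns[0].lower() not in (u.lower() for u in uids):
            mismatched.append(dn)  # cause 3a: CN differs from uniqueID
    # cause 2: the same uniqueID in more than one context
    duplicates = {uid: dns for uid, dns in by_uid.items() if len(dns) > 1}
    return {"missing_uid": missing,
            "duplicate_uid": duplicates,
            "cn_uid_mismatch": mismatched}


def count_matches(ldif_text, username):
    """How many entries the TID's '(&(uid=[USERNAME])(objectClass=user))'
    search would return; more than one means a 401 for that name."""
    return sum(1 for e in parse_ldif(ldif_text)
               if username.lower() in (u.lower() for u in e.get("uid", [])))


if __name__ == "__main__":
    for key, value in check_uniqueid(SAMPLE_LDIF).items():
        print(f"{key}: {value}")
    print("entries with uid=admin:", count_matches(SAMPLE_LDIF, "admin"))
```

Feed it the real output with something like ldapsearch ... > users.ldif and check_uniqueid(open("users.ldif").read()); the duplicate_uid list tells you which contexts collide, which is what you need in order to pick the unique administrative user that resolution step 2 calls for.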

b. Multiple Organization objects or search bases
By default, the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf specifies the Organization object or other search bases that will be searched to find the user that logged into iManager. For example, if the tree has multiple O's (Organization objects), then users only in the O listed in the iprint_ssl.conf will be searched. Users outside of that O will see the 401 error.

4. Problem Contacting LDAP Server
/etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf references the LDAP server used for authentication by DNS name. If the DNS lookup takes longer than expected, the server is unreachable or down, or the LDAP service is not running on the server, a 401 error will be returned.
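Causes 3b, 4 and 10 (and the matching resolution steps) all come down to what the AuthLDAPURL directive in iprint_ssl.conf says. The Python below is an added example, not code from this TID or from Novell; it splits the directive into Apache's ldaps://host/basedn?attribute?scope?filter parts, flags a DNS-named server, a search base that is not one of the tree's Organizations, and a base that confines lookups to one O when the tree has several, and prints the substitute line the TID tells you to use. The configuration text and the list of Organization DNs are constructed sample input; in practice you pass in your own iprint_ssl.conf and the O's actually present in your tree.

```python
"""Audit the AuthLDAPURL directive of iprint_ssl.conf for the settings the
TID associates with 401 errors (causes 3b, 4 and 10).  Added example, not
Novell's code."""
import ipaddress
import re

# Constructed sample of the directive as it might appear in
# /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf (hostname and O made up).
SAMPLE_CONF = '''
<Location /ipp>
    AuthLDAPURL "ldaps://printsrv.example.com/o=acct???(objectClass=user)"
</Location>
'''


def parse_auth_ldap_url(conf_text):
    """Split Apache's ldap://host[:port]/basedn?attribute?scope?filter form.

    Accepts the directive with or without quotes and with or without a space
    after the keyword (the TID shows both spellings)."""
    m = re.search(r'^\s*AuthLDAPURL\s*(?:"([^"]+)"|(\S+))', conf_text, re.MULTILINE)
    if not m:
        raise ValueError("no AuthLDAPURL directive found")
    url = m.group(1) or m.group(2)
    scheme, rest = url.split("://", 1)
    hostport, _, tail = rest.partition("/")
    parts = tail.split("?")
    parts += [""] * (4 - len(parts))        # pad missing ?attribute?scope?filter
    basedn, attribute, scope, filt = parts[:4]
    return {"scheme": scheme, "host": hostport.split(":")[0], "basedn": basedn,
            "attribute": attribute, "scope": scope, "filter": filt}


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_auth_ldap_url(conf_text, organizations):
    """Return (parsed directive, findings keyed by the TID's cause numbers).

    `organizations` is the list of Organization DNs in the tree, supplied
    by the administrator."""
    cfg = parse_auth_ldap_url(conf_text)
    base = cfg["basedn"].replace(" ", "").lower()
    orgs = [o.replace(" ", "").lower() for o in organizations]
    findings = {}
    if base and base not in orgs:
        findings["cause_10"] = f"search base {cfg['basedn']!r} is not an Organization in the tree"
    if base and len(orgs) > 1:
        findings["cause_3b"] = "search base restricts lookups to one O while the tree has several"
    if not is_ip_literal(cfg["host"]) and cfg["host"].lower() != "localhost":
        findings["cause_4"] = f"LDAP server referenced by DNS name {cfg['host']!r}"
    return cfg, findings


def rewrite_auth_ldap_url(cfg, host=None, basedn=None):
    """Build the corrected directive line to substitute into iprint_ssl.conf
    (host=IP or localhost for cause 4, basedn='' for cause 3b)."""
    host = cfg["host"] if host is None else host
    basedn = cfg["basedn"] if basedn is None else basedn
    return (f'AuthLDAPURL "{cfg["scheme"]}://{host}/{basedn}'
            f'?{cfg["attribute"]}?{cfg["scope"]}?{cfg["filter"]}"')


if __name__ == "__main__":
    cfg, findings = audit_auth_ldap_url(SAMPLE_CONF, ["o=acct", "o=marketing"])
    print(cfg)
    for cause, text in findings.items():
        print(f"{cause}: {text}")
    # the line the TID's resolution steps 3b and 4 would have you put in place
    print(rewrite_auth_ldap_url(cfg, host="localhost", basedn=""))
```

After editing the file, rcapache2 restart is still required, as the resolution section says; the script only tells you which directive to change and what to change it to.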

5. Certificate Expired
The authentication relies on the DNS SSL Certificate object for the iPrint server. To verify that the LDAP server's certificate is signed by the CA's key, type the following at the server:

OES 1:
echo -n | SSL_CERT=/no_dir openssl s_client -connect localhost:636 -CAfile /etc/opt/novell/SSCert.pem -verify 255

OES 2:
echo -n | SSL_CERT=/no_dir openssl s_client -connect localhost:636 -CAfile /etc/opt/novell/certs/SSCert.pem -verify 255

Look to the bottom of the output returned from the above command.

The output from a valid certificate will end with:
Verify return code: 0 (ok)

Note: Even if the status shows OK, be sure to check the DNS name returned in the certificate. If the DNS name in the certificate doesn't match the server's true name, then you must resolve this problem following the steps in the FIX section of this TID.

The output from an expired certificate will end with:
Verify return code: 10 (certificate has expired)

The output from certificates not matching will end with:
verify error:num=19:self signed certificate in certificate chain
verify return:0
31352:error:14090086:SSL routines:
SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:842:
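The three outputs quoted above, plus the note about the DNS name in the certificate, are easy to misread at the bottom of a long openssl transcript. The Python below is an added example, not part of this TID or of Novell's tooling; it takes the captured output of the openssl s_client command given for OES 1 or OES 2, classifies the verify result as ok, expired or CA mismatch (the num=19 self-signed-chain error means SSCert.pem is not the CA that signed the server certificate), and compares the CN in the subject= line with the server's real FQDN. The three sample transcripts are constructed to match the TID's quoted endings; the hostname and tree name in them are made up.

```python
"""Classify the tail of `openssl s_client -connect host:636 -CAfile SSCert.pem`
output as the TID describes under cause 5, and check the certificate's CN
against the server's true DNS name.  Added example, not Novell's code."""
import re

# Constructed samples modelled on the endings quoted in the TID.
VALID_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=ACME_TREE/CN=printsrv.example.com
   i:/O=ACME_TREE/OU=Organizational CA
---
subject=/O=ACME_TREE/CN=printsrv.example.com
issuer=/O=ACME_TREE/OU=Organizational CA
---
    Verify return code: 0 (ok)
---
"""
EXPIRED_OUTPUT = """\
subject=/O=ACME_TREE/CN=printsrv.example.com
issuer=/O=ACME_TREE/OU=Organizational CA
    Verify return code: 10 (certificate has expired)
"""
MISMATCH_OUTPUT = """\
depth=1 /O=ACME_TREE/OU=Organizational CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
31352:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:842:
"""


def verify_status(output):
    """Map openssl output to 'ok', 'expired', 'ca_mismatch' or 'other:<why>'."""
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if m:
        code = int(m.group(1))
        if code == 0:
            return "ok"
        if code == 10:
            return "expired"
        return "other:" + m.group(2)
    if "verify error:num=19:self signed certificate in certificate chain" in output:
        # SSCert.pem is not the CA that issued the server certificate
        return "ca_mismatch"
    return "other:no verify result in output"


def certificate_cn(output):
    """CN from the subject= line; handles '/CN=x' and 'CN = x' spellings."""
    m = re.search(r"^subject=.*?CN\s*=\s*([^/,\n]+)", output, re.MULTILINE)
    return m.group(1).strip() if m else None


def check_server_cert(output, expected_fqdn):
    """Combine the verify result with the TID's DNS-name check.

    `usable` is True only when verification passed AND the CN is the
    server's true name; a good verify code with the wrong name still needs
    the certificate fixes in the resolution section."""
    status = verify_status(output)
    cn = certificate_cn(output)
    name_ok = cn is not None and cn.lower() == expected_fqdn.lower()
    return {"status": status, "cn": cn, "name_matches": name_ok,
            "usable": status == "ok" and name_ok}


if __name__ == "__main__":
    for label, out in (("valid", VALID_OUTPUT),
                       ("expired", EXPIRED_OUTPUT),
                       ("mismatch", MISMATCH_OUTPUT)):
        print(label, check_server_cert(out, "printsrv.example.com"))
```

To use it on a live server, redirect the TID's command into a file (add 2>&1 so the verify errors are captured too) and call check_server_cert(open("s_client.txt").read(), "<your FQDN>"); a status other than ok, or name_matches False, points you at the certificate fixes under resolution step 5.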
 
6. Certificate Invalid
Steps to check the certificate validity:
  1. In iManager go to Novell Certificate Access | Server Certificates.
  2. Browse and select the suspected Server and check mark SSL CertificateDNS and click on Export.
  3. From the Certificates Drop Down list choose SSL CertificateDNS and Uncheck Export private key.
  4. Export format should be DER click on Next.
  5. Save the Exported Certificate.
  6. Go to eDirectory Maintenance | Import Convert Export Wizard.
  7. Select Export data to a file on disk and click on Next.
  8. Provide the IP address of the server in question and use port 636.
  9. Browse and select the Exported Certificate file.
  10. Choose Authenticated login and provide Admin credentials and click on Next.
  11. Provide Base DN as O=Organization (replace Organization with the name of your Organization object in eDirectory).
  12. Select Base and click on Next.
  13. Keep defaults for rest of the options.
If the LDIF export is successful using the certificate, it is clear that the certificates are fine.
If the LDIF export is unsuccessful, follow step 6 in the Resolution section of this TID.

Formerly known as TID# 10098616