iPrint Appliance 3.0 to 3.2 - Authentication Problem

Hi

I've been trying to run up a test iPrint appliance so I can compare the web print portal with what is available through PaperCut. If I deploy the 3.0 appliance (vmware - vsphere 6.5), add my directory server, sync users etc all works as expected. (The only attribute that seems to sync is surname, no first name or email address etc but that is another story.)

If I then go to https://test-iprint.domain/print/printers and click login I can authenticate as a user from my test user tree.

However, once I upgrade to 3.2, this authentication stops working, and I get an "invalid credentials" error. It seems that the appliance is now trying to authenticate against its own internal eDirectory tree rather than the tree I am synchronising users from. If I set the password for a user in iManager on the appliance, I can then authenticate as that user. But I know this isn't how it is meant to work.

As background, when I set up the appliance I left the DNS for Print Service and Authentication Realm settings at the defaults (i.e. address of the appliance and IPRINT).

Also, I've tried upgrading to 3.2 before adding the directory server stuff, but I still get the same problem.

Authentication on my live appliance, also patched to 3.2, does work, but it has come up through the ranks from, I think, 2.x to 3.0 to 3.1 to 3.2.

Anyone else experienced this, or better still have a fix?

Thanks
Robert
  • On 19-12-18 05:44, rshera wrote:
    >
    > Hi
    >
    > I've been trying to run up a test iPrint appliance so I can compare the
    > web print portal with what is available through PaperCut. If I deploy
    > the 3.0 appliance (vmware - vsphere 6.5), add my directory server, sync
    > users etc all works as expected. (The only attribute that seems to sync
    > is surname, no first name or email address etc but that is another
    > story.)
    >
    > If I then go to https://test-iprint.domain/print/printers and click
    > login I can authenticate as a user from my test user tree.
    >
    > However, once I upgrade to 3.2, this authentication stops working, and I
    > get an "invalid credentials" error. It seems that the appliance is now
    > trying to authenticate against its own internal eDirectory tree rather
    > than the tree I am synchronising users from. If I set the password for a
    > user in iManager on the appliance, I can then authenticate as that user.
    > But I know this isn't how it is meant to work.
    >
    > As background, when I set up the appliance I left the DNS for Print
    > Service and Authentication Realm settings at the defaults (i.e. address
    > of the appliance and IPRINT).
    >
    > Also, I've tried upgrading to 3.2 before adding the directory server
    > stuff, but I still get the same problem.
    >
    > Authentication on my live appliance, also patched to 3.2, does work, but
    > it has come up through the ranks from, I think, 2.x to 3.0 to 3.1 to
    > 3.2.
    >
    > Anyone else experienced this, or better still have a fix?
    >
    > Thanks
    > Robert
    >
    >


    Check /etc/opt/novell/iprint/conf/iprintconf.properties.

    The two mobility entries need to be set to true. If they're set to false,
    change them to true and restart the mobile services (rcnovell-iprint-mobile
    restart).
    Then go to the web console, directory servers and run a sync. No error
    should be returned. Now authentication should work.
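
The check described in the reply above, as an added example that is not part of the original thread: a shell function that lists the mobility entries in the properties file that are not set to `true`. The post does not name the two entries, so the function assumes they are the keys containing "mobil" (case-insensitive).

```shell
#!/bin/sh
# Added example, not from the thread or the vendor.
# Assumption: the "mobility entries" are the lines whose key contains
# "mobil" (case-insensitive); the post does not give their exact names.

CONF_DEFAULT=/etc/opt/novell/iprint/conf/iprintconf.properties

# Print "key=value" for every mobility entry whose value is not "true".
# Returns 0 if all such entries are true, 1 if any is not, and 2 if the
# file is unreadable or contains no mobility entry at all.
check_mobility_entries() {
    conf=${1:-$CONF_DEFAULT}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*[#!]/ { next }                  # skip comment lines
        {
            sep = match($0, /[=:]/)             # first key/value separator
            if (sep == 0) next                  # blank or malformed line
            key = substr($0, 1, sep - 1)
            val = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)  # trim whitespace and CR
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (tolower(key) !~ /mobil/) next   # not a mobility entry
            seen++
            if (tolower(val) != "true") { print key "=" val; bad++ }
        }
        END { if (seen == 0) exit 2; exit (bad > 0) }
    ' "$conf"
}
```

Source the file on the appliance and call `check_mobility_entries`; with no argument it reads the path given in the post. A return of 2 means no matching key was found, so the naming assumption should be checked by hand.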
  • Excellent - thank you - that fixed it!

    I still don't see any of the attributes such as firstName, emailAddress etc coming in. Do you know if there is any fix for this?

    Thanks again
    Robert
  • On 21-12-18 00:14, rshera wrote:
    >
    > Excellent - thank you - that fixed it!
    >
    > I still don't see any of the attributes such as firstName, emailAddress
    > etc coming in. Do you know if there is any fix for this?
    >
    > Thanks again
    > Robert
    >
    >


    You're welcome.

    This is working as designed. You do not see any of those in the edir
    object on the appliance. Only the cn is shown, as it is the mandatory
    attribute to create the edir object, but this edir object is just a
    pointer to the real one on the source LDAP server.
    You can still use them. For example, TID 7017467 explains one of them, but
    you'll not see the value in the appliance edir.
    The attributes shown on the import page are just left from the FILR
    appliance (both appliances use the same base code) but they are not used
    in iPrint.
  • OK - thanks for the clarification. That makes sense if the object is
    really just a pointer. The TID is interesting - not sure how I would use
    it, but at least I know about the option.

    Thanks again
    Robert


    On 21/12/2018 7:22 pm, Mysterious wrote:
    > On 21-12-18 00:14, rshera wrote:
    >>
    >> Excellent - thank you - that fixed it!
    >>
    >> I still don't see any of the attributes such as firstName, emailAddress
    >> etc coming in. Do you know if there is any fix for this?
    >>
    >> Thanks again
    >> Robert
    >>
    >>

    >
    > You're welcome.
    >
    > This is working as designed. You do not see any of those in the edir
    > object on the appliance. Only the cn is shown, as it is the mandatory
    > attribute to create the edir object, but this edir object is just a
    > pointer to the real one on the source LDAP server.
    > You can still use them. For example, TID 7017467 explains one of them, but
    > you'll not see the value in the appliance edir.
    > The attributes shown on the import page are just left from the FILR
    > appliance (both appliances use the same base code) but they are not used
    > in iPrint.