iPrint management via iPrint-Client: which account is needed?

I try to manage an iPrint environment via the iPrint-Client. Because the iPrint Management via iManager is broken in OES2023.

Which account should i use to access the manager? cn=admin,o=MyOrg is not working.

(The host who run the iprtmgr has no eDir-Replica)

  • Whom ever has the Manager Role for the Print Manager should work.

    Looking at the Trustees of a Print Manager object appears to match that of the Manager Role  (each Assigned Entry Right of Supervisor)

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • I had upgraded my iprint-appliance from 3.x to 23.04 and tried to manage the printerdriver via iprint-client.
    I'm logged to the appliance-tree as admin (also shown in iprint-client) and getting the login window. What credentials to use?
    server <ip of appliance>, User: cn=admin,o=iPrintAppliance don't work.

    Any hints for me?

  • 1. The user is the one set as printmanager manager role, in the appliance is cn=admin,o=iprintappliance

    2. Use the iPrint client version 6.24.0

    3. Check in C:\NDPS\Users\User name\iPrintManage.exe\*.log file what error gives

    4. Check /var/log/apache2/error_log to see what error gives

    5. I hope you did not change admin user password in iManager on the appliance

  • Here is the apache-log:

    No entries at time of try to login.

    But found this from time to time.
    [Mon Nov 13 09:39:41.581716 2023] [:error] [pid 28884] BindPsm : NDPS object not found
    [Mon Nov 13 09:39:56.542407 2023] [:warn] [pid 19931] IPP Operation error=CLNT_ERR_NOT_FOUND, operation=Get Jobs
    [Mon Nov 13 09:39:57.443282 2023] [:warn] [pid 24655] IPP Operation error=CLNT_ERR_NOT_FOUND, operation=Get Jobs

    Here is the iPrintManage.log:
    [KLA][2023-11-13 09:58:19][INFO][thrd=0x00000001][@0] - Logger Started...
    [KLA][2023-11-13 09:58:19][INFO][thrd=0x00000001][?@?] - ApplicationController initialized...
    [KLA][2023-11-13 09:58:19][ERROR][thrd=0x00000001][@0] - DoHttpPost() : Web exception
    System.Net.WebException: Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden..
       bei System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       bei System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)
       bei System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
       bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       bei iPrint.Common.Net.Http.iPrintHttpRequest.<DoHttpPost>d__24.MoveNext()
    [KLA][2023-11-13 09:58:19][ERROR][thrd=0x00000001][?@?] - AdminLogin() : Login Failed. User: cn=admin,o=iPrintAppliance@iprint-klbg.evac.emg. Error :Failure

    Local User at Workstation is kla.

    Upload to driver-store with iprntcmd.exe is working.

  • 1. Apache log errors are normal and not related

    2. The  iPrintManage.log shows a failure ssl connection:

    Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden..

    Verify certificates on appliance, if usin third party, that the info in the SAN attribute of the server certificate can be resolve by this PC along with the ipsmd hostname and ldap cert is fine. Also if you're using any proxy or firewall, let the PC connect directly to the appliance. A lan trace on hte PC when duplicating the error may show as well if issue is during tls negotiation .

    A quick way to get a look at how appliance is configured is installing latest support plug in and generating an iPrintInfo -b file:

    zypper in -f supportutils-plugin-iprint

    then

    iPrintInfo -b

    authenticate using cn=admin,o=iprintappliance 

  • Wireshark show me this:

    Internet Protocol Version 4, Src: 192.168.73.19, Dst: 192.168.104.103
    Transmission Control Protocol, Src Port: 443, Dst Port: 33701, Seq: 1, Ack: 139, Len: 7
        Source Port: 443
        Destination Port: 33701
        [Stream index: 14]
        [Conversation completeness: Complete, WITH_DATA (31)]
        [TCP Segment Len: 7]
        Sequence Number: 1    (relative sequence number)
        Sequence Number (raw): 1318941041
        [Next Sequence Number: 8    (relative sequence number)]
        Acknowledgment Number: 139    (relative ack number)
        Acknowledgment number (raw): 1479361778
        0101 .... = Header Length: 20 bytes (5)
        Flags: 0x018 (PSH, ACK)
        Window: 501
        [Calculated window size: 64128]
        [Window size scaling factor: 128]
        Checksum: 0x5671 [unverified]
        [Checksum Status: Unverified]
        Urgent Pointer: 0
        [Timestamps]
        [SEQ/ACK analysis]
        TCP payload (7 bytes)
    Transport Layer Security
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

  • handshake failure. My previous comments are still valid.

  • Clearly some basic PKI level failing going on as Gonzalo points out and his directions stand

            Version: TLS 1.2 (0x0303)
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

    are these the actual boxes you are trying to connect, or is one an intermediary?
        Src: 192.168.73.19, Dst: 192.168.104.103

    the new system will most likely be TLS 1.2 and up, so if the client is having issue with that new a TLS or they just don't have a matching cypher, then there'd be issues.   openssl commands may be your tool kit here.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • Src is the actual iprint-appliance, dst is my workstation when using your notation.

    So my workstation (win10 Pro) has a problem to connect secure to the iprint-appliance, right?

    How to check with openssl?