iPrint management via iPrint-Client: which account is needed?

I am trying to manage an iPrint environment via the iPrint-Client, because iPrint management via iManager is broken in OES2023.

Which account should I use to access the manager? cn=admin,o=MyOrg is not working.

(The host that runs the iprtmgr has no eDir replica)

  • 0

    I upgraded my iprint-appliance from 3.x to 23.04 and tried to manage the printer driver via iprint-client.
    I'm logged in to the appliance tree as admin (also shown in iprint-client) and I am getting the login window. What credentials should I use?
    Server <ip of appliance>, User: cn=admin,o=iPrintAppliance doesn't work.

    Any hints for me?

  • 0 in reply to 

    "The credentials are not valid"

  • 0   in reply to 

    1. The user is the one set in the print manager's manager role; on the appliance it is cn=admin,o=iprintappliance

    2. Use the iPrint client version 6.24.0

    3. Check the C:\NDPS\Users\User name\iPrintManage.exe\*.log file to see what error it gives

    4. Check /var/log/apache2/error_log to see what error it gives

    5. I hope you did not change the admin user password in iManager on the appliance

  • 0 in reply to   

    Here is the apache-log:

    No entries at the time of the login attempt.

    But I found this from time to time:
    [Mon Nov 13 09:39:41.581716 2023] [:error] [pid 28884] BindPsm : NDPS object not found
    [Mon Nov 13 09:39:56.542407 2023] [:warn] [pid 19931] IPP Operation error=CLNT_ERR_NOT_FOUND, operation=Get Jobs
    [Mon Nov 13 09:39:57.443282 2023] [:warn] [pid 24655] IPP Operation error=CLNT_ERR_NOT_FOUND, operation=Get Jobs

    Here is the iPrintManage.log:
    [KLA][2023-11-13 09:58:19][INFO][thrd=0x00000001][@0] - Logger Started...
    [KLA][2023-11-13 09:58:19][INFO][thrd=0x00000001][?@?] - ApplicationController initialized...
    [KLA][2023-11-13 09:58:19][ERROR][thrd=0x00000001][@0] - DoHttpPost() : Web exception
    System.Net.WebException: Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden..
       bei System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext& context)
       bei System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)
       bei System.Threading.Tasks.TaskFactory`1.FromAsyncCoreLogic(IAsyncResult iar, Func`2 endFunction, Action`1 endAction, Task`1 promise, Boolean requiresSynchronization)
    --- Ende der Stapelüberwachung vom vorhergehenden Ort, an dem die Ausnahme ausgelöst wurde ---
       bei System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
       bei iPrint.Common.Net.Http.iPrintHttpRequest.<DoHttpPost>d__24.MoveNext()
    [KLA][2023-11-13 09:58:19][ERROR][thrd=0x00000001][?@?] - AdminLogin() : Login Failed. User: cn=admin,o=iPrintAppliance@iprint-klbg.evac.emg. Error :Failure

    Local User at Workstation is kla.

    Upload to driver-store with iprntcmd.exe is working.

  • 0   in reply to 

    1. The Apache log errors are normal and not related

    2. The iPrintManage.log shows a failed SSL connection:

    Die Anfrage wurde abgebrochen: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden..

    Verify the certificates on the appliance: if using third party, that the info in the SAN attribute of the server certificate can be resolved by this PC along with the ipsmd hostname, and that the LDAP cert is fine. Also, if you're using any proxy or firewall, let the PC connect directly to the appliance. A LAN trace on the PC when duplicating the error may also show whether the issue is during TLS negotiation.

    A quick way to get a look at how the appliance is configured is installing the latest support plug-in and generating an iPrintInfo -b file:

    zypper in -f supportutils-plugin-iprint

    then

    iPrintInfo -b

    authenticate using cn=admin,o=iprintappliance 

  • 0 in reply to   

    Wireshark shows me this:

    Internet Protocol Version 4, Src: 192.168.73.19, Dst: 192.168.104.103
    Transmission Control Protocol, Src Port: 443, Dst Port: 33701, Seq: 1, Ack: 139, Len: 7
        Source Port: 443
        Destination Port: 33701
        [Stream index: 14]
        [Conversation completeness: Complete, WITH_DATA (31)]
        [TCP Segment Len: 7]
        Sequence Number: 1    (relative sequence number)
        Sequence Number (raw): 1318941041
        [Next Sequence Number: 8    (relative sequence number)]
        Acknowledgment Number: 139    (relative ack number)
        Acknowledgment number (raw): 1479361778
        0101 .... = Header Length: 20 bytes (5)
        Flags: 0x018 (PSH, ACK)
        Window: 501
        [Calculated window size: 64128]
        [Window size scaling factor: 128]
        Checksum: 0x5671 [unverified]
        [Checksum Status: Unverified]
        Urgent Pointer: 0
        [Timestamps]
        [SEQ/ACK analysis]
        TCP payload (7 bytes)
    Transport Layer Security
        TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 2
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

  • 0   in reply to 

    handshake failure. My previous comments are still valid.

  • 0   in reply to 

    Clearly some basic PKI-level failure is going on, as Gonzalo points out, and his directions stand

            Version: TLS 1.2 (0x0303)
            Alert Message
                Level: Fatal (2)
                Description: Handshake Failure (40)

    Are these the actual boxes you are trying to connect, or is one an intermediary?
        Src: 192.168.73.19, Dst: 192.168.104.103

    The new system will most likely be TLS 1.2 and up, so if the client is having an issue with that new a TLS, or they just don't have a matching cipher, then there'd be issues. openssl commands may be your toolkit here.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.

  • 0 in reply to   

    Src is the actual iprint-appliance, dst is my workstation, when using your notation.

    So my workstation (Win10 Pro) has a problem connecting securely to the iprint-appliance, right?

    How do I check with openssl?

  • Suggested Answer

    0   in reply to 

    Assuming you are running from Linux; I don't have a Windows instance of openssl at the moment, where the syntax may be different.

    To check general bits such as the SAN and the dates of the server's cert:
    #     openssl s_client -connect ip.addr.goes.here:443 -showcerts | openssl x509 -text

    To check if the server can work with a given level of TLS:
        (the last part you swap out between -tls1_2|-tls1_1|-tls1 to check which it supports or otherwise)
    #     openssl s_client -connect ip.addr.goes.here:443 -tls1_2

    So if the server only supports tls1_2, and the client can't handle it (up to date Win10+ should be able to), then we'd have to tell Apache to stop blocking the older TLS.
    In /etc/apache2/ssl-global.conf
    change
            SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    to
           # SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
            SSLProtocol all -SSLv3 -TLSv1


    (The host that runs the iprtmgr has no eDir replica)

    If that is your case as well, would it be possible to put a replica there?  I've generally been able to put at least one that helps things along a lot.

    ________________________

    Andy of KonecnyConsulting.ca in Toronto
    Please use the "Like" and/or "Verified Answers" as appropriate as that helps us all.
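
Added example, not part of the original thread: a small Python decoder for the plaintext TLS alert record seen in the Wireshark capture, reporting which side sent it and what the alert code means, as a first triage step before the openssl checks. The sample bytes are rebuilt from the dissected fields in the capture, and the alert table is a subset of RFC 5246 / RFC 6066; the function and field names are this example's own.

```python
import struct

ALERT = 21  # TLS record content type "alert"
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
LEVELS = {1: "warning", 2: "fatal"}
# Alert description -> (name, what the sender is saying); subset of RFC 5246 / RFC 6066.
ALERTS = {
    40: ("handshake_failure", "sender could not negotiate an acceptable set of "
         "security parameters (for example no shared cipher suite)"),
    42: ("bad_certificate", "sender found the peer's certificate corrupt or badly signed"),
    45: ("certificate_expired", "sender sees the peer's certificate as expired"),
    48: ("unknown_ca", "sender does not trust the CA that issued the certificate"),
    70: ("protocol_version", "sender does not support the offered TLS version"),
    71: ("insufficient_security", "sender requires stronger ciphers than offered"),
    112: ("unrecognized_name", "sender does not know the requested SNI name"),
}


def decode_alert(record: bytes, src_port: int, server_port: int = 443) -> dict:
    """Decode one plaintext TLS alert record and say which side sent it."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, version, length = struct.unpack("!BHH", record[:5])
    if ctype != ALERT:
        raise ValueError(f"content type {ctype} is not an alert")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        # Alerts sent after the key exchange are encrypted and longer than 2 bytes.
        raise ValueError("not a 2-byte plaintext alert (encrypted or truncated)")
    level, code = body
    name, meaning = ALERTS.get(code, (f"alert_{code}", "not in this table"))
    return {
        "sent_by": "server" if src_port == server_port else "client",
        "record_version": VERSIONS.get(version, hex(version)),
        "level": LEVELS.get(level, str(level)),
        "alert": name,
        "meaning": meaning,
    }


# Constructed sample: the 7-byte TCP payload rebuilt from the dissected fields
# in the capture (type 21, version 0x0303, length 2, level 2, description 40).
SAMPLE = bytes.fromhex("15030300020228")

if __name__ == "__main__":
    for key, value in decode_alert(SAMPLE, src_port=443).items():
        print(f"{key:15} {value}")
```

For the captured record this reports a fatal handshake_failure sent by the server side (source port 443), which is the side whose accepted protocol versions and ciphers the `openssl s_client` checks above probe.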