Anonymous_User

2007-05-07
17:25
1785 views
LDAP Authentication -401
I am having mixed results with iPrint authentication. Some users are
working, and some are not. Below is output from a dstrace and apache
debug. Both users have Unique ID's. The iPrint server is NW 6.5 SP6 with
the iPrint client 4.26.
A DSTRACE of the LDAP server shows:
Non-working
LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base: "CN=username1,OU=Administration,O=clc" scope:0 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=*))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection 0x8295b760
LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base: "" scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=CN=username1,OU=Administration,O=clc))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection 0x8295b760
Working
LDAP: [2007/05/01 11:22:16] Search request: base: "o=clc" scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=username2))"
LDAP: [2007/05/01 11:22:16] Sending search result entry "cn=username2,ou=ts,o=clc" to connection 0x82775460
LDAP: [2007/05/01 11:22:16] Sending operation result 0:"":"" to connection 0x82775460
LDAP: [2007/05/01 11:22:17] DoBind on connection 0x82775460
Apache2 debug shows:
[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(457): [client 10.0.18.36] [4] auth_ldapdn authenticate: using URL ldaps://X.X.X.X:636/???(objectClass=user)
[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(478): [client 10.0.18.36] [4] auth_ldapdn authenticate: filter: (&(objectClass=user)(uid=*))
[Mon May 07 11:12:23 2007] [warn] [client 10.0.18.36] [4] auth_ldapdn authenticate: user CN=username1,OU=Administration,O=clc authentication failed; URI /ipps/W222_Canon_C2880 [User not found][No such object]
[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(457): [client 10.0.18.36] [4] auth_ldapdn authenticate: using URL ldaps://134.29.212.1:636/???(objectClass=user)
[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(478): [client 10.0.18.36] [4] auth_ldapdn authenticate: filter: (&(objectClass=user)(uid=CN=username1,OU=Administration,O=clc))
[Mon May 07 11:12:23 2007] [warn] [client 10.0.18.36] [4] auth_ldapdn authenticate: user CN=username1,OU=Administration,O=clc authentication failed; URI /ipps/W222_Canon_C2880 [User not found][No such object]
[Mon May 07 11:12:23 2007] [error] [client 10.0.18.36] no acceptable variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var
My IPP.CONF looks like:
# this is the default config for secure printing
<IfModule mod_ipp.c>
    <Location /ipp>
        Order deny,allow
        Allow from all
    </Location>
    <Location /ipps>
        Require valid-user
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "CLC_ALPHA"
        AuthLDAPURL "ldaps://X.X.X.X:636/???(objectClass=user)"
        AuthLDAPRemoteUserIsDN on
        <IfModule mod_auth_ldap.c>
            AuthLDAPEnabled off
        </IfModule>
        AuthLDAPDNAuthoritative on
        AuthLDAPAllowDNAuth on
    </Location>
</IfModule>
9 Replies
Anonymous_User

2007-05-09
15:00
Re: LDAP Authentication -401
Chris,
The non working request really looks odd. Have the working and the non
working requests been done from the same workstation?
Is CN=username1,OU=Administration,O=clc the correct name for your non
working user?
--
Marcel Cox [SysOp]
http://support.novell.com/forums
Anonymous_User

2007-05-10
15:36
Re: LDAP Authentication -401
Yes, they are both from the same workstation. Yes, "username1" will not
authenticate. Any help is greatly appreciated.
Chris
On Wed, 09 May 2007 16:00:08 +0200, Marcel Cox wrote:
> Chris,
>
> The non working request really looks odd. Have the working and the non
> working requests been done from the same workstation?
> Is CN=username1,OU=Administration,O=clc the correct name for your non
> working user?
Anonymous_User

2007-05-11
08:09
Re: LDAP Authentication -401
C Staples wrote:
>Yes, "username1" will not
>authenticate.
But is the container information for username1 correct?
Also, is there any difference how you login username1 and username2? For
instance, what do you enter in the login box? Just the short name or the
complete name including context information?
--
Marcel Cox
http://support.novell.com/forums
Anonymous_User

2007-05-11
17:06
Re: LDAP Authentication -401
username1 resides in a different OU than username2. I have tried using the
CN at the NWGina, short name and any other name I can think of. Same goes
for the iPrint authentication box.
On Fri, 11 May 2007 07:09:40 +0000, Marcel Cox wrote:
> C Staples wrote:
>
>>Yes, "username1" will not
>>authenticate.
>
> But is the container information for username1 correct?
> Also, is there any difference how you login username1 and username2? For
> instance, what do you enter in the login box? Just the short name or the
> complete name including context information?
Anonymous_User

2007-05-11
20:26
Re: LDAP Authentication -401
What's puzzling is that the working and the non working case produce
completely different LDAP requests. I'm trying to figure out why these 2
behave so differently.
BTW are both users actually authorized to access your printer?
--
Marcel Cox (using XanaNews 1.18.1.6)
Anonymous_User

2007-05-11
20:43
Re: LDAP Authentication -401
I believe I have it fixed. I was able to narrow it down this morning to users
only in the specific container having the issue. I removed and
re-established public rights to that container (to browse for LDAP) and it
is working.
On Fri, 11 May 2007 19:26:40 +0000, Marcel Cox wrote:
> What's puzzling is that the working and the non working case produce
> completely different LDAP requests. I'm trying to figure out why these 2
> behave so differently.
> BTW are both users actually authorized to access your printer?
Anonymous_User

2007-05-23
22:26
Re: LDAP Authentication -401
I'm having the same issue - same LDAP sequence for failure (base=CNxxxxx,
then uid=CNxxxx), same LDAP sequence for those that work (base=CNxxxx, Send
search result entry, DoBind).
On the failures, it would appear LDAP does not return a result as the LDAP
log is missing: "LDAP: [2007/05/20 11:28:47] Sending search result entry"
The kicker with the issue here is that it appears to be related to DLU
accounts. When any DLU account uses a computer for the *first* time, we get
the LDAP failure sequence (on top of that the apache log says "Empty
password not allowed" with the correct user name - as if it's not passing
the user password along with the request?).
I tell them to cancel the iprint dialogs and then log out and login again.
Then, they work without seeing an iprint login dialog on that computer.
Can I do something to make the login work the first time? This is a major
issue as we have students that use a lot of different computers.
"Marcel Cox" <cimetmc@myrealbox.com> wrote in message
news:Qr31i.339$Gp4.319@prv-forum2.provo.novell.com...
> What's puzzling is that the working and the non working case produce
> completely different LDAP requests. I'm trying to figure out why these 2
> behave so differently.
> BTW are both users actually authorized to access your printer?
>
> --
> Marcel Cox (using XanaNews 1.18.1.6)
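The symptom described in this thread, a search that ends with operation result 0 but never logs "Sending search result entry", can be picked out of a DSTRACE capture mechanically. The following is an added example, not part of any poster's message: the function names are hypothetical, the sample is constructed from the trace layout quoted in the first post, and the container it reports is where the rights change described earlier in the thread would be checked.

```python
import re
# Constructed sample: the DSTRACE layout quoted in the first post, line wraps included.
SAMPLE = '''LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base:
"CN=username1,OU=Administration,O=clc" scope:0 derefence:3 sizelimit:0
timelimit:0 attrsonly:0 filter:
"(&(objectClass=user)(uid=*))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection
0x8295b760 LDAP: [2007/05/01 11:22:16] Search request: base: "o=clc" scope:2
derefence:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectClass=user)(uid=username2))"
LDAP: [2007/05/01 11:22:16] Sending search result entry
"cn=username2,ou=ts,o=clc" to connection 0x82775460
LDAP: [2007/05/01 11:22:16] Sending operation result 0:"":"" to connection
0x82775460
'''

EVENT = re.compile(r'(?=LDAP: \[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\])')
SEARCH = re.compile(r'Search request: base: "([^"]*)" scope:(\d).*?filter: "([^"]*)"')
ENTRY = re.compile(r'Sending search result entry "')
RESULT = re.compile(r'Sending operation result (\d+):')

def empty_searches(trace):
    """Searches that ended with result 0 (success) yet returned no entry."""
    # Assumption: events of one connection in order ("Search request" has no connection id).
    events = EVENT.split(' '.join(trace.split()))  # undo line wrapping, one event per item
    pending, entries, flagged = None, 0, []
    for ev in events:
        m = SEARCH.search(ev)
        if m:
            pending, entries = {'base': m[1], 'scope': int(m[2]), 'filter': m[3]}, 0
        elif ENTRY.search(ev):
            entries += 1
        else:
            r = RESULT.search(ev)
            if r and pending:
                if r[1] == '0' and entries == 0:
                    flagged.append(pending)
                pending = None
    return flagged

def containers_to_check(trace):
    """Parent containers of DNs whose base-scope (scope:0) lookup came back empty.
    Splits on the first comma, so it assumes the leading RDN holds no escaped comma."""
    return sorted({s['base'].split(',', 1)[1] for s in empty_searches(trace)
                   if s['scope'] == 0 and ',' in s['base']})

if __name__ == '__main__':
    print(empty_searches(SAMPLE), containers_to_check(SAMPLE))
```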
Anonymous_User

2007-05-24
06:05
Re: LDAP Authentication -401
How did you do that, it seems it is the same issue we have, can you
explain a bit more?
Anonymous_User

2007-05-28
09:36
Re: LDAP Authentication -401
grpadmin wrote:
> How did you do that, it seems it is the same issue we have, can you
> explain a bit more?
Same question. I have tried, and re-tried everything, but haven't got
authentication to work properly. It is clearly some sort of
LDAP-problem, but I haven't been able to figure out what.
Timo Pietilä