
LDAP Authentication -401

I am having mixed results with iPrint authentication. Some users are
working, and some are not. Below is output from a dstrace and apache
debug. Both users have Unique IDs. The iPrint server is NW 6.5 SP6 with
the iPrint client 4.26.

A DSTRACE of the LDAP server shows:

Non-working
LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base:
"CN=username1,OU=Administration,O=clc" scope:0 derefence:3 sizelimit:0
timelimit:0 attrsonly:0 filter:
"(&(objectClass=user)(uid=*))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection
0x8295b760
LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request:
base: ""
scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter:
"(&(objectClass=user)(uid=CN=username1,OU=Administration,O=clc))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection
0x8295b760

Working
LDAP: [2007/05/01 11:22:16] Search request: base: "o=clc" scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0
filter: "(&(objectClass=user)(uid=username2))"
LDAP: [2007/05/01 11:22:16] Sending search result entry
"cn=username2,ou=ts,o=clc" to connection 0x82775460
LDAP: [2007/05/01 11:22:16] Sending operation result 0:"":"" to connection
0x82775460
LDAP: [2007/05/01 11:22:17] DoBind on connection 0x82775460

Apache2 debug shows:

[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(457): [client
10.0.18.36] [4] auth_ldapdn authenticate: using URL
ldaps://X.X.X.X:636/???(objectClass=user)

[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(478): [client
10.0.18.36] [4] auth_ldapdn authenticate: filter:
(&(objectClass=user)(uid=*))

[Mon May 07 11:12:23 2007] [warn] [client 10.0.18.36] [4] auth_ldapdn
authenticate: user CN=username1,OU=Administration,O=clc authentication
failed; URI /ipps/W222_Canon_C2880 [User not found][No such object]
[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(457): [client
10.0.18.36] [4] auth_ldapdn authenticate: using URL
ldaps://134.29.212.1:636/???(objectClass=user)

[Mon May 07 11:12:23 2007] [debug] mod_auth_ldapdn.c(478): [client
10.0.18.36] [4] auth_ldapdn authenticate: filter:
(&(objectClass=user)(uid=CN=username1,OU=Administration,O=clc))

[Mon May 07 11:12:23 2007] [warn] [client 10.0.18.36] [4] auth_ldapdn
authenticate: user CN=username1,OU=Administration,O=clc authentication
failed; URI /ipps/W222_Canon_C2880 [User not found][No such object]

[Mon May 07 11:12:23 2007] [error] [client 10.0.18.36] no acceptable
variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var


My IPP.CONF looks like:

# this is the default config for secure printing
<IfModule mod_ipp.c>
<Location /ipp>
Order deny,allow
Allow from all
</Location>

<Location /ipps>
Require valid-user
Order deny,allow
Allow from all
AuthType Basic
AuthName "CLC_ALPHA"
AuthLDAPURL "ldaps://X.X.X.X:636/???(objectClass=user)"
AuthLDAPRemoteUserIsDN on
<IfModule mod_auth_ldap.c>
AuthLDAPEnabled off
</IfModule>
AuthLDAPDNAuthoritative on
AuthLDAPAllowDNAuth on
</Location>
</IfModule>

0 Likes

Re: LDAP Authentication -401

Chris,

The non working request really looks odd. Have the working and the non
working requests been done from the same workstation?
Is CN=username1,OU=Administration,O=clc the correct name for your non
working user?
--
Marcel Cox [SysOp]
http://support.novell.com/forums

0 Likes

Re: LDAP Authentication -401

Yes, they are both from the same workstation. Yes, "username1" will not
authenticate. Any help is greatly appreciated.

Chris


On Wed, 09 May 2007 16:00:08 +0200, Marcel Cox wrote:

> Chris,
>
> The non working request really looks odd. Have the working and the non
> working requests been done from the same workstation?
> Is CN=username1,OU=Administration,O=clc the correct name for your non
> working user?


0 Likes

Re: LDAP Authentication -401

C Staples wrote:

>Yes, "username1" will not
>authenticate.


But is the container information for username1 correct?
Also, is there any difference how you login username1 and username2? For
instance, what do you enter in the login box? Just the short name or the
complete name including context information?

--
Marcel Cox
http://support.novell.com/forums
0 Likes

Re: LDAP Authentication -401

username1 resides in a different OU than username2. I have tried using the
CN at the NWGina, short name and any other name I can think of. Same goes
for the iPrint authentication box.


On Fri, 11 May 2007 07:09:40 +0000, Marcel Cox wrote:

> C Staples wrote:
>
>>Yes, "username1" will not
>>authenticate.

>
> But is the container information for username1 correct?
> Also, is there any difference how you login username1 and username2? For
> instance, what do you enter in the login box? Just the short name or the
> complete name including context information?


0 Likes

Re: LDAP Authentication -401

What's puzzling is that the working and the non working case produce
completely different LDAP requests. I'm trying to figure out why these 2
behave so differently.
BTW are both users actually authorized to access your printer?

--
Marcel Cox (using XanaNews 1.18.1.6)
0 Likes

Re: LDAP Authentication -401

I believe I have it fixed. I was able to narrow it down this morning to users
only in the specific container having the issue. I removed and
re-established public rights to that container (to browse for LDAP) and it
is working.

On Fri, 11 May 2007 19:26:40 +0000, Marcel Cox wrote:

> What's puzzling is that the working and the non working case produce
> completely different LDAP requests. I'm trying to figure out why these 2
> behave so differently.
> BTW are both users actually authorized to access your printer?


0 Likes

Re: LDAP Authentication -401

I'm having the same issue - same LDAP sequence for failure (base=CNxxxxx,
then uid=CNxxxx), same LDAP sequence for those that work (base=CNxxxx, Send
search result entry, DoBind).

On the failures, it would appear LDAP does not return a result as the LDAP
log is missing: "LDAP: [2007/05/20 11:28:47] Sending search result entry"

The kicker with the issue here is that it appears to be related to DLU
accounts. When any DLU account uses a computer for the *first* time, we get
the LDAP failure sequence (on top of that the apache log says "Empty
password not allowed" with the correct user name - as if it's not passing
the user password along with the request?).

I tell them to cancel the iprint dialogs and then log out and login again.
Then, they work without seeing an iprint login dialog on that computer.

Can I do something to make the login work the first time? This is a major
issue as we have students that use a lot of different computers.



"Marcel Cox" <cimetmc@myrealbox.com> wrote in message
news:Qr31i.339$Gp4.319@prv-forum2.provo.novell.com...
> What's puzzling is that the working and the non working case produce
> completely different LDAP requests. I'm trying to figure out why these 2
> behave so differently.
> BTW are both users actually authorized to access your printer?
>
> --
> Marcel Cox (using XanaNews 1.18.1.6)



0 Likes
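The check described in the post above (a failing lookup shows no "Sending search result entry" before the operation result), applied to the traces quoted in this thread; this is an added example, not part of the original posts. The function names are hypothetical, and it assumes the trace is not interleaved with searches from other connections.

```python
import re

# Constructed sample: the failing and working traces quoted in this thread,
# with some of the news-client line wrapping kept to show it is tolerated.
SAMPLE = '''\
LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base:
"CN=username1,OU=Administration,O=clc" scope:0 derefence:3 sizelimit:0
timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=*))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection
0x8295b760 LDAP: [2007/05/07 11:11:51] DoSearch on connection 0x8295b760
LDAP: [2007/05/07 11:11:51] Search request: base: "" scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=CN=username1,OU=Administration,O=clc))"
LDAP: [2007/05/07 11:11:51] Sending operation result 0:"":"" to connection 0x8295b760
LDAP: [2007/05/01 11:22:16] Search request: base: "o=clc" scope:2 derefence:3 sizelimit:0 timelimit:0 attrsonly:0 filter: "(&(objectClass=user)(uid=username2))"
LDAP: [2007/05/01 11:22:16] Sending search result entry "cn=username2,ou=ts,o=clc" to connection 0x82775460
LDAP: [2007/05/01 11:22:16] Sending operation result 0:"":"" to connection 0x82775460
LDAP: [2007/05/01 11:22:17] DoBind on connection 0x82775460
'''

RECORD = re.compile(r'LDAP: \[[^\]]+\]')
SEARCH = re.compile(r'Search request: base: "([^"]*)" scope:(\d).*?filter: "([^"]*)"')
DN_AS_UID = re.compile(r'\(uid=[^)]*=[^)]*\)')  # uid value that itself looks like a DN

def records(trace):
    """Re-join wrapped or run-together lines: one string per timestamped record."""
    return [' '.join(part.split()) for part in RECORD.split(trace)[1:]]

def searches(trace):
    """One dict per search request, with the number of entries the server sent back."""
    out, current = [], None
    for rec in records(trace):
        m = SEARCH.search(rec)
        if m:
            current = {'base': m.group(1), 'scope': int(m.group(2)),
                       'filter': m.group(3), 'entries': 0, 'rc': None,
                       'dn_as_uid': bool(DN_AS_UID.search(m.group(3)))}
            out.append(current)
        elif current and rec.startswith('Sending search result entry'):
            current['entries'] += 1
        elif current and rec.startswith('Sending operation result'):
            current['rc'] = int(rec.split()[3].split(':')[0])  # the 0 in 0:"":""
            current = None
    return out

def silent_misses(trace):
    """Searches that finished with result 0 (success) yet returned no entry."""
    return [s for s in searches(trace) if s['rc'] == 0 and s['entries'] == 0]
```
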

Re: LDAP Authentication -401

How did you do that? It seems it is the same issue we have, can you
explain a bit more?


0 Likes

Re: LDAP Authentication -401

grpadmin wrote:
> How did you do that? It seems it is the same issue we have, can you
> explain a bit more?


Same question. I have tried, and re-tried everything, but haven't got
authentication to work properly. It is clearly some sort of
LDAP-problem, but I haven't been able to figure out what.

Timo Pietilä
0 Likes