Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
Anonymous_User Absent Member.
Absent Member.
1590 views

iPrint and LDAP.

Hi all.

I'm searching info about how this LDAP-stuff really works with iPrint.
What exactly does it look at e-dir and how iPrint server handles them
and that kind of stuff. And how that Novell client integration works.
Credentials are passed to iPrint client which way?

What I'm trying to figure out is why iPrint needs UniqueID when e-dir
could return fully qualified ldap name (like
cn=user,ou=department,o=treeroot) based on what novell client knows
about that user. Using attribute that might not even exists, and what
isn't even unambiguous seems like a stupid idea for me. If it is
possible to disable "username (LDAP)", and instead use "username
LDAP_DN), then I might be able to solve my problems. If that is the
problem. Based on answers I have got (0) nobody seems to know how to
debug iPrint.

Timo Pietilä
0 Likes
3 Replies
Anonymous_User Absent Member.
Absent Member.

iPrint and LDAP.

iPrint makes use of Apache for all of its request/responses and Apache
makes use of auth_ldap. When secure printing is used we make use of
SSL/TLS and the Apache module then uses LDAP to authenticate the user with
eDir. We have modified a module that loads with Apache and provides a
capability of doing LDAP_DN style names to work around the flat directory
structure that LDAP makes use of (otherwise LDAP would require that all
names on the network be unique).

That being said, the newest iPrint clients will attempt to send an LDAP_DN
style credential to the server if the server version is at least NW65/SP4
(otherwise it defaults to LDAP). The iPrint client has a registered login
extension with client32 to grab the eDir login name. The iPrint client
then puts the eDir name into an LDAP_DN style and uses this name to talk
to the server. Hope this helps.


> Hi all.
>
> I'm searching info about how this LDAP-stuff really works with iPrint.
> What exactly does it look at e-dir and how iPrint server handles them
> and that kind of stuff. And how that Novell client integration works.
> Credentials are passed to iPrint client which way?
>
> What I'm trying to figure out is why iPrint needs UniqueID when e-dir
> could return fully qualified ldap name (like
> cn=user,ou=department,o=treeroot) based on what novell client knows
> about that user. Using attribute that might not even exists, and what
> isn't even unambiguous seems like a stupid idea for me. If it is
> possible to disable "username (LDAP)", and instead use "username
> LDAP_DN), then I might be able to solve my problems. If that is the
> problem. Based on answers I have got (0) nobody seems to know how to
> debug iPrint.
>
> Timo Pietilä


0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: iPrint and LDAP.

iprint@novell.com wrote:
> iPrint makes use of Apache for all of its request/responses and Apache
> makes use of auth_ldap. When secure printing is used we make use of
> SSL/TLS and the Apache module then uses LDAP to authenticate the user with
> eDir. We have modified a module that loads with Apache and provides a
> capability of doing LDAP_DN style names to work around the flat directory
> structure that LDAP makes use of (otherwise LDAP would require that all
> names on the network be unique).
>
> That being said, the newest iPrint clients will attempt to send an LDAP_DN
> style credential to the server if the server version is at least NW65/SP4
> (otherwise it defaults to LDAP). The iPrint client has a registered login
> extension with client32 to grab the eDir login name. The iPrint client
> then puts the eDir name into an LDAP_DN style and uses this name to talk
> to the server. Hope this helps.


Thanks. This was very illuminating description. If iPrint client uses
LDAP_DN instead of LDAP, then I'm very puzzled why it fails to
authenticate every now and then, while novell client login goes thru
without problem. We have pretty much latest SP:s, clients and all that
stuff, so those shouldn't be problem, and I have checked and rechecked
all configurations around 100 times by now.

When iPrint login fails there is long delay between client login going
thru, and login script appearing. Some sort timing issue? Network
problem that causes LDAP_DN to fail and client reverts back to use LDAP
(and fails)?

I'm out of clues what to do.

Major pain is that this isn't happening all of time. Only now and then.
It would be quite a bit easier to debug if I could reproduce this every
time.

Timo Pietilä
0 Likes
Anonymous_User Absent Member.
Absent Member.

Re: iPrint and LDAP.

Timo Pietilä wrote:
> iprint@novell.com wrote:
>> iPrint makes use of Apache for all of its request/responses and Apache
>> makes use of auth_ldap. When secure printing is used we make use of
>> SSL/TLS and the Apache module then uses LDAP to authenticate the user
>> with eDir. We have modified a module that loads with Apache and
>> provides a capability of doing LDAP_DN style names to work around the
>> flat directory structure that LDAP makes use of (otherwise LDAP would
>> require that all names on the network be unique).
>>
>> That being said, the newest iPrint clients will attempt to send an
>> LDAP_DN style credential to the server if the server version is at
>> least NW65/SP4 (otherwise it defaults to LDAP). The iPrint client has
>> a registered login extension with client32 to grab the eDir login
>> name. The iPrint client then puts the eDir name into an LDAP_DN style
>> and uses this name to talk to the server. Hope this helps.

>
> Thanks. This was very illuminating description. If iPrint client uses
> LDAP_DN instead of LDAP, then I'm very puzzled why it fails to
> authenticate every now and then, while novell client login goes thru
> without problem. We have pretty much latest SP:s, clients and all that
> stuff, so those shouldn't be problem, and I have checked and rechecked
> all configurations around 100 times by now.
>
> When iPrint login fails there is long delay between client login going
> thru, and login script appearing. Some sort timing issue? Network
> problem that causes LDAP_DN to fail and client reverts back to use LDAP
> (and fails)?


I did a ipptrace and there is line that says "IppSendSimpleRequest
FAILED" just after that long delay (53671ms - 116062ms). Ipptrace for
nwlscrpt.exe shows no errors, but starting time is oddly late (delay
begins at 53671ms nwlscrpt.exe trace begins at 112796ms)

And when I get that authentication box I can just ignore it, minimize it
or do whatever I want *except* put any username or password to it and
printing still works. IPrint client does get correct credentials and
eventually does also authenticate with them, but not at login-time.

Any ideas what's going on? This might be a genuine bug in software.

Timo Pietilä
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.