Environment
Situation
Fail to authenticate with secure iPrint even though entering correct credentials.
Fail to authenticate when installing SSL iPrint printer.
Error 401
Resolution
This solution requires the following steps:
- Export LDIF
- Modify LDIF Export
- Import Modified LDIF
- (Optional) Confirm Results
Step 1. Export all users missing the uniqueID attribute.
a. Open ConsoleOne, click Wizards -> NDS Import/Export
b. Choose "Export LDIF File" radio button, click Next
c. Populate "Server DNS Name/IP Address" field and Port 389
d. Choose "Authenticated Login" radio button. Fill in
username/password information, click Next
e. Populate "Base DN" field with top level Organization. Example:
o=novell
f. Choose "Sub Tree" radio button.
g. Filter Tab, delete the text in the Search Filter field and add
the following:
(&(objectclass=user)(!(uid=*)))
h. Attributes Tab, Choose the "Entry names only (don't get
attributes)" radio button, click Next
i. Choose a file name for LDIF File. For example: myfile.ldif. The
default save location is public\mgmt\ConsoleOne\1.2\bin, click Next
and Finish.
Open the exported LDIF file using NotePad or other editor and ensure the entries you intend to give uniqueID attributes are listed. If you don't want some of the entries to receive the uniqueID attribute, then remove the entire line and the following blank line. There must be only one blank line between entries.
Step 2: Populate uniqueID to the entries in the exported LDIF.
a. Download a Perl package to workstation. While Novell does not
recommend any specific Perl package, this process has been known to
be successful using Active Perl from www.activestate.com.
b. Create a Perl script named UID.PL using the instructions in the
Additional Information section of this TID. Save the file to your
Windows workstation, for example C:\test
c. Copy the exported LDIF file to the same location as the Perl
Script. The default save location for the exported LDIF file is
public\mgmt\ConsoleOne\1.2\bin
d. Open a Command prompt
e. Change Directory to the folder with the Perl script.
f. Type the following in the CMD box:
PERL UID.PL MYFILE.LDIF (MYFILE.LDIF being the file exported in Step 1 above)
A file named UID.LDIF will be created in the same directory. The Perl script will populate the uniqueID attribute with the user's CN.
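Because the script sets uid to each entry's CN, and a CN is only unique within its own container, two users in different contexts can receive the same uid. The following Perl check is an added example, not part of the original TID: it reads the generated uid.ldif (or a constructed sample when run without arguments) and lists every uid value that would be assigned to more than one DN. The ou=HR entry in the sample is constructed for illustration.

```perl
# Added example: report uid values that uid.ldif would assign to more than one entry.
use strict;
use warnings;

# Returns a hash ref (lower-cased uid => list of DNs receiving it), restricted
# to values that appear on more than one entry.
sub duplicate_uids {
    my ($fh) = @_;
    my (%dns_for, $dn);
    while (my $line = <$fh>) {
        $line =~ s/\r?\n\z//;                  # tolerate Windows line endings
        if ($line =~ /^dn:\s*(.+)$/i) {
            $dn = $1;
        } elsif ($line =~ /^uid:\s*(.+?)\s*$/i && defined $dn) {
            push @{ $dns_for{ lc $1 } }, $dn;  # uid matching is case-insensitive in LDAP
        } elsif ($line eq '') {
            undef $dn;                         # a blank line ends the record
        }
    }
    my %dups = map  { $_ => $dns_for{$_} }
               grep { @{ $dns_for{$_} } > 1 } keys %dns_for;
    return \%dups;
}

# Constructed sample in the format written by UID.PL; used when no file is given.
my $sample = <<'LDIF';
dn: cn=bob,ou=ISD,ou=ADM,o=NOVELL
changetype: modify
add: uid
uid: bob

dn: cn=bob,ou=HR,o=NOVELL
changetype: modify
add: uid
uid: bob
LDIF

my $fh;
if (@ARGV) {
    open($fh, '<', $ARGV[0]) or die "Can't open $ARGV[0]: $!\n";
} else {
    open($fh, '<', \$sample) or die "Can't read sample: $!\n";
}
my $dups = duplicate_uids($fh);
close $fh;
for my $uid (sort keys %$dups) {
    print "uid '$uid' would be assigned to:\n";
    print "  $_\n" for @{ $dups->{$uid} };
}
print "No duplicate uid values found\n" unless %$dups;
```

Run it as PERL CHECKUID.PL UID.LDIF (the script name is hypothetical) before Step 3, and edit the uid value of any entry it lists so that each one is unique.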
Step 3: Import updated LDIF File
a. Open ConsoleOne, click Wizards -> NDS Import/Export
b. Choose "Import LDIF File" radio button, click Next
c. Browse to the UID.LDIF, click Next
d. Populate "Server DNS Name/IP Address" field and Port 389
e. Choose "Authenticated Login" radio button. Fill in
username/password information, click Next and Finish
(Optional) Step 4: Confirm users received the uniqueID attribute.
a. Open ConsoleOne.
b. Open the properties of a user object that previously did not
have the uniqueID attribute.
c. Click the "Other" tab.
d. Look for the uniqueID attribute.
Fix #2: Manually add the uniqueID attribute to the user. This can be done through iManager or ConsoleOne.
iManager:
- Modify Object
- Browse for user object name and click OK
- Click the "Other link" within the "Other" tab.
- Move the attribute of uniqueID from the Unvalued Attributes
column to the Valued Attributes column. During the move, you are
prompted to enter a value. A typical value would be the user ID
name, however, be sure that the name is unique. For this reason, it
may be best to use something such as an email address name. The
user will need to know the value you entered to authenticate when
using secure iPrint.
ConsoleOne:
- Other tab
- Highlight "Attributes"
- Click Add
- Highlight uniqueID, click OK
- Add a value. A typical value would be the user ID name, however,
be sure that the name is unique. For this reason, it may be best to
use something such as an email address name. The user will need to
know the value you entered to authenticate when using secure
iPrint.
- Click OK
Follow the fix statement found in TID 3696528 - Error: "HTTP 401 - Unauthorized." when uploading drivers to the Broker.
This can be corrected by doing one of the following:
a. Remove the alias object
b. Follow TID 10083497 - NAM 3.0: LDAP error 16 in agent log files with alias objects to dereference aliases when resolving names, or
c. Add the following line in the iPrint server's Apache2\iprint\ipp.conf file under the AuthLDAPURL line:
Then, restart apache with the following commands:
ap2webdn
ap2webup
Additional Information
The above message can also be returned even if the uniqueID exists (which is required for SSL iPrint) and an ALIAS object exists for the user object. An LDAP trace reveals that the LDAP server returns the user information twice when an . Example below:
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
The iPrint client cannot handle the duplicate response.
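To find this symptom in a longer LDAP trace, the following Perl sketch (an added example, not part of the original TID) counts "Sending search result entry" lines and reports any entry sent more than once to the same client, operation and connection. The first two sample lines are the ones shown above; the third is constructed, and the trace file name passed on the command line is up to you.

```perl
# Added example: flag search result entries that an LDAP trace shows sent twice.
use strict;
use warnings;

# Returns [description, count] pairs, in first-seen order, for every entry the
# trace shows being sent more than once for the same client/operation/connection.
sub repeated_entries {
    my @lines = @_;
    my (%count, @order);
    for my $line (@lines) {
        next unless $line =~ /^\[[^\]]+\]\s+(\([^)]+\)\([^)]+\))\s+
                              Sending\ search\ result\ entry\ "([^"]+)"\s+
                              to\ connection\ (\S+)/x;
        my $key = "$1 conn $3 entry " . lc $2;   # DNs compare case-insensitively
        push @order, $key unless $count{$key}++;
    }
    return map { [ $_, $count{$_} ] } grep { $count{$_} > 1 } @order;
}

# Sample trace: lines 1-2 are from this TID, line 3 is constructed.
my $sample = <<'TRACE';
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
[2004/06/03 13:09:05] (192.168.1.147:1215)(0x0027:0x63) Sending search result entry "cn=bob,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
[2004/06/03 13:09:07] (192.168.1.147:1216)(0x0028:0x63) Sending search result entry "cn=alice,ou=ISD,ou=ADM,o=NOVELL" to connection 0x8cb00ee0
TRACE

my @lines;
if (@ARGV) {
    open(my $fh, '<', $ARGV[0]) or die "Can't open $ARGV[0]: $!\n";
    @lines = <$fh>;
    close $fh;
} else {
    @lines = split /\n/, $sample;
}

my @hits = repeated_entries(@lines);
printf "%d x %s\n", $_->[1], $_->[0] for @hits;
print "No repeated search result entries found\n" unless @hits;
```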
========================================
====== Instructions to create the UID.PL script ======
====== Copy/Paste the contents below and save the file as UID.PL ======
========================================
#!/usr/bin/perl
# Name: uid.pl
# Author: Jim Schnitter
# Purpose: Creates an LDIF file to populate the uid attribute on user entries.
# Version: 1.0
use strict;
use warnings;

sub usage {
    die "\nUsage: uid.pl input_ldif \n\n";
}

# Exactly one argument is expected: the LDIF file exported in Step 1.
usage() unless @ARGV == 1;
my $in = $ARGV[0];

open(my $IN, '<', $in) or die "\nCan't open $in: $!\n\n";
open(my $OUT, '>', 'uid.ldif') or die "\nCan't create uid.ldif: $!\n\n";

# For every "dn: cn=<name>,<context>" line, write a modify record that
# adds uid: <name> to that entry.
while (<$IN>) {
    chomp;
    if (/^dn: cn=(.*?),(.*)$/) {
        print $OUT $_;
        print $OUT "\nchangetype: modify\n";
        print $OUT "add: uid\n";
        print $OUT "uid: $1\n\n";
    }
}

close $IN;
close $OUT;
print "\nCreated uid.ldif to add uids\n\n";
=====================================
Formerly known as TID# 10088627