403 error accessing iprint web page

  • 7006561
  • 03-Aug-2010
  • 14-Sep-2017

Environment

Novell iPrint for Linux Open Enterprise Server

Situation

403 error accessing the iprint web page
403 forbidden attempting to load the /ipp page
403 errors on one iprint cluster node
403 errors accessing the /ipp page on all nodes after migration (See Additional Information)

Resolution

Novell has received reports of several different causes to this problem. Below lists 3 of them.  See KB 7009925 for other causes and solutions.
 
Cause 1: This issue is caused by mis-configuration of /etc/opt/novell/iprint/httpd/conf/iprint_g.conf

Resoulution: Edit the following lines to include the nss path (currently, they will only have /var/opt/novell/iprint...)

Alias /ippdocs/ "/media/nss/YOURVOLUME/var/opt/novell/iprint/htdocs/"
<Directory/media/nss/YOURVOLUME/var/opt/novell/iprint/htdocs>
   Options FollowSymLinks MultiViews
   AllowOverride None
   Order allow,deny
   Allow from all
   AddType application/x-rpm .rpm
   AddType application/octet-stream dmg
   ExpiresDefault A86400
   ExpiresByType application/octet-stream A300
   ExpiresByType application/x-rpm A300
</Directory>

Cause 2: www group / wwwrun user are no longer lum enabled or they are in a problematic state.
 
Resolution:
  1. Open iManager
  2. Go to Linux User Management in Roles & Task.
  3. Click on Enable Groups for Linux.
  4. Browse and select "www" group and ensure that "Linux-enable all users in these groups" is selected and click Next.
  5. Keep defaults and Click Next (You may see a warning below stating that group is already lum enabled, ignore that warning and continue).
  6. Browse and select your "Unix Workstation object" and click Next.
  7. Click Finish.
Cause 3: wwwrun user assigned to incorrect www group
The LUM enabled Apache user (wwwrun) is assigned to the wrong LUM enabled Apache group (www).
 
To identify and resolve this issue:
  • Run this command:
    • rights -f /media/nss/<iPrintVolumeName>/var/opt/novell/iprint show
      • replace <iPrintVolumeName> with the name of the volume hosting iPrint.
      • Make note of the context with wwwrun user and www group reside.
  • Go to iManager -> Directory Administration -> Modify Object -> Browse to the wwwrun user shown from the 'rights -f show' command -> General -> Group Membership.
    • Does the same www group noted from the rights -f show command appear in the list?  If not, add the www group.  Remove other www groups which may be listed as a Group Membership.
  • Go to iManager -> Directory Administration -> Modify Object -> Browse to the www group shown from the 'rights -f show' command -> Members.
    • Do wwwrun users show (other than the one which shows from the 'rights -f show' command)?  If yes, remove them.
  • At the server's terminal, type
    • namconfig cache_refresh

Additional Information

If you are seeing the 403 error in a clustered iPrint environment, in most cases the issue can be resolved by running the iprint_nss_relocate script.  In a terminal or putty session logged in as root execute the following commands:

cd /opt/novell/iprint/bin

./iprint_nss_relocate -a cn=admin,o=
<the O where admin resides> -p <admin password> -n /media/nss/<volume where iPrint is located> -l cluster

As an example, if the admin user is in the novell Organization and the password is novell and the iPrint files are on the DATA volume the command would be:
./iprint_nss_relocate -a cn=admin,o=novell -p novell -n /media/nss/DATA -l cluster

If this resolves the issue, migrate the iPrint services to each node experiencing the 403 error and repeat the process.