iPrint 401 error when public is removed as trustee of the tree

  • 7025185
  • 02-Jul-2021
  • 16-Aug-2021

Environment

Micro Focus Open Enterprise Server 2018 with iPrint

Situation

Some organizations have a security requirement to remove public as a trustee of the tree. Doing so requires users to log in to iManager with the full context (in dot notation). It also results in the following error when attempting to manage iPrint objects within iManager:

Exception reading manager information
Unauthorized
IPP Error: 0xF0191
HTTP Error: 401

Resolution

  • Update the iprint_ssl.conf:
    • Add the following two lines to the /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf file:
        AuthLDAPDNBindDN cn=LDAP_Proxy,o=novell
        AuthLDAPDNBindPassword novell
      • Note 1: In the above example, the password to the LDAP_Proxy user is novell.
      • Note 2: Highlighted are characters which have been known to be overlooked or forgotten when implementing this solution.
      • Note 3: The LDAP_Proxy user above is an example. This can be any user. The user must have Browse [Entry Rights] to the Tree.
    • Below is an example of the location to add these lines:
        AuthLDAPDNRemoteUserIsDN on
        AuthzLDAPDNAuthoritative Off
        AuthLDAPDNAllowDNAuth on
        AuthLDAPDNBindDN cn=LDAP_Proxy,o=novell
        AuthLDAPDNBindPassword novell

        </LocationMatch>
        </IfModule>
  • Update the apache2 configuration file:
    • Add the following Apache modules to the /etc/sysconfig/apache2 file:
        APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout proxy proxy_ajp rewrite php5 authn_core auth_ldap authnz_ldap ldap"
    • The highlighted text is what is to be added.
  • Restart Apache
    • rcapache2 restart
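
A post-change check for the steps above, as an added example that is not part of the original TID: it confirms both bind directives are present, flags the sample password novell if it was left in place, and flags a world-readable file, since the bind password sits in that file in clear text. The function names are hypothetical, and the module names to verify are supplied by the caller rather than assumed.

```bash
#!/bin/sh
# Added example, not part of the TID: audit the proxy-bind change (POSIX sh).

# Print the value of the last uncommented occurrence of an Apache directive.
# Directive names are case-insensitive, so compare in lower case.
directive_value() {
    awk -v d="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        tolower($1) == d { $1 = ""; sub(/^ +/, ""); v = $0 }
        END { print v }' "$1"
}

# check_iprint_proxy_bind FILE
# One finding per line on stdout; returns 0 when clean, 1 on findings,
# 2 when FILE cannot be read.
check_iprint_proxy_bind() {
    conf=$1; rc=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    dn=$(directive_value "$conf" AuthLDAPDNBindDN)
    pw=$(directive_value "$conf" AuthLDAPDNBindPassword)
    [ -n "$dn" ] || { echo "MISSING: AuthLDAPDNBindDN"; rc=1; }
    [ -n "$pw" ] || { echo "MISSING: AuthLDAPDNBindPassword"; rc=1; }
    # "novell" is the TID's sample password; it must not reach production.
    if [ "$pw" = "novell" ]; then
        echo "WEAK: sample password from the TID is still configured"; rc=1
    fi
    # The bind password is stored in clear text, so the file must not be
    # readable by "other" (find prints the path only if that bit is set).
    if [ -n "$pw" ] && [ -n "$(find "$conf" -prune -perm -0004)" ]; then
        echo "EXPOSED: $conf is world-readable and holds a bind password"; rc=1
    fi
    return $rc
}

# check_apache_modules FILE MODULE...
# Reports each MODULE missing from the last APACHE_MODULES= line in FILE.
check_apache_modules() {
    sysconfig=$1; shift; rc=0
    mods=$(grep -E '^[[:space:]]*APACHE_MODULES=' "$sysconfig" | tail -n 1 |
           cut -d= -f2- | tr -d '"')
    for m in "$@"; do
        case " $mods " in
            *" $m "*) ;;
            *) echo "MISSING module: $m"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run check_iprint_proxy_bind against /etc/opt/novell/iprint/httpd/conf/iprint_ssl.conf and check_apache_modules against /etc/sysconfig/apache2 after the restart; any output line is a finding to resolve.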

Cause

When managing iPrint objects within iManager, the public rights are used to search the tree for the user who logged in to iManager. If that user can't be found and authenticated, the 401 error is presented to the administrator. Adding a proxy user to the iPrint Apache configuration file provides the rights needed for the iManager background authentication to succeed.