IPrint Authentication Issues

From MicroFocusInternationalWiki


Troubleshooting iPrint authentication

Sometimes people have authentication problems when enabling secure printing on iPrint. This document tries to explain how things are supposed to work, and where to look if things are not working. So far, this document only handles the case of the iPrint client for Windows.

General working

Starting with NetWare 6.0, Novell wanted NetWare to become more independent of the Novell client, and as such, included a number of components that allowed using the NetWare server without the Novell client. For file services, the new services they included were NFAP (native file access protocols), and for printing, they introduced iPrint.

Because iPrint has to be able to operate on its own without the Novell client, the iPrint client includes its own authentication mechanisms. This means that when doing secure printing, the iPrint client itself has to get a userID and a password and send them to the server. In a standalone iPrint configuration, this means that the iPrint client will prompt the user for userID and password if secure printing is required. When other Novell components exist on the client, it is possible to integrate the iPrint client with them to achieve single sign-on, so that the user does not have to enter his userID and password multiple times.

On the server side, the IPP protocol used by iPrint is handled by a web server, and it is that web server that is responsible for handling authentication. On NetWare 6.0, the web server used is HTTPSTK.NLM, the same mini web server that is also used for Novell Remote Manager and NDS iMonitor. HTTPSTK.NLM uses the NDS userID and password for authentication. On NetWare 6.5 and on OES, iPrint uses Apache2 with LDAP authentication on the server side. Furthermore, this LDAP authentication is not done with the user’s CN attribute, but rather with the uniqueID attribute. Because of this, it is important that the uniqueID is set on all users that want to do secure printing. For users created with ConsoleOne or iManager, the uniqueID attribute is added automatically at creation time, but for users created with NWADMN32, the uniqueID attribute is generally missing. For more information on this issue, see the following articles:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10088627.htm
http://www.novell.com/coolsolutions/tip/17303.html

iPrint standalone

If you install the iPrint client without any other Novell client software, then you have no login integration and the only facility you have is to enable the “save credentials” option which avoids the iPrint login after each workstation login, but this may of course also be a security issue.

Netidentity agent integration

The iPrint client is written to integrate with the Netidentity agent. This was initially the only way to integrate it with a Novell client as well. For more information on the Netidentity agent, see the documentation here:

http://www.novell.com/documentation/netidentity/treetitl.html

Novell client integration

Initially, the only possible integration between the Novell client for Windows and the iPrint client was through the Netidentity agent. However, starting with NetWare 6.5 SP4 or OES SP1, enhancements have been made to the server and the client side of iPrint to better integrate the iPrint client with the Novell client without Netidentity. To achieve this, the server side of iPrint has been enhanced to allow DN-based LDAP authentication, and the client side has been enhanced to provide a login extension for the Novell client that gets the login credentials directly from the Novell client. This login extension is implemented through the file nipplgex.dll.

Login name gets truncated

There is a problem with the iPrint client in standalone mode, starting around version 4.20: if the login name contains a dot ".", the login name is truncated at the dot. This makes login impossible if the uniqueid is something like "a.miller", or if the uniqueid is set to the full distinguished name (DN) instead of the common name (CN), i.e. the uniqueid is set to miller.staff.org. Novell has acknowledged the problem, but as of now does not provide a fixed client.

This problem is not restricted to standalone mode, but the Novell Client integration mitigates the problem by providing a different way to identify the correct eDir object.

Cosmetic bugs

Some localized versions of the client have a cosmetic oddity, as shown by the authentication window below. Versions 4.30, 4.32, 4.34 and 4.38 are affected by this bug; you need to go back to a version prior to 4.30 to get a correct window.

[Image: Iprint-v4-30-french-authentification.png]

Troubleshooting iPrint authentication

Here are some tips on troubleshooting iPrint authentication issues.

  • If you are on NetWare 6.5 or OES, make sure you have at least NetWare 6.5 SP5 or OES SP2 installed.
  • Make sure your users have a uniqueID attribute that is preferably identical to the user name.
  • Verify that the iPrint client correctly installed the login extension for the Novell client. Your registry should contain the following information:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Novell\Graphical Login\NWLGE\iPrint]
    "LoginExtDesc"="iPrint Login Notification"
    "LoginExtName"="nipplgex.dll"
    "LoginExtType"=dword:00008007
  • Enable LDAP debugging on the server and see how the client tries to authenticate. This often gives important hints on what went wrong. To enable LDAP tracing, use the following console commands on a NetWare server (or use the equivalent DSTRACE options in NDS iMonitor):
    SET DSTRACE = ON
    SET DSTRACE = -ALL
    SET DSTRACE = +LDAP +TIME
    LDAP DSTRACE = +ALL
    If you want to capture the trace to a file, use the following additional commands:
    SET TTF = ON
    SET DSTRACE = *R
    Once you have finished tracing, use:
    SET TTF = OFF
    The resulting trace file is called DSTRACE.DBG and can be found in SYS:SYSTEM.
  • Verify the LDAP attribute mapping in your LDAP group object. For details, see the description of error -306 in the following document.
  • Visit the iPrint forum on the Novell support forums and post as much information about your problem as possible (exact server and client versions and possibly an LDAP trace from the server). The support forums can be found at http://support.novell.com/forums/
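
The uniqueID checks from the tips above and from the "Login name gets truncated" section can be run over an LDIF export of your users. The following is an added example, not part of the original article or of any Novell tool; it assumes the export contains user entries, that uniqueID is exposed over LDAP as "uid" or "uniqueID" (depending on your LDAP attribute mapping), and the sample data is constructed.

```python
import base64

# Constructed sample export (not real data).
# Assumption: uniqueID appears in the export as "uid" or "uniqueID".
SAMPLE_LDIF = """\
dn: cn=amiller,ou=staff,o=org
cn: amiller
uid: a.miller

dn: cn=bjones,ou=staff,o=org
cn: bjones

dn: cn=miller,ou=staff,o=org
cn: miller
uniqueID:: bWlsbGVyLnN0YWZmLm9yZw==

dn: cn=elong,ou=staff,o=org
cn: elong
uid: elo
 ng
"""

def parse_ldif(text):
    """Yield {attr_lower: [values]} per entry; handles folded lines and base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):                         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.lower(), []).append(value.strip())
        if "dn" in entry:                                     # skips "version: 1"
            yield entry

def audit(text):
    """Map DN -> reason for every user whose uniqueID needs attention."""
    findings = {}
    for e in parse_ldif(text):
        ids = e.get("uid", []) + e.get("uniqueid", [])
        cns = {c.lower() for c in e.get("cn", [])}
        if not ids:
            findings[e["dn"][0]] = "uniqueID missing"
        elif any("." in i for i in ids):
            findings[e["dn"][0]] = "uniqueID contains a dot"
        elif not any(i.lower() in cns for i in ids):
            findings[e["dn"][0]] = "uniqueID differs from CN"
    return findings
```

Calling audit() on an export returns only the users that need fixing: those created without a uniqueID, those whose uniqueID would be truncated at the dot by the affected clients, and those whose uniqueID does not match the user name.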

Useful links