APAR status
Closed as program error.
Error description
When AuthLDAPUrl points to a z/OS LDAP server that is SDBM- (RACF-) based, that server cannot accept standard LDAP search filters. Other LDAP backends are not affected. The error log reports only the following generic message:

Directory server is unwilling to perform the operation

The platform of the webserver is not relevant.
Local fix
Problem summary
USERS AFFECTED: IHS 7.0 users on any platform who point to a z/OS system running SDBM/RACF-backed LDAP with their AuthLDAPUrl directive.

PROBLEM DESCRIPTION: LDAP authentication error when the LDAP server is RACF-based.

RECOMMENDATION: Apply this fix if your environment matches the error description and your LDAP server is hosted on z/OS.

SDBM/RACF-backed LDAP on z/OS does not support the same search and filter semantics as a typical LDAP server, including verbatim filters from the LDAP RFC. By default, mod_authnz_ldap uses a no-op (objectClass=*) term as a filter unless overridden. When combined with the filter required to perform authentication, this results in:

(&(cn=user1)(objectClass=*))

which is not permitted by SDBM.
Problem conclusion
mod_authnz_ldap was modified to allow a new special value of "none" in the AuthLDAPUrl directive where the search filter is specified. The filter is the final parameter below:

AuthLDAPURL ldap://example.com/o=apache,c=US?racfid?sub?none

This results in a user-lookup filter of simply (racfid=user1), which is accepted by SDBM.

Using LDAP with RACF/SDBM on z/OS:
- The first parameter after the port on AuthLDAPURL should generally be your "LDAP suffix" configured in the z/OS LDAP server. In the example above, this is "o=apache,c=US".
- The second parameter on AuthLDAPURL is the attribute in LDAP that the webserver will use to determine a web user's LDAP distinguished name. 'racfid' is commonly used with z/OS LDAP.
- If using LDAP groups for authorization, specify the group's distinguished name, such as

Require ldap-group racfid=GROUP02,profiletype=GROUP,o=MYSUFFIX

and specify 'AuthLDAPGroupAttribute racfgroupuserids' to allow the webserver to resolve groups.

This fix is targeted for IHS fixpacks:
- 7.0.0.5
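The filter construction described in the summary and conclusion, as an added Python model (not IHS or mod_authnz_ldap code): it derives the user-lookup filter from the AuthLDAPURL components for both the default (objectClass=*) term and the new "none" value. The RFC 4515 value escaping and the sdbm_accepts check are assumptions of this example, not statements about the module's internals.

```python
"""Model of how an AuthLDAPURL turns into the user-lookup search filter.

Added example, not httpd/IHS code. It reproduces the two outcomes the APAR
describes: the default AND-combined filter that SDBM rejects, and the
single-term filter produced by the special filter value "none".
"""
from urllib.parse import urlparse, unquote

# RFC 4515 requires these characters to be escaped inside a filter value
# (assumption of this example: defensive escaping of the web username).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value before embedding it in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split ldap://host/basedn?attribute?scope?filter into its parts.

    Missing parts get the mod_authnz_ldap defaults: uid, sub, (objectClass=*).
    """
    parsed = urlparse(url)
    parts = parsed.query.split("?") if parsed.query else []
    parts += [""] * (3 - len(parts))          # pad absent components
    attr, scope, filt = parts[:3]
    return {
        "host": parsed.netloc,
        "base_dn": unquote(parsed.path.lstrip("/")),
        "attribute": attr or "uid",
        "scope": scope or "sub",
        "filter": filt or "(objectClass=*)",
    }


def user_lookup_filter(url: str, username: str) -> str:
    """Return the filter sent to the directory to find the user's DN."""
    cfg = parse_auth_ldap_url(url)
    term = f"({cfg['attribute']}={escape_filter_value(username)})"
    if cfg["filter"] == "none":               # PK81733: no extra term
        return term
    return f"(&{term}{cfg['filter']})"        # default: AND with filter


def sdbm_accepts(filt: str) -> bool:
    """SDBM rejects the AND-combined filter but accepts a single (attr=value)
    term, per the APAR text; this is not a full SDBM filter grammar."""
    return not filt.startswith("(&")
```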
Temporary fix
Comments
APAR Information
APAR number
PK81733
Reported component name
WAS IHS ZOS
Reported component ID
5655I3510
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2009-03-03
Closed date
2009-05-01
Last modified date
2019-02-27
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WAS IHS ZOS
Fixed component ID
5655I3510
Applicable component levels
Document Information
Modified date:
14 December 2020