IBM Support

Collecting Data for DB2 LDAP Authentication

Troubleshooting


Problem

This document describes which data to collect, and how, when diagnosing Db2 LDAP authentication problems.

Environment

First, determine whether Transparent LDAP or the LDAP plug-ins are in use by checking the SRVCON_PW_PLUGIN, CLNT_PW_PLUGIN, and GROUP_PLUGIN database manager configuration parameters (db2 get dbm cfg). If a parameter is blank, the default OS plug-in is used for that role.

The following shows an example of when the OS authentication plug-ins are enabled.
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Group Plugin                             (GROUP_PLUGIN) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) =

or

 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = IBMOSauthclient
 Group Plugin                             (GROUP_PLUGIN) = IBMOSgroups
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMOSauthserver
If the default OS plug-ins are enabled, check the value of the DB2AUTH registry variable (db2set -all) to determine whether local authentication or Transparent LDAP is enabled. Transparent LDAP is enabled only when DB2AUTH is set to OSAUTHDB:
$ db2set -all
[i] DB2AUTH=OSAUTHDB
Note: OSAUTHDB must be set for Transparent LDAP to be used; otherwise local (OS) authentication is used. The OSAUTHDB option of DB2AUTH has no effect when the OS authentication plug-ins are not in use.

The following shows an example of when the LDAP plug-ins are enabled.
 Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = IBMLDAPauthclient
 Group Plugin                             (GROUP_PLUGIN) = IBMLDAPgroups
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMLDAPauthserver
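As an added example (not part of this IBM technote), the following POSIX shell script applies the decision rule above to the text of db2 get dbm cfg and db2set -all: OS plug-ins plus DB2AUTH=OSAUTHDB means Transparent LDAP, OS plug-ins without it means local authentication, and the IBMLDAP* plug-ins mean the LDAP plug-ins. It also flags the case the page does not spell out, where the three parameters disagree (for example only SRVCON_PW_PLUGIN was changed). The sample configuration text embedded in it is constructed to match the listings above, not captured from a live instance, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM technote: work out which Db2
# authentication mode is configured from the text of
#   db2 get dbm cfg   and   db2set -all
# using the rule described above. Function names are the example's own.

# plugin_value CFG_TEXT PARAM : print the value of a dbm cfg parameter,
# or the empty string when it is blank (blank means the default OS plug-in).
plugin_value() {
    printf '%s\n' "$1" | sed -n "s/.*(${2}) *= *//p" | head -n 1 | tr -d '[:space:]'
}

# classify_plugin NAME : map one plug-in name to os | ldap | other
classify_plugin() {
    case "$1" in
        ''|IBMOSauthclient|IBMOSauthserver|IBMOSgroups)    echo os ;;
        IBMLDAPauthclient|IBMLDAPauthserver|IBMLDAPgroups) echo ldap ;;
        *)                                                 echo other ;;
    esac
}

# db2_auth_mode CFG_TEXT REG_TEXT : print exactly one of
#   local | transparent-ldap | ldap-plugins | custom | mixed
db2_auth_mode() {
    srv=$(classify_plugin "$(plugin_value "$1" SRVCON_PW_PLUGIN)")
    clt=$(classify_plugin "$(plugin_value "$1" CLNT_PW_PLUGIN)")
    grp=$(classify_plugin "$(plugin_value "$1" GROUP_PLUGIN)")
    if [ "$srv" != "$clt" ] || [ "$clt" != "$grp" ]; then
        echo mixed          # e.g. only SRVCON_PW_PLUGIN was changed: inspect by hand
        return 0
    fi
    case "$srv" in
        ldap)  echo ldap-plugins ;;
        other) echo custom ;;        # a third-party or site-written plug-in
        os)
            # OSAUTHDB is only meaningful while the OS plug-ins are in use
            if printf '%s\n' "$2" | grep -q 'DB2AUTH=.*OSAUTHDB'; then
                echo transparent-ldap
            else
                echo local
            fi ;;
    esac
}

# Constructed sample output (not captured from a real instance), matching
# the listings on this page plus one "mixed" configuration.
SAMPLE_CFG_OS=' Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Group Plugin                             (GROUP_PLUGIN) =
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) ='
SAMPLE_CFG_LDAP=' Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = IBMLDAPauthclient
 Group Plugin                             (GROUP_PLUGIN) = IBMLDAPgroups
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMLDAPauthserver'
SAMPLE_CFG_MIXED=' Client Userid-Password Plugin          (CLNT_PW_PLUGIN) =
 Group Plugin                             (GROUP_PLUGIN) = IBMLDAPgroups
 Server Userid-Password Plugin        (SRVCON_PW_PLUGIN) = IBMLDAPauthserver'
SAMPLE_REG_TLDAP='[i] DB2AUTH=OSAUTHDB
[i] DB2COMM=TCPIP'
SAMPLE_REG_LOCAL='[i] DB2COMM=TCPIP'

# On a live instance, as the instance owner:
#   db2_auth_mode "$(db2 get dbm cfg)" "$(db2set -all)"
```

A result of mixed or custom is not an error by itself, but it means the rest of this page's decision tree does not apply cleanly and the three plug-in values should be checked individually.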

Next, determine the impact of the problem by checking the health of the LDAP server independently of Db2:
  • Are you able to authenticate to the LDAP server outside of DB2?
  • Are you able to query the groups within LDAP for the user outside of DB2?
  • Is the response time of LDAP queries made outside of Db2 similar to that seen from within Db2?
  • Can the problem be reproduced on demand? If so, can a test case or a sequence of steps be provided?
  • Is this a production, development or test environment?
  • What is the business impact of this problem?
  • Are there other repercussions to the problem occurring?

Diagnosing The Problem

Diagnostics to collect for both Transparent LDAP and LDAP plug-ins
  • Collect a db2support package with the "-s" option: db2support . -s
  • If the error is reproducible on-demand, collect a Db2 trace of the error.
    • db2trc on -f trace.dmp
      <reproduce the problem>
      db2trc off
      db2trc fmt trace.dmp trace.fmt
      db2trc flw trace.dmp trace.flw
      db2trc fmt -c trace.dmp trace.fmtc
  • If TLS is enabled on the LDAP server, run a test with OpenSSL. The default port for LDAP over TLS (LDAPS) is 636; a server that uses StartTLS on the plain LDAP port 389 instead needs the -starttls ldap option of OpenSSL 1.1.1 or later.
    • openssl s_client -connect <hostname>:<port>
    Check the "Verify return code" line of the output. s_client completes the handshake even when the server certificate cannot be validated, so pass the CA certificate that the Db2 server (or the OS LDAP client) trusts with -CAfile <ca-cert-file> to confirm that the chain verifies, and compare the subject shown with the host name the LDAP configuration uses. End the session with Ctrl-D or by redirecting stdin from /dev/null.

Diagnostics to collect for Transparent LDAP on Linux
  • As root, run the linuxTransLdap testing utility with the user ID and password of the user reporting the error.
    linuxTransLdap is available from the following page: https://www.ibm.com/support/pages/node/567799
    • ./linuxTransLdap -u <username> -p <password>
    The password is passed on the command line, so it is visible in the process list while the tool runs and is written to the shell history; run it from a shell with history disabled and do not include the password in the data sent to IBM.
  • Collect the following configuration files 
    • /etc/pam.d/db2
    • /etc/pam.d/system-auth, /etc/pam.d/system-auth-ac
    • /etc/pam.d/password-auth, /etc/pam.d/password-auth-ac
    • /etc/nsswitch.conf
  • Collect /var/log/messages

Diagnostics to collect for Transparent LDAP on AIX
  • As root, run the aixAuthTest testing utility with the user ID and password of the user reporting the error.
    aixAuthTest is available from the following page: https://www.ibm.com/support/pages/node/567799
    • ./aixAuthTest -OSAUTH <userid> <password>
    • If the DB2 version is 11.1.1.1/10.5.0.8 or prior, use the -legacy mode of operation:
      ./aixAuthTest -OSAUTH -legacy <userid> <password>
  • Collect the following configuration files
    • /usr/lib/security/methods.cfg
    • /etc/security/user

Diagnostics to collect for LDAP plug-ins

Enable LDAP debugging with the following steps:
  • Add the following line to the IBMLDAPSecurity.ini file, found in the instance owner's ~/sqllib/cfg directory
    • DEBUG=TRUE
  • Set the DIAGLEVEL database manager configuration parameter to 4. This setting allows the LDAP plug-ins to write extra information to the Db2 diagnostic log.
    • db2 update dbm cfg using DIAGLEVEL 4
  • Set the following environment variables to enable LDAP Tracing
    • export LDAP_DEBUG=65535
      export LDAP_DEBUG_FILE=<filename>
      db2set DB2ENVLIST="LDAP_DEBUG LDAP_DEBUG_FILE"
  • Restart Db2 (db2stop/db2start) so that the variables in DB2ENVLIST and the new plug-in settings take effect.
When the data has been collected, revert these changes: remove DEBUG=TRUE from IBMLDAPSecurity.ini, set DIAGLEVEL back to 3 (the default), restore the previous DB2ENVLIST value, and restart the instance again. Treat the LDAP trace file and db2diag.log as sensitive while debugging is on; they record the bind and search operations the plug-in performs against the directory.
Note: If errors are being returned by the Db2 command line processor, but diagnostic information is not being written to the log, Db2 might be affected by the following APARs. Ensure Db2 is updated to a level containing a fix.
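The steps above, and the revert that should follow them, as one added shell script (this is not IBM's code and is not part of the technote). The ini edits use only POSIX sed and grep so they work on both Linux and AIX, and every db2 and db2set call is prefixed with $DB2 so the script can be dry-run with DB2=echo. It assumes things the page does not state: the instance owner runs it, DIAGLEVEL is returned to its default of 3, DB2ENVLIST held nothing else beforehand, and the trace file path and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the IBM technote: switch LDAP plug-in debugging
# on, and back off again when collection is finished. The ini editing uses
# only POSIX sed/grep so it works on Linux and AIX; db2 and db2set calls are
# prefixed with $DB2 so the script can be dry-run with DB2=echo.
# Assumptions (the page does not state them): the instance owner runs this,
# DIAGLEVEL goes back to its default of 3, DB2ENVLIST held nothing else,
# and the trace path below is the example's own choice.

DB2=${DB2:-}                                          # "" = really run, "echo" = dry run
INI=${INI:-$HOME/sqllib/cfg/IBMLDAPSecurity.ini}
LDAP_TRACE=${LDAP_TRACE:-$HOME/ldap_debug.log}

# get_ini_key FILE KEY : print the value of KEY (empty when absent)
get_ini_key() {
    sed -n "s/^${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# set_ini_key FILE KEY VALUE : replace an existing KEY= line or append one,
# leaving every other line untouched (no sed -i, which AIX lacks)
set_ini_key() {
    if grep -q "^${2}[[:space:]]*=" "$1"; then
        sed "s/^${2}[[:space:]]*=.*/${2}=${3}/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# remove_ini_key FILE KEY : drop the KEY= line
remove_ini_key() {
    grep -v "^${2}[[:space:]]*=" "$1" > "$1.tmp" || true   # grep -v exits 1 when nothing is left
    mv "$1.tmp" "$1"
}

ldap_debug_on() {
    set_ini_key "$INI" DEBUG TRUE
    # the trace records every bind and search the plug-in issues: keep it private
    ( umask 077; : >> "$LDAP_TRACE" ) && chmod 600 "$LDAP_TRACE"
    export LDAP_DEBUG=65535 LDAP_DEBUG_FILE="$LDAP_TRACE"
    $DB2 db2set DB2ENVLIST="LDAP_DEBUG LDAP_DEBUG_FILE"
    $DB2 db2 update dbm cfg using DIAGLEVEL 4
    $DB2 db2stop && $DB2 db2start          # DB2ENVLIST is read at instance start
}

ldap_debug_off() {
    remove_ini_key "$INI" DEBUG
    unset LDAP_DEBUG LDAP_DEBUG_FILE
    $DB2 db2set DB2ENVLIST=                # assumes the list was empty beforehand
    $DB2 db2 update dbm cfg using DIAGLEVEL 3
    $DB2 db2stop && $DB2 db2start
}

# Usage: . ./this_script; ldap_debug_on; <reproduce the failure>; ldap_debug_off
```

Source the script rather than executing it, so that the exported LDAP_DEBUG variables are in the same shell that runs db2start; otherwise DB2ENVLIST has nothing to pass to the engine.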

Resolving The Problem

Once you have collected your information, you can begin Problem Determination through the product Support web page, or simply submit the diagnostic information to IBM support. Use the document Submitting diagnostic information to IBM Technical Support for problem determination for submitting information to IBM Support.

Product: Db2 for Linux, UNIX and Windows (Security and Plug-Ins -> Authentication)
Platforms: AIX, HP-UX, Linux, Solaris, Windows
Version: All Versions

Document Information

Modified date:
25 January 2022

UID

swg21447085