Content Manager OnDemand V8.5 and later LDAP authentication to active directory server fails with an error

Technote (troubleshooting)


Problem(Abstract)

Using LDAP authentication in the IBM Content Manager OnDemand Server V8.5 and later to search for a user ID in a Microsoft Active Directory server results in an error labeled "Operations error."

Symptom

Attempting to log on through an OnDemand client results in the error "The server failed while attempting to logon."

Taking an OnDemand server trace shows that the initial bind to the Active Directory server was successful, but the search failed with the error "Operations error":

ArcLDAP_Startup:
LDAP Config ArcLDAPServerPtr=example.com
ArcLDAPPort=389
ArcLDAPBaseDN=DC=example,DC=com
ArcLDAPBindDN=CN=sample-user,OU=sample,DC=example,DC=com
ArcLDAPBindAttrib=sAMAccountName
ArcLDAPMappedAttrib=sAMAccountName
ArcLDAPKeyRingFile=(null)
ArcLDAPKeyRingLabel=(null)
LDAP use SSL=FALSE
LDAP allow anonymous bind=FALSE
LDAP referrals=TRUE
LDAP SaslBind=FALSE
LDAP OD Authentication Fallback=TRUE
...
ArcLDAP_Startup:
...
ArcLDAP_Startup:Return
ArcLDAP_Authenticate:Enter
ArcLDAPP_Connect:Enter
ArcLDAPP_Connect:LDAP initialization successful
ArcLDAPP_Connect:Return arccs return code=0,ARCCS_OKAY
ArcLDAPP_Bind:Enter
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=1
ArcLDAPP_Bind:ldap_parse_result ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:Return arccs return code=0,ARCCS_OKAY
ArcLDAP_Authenticate:Searching cur_userid=USER1 os_filter=sAMAccountName=USER1
ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)
ArcLDAP_Authenticate:ldap_unbind ldap_rc=0 extra_rc=0
ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED

This error typically occurs when OnDemand is configured with a base distinguished name whose subtree search covers subordinate domains, that is, domains that are direct descendants of the directory server's own domain. In the previous example, the base distinguished name was set to DC=example,DC=com, which is the root level of the Active Directory domain example.com.

The OnDemand Server V8.5 and later uses the Tivoli Directory Server LDAP API to communicate with the Active Directory server. The search scope is set to subtree and by default the referral option is enabled. With these conditions set, referral chasing might occur. See the Related information section for more information.

Cause

This problem is caused by referral chasing.

With referral chasing enabled, when a subtree search is performed, the Active Directory server sends back referrals that might require the LDAP API to bind (authenticate) to another Active Directory server at a different domain inside the Active Directory forest. If the bind fails due to incorrect credentials or insufficient access, the entire authentication process fails with the operations error.

Environment

This error can occur with an OnDemand server running on UNIX, Windows or z/OS operating systems.

Diagnosing the problem

Enable the OnDemand Server trace and examine the trace file for "Operations error".

Resolving the problem

There are three options that you can use to resolve this issue:

  • Search the Active Directory Global Catalog instead. To do so, change the ARS_LDAP_PORT parameter in the ars.cfg file of your OnDemand server to the Active Directory Global Catalog port, 3268. Searching the global catalog bypasses referral chasing. See the Related information section for more information about the Active Directory Global Catalog.

  • Disable referrals for the OnDemand server. To disable referrals, modify the file ars.cfg and add the following line to the end of the file:

    ARS_LDAP_REFERRALS=FALSE

  • Specify a non-root level base distinguished name in the ARS_LDAP_BASE_DN parameter of the ars.cfg file of your OnDemand server. In the example from the Symptom section, the base distinguished name is set at the root level or top level, DC=example,DC=com. Changing it to a lower, more specific, non-root level distinguished name such as OU=sample,DC=example,DC=com might resolve the problem by eliminating the possibility of a referral being issued to a subordinate domain.
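As an added example (not IBM's code and not part of this technote), the following Python check reads the three ars.cfg keys named above, flags the combination that lets a subtree search from a root-level base DN chase a referral, and recognises the failing ldap_search_s line from the trace in the Symptom section. The KEY=VALUE layout of ars.cfg and the value 389 as the default for an unset ARS_LDAP_PORT are assumptions; the sample configuration fragments are constructed.

```python
import re

GLOBAL_CATALOG_PORT = "3268"

# Constructed ars.cfg fragments: the first matches the settings behind the
# trace in the Symptom section, the second adds the line from resolution 2.
ARS_CFG_BEFORE = """\
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=DC=example,DC=com
"""
ARS_CFG_AFTER = """\
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=DC=example,DC=com
ARS_LDAP_REFERRALS=FALSE
"""
# The failing ldap_search_s line, copied from the trace above.
TRACE_LINE = ("ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 "
              "ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)")

def parse_ars_cfg(text):
    """Parse KEY=VALUE lines (assumed layout); blank lines and '#' comments are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)  # the value itself may contain '='
        cfg[key.strip()] = value.strip()
    return cfg

def is_root_base_dn(base_dn):
    """True when every RDN is a DC= component, i.e. the DN is the domain root."""
    rdns = [r.strip() for r in base_dn.split(",") if r.strip()]
    return bool(rdns) and all(r.upper().startswith("DC=") for r in rdns)

def referral_risk(cfg):
    """List the conditions that together let a subtree search chase a referral
    into a subordinate domain; empty means one of the three fixes is in place."""
    port = cfg.get("ARS_LDAP_PORT", "389")  # 389 default is an assumption
    referrals = cfg.get("ARS_LDAP_REFERRALS", "TRUE").upper()  # enabled by default
    base_dn = cfg.get("ARS_LDAP_BASE_DN", "")
    if port == GLOBAL_CATALOG_PORT or referrals == "FALSE" or not is_root_base_dn(base_dn):
        return []
    return ["ARS_LDAP_PORT=%s is not the Global Catalog port %s" % (port, GLOBAL_CATALOG_PORT),
            "ARS_LDAP_REFERRALS=%s (referral chasing enabled)" % referrals,
            "ARS_LDAP_BASE_DN=%s is the domain root" % base_dn]

def search_hit_operations_error(trace_line):
    """True for the failing ldap_search_s trace line (ldap_rc=1 is LDAP operationsError)."""
    m = re.search(r"ldap_search_s ldap_rc=(\d+).*?ldap_str=(.*?) extended_str=", trace_line)
    return bool(m) and m.group(1) == "1" and m.group(2) == "Operations error"
```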

Related information

Active Directory Referral Chasing
Active Directory Global Catalog


Document information

More support for: Content Manager OnDemand for Multiplatforms, Server
Software version: 8.5, 9.0
Operating system(s): UNIX, Windows
Reference #: 1610510
Modified date: 2013-01-08
