MustGather: LDAP authentication problems with IBM HTTP Server.
 Technote (troubleshooting)
 
Problem (Abstract)
Collecting data for LDAP authentication problems with the IBM® HTTP Server. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.
 
Resolving the problem
If you have already contacted support, continue to the component-specific MustGather information. Otherwise, click: MustGather: Read first for IBM HTTP Server.
LDAP authentication specific MustGather information
The following files are needed for debugging two types of LDAP authentication with IBM HTTP Server:
  1. LDAP authentication over non-Secure Socket Layers (SSL)
  2. LDAP authentication over SSL



  1. LDAP authentication over non-Secure Socket Layers (SSL)
    1. IBM HTTP Server version.

      Type one of the following commands to display the full version:
      • For Windows®:
        • For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28, 2.0.42, 2.0.47, 6.0:

          install_root/apache -v

      • For UNIX®:
        • For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28:

          install_root/bin/httpd -ver

        • For all releases of V2.0.42, 2.0.47, 6.0:

          install_root/bin/apachectl -V

    2. Configuration file:

      install_root/conf/httpd.conf

    3. Error log:
      • For Windows:

        install_root/logs/error.log

      • For UNIX:

        install_root/logs/error_log

    4. Access log:
      • For Windows:

        install_root/logs/access.log

      • For UNIX:

        install_root/logs/access_log

    5. LDAP properties file:
      • For Windows:

        install_root/conf/ldap.prop

      • For UNIX:

        install_root/conf/ldap.prop

    6. LDAP Client version (for example: V3.2.1, 3.2.2, 4.1, and so on).

    7. Traces: IBM HTTP Server LDAP (non-SSL)
      1. Stop IBM HTTP Server.
      2. Clear all logs in the install_root/logs directory.
      3. Edit the httpd.conf file. Change Loglevel to debug.
      4. Enable LDAP tracing:
        • For Windows:
          1. Create a system variable called:

            LDAP_TRACE_FILE

          2. Set the value with the name for the log file (for example: c:\ldaptrace.log).

          3. Create a system variable called:

            LDAP_DEBUG

          4. Set the value to 65535.
        • For UNIX:
          1. As the user ID that starts the IBM HTTP Server, create an environment variable called:

            LDAP_TRACE_FILE

            The environment variable can be created in either of these two ways:
            • setenv LDAP_TRACE_FILE value (full path and filename)

              csh example:

              setenv LDAP_TRACE_FILE /usr/HTTPServer/logs/ldaptrace_log

              OR

            • export LDAP_TRACE_FILE=value (full path and filename)

              ksh example:

              export LDAP_TRACE_FILE=/usr/HTTPServer/logs/ldaptrace_log

          2. As the user ID that starts the IBM HTTP Server, create an environment variable called:

            LDAP_DEBUG

            The environment variable can be created in either of these two ways:
            1. csh example:

              setenv LDAP_DEBUG 65535

              OR

            2. ksh example:

              export LDAP_DEBUG=65535

      5. Start IBM HTTP Server.
      6. Recreate the problem.
      7. Capture the following:

        netstat -na > netstat.out

    8. Collect the following data files:
      • httpd.conf, error_log, access_log
      • netstat.out
      • ldaptrace_log
      • ldap.prop
      • IBM HTTP Server version and LDAP Client version.
      • Include the date and time of failure along with the browser version and the full URL that resulted in the LDAP failure. For example:

        http://www.mycompany.com/mystuff/goodies/index.html

    9. Follow instructions to send diagnostic information to IBM support.


  2. LDAP over SSL
    1. IBM HTTP Server version.

      Type one of the following commands to display the full version:
      • For Windows:
        • For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28, 2.0.42, 2.0.47, 6.0:

          install_root/apache -v

      • For UNIX:
        • For all releases of V1.3.12, 1.3.19, 1.3.26, 1.3.28:

          install_root/bin/httpd -ver

        • For all releases of V2.0.42, 2.0.47, 6.0:

          install_root/bin/apachectl -V

    2. Configuration file:

      install_root/conf/httpd.conf

    3. Error log:
      • For Windows:

        install_root/logs/error.log

      • For UNIX:

        install_root/logs/error_log

    4. Access log:
      • For Windows:

        install_root/logs/access.log

      • For UNIX:

        install_root/logs/access_log

    5. LDAP properties file:
      • For Windows:

        install_root/conf/ldap.prop

      • For UNIX:

        install_root/conf/ldap.prop

    6. LDAP Client version (for example: V3.2.1, 3.2.2, 4.1, and so on).

    7. Global Security Kit (GSKit) version.

      Type one of the following commands to display the full GSKit version:
      • For Windows:
        • For all releases of V1.3.12:

          /program files/ibm/gsk4/bin/gsk4ver.exe

        • For all releases of V1.3.19, 1.3.26, 2.0.42:

          /program files/ibm/gsk5/bin/gsk5ver.exe

        • For all releases of V1.3.28, 2.0.47, 6.0:

          /program files/ibm/gsk7/bin/gsk7ver.exe

      • For AIX®:
        • For all releases of V1.3.12:

          /usr/opt/ibm/gskit/bin/gsk4ver

        • For all releases of V1.3.19, 1.3.26, 2.0.42:

          /usr/opt/ibm/gskkm/bin/gsk5ver

        • For all releases of V1.3.28, 2.0.47, 6.0:

          /usr/opt/ibm/gskkm/bin/gsk7ver

      • For Solaris™:
        • For all releases of V1.3.12:

          /opt/ibm/gsk4/bin/gsk4ver

        • For all releases of V1.3.19, 1.3.26, 2.0.42:

          /opt/ibm/gsk5/bin/gsk5ver

        • For all releases of V1.3.28, 2.0.47, 6.0:

          /opt/ibm/gsk7/bin/gsk7ver

      • For HP-UX:
        • For all releases of V1.3.12:

          /opt/ibm/gsk4/bin/gsk4ver

        • For all releases of V1.3.19, 1.3.26, 2.0.42:

          /opt/ibm/gsk5/bin/gsk5ver

        • For all releases of V1.3.28, 2.0.47, 6.0:

          /opt/ibm/gsk7/bin/gsk7ver

      • For Linux®:
        • For all releases of V1.3.12:

          /usr/local/ibm/gsk4/bin/gsk4ver

        • For all releases of V1.3.19, 1.3.26, 2.0.42:

          /usr/local/ibm/gsk5/bin/gsk5ver

        • For all releases of V1.3.28, 2.0.47, 6.0:

          /usr/local/ibm/gsk7/bin/gsk7ver

    8. Traces: IBM HTTP Server LDAP over SSL
      1. Stop IBM HTTP Server.
      2. Clear all logs in the install_root/logs directory.
      3. Edit the httpd.conf file:
        • Change Loglevel to debug.
        • Add the SSLTrace directive to the bottom of the httpd.conf file.
      4. Enable LDAP tracing:
        • For Windows:
          1. Create the following system variable:

            LDAP_TRACE_FILE

          2. Set the value with the name for the log file (for example: c:\ldaptrace.log).

          3. Create the following system variable:

            LDAP_DEBUG

          4. Set the value to 65535.
        • For UNIX:
          1. As the user ID that starts the IBM HTTP Server, create an environment variable called:

            LDAP_TRACE_FILE

            The environment variable can be created in either of these two ways:
            • setenv LDAP_TRACE_FILE value (full path and filename)

              csh example:

              setenv LDAP_TRACE_FILE /usr/HTTPServer/logs/ldaptrace_log

              OR

            • export LDAP_TRACE_FILE=value (full path and filename)

              ksh example:

              export LDAP_TRACE_FILE=/usr/HTTPServer/logs/ldaptrace_log


          2. As the user ID that starts the IBM HTTP Server, create an environment variable called:

            LDAP_DEBUG

            The environment variable can be created in either of these two ways:
            • csh example:

              setenv LDAP_DEBUG 65535

              OR

            • ksh example:

              export LDAP_DEBUG=65535

      5. Enable GSKit trace:
        • For Windows:
          1. Create the following system variable:

            GSK_TRACE_FILE

          2. Set the value with the name for the log file (for example: c:\gsktrace.log).
        • For UNIX:
          1. As the user ID that starts the IBM HTTP Server, create an environment variable called:

            GSK_TRACE_FILE

            The environment variable can be created in either of these two ways:
            • setenv GSK_TRACE_FILE value (full path and filename)

              csh example:

              setenv GSK_TRACE_FILE /usr/HTTPServer/logs/gsktrace_log

              OR

            • export GSK_TRACE_FILE=value (full path and filename)

              ksh example:

              export GSK_TRACE_FILE=/usr/HTTPServer/logs/gsktrace_log

      6. Start IBM HTTP Server.
      7. Recreate the problem.
      8. Capture the following:

        netstat -na > netstat.out

    9. Collect the following data files:
      • httpd.conf, error_log, access_log
      • netstat.out
      • ldaptrace_log
      • gsktrace_log
      • ldap.prop
      • IBM HTTP Server version, LDAP Client version, and GSKit version.
      • Include the date and time of failure along with the browser version and the full URL that resulted in the LDAP failure. For example:

        https://www.mycompany.com/mystuff/goodies/index.html

    10. Follow instructions to send diagnostic information to IBM support.
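
The UNIX "Collect the following data files" step from both procedures above, as an added example rather than IBM tooling: a shell function that copies the listed files into an owner-only directory, captures the netstat output, and reports anything missing. The function name gather_ihs_ldap, the OUT_DIR layout, the trace-path fallbacks under install_root/logs, and the choice to treat the traces and ldap.prop as sensitive are assumptions.

```shell
#!/bin/sh
# gather_ihs_ldap INSTALL_ROOT OUT_DIR [ssl]   (hypothetical helper name)
# Copies the UNIX MustGather files into OUT_DIR/files, tars them, and prints
# one "MISSING <path>" line for every expected file that could not be read.
gather_ihs_ldap() {
    root=$1; out=$2; mode=${3:-nonssl}
    # Trace paths come from the variables set in the tracing steps; the
    # fallbacks under INSTALL_ROOT/logs are an assumption of this example.
    ldap_trace=${LDAP_TRACE_FILE:-$root/logs/ldaptrace_log}
    gsk_trace=${GSK_TRACE_FILE:-$root/logs/gsktrace_log}

    set -- "$root/conf/httpd.conf" "$root/conf/ldap.prop" \
           "$root/logs/error_log" "$root/logs/access_log" "$ldap_trace"
    # The GSKit trace is only part of the LDAP over SSL list.
    if [ "$mode" = ssl ]; then set -- "$@" "$gsk_trace"; fi

    # Assumption: debug traces and ldap.prop are treated as sensitive, so
    # everything created here is readable by the owner only.
    old_umask=$(umask); umask 077
    mkdir -p "$out/files" || { umask "$old_umask"; return 1; }

    for f in "$@"; do
        if [ -r "$f" ]; then
            cp "$f" "$out/files/"
        else
            echo "MISSING $f"
        fi
    done

    # Connection snapshot from the "Capture the following" step.
    netstat -na > "$out/files/netstat.out" 2>/dev/null || {
        rm -f "$out/files/netstat.out"
        echo "MISSING netstat.out"
    }

    rc=0
    ( cd "$out" && tar -cf mustgather.tar files ) || rc=$?
    umask "$old_umask"
    return $rc
}
```

Run it as the user ID that starts IBM HTTP Server, after recreating the problem, and add the version strings, failure time, browser version and URL to the bundle by hand.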


For a listing of all technotes, downloads, and educational materials specific to the LDAP authentication problems, search the IBM HTTP Server support site.
 
Related information
Submitting information to IBM support
Steps to getting support
MustGather: Read first
Troubleshooting guide
 
 
Cross Reference information
Segment: Application Servers
Product: WebSphere Application Server
Component: IBM HTTP Server
Platform:
Version:
Edition:
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > IBM HTTP Server > Security (LDAP- Authentication- etc.)
Operating system(s): Windows
Software version: 6.0
Software edition:
Reference #: 1141304
IBM Group: Software Group
Modified date: Jan 4, 2005