IHS LDAP Problem Must-Gather

Known issues to check for first

z/OS LDAP server-specific issues

When an LDAP server on z/OS is configured to use the SDBM (RACF) backend, it supports only a reduced subset of LDAP functionality. This limits the ability of IBM HTTP Server to use such an LDAP server for access control.

LDAP FAQs

Documents to gather

This document describes the data to collect for IBM HTTP Server (IHS) LDAP authentication problems. Gathering this MustGather information before contacting IBM support will help you understand the problem and save time when the data is analyzed.

There are two possible module stacks that IHS might be using for LDAP authentication.

If you are using IHS before version 7.0 on a non-z/OS platform, you are using mod_ibm_ldap. If you are using IHS on z/OS, or IHS version 7.0 or later on any platform, you might be using either mod_ibm_ldap or the pair mod_ldap and mod_authnz_ldap; check the LoadModule directives in the IHS configuration file (httpd.conf) to see which modules are loaded.

The following steps produce the files that are needed. Include the SSL information if the HTTP request is received over SSL, or if the LDAP server is accessed over SSL.

1. Stop IBM HTTP Server.
2. Clear all logs in the install_root/logs directory.
3. Edit the httpd.conf file and change LogLevel to debug.
4. Enable LDAP tracing:
(If using mod_ldap rather than mod_ibm_ldap, you can skip defining LDAP_TRACE_FILE; it is ignored, and all LDAP trace output goes to the IHS error log.)
* For Windows:
1. Create a system variable called:
LDAP_TRACE_FILE
2. Set the value with the name for the log file (for example: c:\ldaptrace.log).
3. Create a system variable called:
LDAP_DEBUG
4. Set the value to 65535.
* For UNIX:
Edit install_root/bin/envvars with a text editor to add these lines:
LDAP_TRACE_FILE=/path/ldaptrace.log
export LDAP_TRACE_FILE
LDAP_DEBUG=65535
export LDAP_DEBUG
                
5. If using SSL, enable SSL traces:
To enable mod_ibm_ssl trace, add this line to the bottom of the httpd.conf file:
SSLTrace
To enable GSKit trace:
* For Windows:
1. Create a system variable called:
GSK_TRACE_FILE
2. Set the value with the name for the log file (for example: c:\gskit.log).
* For UNIX:
Edit install_root/bin/envvars with a text editor to add these lines:
GSK_TRACE_FILE=/path/gskit.log
export GSK_TRACE_FILE
6. Start IBM HTTP Server.
7. If possible, set up a binary packet capture with an unlimited capture length between IHS and the LDAP server.
8. Recreate the problem, noting the time/URL and expected/observed result.
9. Capture the following:
netstat -na > netstat.out
10. Stop IBM HTTP Server.
11. Collect the following data files:
12. Follow instructions to send diagnostic information to IBM support.
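The following shell helpers are an added example and are not part of IBM's MustGather instructions or tooling. They show the two decisions the steps above ask you to make on a UNIX system: which LDAP module stack httpd.conf loads (and therefore whether LDAP_TRACE_FILE is honoured or ignored), and what the edited httpd.conf and envvars should contain for steps 3 to 5. They work on copies of the files so the result can be reviewed before IHS is restarted. Assumed, and not stated on the page: the Apache module identifiers ibm_ldap_module, ldap_module and authnz_ldap_module as they appear on LoadModule lines; every path and the sample configuration at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example, not IBM's MustGather code. Prepares copies of httpd.conf and
# envvars with the LDAP/SSL trace settings from the MustGather steps.
# Assumption: LoadModule identifiers ibm_ldap_module, ldap_module,
# authnz_ldap_module (standard Apache/IHS names). All paths are placeholders.

# Print the LDAP modules that CONF loads, one per line, ignoring commented-out
# LoadModule lines. Output is empty when no LDAP module is loaded.
ihs_ldap_modules() {
    grep -E '^[[:space:]]*LoadModule[[:space:]]+(ibm_ldap_module|ldap_module|authnz_ldap_module)[[:space:]]' "$1" |
        awk '{ print $2 }' | sort -u
}

# Exit status 0 when mod_ibm_ldap is loaded (LDAP_TRACE_FILE is honoured),
# 1 when the trace goes to the IHS error log instead (mod_ldap) or no LDAP
# module is loaded at all.
ihs_uses_mod_ibm_ldap() {
    ihs_ldap_modules "$1" | grep -qx ibm_ldap_module
}

# Write a copy of CONF to OUT with LogLevel forced to debug (step 3) and,
# when the third argument is "ssl", SSLTrace appended (step 5).
# Existing indentation of the LogLevel line is preserved; commented-out
# LogLevel lines are left alone; nothing is appended twice.
ihs_debug_conf() {
    conf=$1; out=$2; ssl=$3
    sed -E 's/^([[:space:]]*)LogLevel[[:space:]].*/\1LogLevel debug/' "$conf" > "$out"
    grep -Eq '^[[:space:]]*LogLevel[[:space:]]+debug' "$out" || echo 'LogLevel debug' >> "$out"
    if [ "$ssl" = ssl ] && ! grep -Eq '^[[:space:]]*SSLTrace' "$out"; then
        echo 'SSLTrace' >> "$out"
    fi
}

# Write a copy of ENVVARS to OUT with the LDAP (step 4) and, for "ssl",
# the GSKit (step 5) trace variables appended. TRACEDIR is where the trace
# files will be written; it must be writable by the user IHS runs as.
ihs_debug_envvars() {
    envvars=$1; out=$2; ssl=$3; tracedir=$4
    cp "$envvars" "$out"
    {
        echo "LDAP_TRACE_FILE=$tracedir/ldaptrace.log"
        echo 'export LDAP_TRACE_FILE'
        echo 'LDAP_DEBUG=65535'
        echo 'export LDAP_DEBUG'
        if [ "$ssl" = ssl ]; then
            echo "GSK_TRACE_FILE=$tracedir/gskit.log"
            echo 'export GSK_TRACE_FILE'
        fi
    } >> "$out"
}

# Count the trace variables OUT exports (2 without SSL, 3 with SSL), so the
# edit can be confirmed before IHS is restarted.
ihs_count_trace_exports() {
    grep -cE '^export (LDAP_TRACE_FILE|LDAP_DEBUG|GSK_TRACE_FILE)$' "$1" || true
}

# Demonstration on constructed sample files (not a real IHS install).
demo=$(mktemp -d)
cat > "$demo/httpd.conf" <<'EOF'
# LoadModule ibm_ldap_module modules/mod_ibm_ldap.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LogLevel warn
Listen 443
EOF
printf 'PATH=/usr/bin\nexport PATH\n' > "$demo/envvars"

echo "LDAP modules loaded: $(ihs_ldap_modules "$demo/httpd.conf" | tr '\n' ' ')"
if ihs_uses_mod_ibm_ldap "$demo/httpd.conf"; then
    echo "mod_ibm_ldap: LDAP trace is written to LDAP_TRACE_FILE"
else
    echo "mod_ldap/mod_authnz_ldap: LDAP_TRACE_FILE is ignored, trace is in the error log"
fi
ihs_debug_conf "$demo/httpd.conf" "$demo/httpd.conf.debug" ssl
ihs_debug_envvars "$demo/envvars" "$demo/envvars.debug" ssl "$demo/trace"
echo "Review $demo/httpd.conf.debug and $demo/envvars.debug, then copy them into place."
```

Run it with IHS stopped (step 1), copy the reviewed files over install_root/conf/httpd.conf and install_root/bin/envvars, and start IHS (step 6). LogLevel debug and LDAP_DEBUG=65535 produce very large output, so revert both files once the data has been collected.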