IHS LDAP Problem Must-Gather
Known issues to check for first
z/OS LDAP server-specific issues
When an LDAP server on z/OS is configured to use the SDBM (or RACF) backend, the LDAP functionality
is greatly diminished. This limits the ability of IBM HTTP Server to use such an LDAP server
for access control.
- mod_ibm_ldap can successfully authenticate, but authorization will generally not work (checking of groups or attributes)
- mod_ldap/mod_authnz_ldap can perform both authentication and basic authorization (see APAR PK81733).
LDAP FAQs
Does LDAP authentication work with Active Directory?
Yes, but for reasonable performance either the "global catalog" port must be used or Active Directory must be front-ended by the Active Directory Application Mode daemon.
Can IHS require a user to be a member of two groups?
The two LDAP modules behave differently, and neither is configurable. mod_ibm_ldap only grants access when all LDAPRequire directives are satisfied. mod_ldap/mod_authnz_ldap, as well as most standard Apache HTTP Server modules, grants access when any Require directive is satisfied.
Documents to gather
This document describes how to collect data for LDAP authentication problems with IBM HTTP Server. Gathering this MustGather information before calling IBM support will help you understand the problem and save time analyzing the data.
There are two possible modules that IHS might be using for
LDAP authentication.
If using IHS before version 7.0 on non-z/OS platforms, you are using
mod_ibm_ldap. If using IHS on z/OS, or version 7.0 or later, you
might be using mod_ibm_ldap, or mod_ldap and mod_authnz_ldap; check
the IHS configuration file to see which modules are loaded.
The following files are needed. Include the SSL information if the HTTP request is being received over SSL, or if the LDAP server is being accessed over SSL.
1. Stop IBM HTTP Server.
2. Clear all logs in the install_root/logs directory.
3. Edit the httpd.conf file. Change LogLevel to debug.
4. Enable LDAP tracing. (If using mod_ldap instead of mod_ibm_ldap, you can skip defining LDAP_TRACE_FILE; it is ignored and all LDAP trace goes to the IHS error log.)
   - For Windows:
     1. Create a system variable called LDAP_TRACE_FILE.
     2. Set the value to the name of the log file (for example: c:\ldaptrace.log).
     3. Create a system variable called LDAP_DEBUG.
     4. Set the value to 65535.
   - For UNIX, edit install_root/bin/envvars with a text editor to add these lines:
     LDAP_TRACE_FILE=/path/ldaptrace.log
     export LDAP_TRACE_FILE
     LDAP_DEBUG=65535
     export LDAP_DEBUG
5. If using SSL, enable SSL traces:
   - To enable mod_ibm_ssl trace, add this line to the bottom of the httpd.conf file:
     SSLTrace
   - To enable GSKit trace:
     - Windows:
       1. Create a system variable called GSK_TRACE_FILE.
       2. Set the value to the name of the log file (for example: c:\gskit.log).
     - UNIX: edit install_root/bin/envvars with a text editor to add these lines:
       GSK_TRACE_FILE=/path/gskit.log
       export GSK_TRACE_FILE
6. Start IBM HTTP Server.
7. If possible, set up a binary, unlimited-capture-length packet capture between IHS and the LDAP server.
8. Recreate the problem, noting the time/URL and the expected/observed result.
9. Capture the following:
   netstat -na > netstat.out
10. Stop IBM HTTP Server.
11. Collect the following data files:
    - The output of the DescribeConfig must-gather tool
    - httpd.conf, error_log, access_log
    - netstat.out
    - If using mod_ibm_ldap:
      - ldaptrace.log
      - ldap.prop (value of LDAPConfigFile)
    - If using SSL:
      - gskit.log
      - The GSKit version (entire file with output from the version command)
    - IBM HTTP Server version and LDAP Client version.
    - The date and time of failure along with the browser version and the full URL that resulted in the LDAP failure. For example:
      Feb. 10, 2010 8:32:07 PM
      Firefox 3.6 (Linux)
      http://www.mycompany.com/mystuff/goodies/index.html
    - A binary, unformatted packet capture of the traffic between IHS and LDAP, if available.
12. Follow instructions to send diagnostic information to IBM support.
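Steps 3 to 5 depend on which LDAP module httpd.conf loads and whether SSL is involved, and that is easy to get wrong on an unfamiliar server. The following POSIX shell preflight, an added example rather than an IBM tool, reads an httpd.conf and prints the trace settings from those steps that are still missing; it assumes the standard IHS LoadModule names (ibm_ldap_module, ldap_module, authnz_ldap_module) and uses a constructed sample configuration.

```shell
# Preflight for the must-gather steps above: inspect httpd.conf for which LDAP
# module is loaded, whether SSL is used, and the LogLevel, then list the traces
# to enable. Assumes the standard IHS LoadModule names for the LDAP modules.
# Constructed sample httpd.conf, written to a temp file so the checks run offline.
SAMPLE_CONF="${TMPDIR:-/tmp}/ihs_ldap_mustgather_sample.conf"
cat > "$SAMPLE_CONF" <<'EOF'
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
#LoadModule ibm_ldap_module modules/mod_ibm_ldap.so
LogLevel warn
<VirtualHost *:443>
  SSLEnable
  AuthLDAPURL ldaps://ldap.example.com:636/ou=people,o=example?uid
</VirtualHost>
EOF
# Print which LDAP modules are loaded; commented-out LoadModule lines are ignored.
ldap_modules() {
  out=""
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ibm_ldap_module[[:space:]]' "$1" && out="$out mod_ibm_ldap"
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ldap_module[[:space:]]' "$1" && out="$out mod_ldap"
  grep -Eq '^[[:space:]]*LoadModule[[:space:]]+authnz_ldap_module[[:space:]]' "$1" && out="$out mod_authnz_ldap"
  printf '%s\n' "${out# }"
}
# "yes" when SSL is used on the request side (SSLEnable) or toward LDAP (ldaps://).
ssl_in_use() {
  if grep -Eq '^[[:space:]]*SSLEnable' "$1" || grep -Eiq 'ldaps://' "$1"; then echo yes; else echo no; fi
}
# Last LogLevel directive in the file; Apache defaults to warn when none is set.
current_loglevel() {
  lvl=$(grep -E '^[[:space:]]*LogLevel[[:space:]]' "$1" | tail -n 1 | awk '{print $2}')
  printf '%s\n' "${lvl:-warn}"
}
# Emit the step 3-5 settings this configuration still needs before recreating the problem.
trace_plan() {
  [ "$(current_loglevel "$1")" = debug ] || echo "httpd.conf: LogLevel debug"
  echo "envvars: LDAP_DEBUG=65535"
  case " $(ldap_modules "$1") " in
    *" mod_ibm_ldap "*) echo "envvars: LDAP_TRACE_FILE=/path/ldaptrace.log" ;;
  esac
  if [ "$(ssl_in_use "$1")" = yes ]; then
    echo "httpd.conf: SSLTrace"
    echo "envvars: GSK_TRACE_FILE=/path/gskit.log"
  fi
}
trace_plan "$SAMPLE_CONF"
```

Point SAMPLE_CONF at the real httpd.conf to get the plan for an actual server; LDAP_TRACE_FILE is listed only when mod_ibm_ldap is loaded, matching the note in step 4.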