IBM Support

tacmd LDAP login fail after upgrade

Technical Blog Post



Came across this the other day, and it is just one to be aware of.  

This type of issue has been seen before, usually only on AIX (as it was in this case); however, it could happen on any machine type.

LDAP was working correctly before the upgrade and no configuration changes were done other than the upgrade.

The TEMS came up correctly and ITM processes were working, however tacmd logins via LDAP were not working.

Reviewing the RAS1 log *ms*-0n.log showed the following error:

:kglldp1.c,1229,"LDP1_ValidateLDAPSearch") User Fred LDAP bind error CN=happy,OU=Simple ,OU=Default Users,DC=corp,DC=home,DC=end xxxxxxxx (81): Can't contact LDAP server.
:kdspac1.c,1605,"VPA1_CreatePath") VPA1_CreatePath failure detected 1021.
F:kdssqrun.c,965,"CreatePath") Create Path Error. status 1021 path CT/DS:{SERVER=SRVR01 USER=KSH}
:kshdsr.cpp,361,"login") Create Path Error st=1021 for 'Fred' 'xxxxxxxx' 'ip.ssl'
F:kshhttp.cpp,493,"writeSoapErrorResponse") faultstring: CMS logon validation failed.
:kshhttp.cpp,523,"writeSoapErrorResponse") Client: ip.ssl:#nn.nnn.nnn.nn:35660


It was confirmed that the LDAP server and port were contactable from the HUB TEMS machine.

The next step was to review the *ms*-0n.log in more detail. It was useful to review the log file from before the upgrade as well as the one from after the upgrade.

In the log from after the upgrade, GSKit was running at a lower level than it was in the previous log.

If the GSKit level does change during an upgrade (and it will not always change), it should change to a higher version.

The cinfo list showed the GSKit level to be the correct version for the fix pack (in this case 6.3 fix pack 7):

gs IBM GSKit Security Interface aix526 08.00.50.69 d6276a - 0

but the log showed:

:kdebenc.c,821,"ssl_provider_constructor") GSKit Environment
                       Version Number: 8.0.14.28


The libraries loaded for GSKit were checked next. They are listed in the log starting with:

:kdebenc.c,120,"listSharedLibs")
           Shared Libraries for GSKit:

The first libraries were being loaded from a path outside the TEMS install directory structure, so the wrong version was being used.

The values of LD_LIBRARY_PATH and LIBPATH in ms.config were then checked.

In this case they had to be edited so that the correct GSKit path was found and loaded first, by moving it earlier in the list of directories to be searched.

The path that needed to be moved was /<install dir>/<interp>/gs/lib64.

The TEMS was then restarted for the changes to be picked up, after which the correct GSKit version could be seen in the logs and the tacmd command logged in correctly.
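
The checks described above can be scripted. The following is an added example, not IBM's or the original post's code: it compares the GSKit level reported by cinfo with the level in the RAS1 log and lists the directories searched ahead of the GSKit directory. The function names, the sample library path and the /opt/IBM/ITM install directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; sample values are constructed, the ITM path is a placeholder.
SAMPLE_LOG=':kdebenc.c,821,"ssl_provider_constructor") GSKit Environment
                       Version Number: 8.0.14.28'
SAMPLE_LIBPATH='/usr/lib:/usr/opt/other/lib64:/opt/IBM/ITM/aix526/gs/lib64'
SAMPLE_GSDIR='/opt/IBM/ITM/aix526/gs/lib64'

# Strip leading zeros from each dotted field: 08.00.50.69 -> 8.0.50.69
normalize_version() {
    printf '%s\n' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++) printf "%s%d", (i > 1 ? "." : ""), $i
        print "" }'
}

# Read RAS1 log text on stdin; print the last GSKit version the TEMS reported.
gskit_log_version() {
    awk '/GSKit Environment/       { seen = 1 }
         seen && /Version Number:/ { v = $NF; seen = 0 }
         END { if (v != "") print v }'
}

# Print each directory searched before $2 in the colon-separated list $1.
# Returns 1 if $2 does not appear in the list at all.
dirs_before() {
    printf '%s\n' "$1" | tr ':' '\n' | awk -v want="$2" '
        $0 == want { found = 1; exit }
        $0 != ""   { print }
        END        { exit(found ? 0 : 1) }'
}

# $1 = level from cinfo, $2 = LIBPATH/LD_LIBRARY_PATH value, $3 = GSKit dir;
# log text on stdin. Returns 0 when the loaded level matches the installed one.
check_gskit() {
    installed=$(normalize_version "$1")
    loaded=$(gskit_log_version)
    if [ "$installed" = "$loaded" ]; then
        echo "OK: GSKit $loaded loaded"
        return 0
    fi
    echo "MISMATCH: installed $installed, loaded ${loaded:-unknown}"
    echo "Directories searched before $3:"
    dirs_before "$2" "$3" || echo "($3 is missing from the list)"
    return 1
}

printf '%s\n' "$SAMPLE_LOG" | check_gskit 08.00.50.69 "$SAMPLE_LIBPATH" "$SAMPLE_GSDIR" || true
```

Any directory the script lists ahead of the GSKit directory is a candidate source of the older libraries and should be compared against the "Shared Libraries for GSKit" section of the log.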


UID

ibm11083273