Troubleshooting pass-through authentication
Use the pass-through authentication troubleshooting information to identify and fix any issues with the Directory Server environment.
- If you modify the entries in a pass-through server that affect the mapping, you must update the mapping in the authentication server for consistency. Ensure that the DNs are updated so that any modifications or renames in the pass-through server are applied to the authentication server.
- You can run pass-through authentication against a Proxy Server only if the pass-through subtree is part of the partition base on the Proxy Server.
- If you observe an unexpected result for an operation against a
Proxy Server, check the ibmslapd.log file on
the proxy back-end server for error messages. Search for the following
error messages in the ibmslapd.log file:
The unexpected result might be because of the operation timeout. In such situations, increase the value of the ibm-slapdPtaResultTimeout attribute in the pass-through authentication entry under the cn=Passthrough Authentication, cn=Configuration. The timeout value is specified in milliseconds. The maximum supported value for this attribute is 60000 milliseconds, which is 60 seconds.12/20/11 15:08:56 GLPSRV165E Pass-through authentication failed due to a timeout. 12/20/11 15:08:56 Pass-through authentication search failed on host ’ldapServer’, port ’389’, url ldap://ldapServer:389’ 12/20/11 15:08:56 GLPSRV163E Pass-through bind failed on ’ldap://ldapServer:389’ for entry ’cn=user_21,o=sample’ - If you configure pass-through authentication in a distributed directory, check the ibmslapd.log file on the proxy back-end servers to resolve any issues.
- To audit pass-through authentication, set the ibm-auditPTABindInfo attribute
to true on the authentication server. The ibm-auditPTABindInfo attribute
is under the cn=Audit, cn=Log Management, cn=Configuration DN
entry in the configuration file. By default, ibm-auditPTABindInfo is
set to true. A prerequisite to include pass-through details for bind
or compare operations is that the ibm-audit attribute
must be set to true. The bind and compare operations
must be audited. The following example shows an audit log entry for
a pass-through authentication: AuditV3--2011-06-21-11:17:39.813+00:00--V3
Bind--bindDN: cn=XXX,ou=users,o=sample -client: 127.0.0.1:51900--connectionID:
10--received: 2011-06-21-11:17:39.811+00:00 --Success controlType:
1.3.6.1.4.1.42.2.27.8.5.1 criticality: false passthroughBindDN: uid=XXX,c=in,dc=com
passthroughServer: ldap://server:port passthroughBindRC: 0 AuditV3--2011-06-21-11:17:39.815+00:00--V3
Compare--bindDN: cn= XXX,ou=users,o=sample --client: 127.0.0.1:51900--connectionID:
10--received: 2011-06-21-11:17:39.813+00:00 --Success controlType:
1.3.6.1.4.1.42.2.27.8.5.1 criticality: false passthroughBindDN: uid=XXX,c=in,dc=com
passthroughServer: ldap://server:port passthroughBindRC: 0where,
- passthroughBindDN: is the DN that was used to validate bind against pass-through server
- passthroughServer: is the LDAP URL of the pass-through server
- passthroughBindRC: is the return code for bind operation from pass-through server