Resolving problems with the LDAP directory server

If you are having problems with password authentication, verify that you completed all of the configuration steps correctly. Have you defined the base distinguished name (Base DN) on the LDAP directory server? Did you set the LDAPURL option?

After you install the Tivoli Storage Manager V6.3.3 or later server, or the IBM Spectrum Protect V7.1.3 or later server, you must configure the LDAP directory server to communicate with the server.

If you have connection problems, complete the following steps with an LDAP utility such as ldapsearch or ldp.exe:
  1. Test forward- and reverse-DNS lookup of the LDAP server system on the server system.
  2. Test the network connection between the server operating system and the LDAP directory server operating system.
  3. Connect to the LDAP directory server with the host name and port that you specified in the LDAPURL option.
  4. Establish a Transport Layer Security (TLS) connection by issuing the StartTLS option.
  5. Use simple bind authentication to authenticate with the parameters that you defined for the LDAPUSER and the LDAPPASSWORD.
  6. Search the LDAP directory server for the BaseDN that you specified in the LDAPURL option.
An LDAP server administrator might use the ldapsearch utility, as follows, to troubleshoot LDAP directory authentication problems:

Using OpenLDAP (specify the certificate file using the TLS_CACERT option in the ldap.conf file)
  Without SSL/TLS
    ldapsearch -H <hostname> -D <LDAPUSER> -W -s base -b <BaseDN from LDAPURL> -v -x objectclass="*"
  With SSL/TLS
    ldapsearch -H <hostname> -D <LDAPUSER> -W -s base -b <BaseDN from LDAPURL> -v -x -ZZ objectclass="*"

Using the LDAP client (installed with AIX or downloaded from ibm.com)
  Without SSL/TLS
    ldapsearch -h <hostname> -D <LDAPUSER> -w ? -s base -b <BaseDN from LDAPURL> -v objectclass="*"
  With SSL/TLS
    ldapsearch -h <hostname> -D <LDAPUSER> -w ? -s base -b <BaseDN from LDAPURL> -v -Y -x -K "cert.kdb" objectclass="*"

For the previous commands, the following parameters apply:
  • hostname = the URL from the LDAPURL option, for example
    ldap://ldap.ibm.com:389/
  • LDAPUSER = the parameters from the SET LDAPUSER command, for example
    cn=tsmserver,cn=users,dc=ibm,dc=com
  • BaseDN from LDAPURL = the Base DN from the LDAPURL option, for example
    "OU=tsm,DC=ibm,DC=com"