Validating the LDAP configuration and troubleshooting LDAP user authentication problems

If you have problems with LDAP user authentication, follow these steps to validate the LDAP configuration and troubleshoot the problems.

For more information about LDAP user authentication, see Integrating LDAP with Content Manager Enterprise Edition.

Finding information in the log files

Before version 8.7.0.1

  1. Look in the library server log file (icmserver.log) for entries that contain the user exit’s return code and error code, like this:
    RC=8025 Reason=0, ExtRC=0, ExtReason=0

    To find this log file, see Finding the log files that help with LDAP troubleshooting.

    The log file might contain error messages from the user exit. They are in this range: ICM8020 - ICM8030; for more information, see Library server messages.

    Usually, these error messages contain enough information to resolve the problem.

  2. If you need more information about why the LDAP user authentication failed, look in the user exit log file (UE.log).

    The information is near the end of the file, and it looks like this:

    DIRECT user is cn=test1,cn=fvt,O=IBM.COM
    rc from client init is : 113
    SSL client init failed : 408
    Connect to Server failed **

    The user exit log file might contain the SDS error code and the GSkit return code for SSL communication. For more information about these, see:

    LDAP_ERROR (SDS error code)

    Possible extended error codes returned by LDAP SSL function codes

    GSKit return codes

Version 8.7.0.1 and later

The return code from the LDAP authentication is set in the ExtRC field of the error messages. The return code values are usually the SDS error codes; see LDAP_ERROR.

The trace log files might contain additional errors: for example, the GSKit can be logged under the heading "failurereasoncode".

Binding the LDAP user

To bind an LDAP user full DN with its own password against the LDAP server, run the ldapsearch command on the computer that the library server is on. This command validates the communication between the library server and the LDAP server; validates the LDAP user DN and password; and if SSL is enabled, validates the kdb file and its password. For TLS 1.2 and TLS 1.3 support, make sure that the LDAP server side enables TLS protocol for communication. It is recommended to enable SSL, TLS 1.2, and TLS 1.3. ldapsearch is installed as part of the SDS client.

For information about how to use ldapsearch, see idsldapsearch, ldapsearch.

For example, you might use a command like this:

ldapsearch -h 10.1.222.111 -p 636 -D "cn=test1,cn=admin,o=ibm.com" -w userpassword -b "cn=admin,o=ibm.com" -s sub -K "C:\IBM\db2cmv8\cmgmt\clientkey.kdb" -P kdbpassword "(cn=test1*)" 

The command reports any errors; follow the output and error code to resolve the problem. Make sure that the command runs without any errors before you move to the next step.

Common error messages

For more information about these error messages, see Library server messages.

ICM8023: The LDAP library loading failed

This message means that the user exit cannot load a library that it needs from the SDS client.

  1. Make sure the SDS client is correctly installed: see Installing the prerequisite software for LDAP user authentication.
  2. Complete one of the following tasks:
    • Linux and AIX: Make sure that you have run the idslink command after installing the SDS client.
    • Windows: Make sure that the SDS client’s library lib64 is in the PATH environment variable.

ICM8025: There was an LDAP properties file read error

This error message might mean that:

  • The user exit cannot read the IBMCMROOT/cmgmt/cmbcmenv.properties file. If the log file also contains a message that says, “IBMCMROOT is not set !!", set the IBMCMROOT variable in the Db2 or Oracle environment.
  • The file does not have enough permission: it needs 755.

ICM8027: The connection to the LDAP server failed

This error might mean that:

  • The LDAP configuration is incorrect. In the System Administration client, check the configuration: see Integrating LDAP with Content Manager Enterprise Edition.
  • The file was corrupted when it was transferred from a Windows computer to a Linux or AIX computer. Open the file to check it, and then transfer it again.

ICM8030: The LDAP user bind failed

If you have resolved all the configuration issues, this error message means that either the full DN or the password is incorrect.

  • Make sure you have used the LDAP import tool to import the LDAP users; do not type or create the full DN and user name for a LDAP user.
  • Make sure that the correct password is specified, and that the LDAP user account is not locked or expired.

SSL 118: LDAP_SSL_NOT_AVAILABLE

This error message means the GSKit cannot be loaded; this might be because it is not installed, or it installed in a location that is not accessible.

To install or check the GSKit, see Installing the prerequisite software for LDAP user authentication (step 3).

SSL 113: LDAP_SSL_INITIALIZE_FAILED

If this error message occurs, look in the user exit log file (UE.log) for the GSKit failure reason code. For example, the SDS client return code looks like this:

rc from client init is : 113

The GSKit return code looks like this:

SSL client init failed : 408

If non-SSL authentication works, the most common errors for SSL_init are related to the security certificate. For example:

GSKit reason code 403: GSK_ERROR_NO_CERTIFICATE
If this error message occurs, make sure that the kdb file is in the IBMCMROOT/cmgmt/ directory, and that it has read permission.
GSKit reason code 408: GSK_ERROR_BAD_KEYFILE_PASSWORD
This error message indicates that the password for kdb is wrong, or that it was not correctly encrypted in the cmbcmenv.properties file. Make sure that the password that is specified in the LDAP configuration dialog is correct, and that the cmbcmenv.properties file is not corrupted.