Error messages for LDAP authenticated passwords

When you authenticate passwords with an LDAP directory server, common errors can occur over the connection between the IBM® Tivoli® Storage Manager server and the LDAP directory server.

These error messages are the result of communicating with an LDAP directory server:

ANR3114E
  Message ANR3114E is issued whenever an unexpected error is encountered during an LDAP operation. The message gives you more information to assist you in resolving the error. For example:

  ANR3114E LDAP error LDAP error code (error description) occurred during operation.

  LDAP error code
    The error number that is returned by either the LDAP client interface or the LDAP directory server.
  error description
    A description of the LDAP error code, indicating the cause of the error.
  operation
    The LDAP client operation that was running when the error occurred.

  In the following example, error code 53 is returned by the LDAP client interface or the LDAP directory server. The operation that was in progress at the time of the error is also flagged; in this example, it is ldap_search_s.

  ANR3114E LDAP error 53 (DSA is unwilling to perform) occurred during ldap_search_s.

ANR3115E
  Message ANR3115E is issued when there is an error with the LDAP directory server. For example:

  ANR3115E The LDAP directory server returned the following error message (LDAP server message) with the LDAP error.

  LDAP server message
    This message text is returned by the LDAP directory server and gives more information about the error that just occurred.

ANR3116E
  Error message ANR3116E is issued when the Global Security ToolKit (GSKit) component encounters an error during an LDAP operation. GSKit provides Secure Sockets Layer/Transport Layer Security (SSL/TLS) for LDAP operations. This error message is usually related to SSL/TLS, certificates, cryptography, or network operations. For example:

  ANR3116E LDAP SSL/TLS error GSKit error code (error description) occurred during operation.

  GSKit error code
    The error number that is returned by the GSKit component.
  error description
    A text description that is associated with the error code, indicating the cause of the error.
  operation
    The LDAP client operation that was running when the error occurred.

If you cannot determine the cause of the errors, work through the following steps:
  1. Examine the server messages that were issued around the same time as the error message to determine the cause and the impact of the error. Issue the QUERY ACTLOG command to view the activity log file and to search for error messages.
  2. Look for network problems.
  3. Check the status of the LDAP directory server.
  4. For error message ANR3116E, look for problems with the certificates that the LDAP directory server uses or the Tivoli Storage Manager server key database (cert.kdb).
  5. Examine the LDAP directory server log files.
  6. Use LDAP utilities such as “ldapsearch” or “ldp” to isolate the problem.
The following table contains errors that you might find if your configuration is not correct:
Table 1. Errors that might occur when you authenticate passwords with an LDAP directory server

Error messages:
  ANR3114E LDAP error 118 (The SSL library cannot be loaded)
  ANR3116E LDAP SSL/TLS error 118 (Unknown SSL error)
  ANR3103E Failure occurred while initializing LDAP directory services
Resolution:
  The library path might not be set properly. Make sure that you are using the correct version of the GSKit.

Error messages:
  ANR3114E LDAP error 116 (Failed to connect to the SSL server)
  ANR3116E LDAP SSL/TLS error 406 (I/O error)
  ANR3103E Failure occurred while initializing LDAP directory services
  ANR2732E Unable to communicate with the LDAP directory server
Resolution:
  The level of GSKit might be incorrect on the Tivoli Directory Server. Upgrade GSKit to the correct level. See the technote.
  For Active Directory, disable automatic root certificates updates with Windows Update if an internet connection is not available.

Error messages:
  ANR3114E LDAP error 52 (DSA is unavailable)
  ANR3103E Failure occurred while initializing LDAP directory services
  ANR2732E Unable to communicate with the LDAP directory server
Resolution:
  The Active Directory server does not have a certificate available for TLS/SSL. Create a signed certificate that can be used by Microsoft Active Directory.

Error messages:
  ANR3114E LDAP error 116 (Failed to connect to SSL server)
  ANR3116E LDAP SSL/TLS error 414 (Bad certificate)
  ANR3103E Failure occurred while initializing LDAP directory services
  ANR2732E Unable to communicate with the LDAP directory server
Resolution:
  The LDAP directory server certificate is not trusted. Add the root certificate authority (CA) certificate to the Tivoli Storage Manager server key database file (cert.kdb) and verify that the certificates are not expired.

Error messages:
  ANR3094E The distinguished name (DN) that is specified in the LDAPURL option does not exist on the LDAP directory server
  ANR3103E Failure occurred while initializing LDAP directory services
Resolution:
  If the DN exists, the LDAPUSER might not have full access control rights to the Base DN that is specified in the LDAPURL option.

Error messages:
  ANR3114E LDAP error 50 (Insufficient access)
  ANR1885E LDAP directory service initialization: Permission was denied when the LDAP directory entry was accessed as LDAPUSER
  ANR3103E Failure occurred while initializing LDAP directory services
  ANR1885E SET LDAPPASSWORD: Permission was denied when the LDAPUSER entry was accessed
Resolution:
  The LDAPUSER does not have full access control rights to the base DN that is specified in the LDAPURL option.

Error messages:
  ANR3114E LDAP error 116 (Failed to connect to SSL server)
  ANR3116E LDAP SSL/TLS error 420 (Socket closed)
Resolution:
  For Tivoli Directory Server, the SSL_TIMEOUT_MILLISEC is not set high enough. See the technote.

Error messages:
  ANR3114E LDAP error 4 (Size limit exceeded)
Resolution:
  Increase the LDAP server search size limit to accommodate the total number of LDAP-authenticated nodes and administrators.

Error messages:
  ANR3114E LDAP error 91 (Connection error) occurred during ldap_sasl_bind.
  ANR3103E Failure occurred while initializing LDAP directory services.
Resolution:
  The LDAP server is not active or is offline.
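
The following added example (not IBM code) parses ANR3114E and ANR3116E lines in the formats described above, pairs each LDAP client error with the GSKit error that accompanies it, and looks the pair up in Table 1, since LDAP error 116 alone does not identify the cause. The names MSG, TABLE_1, triage and SAMPLE are hypothetical, the log lines are constructed, and the code assumes that an ANR3116E follows its ANR3114E as the messages are listed in the table.

```python
import re

# Formats described above; the "occurred during <operation>" tail is optional
# because Table 1 quotes the messages without it.
MSG = re.compile(
    r"(?P<id>ANR311[46]E) LDAP (?:SSL/TLS )?error (?P<code>\d+) "
    r"\((?P<desc>[^)]*)\)(?: occurred during (?P<op>\w+))?"
)

# (ANR3114E LDAP code, ANR3116E GSKit code or None) -> resolution from Table 1
TABLE_1 = {
    ("118", "118"): "Check the library path and the GSKit version.",
    ("116", "406"): "Upgrade GSKit on the directory server to the correct level.",
    ("116", "414"): "Add the root CA certificate to cert.kdb; check certificate expiry.",
    ("116", "420"): "Raise SSL_TIMEOUT_MILLISEC on Tivoli Directory Server.",
    ("52", None): "Create a signed TLS/SSL certificate for Active Directory.",
    ("50", None): "Give LDAPUSER full access rights to the base DN in LDAPURL.",
    ("4", None): "Increase the LDAP server search size limit.",
    ("91", None): "The LDAP server is not active or is offline.",
}

def triage(lines):
    """Pair each ANR3114E with the ANR3116E that follows it, then consult Table 1."""
    findings, current = [], None
    for line in lines:
        m = MSG.search(line)
        if m is None:
            continue  # ANR3103E, ANR2732E and unrelated lines carry no error code
        if m["id"] == "ANR3114E":
            current = {"ldap": m["code"], "gskit": None, "op": m["op"]}
            findings.append(current)
        elif current is not None and current["gskit"] is None:
            current["gskit"] = m["code"]  # assumption: ANR3116E follows its ANR3114E
    for f in findings:
        key = (f["ldap"], f["gskit"])
        f["resolution"] = TABLE_1.get(key) or TABLE_1.get((f["ldap"], None))
    return findings

# Constructed activity log lines (timestamps and ordering are illustrative)
SAMPLE = [
    "03/14/2013 10:02:11 ANR3114E LDAP error 116 (Failed to connect to SSL server) occurred during ldap_sasl_bind.",
    "03/14/2013 10:02:11 ANR3116E LDAP SSL/TLS error 414 (Bad certificate) occurred during ldap_sasl_bind.",
    "03/14/2013 10:02:11 ANR3103E Failure occurred while initializing LDAP directory services",
    "03/14/2013 10:07:45 ANR3114E LDAP error 53 (DSA is unwilling to perform) occurred during ldap_search_s.",
    "03/14/2013 10:09:30 ANR3114E LDAP error 116 (Failed to connect to SSL server) occurred during ldap_sasl_bind.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["ldap"], f["gskit"], f["op"], "->", f["resolution"] or "no Table 1 match")
```

A finding with no resolution, such as error 53 or an error 116 without an accompanying GSKit code, is one to take through the numbered steps above.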