When you authenticate passwords with an LDAP directory server, common errors can occur over the connection between the IBM® Tivoli® Storage Manager server and the LDAP directory server.
These error messages are the result of communicating with
an LDAP directory server:
- ANR3114E
- Message ANR3114E is issued whenever an unexpected error is encountered
during an LDAP operation. The message gives you more information to
assist you in resolving the error. For example,
ANR3114E LDAP error LDAP error code (error description) occurred during operation.- LDAP error code
- The error number that is returned by either the LDAP client interface or the LDAP Directory server.
- error description
- A description of the LDAP error code, indicating the cause of the error.
- operation
- The LDAP client operation that is running when the error occurred.
ANR3114E LDAP error 53 (DSA is unwilling to perform) occurred during ldap_search_s.
- ANR3115E
- Message ANR3115E is issued when there is an error with the LDAP
directory server. For example,
ANR3115E The LDAP directory server returned the following error message (LDAP server message) with the LDAP error.- LDAP server message
- This message text is returned by the LDAP directory server and gives more information about the error that just occurred.
- ANR3116E
- Error message ANR3116E is issued when the Global Security ToolKit
(GSKit) component encounters an error during an LDAP operation. GSKit
provides Secure Sockets Layer/Transport Layer Security (SSL/TLS) for
LDAP operations. This error message is usually related to SSL/TLS,
certificates, cryptography, or network operations. For example:
ANR3116E LDAP SSL/TLS error GSKIT error code (error description) occurred during operation.- GSKit error code
- The error number that is returned by the GSKit component.
- error description
- A text description that is associated with the error code indicating the cause of the error.
- operation
- The LDAP client operation that is running when the error occurred.
If you cannot determine the cause of the errors,
work through the following steps:
- Examine the server messages that were issued around the same time as the error message to determine the cause and the impact of the error. Issue the QUERY ACTLOG command to view the activity log file and to search for error messages.
- Look for network problems.
- Check the status of the LDAP directory server.
- For error message ANR3116E, look for problems with the certificates that the LDAP directory server uses or the Tivoli Storage Manager server key database (cert.kdb).
- Examine the LDAP directory server log files.
- Use LDAP utilities such as “ldapsearch” or “ldp” to isolate the problem.
The following table contains errors that you might find
if your configuration is not correct:
| Error messages | Resolution |
|---|---|
| ANR3114E LDAP error 118 (The SSL library cannot be loaded) ANR3116E LDAP SSL/TLS error 118 (Unknown SSL error) ANR3103E Failure occurred while initializing LDAP directory services | The library path might not be set properly.
Make sure that you are using the correct version of the GSKit. For more information,
see the following topics:
|
| ANR3114E LDAP error 116 (Failed to connect to the SSL server) ANR3116E LDAP SSL/TLS error 406 (I/O error) ANR3103E Failure occurred while initializing LDAP directory services ANR2732E Unable to communicate with the LDAP directory server | The level of GSKit might be incorrect on the Tivoli Directory Server. Upgrade
GSKit to the correct level. See the technote. For Active Directory, disable automatic root certificates updates with Windows Update if an internet connection is not available. |
| ANR3114E LDAP error 52 (DSA is unavailable) ANR3103E Failure occurred while initializing LDAP directory services ANR2732E Unable to communicate with the LDAP directory server | The Active Directory server does not have a certificate available for TLS/SSL. Create a signed certificate that can be used by Microsoft Active Directory. |
| ANR3114E LDAP error 116 (Failed to connect to SSL server) ANR3116E LDAP SSL/TLS error 414 (Bad certificate) ANR3103E Failure occurred while initializing LDAP directory services ANR2732E Unable to communicate with the LDAP directory server | The LDAP directory server certificate is not trusted. Add the root certificate authority (CA) certificate to the Tivoli Storage Manager server key database file (cert.kdb) and verify that the certificates are not expired. |
| ANR3094E The distinguished name (DN) that is specified in the LDAPURL option does not exist on the LDAP directory server ANR3103E Failure occurred while initializing LDAP directory services | If the DN exists, the LDAPUSER might not have full access control rights to the Base DN that is specified in the LDAPURL option. |
| ANR3114E LDAP error 50 (Insufficient access) ANR1885E LDAP directory service initialization: Permission was denied when the LDAP directory entry was accessed as LDAPUSER ANR3103E Failure occurred while initializing LDAP directory services ANR1885E SET LDAPPASSWORD: Permission was denied when the LDAPUSER entry was accessed | The LDAPUSER does not have full access control rights to the base DN that is specified in the LDAPURL option. |
| ANR3114E LDAP error 116 (Failed to connect to SSL server) ANR3116E LDAP SSL/TLS error 420 (Socket closed) | For Tivoli Directory Server, the SSL_TIMEOUT_MILLISEC is not set high enough. See the technote. |
| ANR3114E LDAP error 4 (Size limit exceeded) | Increase the LDAP server search size limit to accommodate the total number of LDAP-authenticated nodes and administrators. |
| ANR3114E LDAP error 91 (Connection error) occurred during ldap_sasl_bind. ANR3103E Failure occurred while initializing LDAP directory services. | The LDAP server is not active or is offline. |
AIX: Creating the server instance
HP-UX: Creating the server
instance
Linux: Creating the server
instance
Oracle Solaris: Creating
the server instance
Windows: Creating the
server instance