LDAP object retrieval problems

Before you begin, if you are having problems receiving policies from an LDAP server, start Policy Agent with the -d 1 or -d 2 startup option so that its log contains the detail needed for the checks below.

In Table 1, select actions as indicated according to the problem you are experiencing.

Table 1. LDAP object retrieval problems

Each entry gives the Problem, the Cause/action to take, and the Symptom by which the problem shows up.

Problem: Unable to connect to the LDAP server
Cause/action: Check the attributes on the ReadFromDirectory statement in the Policy Agent configuration file that relate to the LDAP server connection. These include the primary and backup server addresses and ports, the user ID and password, and the SSL parameters.
Symptom: Message EZZ8440I is issued to the console. If Policy Agent fails to connect to the LDAP server, check the Policy Agent log file for the specific error encountered. Policy Agent keeps trying to connect to the server using a sliding time window: it retries after one minute, then at five-minute intervals, with a maximum of 30 minutes between connection attempts.
Tip: If a backup LDAP server is configured, message EZZ8440I is issued only if neither the primary nor the backup server can be connected to.

Problem: No objects, or incorrect objects, retrieved from the LDAP server
Cause/action: Check that the schema version specified on the ReadFromDirectory statement in the configuration file matches the schema version defined on the LDAP server. The versions are distinguished by the set of object classes they support; see z/OS Communications Server: IP Configuration Guide for the object classes of each supported schema version.
Symptom: Missing or incorrect policies are displayed by the pasearch command, or by the NETSTAT SLAP or netstat -j commands.

Problem: Wrong set of objects retrieved from the LDAP server
Cause/action: Check that the search and selection criteria specified on the ReadFromDirectory statement in the configuration file are correct.
For version 1 policies, verify that the correct Base and SelectedTag attributes are used.
For version 2 and later policies, check the SearchPolicyBaseDN, SearchPolicyGroupKeyword, SearchPolicyKeyword, and SearchPolicyRuleKeyword attributes.
Symptom: Missing or incorrect policies are displayed by the pasearch command, or by the NETSTAT SLAP or netstat -j commands.

Problem: LDAP DLL not found
Cause/action: Policy Agent locates the LDAP DLL through the LIBPATH environment variable. Check that LIBPATH is specified in the environment Policy Agent runs with, and that it contains the directory in which the LDAP DLL (GLDCLDAP) resides. This is normally /usr/lib.
Restriction: Policy Agent must have access to the LDAP DLL at run time.
Symptom: Policy Agent terminates unexpectedly with a CEEDUMP. The reason for termination in the CEEDUMP indicates that the LDAP DLL (GLDCLDAP) was not found.
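The following script is an added example and is not part of the Policy Agent product or its documentation. It performs the LIBPATH check for the "LDAP DLL not found" problem the way the run-time loader does: it walks LIBPATH left to right and reports the first directory holding a readable GLDCLDAP, distinguishing an unset or empty LIBPATH from a LIBPATH that simply does not contain the DLL, and flagging a DLL that is present but not readable by the user ID running the check. The function name find_dll_in_libpath, its exit codes, and the file name check_dll.sh in the usage comment are the example's own conventions; GLDCLDAP and the default location /usr/lib are taken from the page.

```shell
#!/bin/sh
# Added example, not part of the Policy Agent product or its documentation:
# locate the LDAP DLL (GLDCLDAP) in a LIBPATH the way the run-time loader
# searches it, so an "LDAP DLL not found" CEEDUMP can be diagnosed before
# Policy Agent is started. Written for the POSIX /bin/sh of z/OS UNIX.

# find_dll_in_libpath LIBPATH DLLNAME
#   Walks the colon-separated LIBPATH left to right and prints the first
#   directory that contains a readable DLLNAME.
#   Exit status (this example's own convention):
#     0  found; the directory is printed on stdout
#     1  LIBPATH is empty or unset
#     2  no LIBPATH directory contains a readable DLLNAME
find_dll_in_libpath() {
    libpath=$1
    dll=$2
    if [ -z "$libpath" ]; then
        echo "LIBPATH is not set or is empty; the loader cannot find $dll" >&2
        return 1
    fi
    rest=$libpath
    while [ -n "$rest" ]; do
        # Peel off the next path component without touching IFS.
        dir=${rest%%:*}
        case $rest in
            *:*) rest=${rest#*:} ;;
            *)   rest= ;;
        esac
        # An empty component ("::" or a leading ":") means the current directory.
        [ -z "$dir" ] && dir=.
        if [ -r "$dir/$dll" ]; then
            echo "$dir"
            return 0
        fi
        if [ -e "$dir/$dll" ]; then
            # Present but not readable by this user ID: the loader fails just
            # the same, and the fix is file permissions, not LIBPATH.
            echo "$dir/$dll exists but is not readable by $(id -un)" >&2
        fi
    done
    echo "$dll was not found in any LIBPATH directory ($libpath)" >&2
    return 2
}

# Stand-alone use, with the same LIBPATH that is exported to Policy Agent,
# for example:  LIBPATH=/usr/lib sh check_dll.sh
# When LIBPATH is not set in this shell, only the function is defined.
if [ -n "${LIBPATH:-}" ]; then
    find_dll_in_libpath "$LIBPATH" GLDCLDAP
fi
```

Run it under the user ID that starts Policy Agent, not under your own, because the readability test depends on who asks; a DLL that is visible to a privileged administrator but not to the started-task user ID produces the same CEEDUMP as a missing one.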
Problem: Version 1 policies not shared among multiple TCP/IP stacks
Cause/action: Policy Agent uses two attributes when it searches an LDAP server for version 1 policies that apply to a given TCP/IP image: the TCP/IP image name (TCPImageName) and a selector tag (SelectorTag). The selector tag attribute can be defined so that LDAP scopes the search; the TCP/IP image name attribute is set by default to scope the search to a particular image.
Each of the two attributes is multivalued, meaning that TCPImageName and SelectorTag can each be specified multiple times in one object defined to LDAP. Both multiple MVS™ images and multiple TCP/IP stacks can exist. If a policy object is to be used in multiple MVS LPARs, define multiple SelectorTag attributes on that object, one for each LPAR. If a policy object is to be used in multiple TCP/IP images, define multiple TCPImageName attributes on that object, one for each image.