LDAP object storage problems

Policies can be defined on an LDAP server using the appropriate definitions, known as schemas. The policies are defined as object classes with certain attributes, which are a superset of the attributes that can be defined in a local file using the PolicyAction and PolicyRule statements. Policy Agent acts as an LDAP client to communicate with and retrieve policies from an LDAP server. Policy Agent uses an LDAP DLL to perform its LDAP client functions.

Before you begin, if you are having problems initializing the LDAP server with the Policy Agent schema definitions or adding policy objects to the server, perform the following steps to diagnose LDAP object storage problems.

In Table 1, select actions as indicated according to the problem you are experiencing.
Table 1. LDAP object storage problems

Problem: Unable to add the Policy Agent schema definitions to an LDAPv3 server

Cause/action: The Policy Agent LDAPv3 schema definition files are shipped as the following sample files:
  • pagent_r8qosschema.ldif
  • pagent_r5idsschema.ldif
These files need to be installed on the LDAP server, in the proper order, as an object in the server's database rather than as configuration information. This process is known as schema publication; see RFCs 1804 and 2251. The files need to be specified on ldapmodify commands that modify the cn=schema entry in the server's database, in the order specified in z/OS Communications Server: IP Configuration Guide. Verify that the <suffix> value on the first noncomment line of these files has been changed to the suffix value defined for your LDAP server, as explained in the prologues of these files.

For more information about installing the schema definition files, see z/OS Communications Server: IP Configuration Guide.

Symptom: Symptoms can include error messages issued by the server. Because server implementations are different, check the documentation for your server for the types and locations of error or log messages.

Problem: Unable to add policy objects to an LDAP server

Cause/action: Check the following:
  1. Are the Policy Agent schema definitions installed on the LDAP server?
  2. Are the correct object classes identified for any attributes you have defined in the object? For example, the ibm-policySubtreesAuxContainedSet attribute is defined for the ibm-policySubtreesPtrAuxClass object class.
  3. Does the server recognize all of your objects?

Symptom: Symptoms can include error messages issued by the server. Because server implementations are different, check the documentation for your server for the types and locations of error or log messages. A typical error message might indicate an object class violation. There are several possible reasons for an LDAP server rejecting a policy object.

The following symptoms correspond to the numbered actions in the cause and action column.

  1. If the server does not know about policy attributes or object classes, it fails any objects that contain them.
  2. If you define a policy object with this attribute attached but do not include the object class value, the server flags the object as an object class violation.
  3. The symptoms for this are missing objects when you search the server, or errors when adding the objects. Some servers impose strict syntax rules on LDIF files that contain objects.
    • Lines that separate objects might need to be just a single newline character. If the separator lines contain other characters, the following object is processed as a continuation of the previous object. If the object file was transferred using FTP from a host, character translation might result in characters other than newlines separating objects. These additional characters must be removed.
    • There must be no blanks at the ends of lines.
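The checks in Table 1 that concern the LDIF file itself (the unreplaced <suffix> placeholder, an attribute used without the object class that defines it, separator lines that carry characters other than a newline, and trailing blanks) can be run before the file is handed to ldapmodify. The following linter is an added example, not part of z/OS Communications Server or its shipped sample files; the attribute-to-object-class mapping contains only the one pair the table names, and the sample LDIF text is constructed to trigger each finding.

```python
"""Lint an LDIF file for the object storage problems listed in Table 1.

Added example; not IBM code. Run as: python ldif_lint.py policy.ldif
"""
import re
import sys

# Attribute -> object class that must be present in the same entry.
# Only the pair named in Table 1 is listed; extend for your own schema.
ATTRIBUTE_REQUIRES_CLASS = {
    "ibm-policysubtreesauxcontainedset": "ibm-policysubtreesptrauxclass",
}

# "attributename:" at the start of a non-continuation line.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):")


def lint_ldif(text):
    """Return a list of 'line N: problem' strings; an empty list means clean."""
    problems = []
    # Split on "\n" only so that a stray "\r" (typical after an FTP transfer
    # with character translation) is still visible on the line.
    lines = text.split("\n")
    if lines and lines[-1] == "":  # a final newline leaves an empty element
        lines.pop()

    entries = []    # one dict per entry: first line, attribute names, object classes
    current = None
    for no, line in enumerate(lines, start=1):
        if line == "":
            current = None          # clean separator: entry ends here
            continue
        if line.strip() == "":
            # Looks blank but is not: the server would treat the next object
            # as a continuation of this one.
            problems.append(f"line {no}: separator line contains characters other "
                            f"than newline ({line!r})")
            current = None
            continue
        if "<suffix>" in line:
            problems.append(f"line {no}: placeholder <suffix> has not been replaced")
        if line != line.rstrip(" \t\r"):
            problems.append(f"line {no}: trailing blank or carriage-return characters")
            line = line.rstrip(" \t\r")
        if line.startswith("#") or line.startswith(" "):
            continue                # comment or continuation line
        m = _ATTR_RE.match(line)
        if not m:
            problems.append(f"line {no}: not in 'attribute: value' form")
            continue
        name = m.group(1).lower()
        value = line[m.end():].lstrip(":").strip()
        if current is None:
            current = {"first": no, "attrs": set(), "classes": set()}
            entries.append(current)
        if name == "objectclass":
            current["classes"].add(value.lower())
        else:
            current["attrs"].add(name)

    # Object class check: every listed attribute needs its defining class.
    for e in entries:
        for attr, cls in ATTRIBUTE_REQUIRES_CLASS.items():
            if attr in e["attrs"] and cls not in e["classes"]:
                problems.append(f"entry at line {e['first']}: attribute {attr} used "
                                f"without objectclass {cls} (object class violation)")
    return problems


# Constructed sample: unreplaced <suffix>, trailing blank, CR-only separator,
# and a first entry that lacks the auxiliary object class.
SAMPLE_LDIF = (
    "dn: cn=testpolicy,<suffix>\n"
    "objectclass: top\n"
    "ibm-policySubtreesAuxContainedSet: cn=x,o=ibm \n"
    "\r\n"
    "dn: cn=ok,o=ibm,c=us\n"
    "objectclass: ibm-policySubtreesPtrAuxClass\n"
    "ibm-policySubtreesAuxContainedSet: cn=y,o=ibm,c=us\n"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # newline="" keeps any "\r" characters so they can be reported.
        with open(sys.argv[1], encoding="utf-8", newline="") as f:
            findings = lint_ldif(f.read())
    else:
        findings = lint_ldif(SAMPLE_LDIF)
    for p in findings:
        print(p)
    sys.exit(1 if findings else 0)
```

The linter deliberately splits entries on whitespace-only lines as well as truly empty ones, so the object class check still runs per intended object even when the separators are defective; the defective separator is reported separately so it can be cleaned before the file is used.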