APAR status
Closed as documentation error.
Error description
After configuring the IBM Systems Director (ISD) Lightweight Directory Access Protocol (LDAP) client to integrate with Active Directory's (AD) LDAP interface, a user may or may not be able to log in to the ISD Console, seemingly at random.

This behavior can occur when the LDAP host configured in the ISD SecurityLDAP.properties file is a name that the Domain Name System (DNS) resolves to different Internet Protocol (IP) addresses (for example, round-robin DNS used for load balancing), and the AD servers behind those addresses may or may not hold the full LDAP directory for the query being made. If the AD server that is reached can satisfy the LDAP query (usually for users, groups, and group membership), the user can log in. If it cannot satisfy the query, it normally issues an LDAP referral to an AD server that can. ISD does not follow AD referrals, so when a referral is issued the subsequent LDAP search fails and the user cannot log in to the ISD console.

The same situation arises if DNS is misconfigured such that the AD server resolved will never hold the required LDAP information. For example, if ISD is configured to use abc.ibm.com as the AD LDAP server, but DNS resolves that hostname to an IP address that belongs to the xyz.abc.ibm.com child (sub) domain, user login fails because the child domain issues a referral to abc.ibm.com, where the request could have been satisfied.

Impact: AD LDAP users will inconsistently be able to log in to the ISD console.
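The intermittent behavior above comes down to each address behind the configured LDAP host answering the user/group search differently. The following is an added diagnostic example (not IBM code, not part of this APAR) that resolves the configured host to every address it maps to and classifies how each would answer; the sample address pool and per-address answers are constructed, and the search result codes follow RFC 4511 (0 = success, 10 = referral).

```python
"""Classify every address behind the ISD LDAP host by how it answers the
user/group search: a pool that mixes answering DCs with referring DCs
produces exactly the 'sometimes I can log in' symptom (constructed example)."""
import socket
from typing import Callable, Dict, List

LDAP_SUCCESS = 0   # RFC 4511 resultCode 'success'
LDAP_REFERRAL = 10  # RFC 4511 resultCode 'referral' (ISD does not follow these)


def resolve_all(host: str, port: int = 389) -> List[str]:
    """Return every address the host resolves to; round-robin pools show up here."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def diagnose(addresses: List[str], search: Callable[[str], int]) -> Dict[str, List[str]]:
    """Group addresses by the LDAP resultCode `search(ip)` reports for the
    user/group query. Anything other than success means the login attempt fails."""
    report: Dict[str, List[str]] = {"ok": [], "referral": [], "other_error": []}
    for ip in addresses:
        code = search(ip)
        if code == LDAP_SUCCESS:
            report["ok"].append(ip)
        elif code == LDAP_REFERRAL:
            report["referral"].append(ip)
        else:
            report["other_error"].append(ip)
    return report


def is_intermittent(report: Dict[str, List[str]]) -> bool:
    """True when some addresses answer and others only refer or fail:
    which address DNS hands out decides whether the login succeeds."""
    return bool(report["ok"]) and bool(report["referral"] or report["other_error"])


# Constructed sample: two parent-domain DCs plus one child-domain DC in the same pool.
SAMPLE_POOL = ["10.0.0.11", "10.0.0.12", "10.0.1.5"]
SAMPLE_ANSWERS = {"10.0.0.11": LDAP_SUCCESS, "10.0.0.12": LDAP_SUCCESS, "10.0.1.5": LDAP_REFERRAL}


def sample_report() -> Dict[str, List[str]]:
    """Run the diagnosis against the constructed pool instead of live DCs."""
    return diagnose(SAMPLE_POOL, SAMPLE_ANSWERS.__getitem__)


if __name__ == "__main__":
    # For a live check, pass resolve_all(<host from SecurityLDAP.properties>) and a
    # search callable that performs the real query with referral chasing disabled.
    rep = sample_report()
    print(rep, "intermittent" if is_intermittent(rep) else "consistent")
```

A pool where every address lands in "ok" is the state the Local fix below aims for; any address in "referral" is one that will fail ISD logins whenever DNS selects it.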
Local fix
Configure DNS so that the AD LDAP server it resolves for the configured host always holds the complete LDAP group, user, and group membership information for the users trying to log in.
Problem summary
IBM Systems Director does not follow LDAP referrals. If a network environment's DNS points the ISD LDAP client at an AD LDAP server (domain) that does not contain the required LDAP information, that server issues a referral to a domain that does have it; the referral is not followed, and authentication fails. There is no plan to change the ISD design to support LDAP referrals.
Platforms: ALL
Versions: 6.3.x
Problem conclusion
DOC
Temporary fix
Comments
APAR Information
APAR number
IT11189
Reported component name
IBM DIR SRV WIN
Reported component ID
5765DRXWS
Reported release
630
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-09-11
Closed date
2015-09-11
Last modified date
2015-10-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
Document Information
Modified date:
22 August 2022