IY81006: TAM REPORTS USER AUTHENTICATION ERROR WHEN SERVER ACCOUNT CAN NOT AUTHENTICATE. IY74998 FIX NOT INCLUDED IN FIXPACK.

5.1.0-TIV-TAM-IF0043-WIN
5.1.0-TIV-TAM-IF0043-LIN
5.1.0-TIV-TAM-IF0043-PPC
5.1.0-TIV-TAM-IF0043-SOL
5.1.0-TIV-TAM-IF0043-S390
5.1.0-TIV-TAM-IF0043-HP
5.1.0-TIV-TAM-IF0043-AIX
Tivoli Access Manager for e-business Base 5.1, Patch 5.1.0-TIV-TAM-FP0041
Tivoli Access Manager for e-business Base 5.1, Patch 5.1.0-TIV-TAM-FP0042
Tivoli Access Manager for e-business Base 5.1, Patch 5.1.0-TIV-TAM-FP0039

APAR status

• Closed as program error.

Error description

• IY74998 is listed as being included in 5.1.0-TIV-TAM-LA0019 but
  it was pulled from the fixpack. This APAR is being opened so a
  fix may be provided.
  
  Error description from IY74988 -
  
  ERROR DESCRIPTION:
  Environment: Access Manager 5.1.
  
  Problem: If a TAM server account cannot be used for
  authentication to LDAP, the TAM server will indicate that the
  failed authentication is for the user attempting to log in:
  
  2005-08-07-11:55:04.673+00:00I----- 0x16B480C9 pdmgrd ERROR rgy
  ira ira_handle.c 678 0x00001214 HPDRG0201E   Error code 0x31 was
  received from the LDAP server. Error text: "Invalid
  credentials".
  
  2005-08-07-11:55:04.674+00:00I----- 0x132120DD pdmgrd WARNING
  ias authsvc pdauthn.cpp 1435 0x00001214 HPDIA0221W
  Authentication for user sec_master failed. You have used an
  invalid user name, password or client certificate.
  
  However, a component trace, not normally collected in a case
  like this, demonstrates that the invalid credentials belong to
  the server account, not the user account.
  
  2005-08-07-11:55:04.648+00:00I----- pdmgrd DEBUG8 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_auth.c 2163 0x00001214
  CII ENTRY: ira_determine_ldap_server_type()
  
  2005-08-07-11:55:04.648+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_handle.c 628 0x00001214
  
  ldap_ssl_init() server: itamlb.tgr.net port: 636
  
  2005-08-07-11:55:04.649+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_handle.c 658 0x00001214
  
  ira_ldap_simple_bind_s() DN:
  cn=ivmgrd/master,cn=SecurityDaemons,secAuthority=Default
  
  2005-08-07-11:55:04.649+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_ldap.c 1250 0x00001214
  
  ira_ldap_simple_bind_s(): No timeout - calling
  ldap_simple_bind_s
  
  2005-08-07-11:55:04.672+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_ldap.c 1293 0x00001214
  
  ira_ldap_simple_bind_s: Returning LDAP rc x31
  
  2005-08-07-11:55:04.672+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_handle.c 665 0x00001214
  
  LDAP rc: x31
  
  2005-08-07-11:55:04.672+00:00I----- pdmgrd DEBUG7 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_handle.c 675 0x00001214
  
  ldap_unbind_s()
  
  2005-08-07-11:55:04.673+00:00I----- pdmgrd DEBUG8 ivc ira
  /project/am510/build/am510/src/ivrgy/ira_auth.c 2289 0x00001214
  CII EXIT ira_determine_ldap_server_type() with rc:  0x00000031
  
  This problem can occur because the LDAP account or password has
  been disabled, or because the LDAP account is missing.
  

Local fix

Problem summary

• When ivmgrd/master daemon ID fails to get LDAP
  handle due to password problem, Policy Server does not log a mea
  ningful error in the log file.
  

Problem conclusion

• The fix for this APAR is expected to be cont
  ained in the following maintenance delivery vehicles:
  | LA interim fix | 5.1.0-TIV-AWS-LA0023
  | fixpack | 5.1.0-TIV-AWS-FP0024
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  ACCESS MGR E-BU

• Fixed component ID

  5724C0800

Applicable component levels

• R510 PSN

     UP