OA47638: LDAPADD:INCORRECT FORMAT (LINE 'N' OF ENTRY 'DN) WHERE THAT LINE IN THE INPUT LDIF FILE CONTAINS A BASED64 ENCODED BIN ATT VALUE

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Customer ran ldapsearch with the -L option to unload an entry
  into an ldif file. Part of that entry's contents is the
  usercertificate binary attribute - which is return as output
  from ldapsearch (and into an ldif file when the -L option is
  used) in base64 encoded format.
  This ldif file is used on an ldapadd which failed with error:
  
  ldapadd: incorrect format (line 6 of entry: <customer_dn>
  
   EXTERNAL SYMPTOMS:
   ldapadd: incorrect format (line 'n'  of 'dn')
   ANALYSIS:
   There appears to be an error involving the parsing of the last
   4 chars of the data when writing the ldif file.
   KNOWN IMPACT:
   invalid ldif output for binary attributes returned in basse64
   encoded format - disallows use of that ldif file attribute for
   reuse such as to relaod the attribute data.
   VERIFICATION STEPS:
   ldapadd receieves noted sympton
  

Local fix

• BYPASS/CIRCUMVENTION:
   None
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of IBM Tivoli Directory Client for     *
  *                 z/OS who utilize the ldapsearch utility.     *
  ****************************************************************
  * PROBLEM DESCRIPTION: The ldapsearch utility with the '-L'    *
  *                      option displays entries in LDIF format, *
  *                      with binary attribute values shown in   *
  *                      base64 encoded sequences. However, the  *
  *                      generated base64 encoded sequence is    *
  *                      sometimes incorrect when the value      *
  *                      spans multiple output lines. Reloading  *
  *                      the resulting LDIF data using the       *
  *                      ldapadd utility can result in error     *
  *                      "ldapadd: incorrect format".            *
  ****************************************************************
  * RECOMMENDATION: APPLY PTF                                    *
  ****************************************************************
  The client side base64 encoding flow is flawed where padding is
  performed and the output is split into multiple lines. According
  to the base64 encoding algorithm, the input data is grouped by
  three bytes and each group is converted into four printable
  output characters. Padding is done if the last group contains
  less than three input characters and one or two '=' characters
  are appended to the last encoded block to indicate null input
  bytes that should be ignored by the decoding flow.  If the last
  encoded four bytes span a line, the equal mark may be placed
  in the wrong place and invalidate the whole encoded sequence.
  

Problem conclusion

• In this APAR, a new padding mechanism is applied to the client
  side base64 encoding flow to ensure the padding characters are
  placed in the correct place.
  
  This APAR support was provided through internal defect 4850.
  
  FMIDs affected:
     HRSL3D0 - IBM TDS on z/OS V1.13
     HRSL410 - IBM TDS on z/OS V2.1
  
  This APAR updates the following parts:
  
    GLDSRCH
    GLDAH014
    GLDAX007
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UA77671 UA77672

Modules/Macros

• GLDAH014 GLDAX007 GLDSRCH
  

Fix information

• Fixed component name

  SECURITY SERVR

• Fixed component ID

  565506803

Applicable component levels

• R3D0 PSY UA77671

     UP15/07/14 P F507

• R410 PSY UA77672

     UP15/07/14 P F507

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.