IBM Support

Content Manager OnDemand LDAP authentication to Active Directory server fails with an error

Troubleshooting


Problem

Using LDAP authentication in the IBM Content Manager OnDemand server to search for a user ID in a Microsoft Active Directory server results in an error labeled "Operations error."

Symptom

Attempting to log on through an OnDemand client results in the error "The server failed while attempting to logon."

Taking a Content Manager OnDemand server trace shows that the initial bind to the Active Directory server was successful, but the search failed with the error "Operations error":

ArcLDAP_Startup:
LDAP Config ArcLDAPServerPtr=example.com
ArcLDAPPort=389
ArcLDAPBaseDN=DC=example,DC=com
ArcLDAPBindDN=CN=sample-user,OU=sample,DC=example,DC=com
ArcLDAPBindAttrib=sAMAccountName
ArcLDAPMappedAttrib=sAMAccountName
ArcLDAPKeyRingFile=(null)
ArcLDAPKeyRingLabel=(null)
LDAP use SSL=FALSE
LDAP allow anonymous bind=FALSE
LDAP referrals=TRUE
LDAP SaslBind=FALSE
LDAP OD Authentication Fallback=TRUE
...
ArcLDAP_Startup:
...
ArcLDAP_Startup:Return
ArcLDAP_Authenticate:Enter
ArcLDAPP_Connect:Enter
ArcLDAPP_Connect:LDAP initialization successful
ArcLDAPP_Connect:Return arccs return code=0,ARCCS_OKAY
ArcLDAPP_Bind:Enter
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=1
ArcLDAPP_Bind:ldap_parse_result ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:Return arccs return code=0,ARCCS_OKAY
ArcLDAP_Authenticate:Searching cur_userid=USER1 os_filter=sAMAccountName=USER1
ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)
ArcLDAP_Authenticate:ldap_unbind ldap_rc=0 extra_rc=0
ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED

This error typically occurs when Content Manager OnDemand is configured with a base distinguished name that searches across subordinate domains that are direct descendants of the directory server domain. In the previous example, the base distinguished name was set to DC=example,DC=com, which is at the root level of the Active Directory server example.com.

The Content Manager OnDemand server uses the Tivoli Directory Server LDAP API to communicate with the Active Directory server. The search scope is set to subtree, and the referral option is enabled by default. With these conditions set, referral chasing might occur. See the Related Information section for more information.
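
The conditions described above (bind succeeds, the search returns "Operations error", referrals are enabled, and the base distinguished name is at the domain root) can be checked mechanically against a server trace. The following Python script is an added example, not IBM code: the function names are hypothetical, it assumes the trace line formats shown in the excerpt above, and the domain-root test is a heuristic.

```python
import re

# Excerpt of the trace shown above, with values exactly as printed on this page.
SAMPLE_TRACE = """\
ArcLDAPBaseDN=DC=example,DC=com
LDAP referrals=TRUE
ArcLDAPP_Bind:Return arccs return code=0,ARCCS_OKAY
ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)
ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED
"""

# One pattern per trace field the diagnosis depends on.
PATTERNS = {
    "base_dn": re.compile(r"ArcLDAPBaseDN=(.+)$"),
    "referrals": re.compile(r"LDAP referrals=(TRUE|FALSE)"),
    "bind_rc": re.compile(r"ArcLDAPP_Bind:Return arccs return code=(\d+)"),
    "search_rc": re.compile(r"ldap_search_s ldap_rc=(\d+)"),
}

def parse_trace(text):
    """Extract the fields as strings; if a field repeats, the last value wins."""
    info = dict.fromkeys(PATTERNS)
    for line in text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line.strip())
            if m:
                info[key] = m.group(1)
    return info

def is_domain_root(base_dn):
    """True when every RDN is a DC= component, so the search base is the domain root.
    Uses a plain comma split and assumes the DN contains no escaped commas."""
    rdns = [r.strip() for r in (base_dn or "").split(",") if r.strip()]
    return bool(rdns) and all(r.upper().startswith("DC=") for r in rdns)

def matches_technote(info):
    """Bind returned 0, the search returned LDAP result code 1 (operationsError),
    referrals are enabled, and the base DN sits at the domain root."""
    return (info["bind_rc"] == "0" and info["search_rc"] == "1"
            and info["referrals"] == "TRUE" and is_domain_root(info["base_dn"]))

if __name__ == "__main__":
    info = parse_trace(SAMPLE_TRACE)
    print(info)
    print("matches technote pattern:", matches_technote(info))
```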

Document Information

Modified date:
07 October 2022

UID

swg21610510