IBM Support

Content Manager OnDemand LDAP authentication to active directory server fails with an error

Troubleshooting

Problem

Using LDAP authentication in the IBM Content Manager OnDemand server to search for a user ID in a Microsoft Active Directory server results in an error labeled "Operations error."

Symptom

Attempting to log on through an OnDemand client results in the error "The server failed while attempting to logon."

Taking a Content Manager OnDemand server trace shows that the initial bind to the Active Directory server was successful, but the search failed with the error "Operations error":

ArcLDAP_Startup:
LDAP Config ArcLDAPServerPtr=example.com
ArcLDAPPort=389
ArcLDAPBaseDN=DC=example,DC=com
ArcLDAPBindDN=CN=sample-user,OU=sample,DC=example,DC=com
ArcLDAPBindAttrib=sAMAccountName
ArcLDAPMappedAttrib=sAMAccountName
ArcLDAPKeyRingFile=(null)
ArcLDAPKeyRingLabel=(null)
LDAP use SSL=FALSE
LDAP allow anonymous bind=FALSE
LDAP referrals=TRUE
LDAP SaslBind=FALSE
LDAP OD Authentication Fallback=TRUE
...
ArcLDAP_Startup:
...
ArcLDAP_Startup:Return
ArcLDAP_Authenticate:Enter
ArcLDAPP_Connect:Enter
ArcLDAPP_Connect:LDAP initialization successful
ArcLDAPP_Connect:Return arccs return code=0,ARCCS_OKAY
ArcLDAPP_Bind:Enter
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=1
ArcLDAPP_Bind:ldap_parse_result ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:ldap_sasl_bind ldap_rc=0 extra_rc=0
ArcLDAPP_Bind:Return arccs return code=0,ARCCS_OKAY
ArcLDAP_Authenticate:Searching cur_userid=USER1 os_filter=sAMAccountName=USER1
ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)
ArcLDAP_Authenticate:ldap_unbind ldap_rc=0 extra_rc=0
ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED

This error typically occurs when Content Manager OnDemand is configured with a base distinguished name that searches across subordinate domains that are direct descendants of the directory server domain. In the previous example, the base distinguished name was set to DC=example,DC=com, which is at the root level of the Active Directory server example.com.

The Content Manager OnDemand server uses the Tivoli Directory Server LDAP API to communicate with the Active Directory server. The search scope is set to subtree and by default the referral option is enabled. With these conditions set, referral chasing might occur. See the Related Information section for more information.

Cause

This problem is caused by referral chasing.

With referral chasing enabled, when a subtree search is performed, the Active Directory server sends back referrals that might require the LDAP API to bind (authenticate) to another Active Directory server at a different domain inside the Active Directory forest. If the bind fails due to incorrect credentials or insufficient access, the entire authentication process fails with the operations error.

Diagnosing The Problem

Enable the Content Manager OnDemand server trace and examine the trace file for "Operations error".

Resolving The Problem

There are three options that you can use to resolve this issue:

  • Search the Active Directory Global Catalog instead. This search can be accomplished by changing the ARS_LDAP_PORT in the ars.cfg file of your Content Manager OnDemand server to communicate through the Active Directory Global Catalog port, 3268. When you make the change to search the global catalog instead, you bypass referral chasing. See the Related Information section for more information about the Active Directory Global Catalog.

  • Disable referrals for the Content Manager OnDemand server. To disable referrals, modify the ars.cfg file and add the following line to the end of the file:

    ARS_LDAP_REFERRALS=FALSE

  • Specify a non-root level base distinguished name in the ARS_LDAP_BASE_DN parameter of the ars.cfg file of your Content Manager OnDemand server. In the example from the Symptom section, the base distinguished name is set at the root level or top level, DC=example,DC=com. Changing it to a lower, more specific, non-root level distinguished name such as OU=sample,DC=example,DC=com might resolve the problem by eliminating the possibility of a referral being issued to a subordinate domain.
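The following script, added here as an illustration and not part of the IBM technote or the OnDemand product, ties the Diagnosing and Resolving sections together: it checks a server trace for the "bind succeeded, search failed with Operations error" pattern, then audits an ars.cfg fragment for the three conditions that together make referral chasing likely (non-Global-Catalog port, referrals not disabled, root-level base DN). The trace and ars.cfg text are constructed samples that mirror the Symptom section; only the ARS_LDAP_PORT, ARS_LDAP_REFERRALS and ARS_LDAP_BASE_DN keys named in the technote are used.

```python
import re

# Constructed sample: the bind/search lines from the trace in the Symptom section.
SAMPLE_TRACE = """\
ArcLDAPP_Bind:Return arccs return code=0,ARCCS_OKAY
ArcLDAP_Authenticate:Searching cur_userid=USER1 os_filter=sAMAccountName=USER1
ArcLDAP_Authenticate:ldap_search_s ldap_rc=1 ldap_ext=0 ldap_errno=1 extra_rc=0 ldap_str=Operations error extended_str=(null) errno_str=(null) err_msg=(null)
ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED
"""

# Constructed sample ars.cfg fragment matching the configuration that fails.
SAMPLE_CFG = """\
ARS_LDAP_PORT=389
ARS_LDAP_BASE_DN=DC=example,DC=com
"""

SEARCH_RE = re.compile(r"ldap_search_s ldap_rc=(\d+)\b.*?ldap_str=(.+?) extended_str=")


def search_failed_after_bind(trace: str) -> bool:
    """True when the bind returned ARCCS_OKAY but ldap_search_s reported Operations error."""
    bind_ok = "ArcLDAPP_Bind:Return arccs return code=0" in trace
    m = SEARCH_RE.search(trace)
    return bind_ok and m is not None and m.group(1) == "1" and m.group(2) == "Operations error"


def parse_cfg(text: str) -> dict:
    """Parse KEY=VALUE lines of an ars.cfg fragment; blank and '#' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def referral_risk(cfg: dict) -> list:
    """Return the conditions from the technote that are still present; all three together
    mean referral chasing can occur, and fixing any one of them resolves the issue."""
    issues = []
    port = cfg.get("ARS_LDAP_PORT", "(unset)")
    if port != "3268":
        issues.append(f"ARS_LDAP_PORT={port} is not the Global Catalog port 3268")
    # Referrals are enabled by default, so a missing key counts as enabled.
    if cfg.get("ARS_LDAP_REFERRALS", "TRUE").upper() != "FALSE":
        issues.append("ARS_LDAP_REFERRALS is not FALSE (referral chasing is on by default)")
    base = cfg.get("ARS_LDAP_BASE_DN", "")
    # A base DN made only of DC= components is a root-level (domain) DN; simple comma split
    # is adequate for this check since DC values do not normally contain escaped commas.
    if base and all(rdn.strip().upper().startswith("DC=") for rdn in base.split(",")):
        issues.append(f"ARS_LDAP_BASE_DN={base} is a root-level base DN")
    return issues
```

Run `referral_risk(parse_cfg(open("ars.cfg").read()))` against a real ars.cfg; an empty list, or any list shorter than three entries, means at least one of the technote's three remedies is already in place.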


Document Information

Modified date:
07 October 2022

UID

swg21610510