Troubleshooting
Problem
As an LDAP admin, you need to create a "netezza" user on the LDAP server with access to a sub-tree containing the users who will have access to the IBM Netezza appliance, using credentials such as netezza_user/netezza_pwd. This document assumes that anonymous access to the LDAP server is not allowed.
Resolving The Problem
1. Collect the following information from an LDAP administrator:
Name | Token (used in the text below) | Required | Default value | Description
LDAP server | <host_name> | Yes | | host on which the LDAP server is running
base | <base> | Yes | | node of the LDAP tree in which LDAP users will be searched (e.g. OU=ForNetezza,DC=KSL,DC=lab)
port | <port> | Yes | 389 (non-SSL) | port on which the LDAP server is listening
BINDDN | <binddn> | No | | full name of the user which will have access to the base sub-tree on the LDAP server. Must be specified if anonymous access to the LDAP server is not allowed (e.g. "cn=netezza_user,cn=Users,dc=KSL,dc=lab")
BINDPW | <bindpw> | No | | password for the BINDDN user
ATTRNAME | <attrname> | No | "cn" | LDAP attribute which will be used to define the userid. Commonly used is 'sAMAccountName' (unique account name, like jkowalski)
2. Verify the LDAP parameters with the ldapsearch command.
To check if the LDAP tools are installed, run the following command:
rpm -qa | grep openldap-clients
If they are installed, the output will be similar to the following:
openldap-clients-2.2.13-6.4E
If openldap-clients is not installed, upgrade: it is included in later update kits. For earlier versions it can be obtained from support.
To verify connectivity to the LDAP server, run the following command:
ldapsearch -v -h <host_name> -b <base> -D <binddn> -p <port> -x -w <bindpw>
The following output shows confirmation of connectivity:
[nz@NC040101 ~]$ ldapsearch -v -h server.ibm.com -b "OU=ForNetezza,DC=itm,DC=test,DC=lab" -D "cn=netezza_user,cn=Users,dc=itm,dc=test,dc=lab" -p 389 -x -w password
ldap_initialize( ldap://server.ibm.com:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <OU=ForNetezza,DC=itm,DC=test,DC=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ForNetezza, itm.test.lab
dn: OU=ForNetezza,DC=itm,DC=test,DC=lab
objectClass: top
objectClass: organizationalUnit
ou: ForNetezza
distinguishedName: OU=ForNetezza,DC=itm,DC=test,DC=lab
instanceType: 4
whenCreated: 20110901092845.0Z
whenChanged: 20110901114426.0Z
uSNCreated: 718678
uSNChanged: 718734
name: ForNetezza
objectGUID:: RnOHWDFwyEi+HrK2tipCIQ==
objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=itm,DC=test,DC=lab
# search result
search: 2
result: 0 Success
# numResponses: 6
# numEntries: 5
Problem 1: No connectivity to LDAP Server
[nz@NC040101 ~]$ ldapsearch -v -h server.ibm.com -b "OU=ForNetezza,DC=itm,DC=test,DC=lab" -D "cn=netezza_user,cn=Users,dc=itm,dc=test,dc=lab" -p 390 -x -w netezza
ldap_initialize( ldap://server.ibm.com:390 )
ldap_bind: Can't contact LDAP server (-1)
Solution: verify the server name and the port on which LDAP is running. To check that the port is not blocked by a firewall, you can run the following command:
telnet <host_name> <port>
Problem 2: Invalid LDAP credentials
[nz@NC040101 ~]$ ldapsearch -v -h server.ibm.com -b "OU=ForNetezza,DC=itm,DC=test,DC=lab" -D "cn=netezza_user,cn=Users,dc=itm,dc=test,dc=lab" -p 389 -x -w password
ldap_initialize( ldap://server.ibm.com:389 )
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
Solution: verify user and password parameters (binddn and bindpw).
Problem 3: Unsuccessful LDAP bind
[nz@NC040101 ~]$ ldapsearch -v -h server.ibm.com -b "OU=ForNetezza,DC=itm,DC=test,DC=lab" -D "cn=netezza_usera,cn=Users,dc=itm,dc=test,dc=lab" -p 389 -x
ldap_initialize( ldap://server.ibm.com:389 )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <OU=ForNetezza,DC=itm,DC=test,DC=lab> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: DSID-0C090627, comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece
Solution: the user specified in binddn requires a password to access the LDAP server. Add the -w option followed by <bindpw>.
4. Verify that the user defined in the binddn parameter has the LDAP server privileges to see all of the users you want it to see by running the following command:
ldapsearch -v -h <host_name> -b <base> -D <binddn> -p <port> -x -w <bindpw> "(cn=<user_cn>)"
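The ldapsearch checks in Problems 1 to 3 and in step 4 come down to recognising a few fixed strings in the tool's output. The script below is an added example, not part of the IBM document: it classifies ldapsearch output into the document's three failure cases, prints the matching solution, and wraps the same ldapsearch invocation so the check can be repeated with the collected parameters. The host name ldap.example.test, the function names and the sample outputs are constructed; the bind password is read from a file with ldapsearch's -y option instead of -w, so it does not appear in the process list or the shell history.

```shell
#!/bin/sh
# Added example, not from the IBM document: classify ldapsearch output into
# the failure cases described in Problems 1-3 and run the same check with the
# collected parameters. Host names, DNs, file names and the sample outputs
# below are constructed placeholders.

# diagnose_ldap_output: reads ldapsearch output on stdin and prints one of
#   OK | NO_CONNECTIVITY | INVALID_CREDENTIALS | BIND_REQUIRED | UNKNOWN
diagnose_ldap_output() {
    out=$(cat)
    case "$out" in
        *"Can't contact LDAP server"*)  echo NO_CONNECTIVITY ;;      # Problem 1
        *"Invalid credentials (49)"*)   echo INVALID_CREDENTIALS ;;  # Problem 2
        *"Operations error"*)           echo BIND_REQUIRED ;;        # Problem 3
        *"result: 0 Success"*)          echo OK ;;
        *)                              echo UNKNOWN ;;
    esac
}

# advice_for DIAGNOSIS: the document's solution for each case
advice_for() {
    case "$1" in
        NO_CONNECTIVITY)     echo "check <host_name> and <port>; try: telnet <host_name> <port>" ;;
        INVALID_CREDENTIALS) echo "check <binddn> and <bindpw>" ;;
        BIND_REQUIRED)       echo "the binddn user needs a password: supply it (-w <bindpw> or -y <file>)" ;;
        OK)                  echo "connectivity and bind succeeded" ;;
        *)                   echo "inspect the full ldapsearch output" ;;
    esac
}

# run_ldap_check HOST PORT BASE BINDDN PWFILE [FILTER]
# Same search as step 2 (or step 4 when FILTER is "(cn=<user_cn>)"), but the
# bind password comes from PWFILE via -y instead of the command line.
run_ldap_check() {
    filter=${6:-"(objectclass=*)"}
    ldapsearch -v -h "$1" -p "$2" -b "$3" -D "$4" -x -y "$5" "$filter" 2>&1 \
        | diagnose_ldap_output
}

# Constructed samples in the shape of the outputs shown above (not live captures)
SAMPLE_OK="ldap_initialize( ldap://ldap.example.test:389 )
# search result
search: 2
result: 0 Success"
SAMPLE_NO_CONN="ldap_initialize( ldap://ldap.example.test:390 )
ldap_bind: Can't contact LDAP server (-1)"
SAMPLE_BAD_CRED="ldap_initialize( ldap://ldap.example.test:389 )
ldap_bind: Invalid credentials (49)"
SAMPLE_NO_BIND="# search result
search: 2
result: 1 Operations error
text: 00000000: LdapErr: comment: In order to perform this ope
ration a successful bind must be completed on the connection., data 0, vece"

# Stand-alone demo: classify each sample and print the matching advice
for s in "$SAMPLE_OK" "$SAMPLE_NO_CONN" "$SAMPLE_BAD_CRED" "$SAMPLE_NO_BIND"; do
    d=$(printf '%s\n' "$s" | diagnose_ldap_output)
    printf '%-20s %s\n' "$d" "$(advice_for "$d")"
done
```

With -y the whole file content, including any trailing newline, is used as the password, so create the password file with printf '%s' and restrictive permissions. Passing "(cn=<user_cn>)" as the sixth argument of run_ldap_check reproduces the step 4 visibility check; an OK result with numEntries: 0 in the raw output means the bind worked but the binddn user cannot see that entry.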
5. Set up authentication as follows:
As a root user, make a backup copy of the ldap.conf file:
cp /etc/ldap.conf /etc/ldap.conf.orig
Edit the ldap.conf file and comment out following line (put # at the beginning of it):
uri ldap://127.0.0.1/ -----> #uri ldap://127.0.0.1/
Login to nzsql
Run the following command:
SET AUTHENTICATION LDAP BASE <base> SERVER <host_name> BINDDN <binddn> PORT <port> BINDPW <bindpw> ATTRNAME <attrname>;
To review the authentication settings, query the following system catalog table:
select * from _t_systemdef;
6. Create all users locally on NPS. Every user who will be allowed to log in to the nzsql console and be verified against the LDAP server must also be created on NPS.
For every user, execute a CREATE USER statement:
CREATE USER <username>;
After the LDAP configuration is in place, you may want to assign the appropriate privileges to each user.
7. Verify that you are able to login to nzsql with an LDAP-stored user:
Run the following command:
nzsql -u <username>
Problem: NPS should prompt you for the password. If instead you get the following error:
[nz@NC040101 ~]$ nzsql -u username
nzsql: LDAP authentication failed for user 'USERNAME'
Solution: Verify that the NZ_PASSWORD variable is not set in the .bashrc file in /export/home/nz. If it is, comment it out so that the system uses LDAP authentication.
Note: remember to reload the session for this change to take effect.
8. Persist the LDAP authentication changes:
Copy the ldap.conf file to the /nz/data/config directory. (During startup, NPS copies this file in the opposite direction, so to avoid losing the configuration parameters, make sure that both files are consistent.)
cp /etc/ldap.conf /nz/data/config/ldap.conf
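Steps 5 and 8 edit /etc/ldap.conf and then keep it in sync with /nz/data/config/ldap.conf. The script below is an added example, not part of the IBM document: it makes the backup, comments out the uri line and checks the two copies for consistency, working on a constructed ldap.conf in a temporary directory so it can be run without touching the real files. The function names and the sample file content are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM document: the ldap.conf edits of steps 5
# and 8 as idempotent functions, exercised on a constructed copy of the file.

# comment_out_uri FILE: prefix the active "uri ldap://127.0.0.1/" line with
# "#" as step 5 describes, keeping a FILE.orig backup made only once.
comment_out_uri() {
    f=$1
    [ -f "$f.orig" ] || cp "$f" "$f.orig"
    tmp=$(mktemp) || return 1
    # '^uri' matches only an uncommented line, so re-running changes nothing;
    # writing through cat keeps the original file's owner and permissions
    sed 's|^uri[[:space:]][[:space:]]*ldap://127\.0\.0\.1/|#&|' "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# active_uri_count FILE: number of uncommented uri lines left (0 after the edit)
active_uri_count() {
    grep -c '^uri[[:space:]]' "$1" || true
}

# ldap_conf_consistent ETC_FILE NZ_FILE: step 8 requires the two copies to
# match; exit status 0 if identical, 1 otherwise
ldap_conf_consistent() {
    cmp -s "$1" "$2"
}

# Constructed demo files (placeholders, not the real /etc or /nz paths)
demo_dir=$(mktemp -d)
etc_conf="$demo_dir/ldap.conf"
nz_conf="$demo_dir/nz_ldap.conf"
cat > "$etc_conf" <<'EOF'
# constructed ldap.conf for the demo
base OU=ForNetezza,DC=example,DC=test
uri ldap://127.0.0.1/
ldap_version 3
EOF

comment_out_uri "$etc_conf"                       # step 5 edit
echo "active uri lines after edit: $(active_uri_count "$etc_conf")"
cp "$etc_conf" "$nz_conf"                         # step 8 copy
if ldap_conf_consistent "$etc_conf" "$nz_conf"; then
    echo "ldap.conf copies are consistent"
else
    echo "ldap.conf copies differ"
fi
```

To apply this to the real files, run comment_out_uri /etc/ldap.conf as root, copy the file as in step 8, and then check ldap_conf_consistent /etc/ldap.conf /nz/data/config/ldap.conf; a non-zero exit means the copies have drifted and the /etc copy will be replaced by the /nz/data/config one at the next NPS start.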
Document Information
Product: IBM PureData System
Software version: 1.0.0
Document number: 469603
Modified date: 17 October 2019
UID: swg21587930