IBM Support

Some LDAP users are unable to log into TIP (SystemOut error DSID-0310063C)

Troubleshooting

Problem

A subset of LDAP users are unable to log into Tivoli Integrated Portal (TIP), while other users from the same LDAP repository log in normally. For each failed login, the following error is written to SystemOut.log: "...LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C..."

Cause

LDAP result code 10 is "referral": the directory did not return the requested entry itself but pointed the client at another server that holds it (the Active Directory error 0000202B in the same string is ERROR_DS_REFERRAL, and DSID-0310063C identifies where in the directory service the referral was generated). This occurs in a multiple-domain LDAP environment when a user account in DomainA carries a reference to an object in DomainB, outside the domain in which the account exists. In the case documented here, the WebSphere Application Server (WAS) authentication configuration could not complete the lookup of a user that existed in DomainA, because that user belonged to a group in DomainB and the repository was configured to ignore referrals rather than follow them, so the group lookup failed and the login was rejected. Only users with such cross-domain group memberships are affected, which is why just a subset of users cannot log in.

Diagnosing The Problem

Attempt to log into TIP with a user whose login fails, and then examine SystemOut.log for an error similar to the following (the "ref 1" line names the server the directory referred the lookup to, and "Remaining name" is the DN of the affected user):

###
[3/21/13 7:31:10:230 EDT] 00000022 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getAttributes
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'org.company.com'
\u0000]; Remaining name: 'CN=user,OU=accounting,DC=org,DC=company,DC=com'; Resolved object: 'com.sun.jndi.ldap.LdapCtx@3b343b34'' naming exception occurred during processing.
###
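The following script is an added example for this technote, not IBM code: it scans SystemOut.log text for the CWWIM4520E referral failure shown above and reports, per referred host, which user DNs were redirected there, so that the "subset of users" symptom can be confirmed from the log rather than by trial logins. The log lines embedded in it are constructed from the excerpt above; the second record, its hostname dc01.sub.company.com and the user DNs are made up to illustrate a referral into a different domain.

```python
"""Scan WebSphere SystemOut.log text for CWWIM4520E LDAP referral failures.

Added example for this technote (not IBM code). SAMPLE_LOG is constructed
from the excerpt in the technote; the second record and its hostname are
invented to show a referral that leaves the user's own domain.
"""
import re
from collections import defaultdict

# LDAP resultCode 10 is "referral" (RFC 4511); AD error 0x202B is ERROR_DS_REFERRAL.
LDAP_RESULT_CODES = {10: "referral"}
AD_ERROR_CODES = {"0000202B": "ERROR_DS_REFERRAL"}

# Constructed sample: two referral failures for two users, plus one unrelated line.
SAMPLE_LOG = r"""[3/21/13 7:31:10:230 EDT] 00000022 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getAttributes
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'org.company.com'
\u0000]; Remaining name: 'CN=user,OU=accounting,DC=org,DC=company,DC=com'; Resolved object: 'com.sun.jndi.ldap.LdapCtx@3b343b34'' naming exception occurred during processing.
[3/21/13 7:32:41:005 EDT] 00000022 exception E com.ibm.ws.wim.adapter.ldap.LdapConnection getAttributes
com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E The 'javax.naming.PartialResultException: [LDAP: error code 10 - 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'dc01.sub.company.com'
\u0000]; Remaining name: 'CN=user2,OU=sales,DC=org,DC=company,DC=com'; Resolved object: 'com.sun.jndi.ldap.LdapCtx@1a2b3c4d'' naming exception occurred during processing.
[3/21/13 7:33:00:000 EDT] 00000023 LdapConnectio I   unrelated informational message
"""

# A SystemOut.log record starts with a bracketed timestamp at the beginning of a line.
RECORD_START = re.compile(r"(?m)^(?=\[\d{1,2}/\d{1,2}/\d{2,4} )")
TIMESTAMP = re.compile(r"^\[([^\]]+)\]")
LDAP_ERR = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<ad>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+)"
)
REF = re.compile(r"ref \d+: '([^']+)'")
REMAINING = re.compile(r"Remaining name: '([^']+)'")


def parse_referral_errors(log_text):
    """Return one dict per CWWIM4520E record that carries an LDAP referral error."""
    findings = []
    for record in RECORD_START.split(log_text):
        if "CWWIM4520E" not in record:
            continue
        m = LDAP_ERR.search(record)
        if not m:
            continue
        code = int(m.group("code"))
        ad_code = m.group("ad").upper()
        dn = REMAINING.search(record)
        ts = TIMESTAMP.match(record)
        findings.append({
            "timestamp": ts.group(1) if ts else None,
            "result_code": code,
            "result_name": LDAP_RESULT_CODES.get(code, "unknown"),
            "ad_error": ad_code,
            "ad_error_name": AD_ERROR_CODES.get(ad_code, "unknown"),
            "dsid": m.group("dsid"),
            "referrals": REF.findall(record),
            "dn": dn.group(1) if dn else None,
        })
    return findings


def dn_domain(dn):
    """DNS domain from the DC= components of a DN (naive comma split; no escaped commas)."""
    parts = [p.split("=", 1)[1] for p in dn.split(",") if p.strip().upper().startswith("DC=")]
    return ".".join(parts).lower()


def crosses_domain(finding):
    """True if any referred host lies outside the domain the user's DN belongs to."""
    domain = dn_domain(finding["dn"])
    return any(h.lower() != domain and not h.lower().endswith("." + domain)
               for h in finding["referrals"])


def referral_targets(findings):
    """Map each referred host to the sorted DNs whose lookups were redirected there."""
    by_host = defaultdict(set)
    for f in findings:
        for host in f["referrals"]:
            by_host[host.lower()].add(f["dn"])
    return {h: sorted(dns) for h, dns in by_host.items()}


if __name__ == "__main__":
    found = parse_referral_errors(SAMPLE_LOG)
    for host, dns in referral_targets(found).items():
        print(f"referred to {host}: {len(dns)} user(s)")
        for dn in dns:
            print(f"  {dn}")
    for f in found:
        flag = "cross-domain" if crosses_domain(f) else "same-domain"
        print(f"{f['timestamp']}: {f['dn']} -> {f['referrals']} ({flag})")
```

Run it against a real log with `parse_referral_errors(open("SystemOut.log").read())`; every host that appears as a referral target must be resolvable and reachable from the TIP server before referral following can succeed.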

Resolving The Problem

The error was addressed by enabling referral following in the WebSphere federated repository configuration, so that WAS follows the referral to the server that holds the DomainB object instead of failing the lookup. Note that with referrals set to "follow", WAS opens a connection to the host named in the referral (the "ref 1" host in the log excerpt), so that host must be resolvable and reachable from the TIP server; otherwise the login still fails, now on the referred connection. Here are the steps to change referrals to "follow":

1. Log into the WAS Admin Console for TIP. You can launch the WAS Admin Console after logging into TIP, or log into the Admin Console directly using the following instructions:
http://www-01.ibm.com/support/docview.wss?uid=swg21618872
2. Once in the WAS Admin Console, go to Security > Global Security, and click the Configure button in the "Available realm definitions" section.
3. Click on the link for the LDAP server in the "Repository identifier" column of the "Repositories in the realm" table.
4. Set the "Support referrals to other LDAP servers" drop-down value to "follow", then click "Apply", and then "Save".
5. Log out, and restart TIP.
6. Test the previously failing logins.

Product: Tivoli Components (SSRLR8); Component: Tivoli Integrated Portal (TIP); Platform: Platform Independent; Version: 2.2, 2.1

Document Information

Modified date:
17 June 2018

UID

swg21631889