APAR status: INTRAN

Error description
1. Running LDAP programs from TSO

   In addition to the instructions contained in the LDAP Server Administration and Usage Guide, the following information may be helpful.

   To establish environment variables for ldapcp, ldif2db or db2ldif, first create a dataset to hold the environment variables (see above). Then issue the following alloc command in TSO:

       alloc da(ENVVAR) dsn('your.envvar.dataset')

   If the PDS containing the LDAP executables is not in LINKLIST, the dataset can be pointed to using the following alloc command in TSO:

       alloc da(TSOLIB) dsn('yourLDAPHLQ.SGLDLNK')

2. If running LDAP with Program Control active, the LDAP server may generate GLD5002E error messages when a client attempts to execute any LDAP utilities, such as ldapadd, ldapmodify, etc. The LDAP documentation only specifies that the datasets containing the LDAP DLLs (*.SGLDLNK), the C-RTL (*.SCEERUN) and SYS1.LINKLIB need to be under program control. In addition, SYS1.CSSLIB should be added to this list.

   Other libraries found to require program control are: SGSKLOAD (SSL), SEZALINK, SDSNLOAD, SDSNEXIT, SCLBDLL, SCSFMOD, SCSFMOD1.

   If problems persist with getting LDAP to work with Program Control active, the following actions and sources of information can be helpful in determining which library is causing the error:
   - Activate LDAP Debug in the LDAP Server address space.
   - Set the _EDC_ADD_ERRNO2=1 environment variable in the LDAP Server address space. This will generate errno2 information in the LDAP Server debug output. Verify that errno2 is JRENVDIRTY (xxxx02AF).
   - If the problem is JRENVDIRTY, OE INFOAPAR II10548 has additional actions that can be taken to help determine which library is causing the 'dirty environment'.
   - In addition, the OS/390 Unix System Services Planning book, in the sections dealing with Unix Security, and the OS/390 Security Server (RACF) Diagnosis Guide, in Chapter 2, have additional information which can be useful in helping to determine what is causing the dirty environment.

3. Accessing RACF information

   The functions provided by LDAP are designed and implemented for use specifically with RACF as provided in OS/390. The functions are dependent on the RACF command syntax and on the format of output from RACF. Non-RACF external security managers are not supported by these LDAP functions.

4. For RDBM schema support, the generalizedTime, boolean, and integer syntaxes are not supported by name in the R10 schema definitions. Instead, cis 30, cis 5, and cis 11, respectively, should be used. Note that 'cis' is the syntax and 30, 5, and 11 are lengths.

5. Additional information regarding use of TSO and batch jobs for compile, link, and execution of LDAP client applications

   Library SGLDHDRC (PDS) contains the header files LDAP and LBER (corresponding to HFS file names ldap.h and lber.h) that are needed to compile LDAP client applications. Library SGLDEXPC (PDS) contains the 'export / side-deck' file GLDCLDPX (corresponding to HFS file name GLDCLDAP.x) that is needed by the pre-linker to resolve LDAP DLL function calls. At execution time, the LDAP functions are obtained from LPALIB module GLDCLDAP.

   For the C compile step, these compiler options are needed:

       CPARM='LO,DLL,RENT,MARGINS(1,80),NOSEQ,DEF(SSL)'

   Note: MARGINS(1,80) and NOSEQ are needed because SGLDHDRC(LDAP) contains source lines that extend into columns 73-80. If sequence numbers are present in the C program source then it is necessary to manually update SGLDLNK(LDAP).

   These items are also needed, and it is suggested that they be made part of the C source code:

       #pragma runopts(POSIX(ON))
       #define mvs
       #define _OPEN_THREADS
       #define MVS_PTHREADS
       #define _OE_SOCKETS
       #define _SHARE_EXT_VARS
       #define LOCALCP_TRANSLATION
       #define EBCDIC_PLATFORM
       #define LONGMAP

   It is necessary to process the compiler output with the pre-linker to resolve the references to the functions that are in the LDAP DLL. For the pre-link step, specify the PARM 'OMVS'. Also at pre-link time, INCLUDE member GLDCLDPX from SGLDEXPC, for example:

       //PLKED.SYSLIB DD DSN=GLD.SGLDEXPC,DISP=SHR
       //PLKED.SYSIN2 DD *
         INCLUDE SYSLIB(GLDCLDPX)
       /*

6. Requirement for use of RACF SDBM

   If the "RACF Subsystem" has not been defined and activated, the LDAP Server will be unable to bind. The typical error is LDAP rc 81 / x'51', SAF rc 8, RACF rc 12, RACF rs 12. LDAP uses the R_admin / IRRSEQ00 function to issue RACF commands, and that function requires the RACF Subsystem. For information see the RACF System Programmer's Guide, topic "The RACF Subsystem", regarding parmlib member IEFSSNxx.

7. All SDBM users: an LDAP bind to the RACF-based backend will not work unless the user has an OMVS segment defined. Without an OMVS segment, the user could receive:

       ldap_bind: Invalid credentials
       ldap_bind: additional info: R000103 The user is not defined.

   This is required because the 'bind' function uses the __passwd function (POSIX).

8. If you should receive error LDAP_SSL_INITIALIZATION_FAILED with a debug trace showing error 113 (x'71') from routine initializeSSLSupport, this indicates a failure loading the SSL DLL 'GSKSSL', which resides in SGSKLOAD. This is typically caused by SGSKLOAD being neither in the linklist nor STEPLIBed by LDAP, or by SGSKLOAD not being APF authorized.

9. MISCELLANEOUS DB2 INFO ITEMS

   A. If you receive SQLSTATE 58004 with RC=08 and RSNCODE=00f30011, the problem could be that you need to increase your IDBACK ZPARM. Refer to SQL INFOAPAR II12347. You can use the DB2 command

          -<DB2subsys> DIS THREAD(*)

      substituting your own DB2 subsystem for <DB2subsys>. This command can be invoked periodically to help determine peak thread usage, which can help in setting the IDBACK DB2 ZPARM.

   B. SQLCODE = -950, SQLSTATE = 42705

      Customers may receive the error messages

          GLD2051I ODBC error, SQL data is: native return code=-950, SQLstate=42705
          DSNT408I SQLCODE = -950, ERROR: THE LOCATION NAME SPECIFIED IN THE CONNECT STATEMENT IS INVALID OR NOT LISTED IN THE COMMUNICATIONS DATABASE

      when running ldif2db. SQLState 42705 means an undefined server-name was detected. This is an indication that the servername field in the slapd.conf file and the data-source-name in the associated DATA SOURCE stanza of the CLI Initialization (DSNAOINI) file may be incorrect. The servername/data-source-name should contain the "local database name", which is the name that was set during DB2 installation as 'DB2 LOCATION NAME' on DB2 installation panel DSNTIPR for the DB2 subsystem (LOC1 is the default). The customer's local DB2 administration staff can provide this name.

   C. GLD2003I ERROR CODE -1 FROM ODBC STRING:" SQLALLOCENV "
      GLD2051I ODBC ERROR, SQL DATA IS: NATIVE RETURN CODE=-99999, SQL MESSAGE= DB2 FOR OS/390 CLI DRIVER SQLSTATE=58004 CAF "CONNECT" FAILED USING DB2 SYSTEM:DSN RC=0C AND REASON=00F30006

      This occurs when the DSNAOINI dataset attributes are not FB 80. It can also occur if there are sequence numbers in your DSNAOINI file; remove them if present.

      Note: DB2 APAR PQ12672/UQ18719 now allows the DSNAOINI file to be specified as any of:
      A. a sequential dataset (fixed or variable length)
      B. a PDS member
      C. an HFS file
      It also supports setting DSNAOINI via the exported environment variable 'DSNAOINI', as well as with a DD card. This APAR is for DB2 V5; this support is in the base of DB2 V6.

   D. If you receive SQL return code -911, SQLSTATE 40001, error "The current unit of work has been rolled back due to deadlock or timeout. Reason code 00C9008E...", the problem may be the DB2 setting LOCKMAX being set to 0. Make sure that LOCKMAX is set to something other than 0, such as SYSTEM.

10. If you receive LDAP_SSL_INITIALIZATION_FAILED, with a debug trace showing:

        ldap_ssl_client_init failed! rc == 113, failureReasonCode == 2

    this indicates there was some kind of problem opening the .kdb file that LDAP is trying to use for SSL communications. The cause could be one of several issues with the .kdb file, such as:
    - the file does not exist
    - the version is incorrect

11. Copying an existing TDBM database to another TDBM database

    If the DB2 UNLOAD and LOAD utilities are used to copy an existing TDBM database to another TDBM database, the user must be aware that the MISCTS and REPTS tablespaces contain multiple tables. When the LOAD utility is run, the user must specify RESUME YES on each table following the first table in each of these two tablespaces. If this is not done properly, the following message, or a variation of it, may be generated by the LDAP server on startup:

        GLD3091E An internal exception occurred, rc = 1. Exception text R004001 Unknown error occurred! (tdbm_attr_cache.c|1.17|541)

    This error can also occur when the DBUSERID is invalid. Please ensure the DBUSERID in the slapd.conf file is correct.

12. Using the LDAPCNF utility

    When using the LDAPCNF utility to configure an LDAP server, there are 2 sample *.profile files shipped in /usr/lpp/ldap/etc. Both ldap.profile and ldap.msys.profile have environment variables that refer to jobcards which require modification by the user. The environment variables in these profiles are APF_JOBCARD_x, PRGCTRL_JOBCARD_x, DB2_JOBCARD_x, and RACF_JOBCARD_x, where x is a value 1-5.

    The LDAPCNF utility is a shell script that uses Unix shell commands. The comments in these profiles indicate that each of these entries must start with "//". They also indicate that if a '$' or a '"' is used anywhere in this field, these characters must be escaped by preceding each with a '\'. This is because these characters have special meaning to the Unix environment. This is not an all-inclusive list of the characters that MUST be escaped; the '*' (for example, if a user wishes to include a comment in the JCL jobcard being generated) must be added to this list. If the user wishes to use an '*' in one of these JOBCARD environment variables, they MUST escape it, for example:

        APF_JOBCARD_1="//\*"

    Another option is to use single quotes around the jobcard text, assuming there are no other single quotes in the jobcard text:

        APF_JOBCARD='//*'

13. When attempting to use Native Authentication you may get the error R004060 Entry does not contain a password. This could be caused either by placing the useNativeAuth directive outside of the TDBM section of the slapd.conf file, or by providing the nativeAuthSubtree directive without putting the subtree DN value in quotes when this DN contains a space, such as o=Your Company. PLEASE put "" around your nativeAuthSubtree DN value. Example:

        nativeAuthSubtree "o=Your Company"

14. When using native authentication to update a native password, LDAP ACLs must be set properly to allow an update of the userpassword attribute for the password modification to complete successfully. The distinguished name provided on the -D parameter of the ldapmodify command must have authority to update the userpassword attribute. To allow each individual user to update their own password, an LDAP ACL should be established to permit them to write userpassword attribute values. If you are running z/OS R2 or higher, or have applied OW50971 to OS/390 V2R10 or z/OS V1R2, you can use the special cn=this identity to establish the LDAP ACL. Run the following ldapmodify command to establish the LDAP ACL:

        ldapmodify -D <admin DN> -w <admin DN password> -f /tmp/aclmod.ldif

    where file /tmp/aclmod.ldif looks like:

        dn: o=Your Company
        changetype: modify
        add: x
        aclEntry: access-id:cn=this:critical:rwsc
        aclPropagate: TRUE

    You should substitute the root of your directory tree for the dn: o=Your Company line in the LDIF file. This will allow each user defined for Native Authentication to update their own RACF password via LDAP. Note that without sufficient ACLs to update attribute userpassword, the ldapmodify to change the native password will receive LDAP reason code R003070. Also, the RACF id designated by the ibm-nativeid attribute must have an OMVS segment associated with it.

15. REXX exec LDAPCP contains a bad module name. To use the LDAPCP REXX exec you must change the line:

        "GLDLDCP /"parms

    to:

        "GLDLDPCP /"parms

16. You may receive error R001012, indicating that an attribute doesn't exist, when using TDBM. This is an indication that the schema was not loaded. Find the appropriate LDIF file in which the missing attribute is defined, and make sure you successfully load that schema file into the TDBM database via ldapmodify. Refer to the LDAP Server Admin and Usage Guide.
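As an added example (not part of this APAR or of the LDAP product), a small Python script that scans LDAP Server debug output for the errno2 values produced by _EDC_ADD_ERRNO2=1 (item 2) and flags the lines whose reason code is JRENVDIRTY. The trace lines and the "errno2=" label are constructed assumptions, since the exact debug output format is not given above.

```python
import re

# JRENVDIRTY: the z/OS UNIX reason code for a "dirty" (not program-controlled)
# address space. Only the low-order halfword (x'02AF') identifies it; the
# high-order halfword is a qualifier that varies with the issuing module.
JRENVDIRTY = 0x02AF

# The "errno2=" label and the 8-hex-digit form are assumptions about the
# debug output; adjust the pattern if your server words it differently.
ERRNO2_RE = re.compile(r"errno2=(?:0x|x')?([0-9A-Fa-f]{8})'?")


def decode_errno2(errno2: int) -> tuple[int, int]:
    """Split a 4-byte errno2 into (reason qualifier, reason code)."""
    return (errno2 >> 16) & 0xFFFF, errno2 & 0xFFFF


def find_dirty_env(lines):
    """Return (line number, errno2) for each trace line whose errno2
    reason code is JRENVDIRTY, ignoring the module qualifier."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = ERRNO2_RE.search(line)
        if not m:
            continue
        errno2 = int(m.group(1), 16)
        _qualifier, reason = decode_errno2(errno2)
        if reason == JRENVDIRTY:
            hits.append((n, errno2))
    return hits


# Constructed sample trace (not real server output): one JRENVDIRTY hit,
# one unrelated errno2, and two lines without errno2 information.
SAMPLE_TRACE = [
    "GLD5002E client request rejected, see errno2 below",
    "load of SSL DLL failed rc=-1 errno2=0x053B02AF",
    "open of configuration file failed rc=-1 errno2=0x0594003D",
    "bind completed, no errno2 recorded",
]

if __name__ == "__main__":
    for n, e2 in find_dirty_env(SAMPLE_TRACE):
        qual, reason = decode_errno2(e2)
        print(f"line {n}: errno2={e2:08X} qualifier={qual:04X} "
              f"reason={reason:04X} (JRENVDIRTY)")
```

The qualifier halfword printed for each hit is what narrows the failing load to a particular z/OS UNIX module when working through INFOAPAR II10548.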
APAR Information
APAR number: II13026
Reported component name: V2 LIB INFO ITE
Reported component ID: INFOV2LIB
Reported release: 001
Status: INTRAN
PE: NoPE
HIPER: NoHIPER
Special Attention: NoSpecatt
Submitted date: 2001-10-05
Closed date:
Last modified date: 2002-10-15
Document Information
Modified date: 15 October 2002