Messages - Andreas Baaserud Hauge

31
set to ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn

32
Code: [Select]
21365044:2314 11/08/2022 15:56:37:305810 INFO arsldap.c(2241)ArcLDAPP_LDAPQuery:ldap_create_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307173 INFO arsldap.c(2275)ArcLDAPP_LDAPQuery:ldap_search_ext_s ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307183 INFO arsldap.c(2305)ArcLDAPP_LDAPQuery:ldap_parse_result ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307188 INFO arsldap.c(2340)ArcLDAPP_LDAPQuery:ldap_parse_page_control ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307192 INFO arsldap.c(2355)ArcLDAPP_LDAPQuery:Current state total_cnt=0 done=1
21365044:2314 11/08/2022 15:56:37:307197 INFO arsldap.c(2380)ArcLDAPP_LDAPQuery:ldap_count_entries ldap_rc=0 extra_rc=0
21365044:2314 11/08/2022 15:56:37:307204 INFO arsldap.c(2656)ArcLDAPP_LDAPQuery:Current state group->cnt=0

Current state group->cnt=0

I believe that means it did not find members.

Performing the LDAP search with the same query, I receive the expected members.

In the trace log, at the end of the query I see the following: "�<8B><80>))". It could be missing UTF-8 encoding, or it could just be my terminal that shows a different encoding.

Code: [Select]
Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=...OU...DC=�<8B><80>))
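One way to triage the trace excerpts in this post, as an added example that is not part of the original post and is not IBM code: read the trace as raw bytes (so a terminal's rendering cannot hide or invent characters), validate each logged filter, and flag queries that end with `group->cnt=0`. The sample lines are constructed to follow the line layout quoted above; the DN values, the trailing bytes, the second query, and the reading of `group->cnt=0` as "no members found" are assumptions.

```python
import re

# Layout of one trace line, taken from the excerpts quoted in the post.
LINE_RE = re.compile(
    rb"^(?P<pid>\d+):(?P<tid>\d+) (?P<date>\S+) (?P<time>\S+) (?P<level>\w+) "
    rb"(?P<src>[\w.]+)\((?P<line>\d+)\)(?P<func>\w+):(?P<msg>.*)$"
)
RC_RE = re.compile(rb"(\w+) ldap_rc=(-?\d+) extra_rc=(-?\d+)")
FILTER_TAG = b"Current state filter="

def check_filter(filt: bytes) -> list:
    """Return the problems found in the raw bytes of a logged search filter."""
    problems = []
    try:
        text = filt.decode("utf-8")  # legitimate non-ASCII DNs decode cleanly
    except UnicodeDecodeError as exc:
        problems.append(f"invalid UTF-8 at byte offset {exc.start}")
        text = filt.decode("utf-8", errors="replace")
    if any(ord(ch) < 0x20 for ch in text):
        problems.append("control character in filter")
    depth = 0
    for ch in text:  # literal parentheses in values are escaped as \28 and \29
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems

def analyze(raw: bytes) -> list:
    """Return (source location, finding) pairs for a raw trace file."""
    findings = []
    for row in raw.splitlines():
        m = LINE_RE.match(row)
        if not m:
            continue
        where = f"{m['src'].decode()}({m['line'].decode()})"
        msg = m["msg"]
        rc = RC_RE.match(msg)
        if rc and (int(rc[2]) or int(rc[3])):
            findings.append(
                (where, f"{rc[1].decode()} ldap_rc={int(rc[2])} extra_rc={int(rc[3])}"))
        elif msg.startswith(FILTER_TAG):
            findings += [(where, p) for p in check_filter(msg[len(FILTER_TAG):])]
        elif msg == b"Current state group->cnt=0":
            findings.append((where, "group query returned zero members"))
    return findings

# Constructed sample: one filter with stray trailing bytes, one valid UTF-8 filter.
PFX = b"21365044:2314 11/08/2022 15:56:37:000000 INFO arsldap.c"
FUNC = b"ArcLDAPP_LDAPQuery:"
BAD_FILTER = (b"(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:="
              b"CN=groupA,OU=Groups,DC=example,DC=com\xff\x8b\x80))")
GOOD_FILTER = ("(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:="
               "CN=groupB,OU=\u00c5lesund,DC=example,DC=com))").encode("utf-8")
SAMPLE_TRACE = b"\n".join([
    PFX + b"(2173)" + FUNC + FILTER_TAG + BAD_FILTER,
    PFX + b"(2275)" + FUNC + b"ldap_search_ext_s ldap_rc=0 extra_rc=0",
    PFX + b"(2656)" + FUNC + b"Current state group->cnt=0",
    PFX + b"(2173)" + FUNC + FILTER_TAG + GOOD_FILTER,
    PFX + b"(2275)" + FUNC + b"ldap_search_ext_s ldap_rc=0 extra_rc=0",
    PFX + b"(2656)" + FUNC + b"Current state group->cnt=3",
])

if __name__ == "__main__":
    for where, finding in analyze(SAMPLE_TRACE):
        print(where, finding)
```

For a real trace, pass `open(path, "rb").read()` to `analyze` so the bytes are checked exactly as the server wrote them.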

33
Directory server: AD

What would I look for in the trace log?

It shows, for instance:
Code: [Select]
INFO arsldap.c(2173)ArcLDAPP_LDAPQuery:Current state filter=(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=groupA,OU=...))
OU=... is just me removing info.

Is that where the members of that group would come from?

34
Hi,

OD version: 10.1.0.5

I am currently facing a problem where Group Memberships are not adding users, only deleting both existing and not existing users.

I have a few test cases I'd like to show, which might explain my problem:

Test case | Prerequisites | Status
User created in OD | User created in AD | OK
User deleted in OD | User deleted from AD | OK
Group created in OD | Group created in AD | OK
Group deleted in OD | Group deleted from AD | OK
Group membership added | User added to group in AD | NOT OK, no entry in log
Group membership deleted | User removed from group in AD | NOT OK, user deleted from OD group even when AD group has membership of that user

For test case "Group membership added", the user has been added to the group in AD. Group is synchronized to OD, but no users added to that group in OD.
For test case "Group membership deleted", users are deleted, but users that exist on that group in AD are also deleted. The users with membership to that same AD group, I would expect to still be part of that group in OD.

Help wanted <3

35
MP Server / Re: Verifying synchronized users from AD to OD
« on: February 08, 2022, 06:58:31 AM »
No, SSO does not work for anyone.

In OnDemand Administrator client, under System Parameters -> Login Information -> Login Processing. I now ticked on "Password Case Sensitive". I previously only ticked on "Enable LDAP".

When both "Password Case Sensitive" and "Enable LDAP" are ticked on, the user can now log in with his AD account.

36
MP Server / Re: Verifying synchronized users from AD to OD
« on: February 03, 2022, 03:54:50 AM »
This is part of my troubleshooting regarding a new SSO setup, from Content Navigator.

As you mention regarding "ignore list", this user is not part of the "ignore list", so I can assume the user is actually an AD user.

Content Navigator / OD throws me an exception: com.ibm.edms.od.ODException: The User ID or Password is not valid for the server
So this is why I am checking if there's anything wrong with the user.

The user is logged in to the same AD domain on his Windows machine, so based on that the user ID and password he is using are correct.

Our setup
Application versions:
WebSphere Network Deployment
Version: 8.5.5
Fixpack: 20
Interimfix: IFPH42728
Content Navigator: 3.0.7
OnDemand: 10.1.0.5
DB2: 11.1.1.1
 
New setup, enable SSO:
WebSphere
  • Federated repository with LDAP
  • SPNEGO with Kerberos

Content Navigator
  • Redeployed Navigator with “applicationserverauthentication”
  • A desktop with SSO enabled

OnDemand – ars.cfg
  • Integrating LDAP
  • Synchronized users with ARSLSYNC

Do you have any suggestions for further troubleshooting?

37
MP Server / Verifying synchronized users from AD to OD
« on: February 01, 2022, 07:29:01 AM »
Hi,

I have synchronized users from AD to OD with ARSLSYNC.
After synchronization, the user is found in OD.

When I look at the user with our OD Admin client, I can't see anything referring to AD for that user.
Is there a way to distinguish a synchronized AD user from a regular OD user? By regular I mean a user I have created in OD directly.

Best regards Andreas BH

38
Other / Create a new field on an existing folder with existing documents
« on: November 30, 2021, 06:05:31 AM »
Hi,

If I want to create a new field on an existing folder with existing documents, what happens to the existing documents in that folder?
  • Will the existing documents get the new field with some kind of default / null value so I can update this field on the existing documents?
  • Will only new documents created after the field has been created get this new field?

It's snowing in Norway today

39
As a dirty test, I copied sas.jar to WAS_installation/profiles/profile/installedApps/Cell/navigatorEAR.ear/lib
Now it seems the class com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl is being loaded.

Looks like you are correct that something is up with my classpath. I'll update with my solution.

Thanks rjrussel

40
Thanks for your reply! :)

As you can see, I've loaded some of the OnDemand APIs.

Code: [Select]
Classpath = /opt/IBM/WebSphere/AppServer/profiles/icn/properties:/opt/IBM/WebSphere/AppServer/properties:/opt/IBM/WebSphere/AppServer/lib/startup.jar:/opt/IBM/WebSphere/AppServer/lib/bootstrap.jar:/opt/IBM/WebSphere/AppServer/lib/lmproxy.jar:/opt/IBM/WebSphere/AppServer/lib/urlprotocols.jar:/opt/IBM/WebSphere/AppServer/deploytool/itp/batchboot.jar:/opt/IBM/WebSphere/AppServer/deploytool/itp/batch2.jar:/opt/IBM/WebSphere/AppServer/java/lib/tools.jar:/opt/IBM/ondemand/V10.1/www/api/ODApi.jar:/opt/IBM/ondemand/V10.1/jars/gson-2.8.1.jar
Code: [Select]
Java Library path = /opt/IBM/WebSphere/AppServer/lib/native/aix/ppc_64/:/opt/IBM/WebSphere/AppServer/java/jre/lib/ppc64/compressedrefs:/opt/IBM/WebSphere/AppServer/java/jre/lib/ppc64:/opt/IBM/WebSphere/AppServer/java/jre/lib/ppc64/j9vm:/opt/IBM/WebSphere/AppServer/java/jre/lib/ppc64:/opt/IBM/WebSphere/AppServer/java/jre/../lib/ppc64:/opt/IBM/WebSphere/AppServer/java/jre/lib/icc:/opt/IBM/WebSphere/AppServer/bin:/opt/IBM/ondemand/V10.1:/opt/IBM/ondemand/V10.1/www:/usr/lib64:/usr/lib:

41
Hi,

Not sure if this topic is suitable for this forum or not... since it is related to OD authentication, I'll give it a shot.

System information:
OnDemand: 10.1.0.5
WebSphere 8.5.5 fixpack 20
Content Navigator 3.0.7

OnDemand configuration:
  • SSO enabled
  • AD users synchronised

WebSphere configuration:
  • SSO enabled
  • AD integration(SPNEGO/Kerberos)

Content Navigator configuration:
  • Deployed to WebSphere with Application Authentication enabled
  • Desktop, SSO enabled

When an AD user (i.e. wasadmin) accesses the SSO Navigator Desktop, I receive the following error in WebSphere application server:
Code: [Select]
SystemOut     O CIWEB Error: [wasadmin @ adserver] com.ibm.ecm.struts.actions.od.ODLogonAction.createODConnection()
java.lang.NoClassDefFoundError: com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl
        at com.ibm.edms.od.ODServer.logonICN(ODServer.java:484)
        at com.ibm.ecm.struts.actions.od.ODLogonAction.createODConnection(ODLogonAction.java:307)
        at com.ibm.ecm.struts.actions.GetDesktopAction.desktopConnect(GetDesktopAction.java:431)
        at com.ibm.ecm.struts.actions.GetDesktopAction.executeBaseAction(GetDesktopAction.java:148)
        at com.ibm.ecm.struts.actions.BaseActionHandlerImpl.executeAction(BaseActionHandlerImpl.java:472)
        at com.ibm.ecm.struts.actions.BaseAction.execute(BaseAction.java:76)
        at com.ibm.ecm.jaxrs.Actions.loadAndExecuteAction(Actions.java:719)
        at com.ibm.ecm.jaxrs.Actions.handleAction(Actions.java:111)
        at com.ibm.ecm.jaxrs.Actions.handlePostActions(Actions.java:148)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.apache.wink.server.internal.handlers.InvokeMethodHandler.handleRequest(InvokeMethodHandler.java:63)
        at org.apache.wink.server.handlers.AbstractHandler.handleRequest(AbstractHandler.java:33)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.CreateInvocationParametersHandler.handleRequest(CreateInvocationParametersHandler.java:54)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.handlers.AbstractHandler.handleRequest(AbstractHandler.java:34)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.FindResourceMethodHandler.handleSubResourceMethod(FindResourceMethodHandler.java:188)
        at org.apache.wink.server.internal.handlers.FindResourceMethodHandler.handleRequest(FindResourceMethodHandler.java:110)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.FindRootResourceHandler.handleRequest(FindRootResourceHandler.java:95)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.HeadMethodHandler.handleRequest(HeadMethodHandler.java:53)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.OptionsMethodWADLHandler.handleRequest(OptionsMethodWADLHandler.java:51)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.handlers.SearchResultHandler.handleRequest(SearchResultHandler.java:33)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.log.ResourceInvocation.handleRequest(ResourceInvocation.java:92)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.internal.log.Requests.handleRequest(Requests.java:76)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:26)
        at org.apache.wink.server.handlers.RequestHandlersChain.handle(RequestHandlersChain.java:22)
        at org.apache.wink.server.handlers.AbstractHandlersChain.doChain(AbstractHandlersChain.java:75)
        at org.apache.wink.server.handlers.AbstractHandlersChain.run(AbstractHandlersChain.java:60)
        at org.apache.wink.server.internal.RequestProcessor.handleRequestWithoutFaultBarrier(RequestProcessor.java:207)
        at org.apache.wink.server.internal.RequestProcessor.handleRequest(RequestProcessor.java:154)
        at org.apache.wink.server.internal.servlet.RestServlet.service(RestServlet.java:124)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:668)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1233)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:782)
        at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:481)
        at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.handleRequest(ServletWrapperImpl.java:178)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.invokeTarget(WebAppFilterChain.java:136)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:97)
        at com.ibm.ecm.filters.ESAPIWafFilter.doFilter(ESAPIWafFilter.java:267)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
        at com.ibm.ecm.filters.CORSFilter.doFilter(CORSFilter.java:96)
        at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:195)
        at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:91)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:967)
        at com.ibm.ws.webcontainer.filter.WebAppFilterManager.invokeFilters(WebAppFilterManager.java:1107)
        at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:4075)
        at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:304)
        at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:1019)
        at com.ibm.ws.webcontainer.WSWebContainer.handleRequest(WSWebContainer.java:1817)
        at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:213)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:463)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:530)
        at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:316)
        at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:88)
        at com.ibm.ws.ssl.channel.impl.SSLReadServiceContext$SSLReadCompletedCallback.complete(SSLReadServiceContext.java:1833)
        at com.ibm.ws.tcp.channel.impl.WorkQueueManager.requestComplete(WorkQueueManager.java:558)
        at com.ibm.ws.tcp.channel.impl.WorkQueueManager.attemptIO(WorkQueueManager.java:608)
        at com.ibm.ws.tcp.channel.impl.WorkQueueManager.workerRun(WorkQueueManager.java:985)
        at com.ibm.ws.tcp.channel.impl.WorkQueueManager$Worker.run(WorkQueueManager.java:1074)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1892)
Caused by: java.lang.ClassNotFoundException: com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl
        at java.net.URLClassLoader.findClass(URLClassLoader.java:610)
        at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:942)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:887)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:870)

The exception says class com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl is not found. I have verified that the jar file where com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl is located (sas.jar) is loaded in WebSphere. Would it be beneficial if I included this jar file in the navigator war file? Though I would expect navigator to be able to reach the jar file when it's available on the same node as navigator.

Can anyone guide me somewhere? I have kind of hit the end of the tunnel right now :-\ thanks in advance  :)

42
Configuration file: /ondemand/installation/path/config/ars.cfg
OnDemand version: 10.1.0.5

Is there a way to reference multiple users in ARS_LDAP_IGN_USERIDS, without specifying the exact username?
Example:
I have the following users in OD:
  • F001
  • F002
Instead of putting both users in ARS_LDAP_IGN_USERIDS, like
Code: [Select]
ARS_LDAP_IGN_USERIDS=F001,F002
I would rather like to add a wildcard
Code: [Select]
ARS_LDAP_IGN_USERIDS=F*
Thanks in advance  :D

43
MP Server / Re: LDAP SSL configuration, OnDemand won't start
« on: October 26, 2021, 10:54:17 AM »
Solution:
Start /opt/IBM/ondemand/V10.1/bin/arssockd with sudo
Code: [Select]
sudo /opt/IBM/ondemand/V10.1/bin/arssockd -I ARCHIVE -S
Question is, is that the "correct" way of solving this?

44
MP Server / LDAP SSL configuration, OnDemand won't start
« on: October 26, 2021, 10:50:43 AM »
I am configuring OnDemand with LDAP over SSL between OnDemand on AIX and Windows AD. I am having trouble getting the LDAP SSL configuration to work.

What has been done so far:
  • Configured /opt/IBM/ondemand/config/ars.cfg; configuration parameters can be seen further down
  • Restarted OnDemand
  • Made sure I can reach the LDAP server on port 636
  • Credentials for the bind user are OK

When starting OnDemand after SSL has been enabled in ars.cfg, it seems OnDemand doesn't start:
ARS1106E Connection cannot be established for the >ARCHIVE< server

Error received in OnDemand System Log:
LDAP Error: The SSL library cannot be loaded. -- ldap_rc=118, -- extended_rc=-1, Unknown error -- ldap_errno=-1, extra_rc=118, File=arsldap.c, Line=1198

LDAP has been enabled through OnDemand Administrator Client

Environment Variable (I am not sure about this GSK_KEYRING_STASH. I see it mentioned for z/OS only)
GSK_KEYRING_STASH=/opt/IBM/ondemand/V10.1/config/ldap.sth

ars.cfg configuration:
###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=636
ARS_LDAP_USE_SSL=TRUE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE
ARS_LDAP_KEYRING_FILE=/opt/IBM/ondemand/V10.1/config/ldap.kdb
ARS_LDAP_KEYRING_LABEL=CERTLABEL

####################################################
# LDAP SYNC Parameters (requires CMOD v10.1.0.2+)  #
####################################################
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_USER_FILTER=(ObjectClass=USER)
ARS_LDAP_GROUP_FILTER=(ObjectClass=GROUP)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_IGN_USERIDS=ADMIN
ARS_LDAP_IGN_GROUPS=ADMINS

System information:
Aix: v7200-05-02-2114
OnDemand: 10.1.0.5
DB2: 11.1.1.1
TSM 7.1.6.5

Thanks in advance  :)

45
MP Server / Re: Unable to contact LDAP server through arslsync
« on: October 25, 2021, 03:58:12 PM »
Thank you for your replies, @rjrussel!

Main issue here was that I "forgot" to tick on "Enable LDAP" in the OnDemand Administrator Client.
After that, including the changes you came up with in regard to the ars.cfg, things started happening with LDAP connectivity.

Now struggling with LDAP SSL, I'll create a new post for that.

Again, thank you a ton, rjrussel
