IBM Support

Collecting Data for DB2 LDAP Authentication

Technote (troubleshooting)


This document will help you learn more about the methods used to collect data to help solve DB2 LDAP authentication problems.

Resolving the problem


  • Are you using Transparent LDAP or LDAP Security Plug-ins to do authentication?
  • Are you able to authenticate to the LDAP server outside of DB2?
  • Are you able to query the groups within LDAP for the user outside of DB2?
  • Is the performance accessing the LDAP outside of DB2 similar to within DB2?
  • Can the problem be reproduced on demand? If so, can a test case or a sequence of steps can be provided?
  • Is this a production, development or test environment?
  • What is the business impact of this problem?
  • Are there other repercussions to the problem occurring?
Diagnostics data to collect for Transparent LDAP
  • Run "db2set -all". If Transparent LDAP is enabled, DB2AUTH=OSAUTHDB should be set
  • Collect the PAM configuration files (/etc/pam.d/db2)
  • Linux: Collect /etc/nsswitch.conf, /var/log/messages
  • AIX: Collect methods.cfg (for lsuser & lsgroups), /etc/security/user, id <user>, groups <user>
  • A db2trc of the behavior:

    Issue the following commands:
    db2trc on -f trace.dmp
    <reproduce the problem>
    db2trc off
    db2trc fmt trace.dmp trace.fmt
    db2trc flw trace.dmp trace.flw
    db2trc fmt trace.dmp trace.fmtc -c
  • A file:

    Issue the following command which will generate a file in the current directory
    db2support . -s

Diagnostics data to collect for LDAP security plug-ins
  • Verify if the server, client, and/or group security plug-in values are set in the DBM CFG. Run the command "db2 get dbm cfg" and look for the following variables:

    Client Userid-Password Plugin (CLNT_PW_PLUGIN) = IBMLDAPauthclient
    Group Plugin (GROUP_PLUGIN) = IBMLDAPgroups
    Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = IBMLDAPauthserver

  • To enable debugging within the LDAP security plug-in, take the following steps:

    1) Edit the IBMLDAPSecurity.ini file and set DEBUG=TRUE and save.
    2) Run the command "db2 update dbm cfg using diaglevel 4". The additional LDAP debug information will be found in the db2diag.log. The diaglevel can be returned to it's original value once debugging is complete

  • To enable tracing of the Tivoli LDAP client library, run the following commands:

    export LDAP_DEBUG=65535
    export LDAP_DEBUG_FILE=<filename>

Submitting information to IBM Support
Once you have collected your information, you can begin Problem D etermination through the product Support web page, or simply submit the diagnostic information to IBM support. Use the document Submitting diagnostic information to IBM Technical Support for problem determination for submitting information to IBM Support.

Document information

More support for: DB2 for Linux, UNIX and Windows
Security / Plug-Ins - LDAP

Software version: 9.5, 9.7, 10.1, 10.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Reference #: 1447085

Modified date: 20 August 2014

Translate this page: