This document describes the data to collect when troubleshooting DB2 LDAP authentication problems, and the questions to answer before submitting that data to IBM Support.
Resolving the problem
- Are you using Transparent LDAP or LDAP Security Plug-ins to do authentication?
- Are you able to authenticate to the LDAP server outside of DB2?
- Are you able to query the groups within LDAP for the user outside of DB2?
- Is the performance accessing the LDAP outside of DB2 similar to within DB2?
- Can the problem be reproduced on demand? If so, can a test case or a sequence of steps be provided?
- Is this a production, development or test environment?
- What is the business impact of this problem?
- Are there other repercussions to the problem occurring?
- Run "db2set -all". If Transparent LDAP is enabled, DB2AUTH=OSAUTHDB should be set
- Collect the PAM configuration files (/etc/pam.d/db2)
- Linux: Collect /etc/nsswitch.conf, /var/log/messages
- AIX: Collect methods.cfg (for lsuser & lsgroups), /etc/security/user, id <user>, groups <user>
- A db2trc of the behavior:
Issue the following commands:
db2trc on -f trace.dmp
<reproduce the problem>
db2trc fmt trace.dmp trace.fmt
db2trc flw trace.dmp trace.flw
db2trc fmt trace.dmp trace.fmtc -c
- A db2support.zip file:
Issue the following command which will generate a db2support.zip file in the current directory
db2support . -g -s
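The db2trc and db2support steps above, wrapped in a small POSIX shell script so that every file from one collection lands in a single directory and the formatting commands are not run against a dump that was never written. This is an added example, not part of the IBM technote: it assumes db2trc and db2support are on PATH in a sourced DB2 instance environment, adds a "db2trc off" call to stop the trace before formatting, and the DRY_RUN variable is this script's own convention for printing the commands instead of executing them, not a DB2 option.

```shell
#!/bin/sh
# Added example (not from the IBM technote): collect the db2trc views and the
# db2support.zip in one directory. Assumes db2trc/db2support are on PATH.
# DRY_RUN=1 prints each command instead of running it (script convention only).

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Step 1: start tracing into <dir>/trace.dmp. The caller then reproduces
# the problem and calls stop_and_format on the same directory.
start_trace() {
    run db2trc on -f "$1/trace.dmp"
}

# Step 2: stop the trace, produce the three formatted views the technote
# lists (fmt, flw, fmt -c), and run db2support inside the collection dir.
stop_and_format() {
    dir=$1
    run db2trc off
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -s "$dir/trace.dmp" ]; then
        echo "no trace.dmp in $dir: was start_trace run before reproducing?" >&2
        return 1
    fi
    run db2trc fmt "$dir/trace.dmp" "$dir/trace.fmt"
    run db2trc flw "$dir/trace.dmp" "$dir/trace.flw"
    run db2trc fmt "$dir/trace.dmp" "$dir/trace.fmtc" -c
    # db2support writes db2support.zip to the current directory, so cd first.
    ( cd "$dir" && run db2support . -g -s )
}

# Stand-alone usage: create a timestamped directory and print the plan.
if [ "${1:-}" = "--plan" ]; then
    COLLECT_DIR="ldap_collect_$(date +%Y%m%d_%H%M%S)"
    mkdir -p "$COLLECT_DIR"
    DRY_RUN=1 start_trace "$COLLECT_DIR"
    echo "# reproduce the problem here"
    DRY_RUN=1 stop_and_format "$COLLECT_DIR"
fi
```

Run the script with --plan to see the exact command sequence for a fresh directory; in a real collection, call start_trace, reproduce the problem, then call stop_and_format on the same directory and attach the resulting files.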
Diagnostics data to collect for LDAP security plug-ins
- Verify if the server, client, and/or group security plug-in values are set in the DBM CFG. Run the command "db2 get dbm cfg" and look for the following variables:
Client Userid-Password Plugin (CLNT_PW_PLUGIN) = IBMLDAPauthclient
Group Plugin (GROUP_PLUGIN) = IBMLDAPgroups
Server Userid-Password Plugin (SRVCON_PW_PLUGIN) = IBMLDAPauthserver
- To enable debugging within the LDAP security plug-in, take the following steps:
1) Edit the IBMLDAPSecurity.ini file and set DEBUG=TRUE and save.
2) Run the command "db2 update dbm cfg using diaglevel 4". The additional LDAP debug information will be found in the db2diag.log. The diaglevel can be returned to its original value once debugging is complete.
- To enable tracing of the Tivoli LDAP client library, run the following commands:
db2set DB2ENVLIST="LDAP_DEBUG LDAP_DEBUG_FILE"
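The first checklist question (Transparent LDAP or security plug-ins?) can be answered from the two outputs this page already asks for: "db2set -all" (DB2AUTH=OSAUTHDB) and "db2 get dbm cfg" (the three plug-in parameters). The following POSIX shell script is an added example, not from the IBM technote, that classifies an instance from those outputs so the right set of diagnostics is collected. It assumes the registry lines are in the usual "[i] NAME=VALUE" form of db2set -all, and the two sample outputs embedded below are constructed, not captured from a real instance.

```shell
#!/bin/sh
# Added example (not from the IBM technote): decide whether a DB2 instance
# uses Transparent LDAP, the LDAP security plug-ins, both, or neither, from
# the text of "db2set -all" and "db2 get dbm cfg".

# Prints "yes" when DB2AUTH contains OSAUTHDB (Transparent LDAP enabled).
# $1 = text of "db2set -all"; lines look like "[i] DB2AUTH=OSAUTHDB".
transparent_ldap_enabled() {
    if printf '%s\n' "$1" | grep -Eq '^\[[a-z]\] *DB2AUTH=.*OSAUTHDB'; then
        echo yes
    else
        echo no
    fi
}

# Prints, one per line, the IBMLDAP* plug-ins set for the three DBM CFG
# parameters the technote names. $1 = text of "db2 get dbm cfg".
ldap_plugins_configured() {
    printf '%s\n' "$1" | awk -F'=' '
        /\((CLNT_PW_PLUGIN|GROUP_PLUGIN|SRVCON_PW_PLUGIN)\)/ {
            val = $2
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (val ~ /^IBMLDAP/) print val
        }'
}

# Prints one of: transparent, plugins, both, none.
classify_ldap_mode() {
    t=$(transparent_ldap_enabled "$1")
    p=$(ldap_plugins_configured "$2" | wc -l | tr -d ' ')
    if [ "$t" = yes ] && [ "$p" -gt 0 ]; then echo both
    elif [ "$t" = yes ]; then echo transparent
    elif [ "$p" -gt 0 ]; then echo plugins
    else echo none
    fi
}

# Constructed sample outputs (not from a real instance).
SAMPLE_DB2SET='[i] DB2AUTH=OSAUTHDB
[i] DB2COMM=TCPIP
[g] DB2SYSTEM=db2host'

SAMPLE_DBMCFG=' Client Userid-Password Plugin          (CLNT_PW_PLUGIN) = 
 Group Plugin                             (GROUP_PLUGIN) = IBMLDAPgroups
 Server Userid-Password Plugin      (SRVCON_PW_PLUGIN) = IBMLDAPauthserver'

# Use live output when a DB2 instance environment is sourced; else the sample.
if command -v db2set >/dev/null 2>&1 && command -v db2 >/dev/null 2>&1; then
    DB2SET_OUT=$(db2set -all 2>/dev/null)
    DBMCFG_OUT=$(db2 get dbm cfg 2>/dev/null)
else
    DB2SET_OUT=$SAMPLE_DB2SET
    DBMCFG_OUT=$SAMPLE_DBMCFG
fi
echo "LDAP authentication mode: $(classify_ldap_mode "$DB2SET_OUT" "$DBMCFG_OUT")"
echo "plug-ins configured:"
ldap_plugins_configured "$DBMCFG_OUT"
```

A result of "transparent" points at the PAM, nsswitch and OS-level checks in the first list; "plugins" points at IBMLDAPSecurity.ini DEBUG=TRUE and diaglevel 4; "both" means the instance has DB2AUTH=OSAUTHDB set while LDAP plug-ins are also configured, which is itself worth noting in the problem description.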
Submitting information to IBM Support
Once you have collected your information, you can begin Problem Determination through the product Support web page, or simply submit the diagnostic information to IBM Support. Use the document "Submitting diagnostic information to IBM Technical Support for problem determination" for instructions on submitting information to IBM Support.