IBM Support

IY90440: PDACLD_CONFIG FAILS IF LDAP DOES NOT ALLOW ANONYMOUS BINDING.

 

APAR status

  • Closed as program error.

Error description

  • There is a function in PDAcld_config named,
    
    #####################################################################
    # ldapSSLSearch() - performs an ${LDAPSEARCH} using ssl
    # arg1: ssl port
    # arg2: keyfile (full path)
    # arg3: keyfile password
    # arg4: keyfile dn (label) or leave blank if not specified.
    # returns 0 on success or non-zero on failure (returns ${LDAPSEARCH} $?)
    #####################################################################
    ldapSSLSearch() {
       port="$1"
       keyfile="$2"
       keyfilepwd="$3"
       keyfiledn="$4"
    
       ${LDAPSEARCH} -h ${LDAPHOST} -p ${port} -K "${keyfile}" -N "${keyfiledn}" -P "${keyfilepwd}" -b "" -s base objectclass=* >/dev/null 2>&1
       return $?
    }
    
    
    This function is used to check the validity of a specified
    keyfile, label, and password.  If the LDAP server does not allow
    anonymous binding, which is controlled by ibm-slapdAllowAnon in
    this entry,
    
    dn: cn=Connection Management, cn=Front End, cn=Configuration
    cn: Connection Management
    ibm-slapdAllowAnon: TRUE
    
    then this call will fail.  This will cause the config to fail.
    

Local fix

  • The current workarounds are:
    
    1. Enable anonymous binding during the config phase.  This is a
       security issue.
    
    2. Edit the script and add a bind DN and password to the call.
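
Workaround 2 could look like the following sketch. It is an added example, not IBM's shipped PDAcld_config code or the interim fix: the same root DSE search as ldapSSLSearch(), with a simple bind added through the ldapsearch -D and -w options. The function name ldapSSLSearchAuth and the variables LDAPBINDDN and LDAPBINDPWD are assumptions.

```shell
#!/bin/sh
# Added example, not part of the shipped PDAcld_config script.
# LDAPBINDDN / LDAPBINDPWD are assumed variable names for the bind identity.
LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"
LDAPHOST="${LDAPHOST:-localhost}"

# ldapSSLSearchAuth() - same keyfile/label/password check as ldapSSLSearch(),
# but binds as ${LDAPBINDDN} when one is set instead of binding anonymously.
# arg1: ssl port
# arg2: keyfile (full path)
# arg3: keyfile password
# arg4: keyfile dn (label) or leave blank if not specified.
# returns ${LDAPSEARCH} $?, or 2 if a bind DN is set without a password
ldapSSLSearchAuth() {
   port="$1"
   keyfile="$2"
   keyfilepwd="$3"
   keyfiledn="$4"

   # Rebuild the positional parameters as the ldapsearch argument list.
   set -- -h "${LDAPHOST}" -p "${port}" -K "${keyfile}" \
          -N "${keyfiledn}" -P "${keyfilepwd}"

   if [ -n "${LDAPBINDDN:-}" ]; then
      # A DN with an empty password is an "unauthenticated" simple bind
      # (RFC 4513), which would not prove the credentials are valid.
      if [ -z "${LDAPBINDPWD:-}" ]; then
         return 2
      fi
      # Note: -w places the password in the process argument list
      # for the lifetime of the ldapsearch call.
      set -- "$@" -D "${LDAPBINDDN}" -w "${LDAPBINDPWD}"
   fi

   "${LDAPSEARCH}" "$@" -b "" -s base "objectclass=*" >/dev/null 2>&1
   return $?
}
```

With LDAPBINDDN unset the call is identical to the original anonymous search, so the same script works against servers in either configuration.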
    

Problem summary

  • When anonymous binding is disabled in the LDAP
    server configuration, the validity check for a specified keyfile,
    label and password fails during PDACLD configuration with the
    following error: HPDBG0109W Invalid LDAP authentication.
    

Problem conclusion

  • The fix for this APAR is expected to be contained in the
    following maintenance delivery vehicle:
    LA interim fix: 5.1.0-TIV-TAM-LA0028
    

Temporary fix

Comments

APAR Information

  • APAR number

    IY90440

  • Reported component name

    ACCESS MGR E-BU

  • Reported component ID

    5724C0800

  • Reported release

    510

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-10-09

  • Closed date

    2006-12-19

  • Last modified date

    2007-12-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ11265

Fix information

  • Fixed component name

    ACCESS MGR E-BU

  • Fixed component ID

    5724C0800

Applicable component levels

  • R510 PSN

       UP


Document Information

Modified date:
13 November 2021