IBM Support

MustGather: LDAP problems using AAA policy or custom XSLT on IBM DataPower Gateway Appliance

Troubleshooting


Problem

The following data is required for IBM Support to troubleshoot LDAP problems using AAA policy or custom XSLT on the IBM DataPower Gateway Appliance.

If you are having problems with LDAP as RBM Authentication, then follow this link for data collection -

Visit the WebSphere DataPower SOA Appliances Product support page for more support content. 

Need Help Opening a Case? See Contacting IBM DataPower Gateway Appliance Support for assistance.

Diagnosing The Problem

Part I: Describe the Issue

  • Provide some details regarding your LDAP configuration with use of AAA policy, custom XSLT, etc.
  • Are you using simple LDAP (default port 389) or LDAP over TLS (default port 636)?
  • What is the name of the DataPower service (e.g., name of the MPGW, AAA policy) in use?
  • Provide a detailed problem description that includes error messages or unexpected results. Also, let us know whether this is a new or existing configuration.

Part II: Re-create the issue and collect the following data

  • Set log level to debug.
  • Enable packet capture from default domain.
  • Enable probe on the service where LDAP is used.
  • Re-create the issue.
  • Download error report, Probe export, packet capture file and sslkeyfile.

Detailed steps for collecting the data above:

Step 1: Setting up Debug Log Level

Go to: WebGUI -> Control Panel -> Troubleshooting -> Logging section -> Set Log Level to "debug"

Step 2: Start Packet Capture across all interfaces to capture the issue

Enable packet capture from the default domain:

Go to: WebGUI -> Control Panel -> Troubleshooting -> Packet Capture section
   Interface Type: All Interfaces
   Mode: Continuous
   Max Size: 20000
   Max Packet Size: 9000
   Filter Expression: host x.x.x.x  (where x.x.x.x is the IP address of the LDAP server)
   Log TLS Key: ON  (if using SSL to the LDAP server; this produces the sslkeyfile downloaded in Step 6)
   Click Start Packet Capture

Video: How do I generate a Packet Capture

Step 3: Enable the probe from the application domain

Go to: WebGUI -> Control Panel -> Troubleshooting
  • Select the "Probe" tab near the top of the troubleshooting panel.
  • Look for the type of service you are using (e.g., MPGW).
  • From the pull-down, select the name of the service you are using.
  • Click the Add Probe button.

Video: How do I capture a probe export on an IBM DataPower Gateway appliance?

Step 4: Re-create the problem

Send a transaction to re-create the issue.

Step 5: Stop the Packet Capture and Probe and generate an error-report

Stop packet capture: Control Panel -> Troubleshooting -> 'Stop packet capture' section
   Interface Type: All Interfaces
   Click 'Stop Packet Capture'

Export probe: Troubleshooting -> find the service where the probe was just enabled -> select the magnifying glass under 'Probe' -> select Export Capture and click Download to save to your PC.

Generate error-report: Troubleshooting -> Reporting section -> click 'Generate Error Report'

Step 6: Download the packet capture, error-report and sslkeyfile

      temporary:///error-report
      temporary:///capture.pcap
      logtemp:///sslkeyfile.log

Step 7: Upload all files above (including the probe export from Step 5) to the IBM Support Case using the link below:

https://www.secure.ecurep.ibm.com/app/upload_sf
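
Before uploading, the downloaded capture.pcap can be checked to confirm that it actually contains traffic to the LDAP server on port 389 or 636. The following is an added example, not part of the IBM document: it assumes a classic pcap file with Ethernet or Linux cooked link-layer headers and untagged IPv4, and the function names and sample addresses are constructed for illustration.

```python
import socket
import struct
from collections import Counter

LDAP_PORTS = {389: "ldap", 636: "ldaps"}  # default ports named in Part I
LINK_HDR = {1: 14, 113: 16}  # link-layer header size: Ethernet, Linux cooked (SLL)
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond pcap
         b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}  # nanosecond pcap

def ldap_packet_counts(pcap: bytes, server_ip: str) -> Counter:
    """Count IPv4/TCP packets to or from server_ip on the default LDAP ports."""
    end = MAGIC.get(pcap[:4])
    if end is None or len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    l2 = LINK_HDR.get(struct.unpack(end + "I", pcap[20:24])[0])
    if l2 is None:
        raise ValueError("unsupported link-layer type")
    server = socket.inet_aton(server_ip)
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # The protocol field (0x0800 = IPv4) is the last 2 bytes of either header.
        if len(frame) < l2 + 20 or frame[l2 - 2:l2] != b"\x08\x00":
            continue
        ip = frame[l2:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6 or len(ip) < ihl + 4:  # keep TCP with readable ports
            continue
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        if ip[16:20] == server and dport in LDAP_PORTS:
            counts[LDAP_PORTS[dport] + " to server"] += 1
        elif ip[12:16] == server and sport in LDAP_PORTS:
            counts[LDAP_PORTS[sport] + " from server"] += 1
    return counts

def sample_pcap() -> bytes:
    """Constructed capture: LDAPS request, LDAPS reply, unrelated TCP packet."""
    def pkt(src, dst, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    a, b = "10.0.0.5", "192.0.2.10"  # constructed client and LDAP server addresses
    return hdr + pkt(a, b, 40000, 636) + pkt(b, a, 636, 40000) + pkt(a, b, 40001, 53)
```

For a real capture, pass `open("capture.pcap", "rb").read()` and the LDAP server address used in the Step 2 filter expression. An empty result means the capture did not record the LDAP exchange on the default ports and the issue should be re-created.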

Document Location

Worldwide

Document Information

Modified date:
31 August 2023

UID

ibm10883452