Troubleshooting
Problem
MustGather documents aid in problem determination and save time resolving Problem Management Records (PMRs), specifically IBM Security/Tivoli Directory Server problems related to password policies and the LDAP server.
Resolving The Problem
Must Gather Password Policy information based on IBM Security/Tivoli Directory Server version:
For all versions of Directory Server the basic items we need to begin diagnosing any Password Policy issues are as follows:
- A clear description of how you wish to define the Directory Server based password policy in your environment.
- A description of the behavior or problem currently observed.
- Details of the configuration and Directory Server password policy in use.
- Necessary logs and traces.
Must Gather information based on Directory Server version:
- Versions 6.4, 6.3.1, 6.3, 6.2 or 6.1
- Version 6.0
- Version 5.2
Directory Server 6.4, 6.3.1, 6.3, 6.2 or 6.1 Must Gather Information
- Collecting Version Information
- Log and Configuration Files
- Note that the group and user based password policy is effective only for V6.4, V6.3.1, V6.3, V6.2 or V6.1.
- Collect the output from the following commands:
  - Global password policy:
    idsldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy,cn=ibmpolicies" objectclass=*
  - Collect group / user based password policies:
    idsldapsearch -D <adminDN> -w <adminPW> -s sub -b " " objectclass=ibm-pwd*
  - Evaluate the effective password policy on a given user:
    idsldapexop -D <adminDN> -w <adminPW> -op effectpwdpolicy -d "<UserEntryDN>"
  - Collect password policy operational attributes on a given user:
    idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* +ibmpwdpolicy
  - Collect additional password policy operational attributes on a given user:
    idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* ++ibmpwdpolicy
  - If ibm-pwdGroupAndIndividualEnabled is set to true in the above search results, then also collect the following:
    - Collect the group based password policy DN value from the group entry:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b <GroupEntryDN> objectclass=* ibm-pwdGroupPolicyDN
    - Collect the user based password policy DN value from the user entry:
      idsldapsearch -D <adminDN> -w <adminPW> -s base -b <UserEntryDN> objectclass=* ibm-pwdIndividualPolicyDN
- Dynamic ASCII and Binary Tracing
a) If Group based password policies are in use:
where
<adminDN> is the LDAP administrator DN, such as cn=root
<adminPW> is the LDAP administrator password
<UserEntryDN> is the DN value of the user
<GroupEntryDN> is the DN value of the group
Note: Collect ibmslapd traces during a recreate of the problem.
Directory Server 6.0 Must Gather Information
- Collecting Version Information
- Log and Configuration Files
- Collect the output from the following commands:
  - Collect the global password policy:
    idsldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy" objectclass=*
  - Collect password policy operational attributes on a given user:
    idsldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked
- Dynamic ASCII and Binary Tracing
where
<adminDN> is the LDAP administrator DN, such as cn=root
<adminPW> is the LDAP administrator password
<UserEntryDN> is the DN value of the user
Note: Collect ibmslapd traces during a recreate of the problem.
Directory Server 5.2 Must Gather Information
- Collecting Version Information
- Log and Configuration Files
- Collect the output from the following commands:
  - Collect the global password policy:
    ldapsearch -D <adminDN> -w <adminPW> -s base -b "cn=pwdpolicy" objectclass=*
  - Collect password policy operational attributes on a given user:
    ldapsearch -D <adminDN> -w <adminPW> -s base -b "<UserEntryDN>" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked
- Dynamic ASCII and Binary Tracing
where
<adminDN> is the LDAP administrator DN, such as cn=root
<adminPW> is the LDAP administrator password
<UserEntryDN> is the DN value of the user
Note: Collect ibmslapd traces during a recreate of the problem.
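The three version sections above describe one collection procedure that differs only in the client binary (ldapsearch for 5.2, idsldapsearch/idsldapexop for 6.x), the DN of the global policy entry (cn=pwdpolicy versus cn=pwdpolicy,cn=ibmpolicies) and how the operational attributes are requested (named explicitly versus +ibmpwdpolicy/++ibmpwdpolicy). The script below is an added example and is not part of the IBM MustGather page: it runs the commands listed for the chosen version, saves each result as a file in one directory and, for 6.1 and later, only collects the group and individual policy DNs when the saved global policy reports ibm-pwdGroupAndIndividualEnabled: true. The version argument, the LDAPSEARCH/LDAPEXOP override variables, the output file names and the sample DNs are assumptions of this example, not part of IBM's tooling.

```shell
#!/bin/sh
# Added example (not from the IBM page): collect the password-policy MustGather
# output for IBM Security/Tivoli Directory Server into one directory.
# Client binaries default to the names the page uses; LDAPSEARCH and LDAPEXOP
# can be overridden (e.g. with "echo") to dry-run the script without a server.

# Operational attributes the 6.0 and 5.2 sections ask for by name.
V6_0_OPATTRS="pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked"

# Exit 0 when the saved global policy entry has ibm-pwdGroupAndIndividualEnabled: true.
group_individual_enabled() {
    grep -qi '^ibm-pwdGroupAndIndividualEnabled: *true' "$1"
}

# pwdpolicy_mustgather <version> <adminDN> <adminPW> <UserEntryDN> <GroupEntryDN> <outdir>
# version is 5.2, 6.0 or 6.1 (use 6.1 for 6.1 through 6.4). Prints one summary line.
pwdpolicy_mustgather() {
    ver=$1; admin_dn=$2; admin_pw=$3; user_dn=$4; group_dn=$5; out=$6
    case "$ver" in
        5.2)     search="${LDAPSEARCH:-ldapsearch}" ;;
        6.0|6.1) search="${LDAPSEARCH:-idsldapsearch}" ;;
        *)       echo "unsupported version: $ver" >&2; return 2 ;;
    esac
    exop="${LDAPEXOP:-idsldapexop}"
    mkdir -p "$out" || return 1
    chmod 700 "$out"   # the bundle records lockout/expiry state of real accounts

    if [ "$ver" = 6.1 ]; then
        # From 6.1 on the global policy lives under cn=ibmpolicies and the
        # operational attributes are requested with +ibmpwdpolicy / ++ibmpwdpolicy.
        "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "cn=pwdpolicy,cn=ibmpolicies" 'objectclass=*' \
            > "$out/global_policy.ldif"
        "$search" -D "$admin_dn" -w "$admin_pw" -s sub -b " " 'objectclass=ibm-pwd*' \
            > "$out/all_policies.ldif"
        "$exop" -D "$admin_dn" -w "$admin_pw" -op effectpwdpolicy -d "$user_dn" \
            > "$out/effective_policy.txt"
        "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "$user_dn" 'objectclass=*' +ibmpwdpolicy \
            > "$out/user_opattrs.ldif"
        "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "$user_dn" 'objectclass=*' ++ibmpwdpolicy \
            > "$out/user_opattrs_extended.ldif"
        # Group/individual policy DNs are only meaningful when the feature is on.
        if group_individual_enabled "$out/global_policy.ldif"; then
            "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "$group_dn" 'objectclass=*' ibm-pwdGroupPolicyDN \
                > "$out/group_policy_dn.ldif"
            "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "$user_dn" 'objectclass=*' ibm-pwdIndividualPolicyDN \
                > "$out/user_policy_dn.ldif"
            echo "version=$ver group_individual=yes"
        else
            echo "version=$ver group_individual=no"
        fi
    else
        # 6.0 and 5.2: global policy is cn=pwdpolicy and the operational
        # attributes must be listed explicitly (word splitting of the list is intended).
        "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "cn=pwdpolicy" 'objectclass=*' \
            > "$out/global_policy.ldif"
        "$search" -D "$admin_dn" -w "$admin_pw" -s base -b "$user_dn" 'objectclass=*' $V6_0_OPATTRS \
            > "$out/user_opattrs.ldif"
        echo "version=$ver group_individual=n/a"
    fi
}

# Usage (against a real server):
#   pwdpolicy_mustgather 6.1 cn=root '<adminPW>' '<UserEntryDN>' '<GroupEntryDN>' ./pwdpolicy-mustgather
```

Two details are worth keeping even when typing the page's commands by hand. The filter objectclass=* is quoted here so the shell cannot expand it against files in the working directory. And -w <adminPW> on the command line is visible to every user of the host in the process list, so on a shared machine prefer the client's interactive password prompt where your client version offers one, and delete the output directory once the PMR is closed.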
Document Information
Modified date: 16 June 2018
UID: swg21286008