LDAP SSL configuration, OnDemand won't start


Andreas Baaserud Hauge

I am configuring OnDemand with LDAP over SSL between OnDemand on AIX and Windows AD. I am having trouble getting the LDAP SSL configuration to work.

What has been done so far:
configured /opt/IBM/ondemand/config/ars.cfg (configuration parameters can be seen further down)
restarted OnDemand
made sure I can reach the LDAP server on port 636
credentials for the bind user are OK

When starting OnDemand after SSL has been enabled in ars.cfg, it seems OnDemand doesn't start:
ARS1106E Connection cannot be established for the >ARCHIVE< server

Error received in the OnDemand System Log:
LDAP Error: The SSL library cannot be loaded. -- ldap_rc=118, -- extended_rc=-1, Unknown error -- ldap_errno=-1, extra_rc=118, File=arsldap.c, Line=1198

LDAP has been enabled through OnDemand Administrator Client

Environment variable (I am not sure about this GSK_KEYRING_STASH; I see it mentioned for z/OS only):
GSK_KEYRING_STASH=/opt/IBM/ondemand/V10.1/config/ldap.sth

ars.cfg configuration:
###########################################
# LDAP Parameters (Library Server Only)   #
###########################################
ARS_LDAP_SERVER=hostname
ARS_LDAP_PORT=636
ARS_LDAP_USE_SSL=TRUE
ARS_LDAP_BASE_DN=OU=Service Accounts
ARS_LDAP_BIND_ATTRIBUTE=sAMAccountName
ARS_LDAP_MAPPED_ATTRIBUTE=sAMAccountName
ARS_LDAP_ALLOW_ANONYMOUS=FALSE
ARS_LDAP_OD_AUTHORITY_FALLBACK=TRUE
ARS_LDAP_KEYRING_FILE=/opt/IBM/ondemand/V10.1/config/ldap.kdb
ARS_LDAP_KEYRING_LABEL=CERTLABEL

####################################################
# LDAP SYNC Parameters (requires CMOD v10.1.0.2+)  #
####################################################
ARS_LDAP_SERVER_TYPE=AD
ARS_LDAP_USER_FILTER=(ObjectClass=USER)
ARS_LDAP_GROUP_FILTER=(ObjectClass=GROUP)
ARS_LDAP_GROUP_MAPPED_ATTRIBUTE=cn
ARS_LDAP_IGN_USERIDS=ADMIN
ARS_LDAP_IGN_GROUPS=ADMINS

System information:
AIX: 7200-05-02-2114
OnDemand: 10.1.0.5
DB2: 11.1.1.1
TSM: 7.1.6.5

Thanks in advance  :)
ABH

Andreas Baaserud Hauge

Solution:
Start /opt/IBM/ondemand/V10.1/bin/arssockd with sudo
sudo /opt/IBM/ondemand/V10.1/bin/arssockd -I ARCHIVE -S

Question is, is that the "correct" way of solving this?
ABH

Justin Derrick

Hi Andreas.

Not really - you want CMOD to run as a 'non-privileged' user (like archive or odadmin) instead of root.  However, it DOES indicate that your problem is likely related to permissions, since running as root provides the highest level of authorization.  Double check file and directory permissions and your path environment variables like PATH, LIBPATH, and LD_LIBRARY_PATH to ensure they're correct.

-JD.
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Webinars:  https://CMOD.Training/
IBM CMOD Professional Services: https://CMOD.cloud

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR
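A pre-flight script for the two checks JD lists, added here as an example and not taken from the thread or from IBM: it applies the POSIX owner/group/other rule to the posted ars.cfg, ldap.kdb and ldap.sth paths on behalf of the CMOD service user (walking every ancestor directory for the search bit, since a keyring the user may read but cannot reach still fails to open), and scans LIBPATH/LD_LIBRARY_PATH for the GSKit shared libraries the ldap_rc=118 message says could not be loaded. The user and group names are passed in rather than taken from the calling account, so it can be run as root without root's all-permissive view masking the result. The GSKit 8 64-bit library names (libgsk8ssl_64.so, libgsk8km_64.so), the default library directories and the `ls -ld` field order (mode, links, owner, group) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of IBM CMOD: pre-flight check for the
# permission and library-path problems that running arssockd under sudo would mask.
# Usage (typically as root, on behalf of the service user):
#   sh cmod_ldap_ssl_check.sh archive
# Paths are the ones posted in the thread; GSKit library names and default
# library directories are assumptions and may need adjusting to the installed GSKit.

# perm_allows MODE OWNER GROUP USER "GROUPS" WANT
# MODE is the first field of `ls -ld` (e.g. -rw-r-----), WANT is r, w or x.
# POSIX rule: owner triple if USER owns the file, else group triple if GROUP is
# one of USER's GROUPS, else the other triple. root always passes, which is why
# a successful start under sudo says nothing about the service user's access.
perm_allows() {
    mode=$1; owner=$2; group=$3; user=$4; grps=$5; want=$6
    if [ "$user" = root ]; then return 0; fi
    base=8                                   # "other" triple starts at column 8
    if [ "$user" = "$owner" ]; then
        base=2                               # owner triple starts at column 2
    else
        for g in $grps; do
            if [ "$g" = "$group" ]; then base=5; fi   # group triple at column 5
        done
    fi
    case $want in r) off=0;; w) off=1;; x) off=2;; *) return 1;; esac
    bit=$(printf '%s' "$mode" | cut -c"$((base + off))")
    case $want in
        x) case $bit in x|s|t) return 0;; esac; return 1;;  # s/t = set-id/sticky with x set
        *) if [ "$bit" = "$want" ]; then return 0; fi; return 1;;
    esac
}

# file_readable_by PATH USER "GROUPS": PATH must be readable by USER and every
# ancestor directory searchable (x) by USER. Prints one status line, returns 0/1.
# Assumes `ls -ld` prints "mode links owner group ..." and paths without blanks.
file_readable_by() {
    p=$1; u=$2; gs=$3
    case $p in /*) ;; *) p=$PWD/$p;; esac
    if [ ! -e "$p" ]; then echo "MISSING  $p"; return 1; fi
    set -- $(ls -ld "$p")
    if ! perm_allows "$1" "$3" "$4" "$u" "$gs" r; then
        echo "NOREAD   $p  ($1 $3:$4, user $u)"; return 1
    fi
    d=$(dirname "$p")
    while [ "$d" != / ]; do
        set -- $(ls -ld "$d")
        if ! perm_allows "$1" "$3" "$4" "$u" "$gs" x; then
            echo "NOSEARCH $d  ($1 $3:$4) blocks $p for $u"; return 1
        fi
        d=$(dirname "$d")
    done
    echo "OK       $p"
    return 0
}

# lib_found_in PATHLIST PATTERN: scan a colon-separated library path (LIBPATH on
# AIX, LD_LIBRARY_PATH on Linux) for a file matching glob PATTERN. Prints the
# first match and returns 0, otherwise returns 1.
lib_found_in() {
    pat=$2
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for cand in "$dir"/$pat; do
            if [ -e "$cand" ]; then echo "$cand"; return 0; fi
        done
    done
    return 1
}

# check_ldap_ssl USER "GROUPS": end-to-end pre-flight for this thread's files.
check_ldap_ssl() {
    u=$1; gs=$2; rc=0
    for f in /opt/IBM/ondemand/config/ars.cfg \
             /opt/IBM/ondemand/V10.1/config/ldap.kdb \
             /opt/IBM/ondemand/V10.1/config/ldap.sth; do
        file_readable_by "$f" "$u" "$gs" || rc=1
    done
    # Assumed GSKit 8 64-bit names; ldap_rc=118 reports the SSL library not loading.
    libpath="${LIBPATH:-}:${LD_LIBRARY_PATH:-}:/usr/lib:/lib"
    for lib in 'libgsk8ssl_64.so*' 'libgsk8km_64.so*'; do
        if hit=$(lib_found_in "$libpath" "$lib"); then
            echo "LIB      $hit"
        else
            echo "NOLIB    $lib not found in $libpath"; rc=1
        fi
    done
    return $rc
}

# Service user from the command line; its groups come from id(1) unless passed.
if [ $# -ge 1 ]; then
    check_ldap_ssl "$1" "${2:-$(id -Gn "$1")}"
fi
```

Anything reported as NOREAD, NOSEARCH or NOLIB for the service user is a candidate for the difference between the failing non-root start and the working `sudo arssockd`; a MISSING line for ldap.sth while ldap.kdb is present points at the stash file rather than at permissions.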