Difference between revisions of "Manually disabling LDAP authentication"
m (Re-worded.) |
(Reformatting IBM CMOD LDAP examples, expanded warnings, reformatted links to IBM) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{TOCright}} | |||
=== What happened? === | === What happened? === | ||
| Line 9: | Line 10: | ||
Of course, without being able to start Content Manager OnDemand or being able to log in, you can't turn LDAP off. If you check the OnDemand Library Server's console output, you might find errors like these: | Of course, without being able to start Content Manager OnDemand or being able to log in, you can't turn LDAP off. If you check the OnDemand Library Server's console output, you might find errors like these: | ||
arssockd (ARCHIVE): ARSSOCKD 2 437 ARS0437E The OnDemand stash file >< either does not exist or is not valid. Return Code=4. | |||
arssockd (ARCHIVE): ARSSOCKD 2 437 ARS0437E The OnDemand stash file >< either does not exist or is not valid. Return Code=4. | |||
If your server does start up, but you can't log in, you'll need to follow these instructions to turn off LDAP authentication, so you can try to figure out what went wrong. | If your server does start up, but you can't log in, you'll need to follow these instructions to turn off LDAP authentication, so you can try to figure out what went wrong. | ||
These instructions will manipulate the contents of the CMOD database directly to disable LDAP. | [[File:Attention.png|80px|left]] WARNING: These instructions will manipulate the contents of the CMOD database directly to disable LDAP. You could damage your OnDemand server if you're not careful. ALWAYS ensure you have a backup of your database to restore from. Alternately, you can use <code> arsdb -xlvf </code> to export a copy of the IBM CMOD database tables, which can be imported again to revert any changes you may have made with the <code> arsdb -ilvf </code> command. | ||
=== Directions === | === Directions === | ||
First, check your | First, check your database: | ||
$ db2 connect to archive | $ db2 connect to archive | ||
| Line 32: | Line 27: | ||
SQL authorization ID = ODADMIN | SQL authorization ID = ODADMIN | ||
Local database alias = ARCHIVE | Local database alias = ARCHIVE | ||
Then check the system to see what the current value of the SYS_MASK field is: | |||
$ db2 "select SYS_MASK from arssys" | |||
SYS_MASK | SYS_MASK | ||
---------- | ---------- | ||
| Line 41: | Line 37: | ||
1 record(s) selected. | 1 record(s) selected. | ||
Even if the value returned on your system is different, you can still use the following SQL to turn off the LDAP option: | |||
$ db2 "update arssys set sys_mask=bitandnot(sys_mask, 4)" | |||
$ db2 "update arssys set sys_mask= | |||
DB20000I The SQL command completed successfully. | DB20000I The SQL command completed successfully. | ||
To double check that the change was made, simply repeat the query to see that the value has changed. | |||
$ db2 "select SYS_MASK from arssys" | $ db2 "select SYS_MASK from arssys" | ||
| Line 73: | Line 49: | ||
SYS_MASK | SYS_MASK | ||
---------- | ---------- | ||
0 | |||
1 record(s) selected. | 1 record(s) selected. | ||
If your starting value was a different number -- for example, 20, then your result should be "16". | |||
If the value hasn't changed, then LDAP wasn't enabled, and your problem is elsewhere. | |||
As always, don't forget to wrap up your session by closing your connection to the database: | |||
$ db2 terminate | $ db2 terminate | ||
DB20000I The TERMINATE command completed successfully. | DB20000I The TERMINATE command completed successfully. | ||
If your CMOD server wasn't able to start, try starting it at this point. | |||
If your CMOD server was able to start (and is still running) but you weren't able to log in, stop and start the Library server so the change can take effect. | |||
=== Additional Resources === | === Additional CMOD LDAP Resources === | ||
The root cause of this issue is that you likely do not have a stash file configured for LDAP on CMOD. | The root cause of this issue is that you likely do not have a stash file configured for LDAP on CMOD. | ||
Here are some IBM Knowledgebase Articles about Content Manager OnDemand stash files and LDAP: | |||
[http://www-01.ibm.com/support/docview.wss?uid=swg21597246 IBM CMOD LDAP authentication on V9.0/9.5] | |||
http://www-01.ibm.com/support/docview.wss?uid=swg21597246 | |||
http://www-01.ibm.com/support/docview.wss?uid=swg21610510 | [http://www-01.ibm.com/support/docview.wss?uid=swg21610510 IBM CM OnDemand V8.5 and later LDAP authentication to active directory server fails] | ||
[http://www-01.ibm.com/support/docview.wss?uid=swg21608635 Using OnDemand arsstash files for authenticating to DB2, Oracle, or LDAP] | |||
http://www-01.ibm.com/support/docview.wss?uid=swg21608635 | |||
Latest revision as of 18:15, 14 December 2017
What happened?
You were likely trying to configure Content Manager OnDemand for LDAP, and now OnDemand won't start after enabling the LDAP Authentication checkbox in the OnDemand Administrator Client.
Symptoms and error messages
The documentation for enabling LDAP isn't perfect, and in CMOD version 9.0 and higher, enabling LDAP can cause OnDemand to not start up after issuing the "arssockd -S" command, or refusing to allow logins.
Of course, without being able to start Content Manager OnDemand or being able to log in, you can't turn LDAP off. If you check the OnDemand Library Server's console output, you might find errors like these:
arssockd (ARCHIVE): ARSSOCKD 2 437 ARS0437E The OnDemand stash file >< either does not exist or is not valid. Return Code=4.
If your server does start up, but you can't log in, you'll need to follow these instructions to turn off LDAP authentication, so you can try to figure out what went wrong.
WARNING: These instructions will manipulate the contents of the CMOD database directly to disable LDAP. You could damage your OnDemand server if you're not careful. ALWAYS ensure you have a backup of your database to restore from. Alternately, you can use arsdb -xlvf to export a copy of the IBM CMOD database tables, which can be imported again to revert any changes you may have made with the arsdb -ilvf command.
Directions
First, check your database:
$ db2 connect to archive Database Connection Information Database server = DB2/AIX64 10.1.4 SQL authorization ID = ODADMIN Local database alias = ARCHIVE
Then check the system to see what the current value of the SYS_MASK field is:
$ db2 "select SYS_MASK from arssys"
SYS_MASK
----------
4
1 record(s) selected.
Even if the value returned on your system is different, you can still use the following SQL to turn off the LDAP option:
$ db2 "update arssys set sys_mask=bitandnot(sys_mask, 4)" DB20000I The SQL command completed successfully.
To double check that the change was made, simply repeat the query to see that the value has changed.
$ db2 "select SYS_MASK from arssys"
SYS_MASK
----------
0
1 record(s) selected.
If your starting value was a different number -- for example, 20, then your result should be "16".
If the value hasn't changed, then LDAP wasn't enabled, and your problem is elsewhere.
As always, don't forget to wrap up your session by closing your connection to the database:
$ db2 terminate DB20000I The TERMINATE command completed successfully.
If your CMOD server wasn't able to start, try starting it at this point.
If your CMOD server was able to start (and is still running) but you weren't able to log in, stop and start the Library server so the change can take effect.
Additional CMOD LDAP Resources
The root cause of this issue is that you likely do not have a stash file configured for LDAP on CMOD.
Here are some IBM Knowledgebase Articles about Content Manager OnDemand stash files and LDAP:
IBM CMOD LDAP authentication on V9.0/9.5
IBM CM OnDemand V8.5 and later LDAP authentication to active directory server fails
Using OnDemand arsstash files for authenticating to DB2, Oracle, or LDAP