Difference between revisions of "Manually disabling LDAP authentication"
m (Re-worded.) |
(Added bit-and-not code to simplify instructions. Credit to Alessandro Perucchi.) |
||
| Line 21: | Line 21: | ||
=== Directions === | === Directions === | ||
First, check your | First, check your database: | ||
<code> | <code> | ||
$ db2 connect to archive | $ db2 connect to archive | ||
| Line 32: | Line 31: | ||
SQL authorization ID = ODADMIN | SQL authorization ID = ODADMIN | ||
Local database alias = ARCHIVE | Local database alias = ARCHIVE | ||
</code> | |||
Then check the system to see what the current value of the SYS_MASK field is: | |||
<code> | |||
$ db2 "select SYS_MASK from arssys" | $ db2 "select SYS_MASK from arssys" | ||
| Line 41: | Line 43: | ||
1 record(s) selected. | 1 record(s) selected. | ||
</code> | </code> | ||
Even if the value returned on your system is different, you can still use the following SQL to turn off the LDAP option: | |||
<code> | <code> | ||
$ db2 "update arssys set sys_mask=bitandnot(sys_mask, 4)" | |||
$ db2 "update arssys set sys_mask= | |||
DB20000I The SQL command completed successfully. | DB20000I The SQL command completed successfully. | ||
</code> | </code> | ||
To double check that the change was made, simply repeat the query to see that the value has changed. | |||
<code> | <code> | ||
$ db2 "select SYS_MASK from arssys" | $ db2 "select SYS_MASK from arssys" | ||
SYS_MASK | SYS_MASK | ||
---------- | ---------- | ||
0 | |||
1 record(s) selected. | 1 record(s) selected. | ||
</code> | </code> | ||
If your starting value was a different number -- for example, 20, then your result should be "16". | |||
If the value hasn't changed, then LDAP wasn't enabled, and your problem is elsewhere. | |||
As always, don't forget to wrap up your session by closing your connection to the database: | |||
<code> | |||
$ db2 terminate | |||
DB20000I The TERMINATE command completed successfully. | |||
</code> | </code> | ||
Revision as of 14:28, 3 August 2015
What happened?
You were likely trying to configure Content Manager OnDemand for LDAP, and now OnDemand won't start after enabling the LDAP Authentication checkbox in the OnDemand Administrator Client.
Symptoms and error messages
The documentation for enabling LDAP isn't perfect, and in CMOD version 9.0 and higher, enabling LDAP can cause OnDemand to not start up after issuing the "arssockd -S" command, or refusing to allow logins.
Of course, without being able to start Content Manager OnDemand or being able to log in, you can't turn LDAP off. If you check the OnDemand Library Server's console output, you might find errors like these:
arssockd (ARCHIVE): ARSSOCKD 2 437 ARS0437E The OnDemand stash file >< either does not exist or is not valid. Return Code=4.
If your server does start up, but you can't log in, you'll need to follow these instructions to turn off LDAP authentication, so you can try to figure out what went wrong.
These instructions will manipulate the contents of the CMOD database directly to disable LDAP. USE THESE INSTRUCTIONS WITH CAUTION.
Directions
First, check your database:
$ db2 connect to archive
Database Connection Information
Database server = DB2/AIX64 10.1.4
SQL authorization ID = ODADMIN
Local database alias = ARCHIVE
Then check the system to see what the current value of the SYS_MASK field is:
$ db2 "select SYS_MASK from arssys"
SYS_MASK
----------
4
1 record(s) selected.
Even if the value returned on your system is different, you can still use the following SQL to turn off the LDAP option:
$ db2 "update arssys set sys_mask=bitandnot(sys_mask, 4)"
DB20000I The SQL command completed successfully.
To double check that the change was made, simply repeat the query to see that the value has changed.
$ db2 "select SYS_MASK from arssys"
SYS_MASK
----------
0
1 record(s) selected.
If your starting value was a different number -- for example, 20, then your result should be "16".
If the value hasn't changed, then LDAP wasn't enabled, and your problem is elsewhere.
As always, don't forget to wrap up your session by closing your connection to the database:
$ db2 terminate
DB20000I The TERMINATE command completed successfully.
If your CMOD server wasn't able to start, try starting it at this point. If your CMOD server was able to start, but you weren't able to log in, stop and start the Library server so the change can take effect.
Additional Resources
The root cause of this issue is that you likely do not have a stash file configured for LDAP on CMOD. Here are some IBM Knowledgebase Articles about Content Manager OnDemand stash files and LDAP:
Content Manager OnDemand V9.0/9.5 LDAP authentication process:
http://www-01.ibm.com/support/docview.wss?uid=swg21597246
Content Manager OnDemand V8.5 and later LDAP authentication to active directory server fails with an error:
http://www-01.ibm.com/support/docview.wss?uid=swg21610510
Using arsstash files for authenticating to DB2, Oracle, or LDAP: