Monday, December 5, 2022

LDAP user authentication issue on AIX LDAP client

Login issue for multiple LDAP users on AIX client server.

Hello all, 

Today I am going to discuss an incident where a user on an AIX server was unable to switch to his home directory, and when the AIX admin tried to list the user's properties with the lsuser command, that command also showed no details.


#lsuser -R LDAP username

Error message:
3004-687 user abcd does not exist.

The initial check found that this issue was present on all LDAP client servers.
 
Steps which the AIX admin must perform to troubleshoot this are:
  • Check whether the NFS mount point that holds the LDAP users' home directories is mounted and in a healthy state; user home directories are accessed from this NFS mount.
  • Make sure that the slapd server daemon is active on the LDAP server and the secldapclntd client daemon is active on the LDAP client.
  • Also make sure that there is no CPU or memory bottleneck on the server.
✓ Checked and verified that the LDAP daemons were running on the AIX LDAP server and client, using the following commands:

#ps -eaf | grep -i slapd
#ps -eaf | grep -i secldapclntd
#ps -eaf | grep -i LDAP

AIX LDAP server daemon: slapd
 Runs on the LDAP server and processes the requests coming from LDAP client servers.

AIX LDAP client daemon: secldapclntd
 Runs on the LDAP client.

#lsuser -R LDAP username    // to display LDAP user information

If the client LDAP daemon needs a restart, that is done with the command:
# /usr/sbin/restart-secldapclntd

The command below displays the LDAP server that is currently active:
#ls-secldapclntd

#ps -eaf | grep -i LDAP    // shows the running LDAP daemon processes on the AIX LDAP client and server

The second thing we checked was the LDAP log file on the AIX LDAP server, and this is where we got the main breakthrough. We also engaged the database team, who told us they were getting an "authentication denied" error when they tried to log in; this information was enough to move towards a solution. From the AIX side, IBM software support suggested resetting the ldapdb2 user's password.

The problem was that the ldapdb2 password had expired, which caused the LDAP client requests to be rejected.
The LDAP server log file in which the expired ldapdb2 password was found:
----------------------------------
"db2cli.log" had the following error message:
"Sql30082N security processing failed with reason 1 password expired sqlstate=08001"


For this we also had software support, who suggested running a command to reset the password of the ldapdb2 user.
Command for the password reset on the AIX LDAP server:
----------------------------------
#idscfgdb -l ldapdb2 -w <new password>

Make sure that ibmslapd is stopped when the AIX admin executes this command.


✓ Executed the following command and rebooted the AIX LDAP server:
#idscfgdb -l ldapdb2 -w <new password>

One thing I forgot to mention: when this issue occurred, our AIX patching team had just done patching, and our first suspicion was that the patching had caused it, but the real culprit was the expired ldapdb2 password. After the password reset and the AIX LDAP server reboot, all AIX LDAP clients were able to access their home directories and switch to their accounts.


In the end we can conclude that the following are the possible reasons for the error "3004-687 user does not exist" on an LDAP client:
1. Check that secldapclntd is active and running on the AIX client.
2. Check whether the NFS mount point for the LDAP users' home directories is mounted and in a healthy state.
3. slapd runs on the LDAP server and processes the requests from LDAP client servers; make sure it is active.
4. Last and most important: check that the ldapdb2 user's password has not expired.
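To tie the troubleshooting steps and the log check together, here is a small POSIX shell triage helper. It is an added example, not part of the original post: it applies the checks above to captured `ps -eaf` output and to db2cli.log text, and reports which of the causes listed here it can see. The sample inputs are constructed; the ibmslapd path and the exact layout of the DB2 message are assumptions modelled on the error quoted in this post.

```shell
#!/bin/sh
# Added example, not from the original post: triage helper for the
# "3004-687 user does not exist" symptom on an AIX LDAP client.
# Sample inputs below are constructed; the ibmslapd path and the exact
# DB2 message layout are assumptions modelled on the error quoted above.

# Return 0 if the ps output ($1) shows a process whose command line contains
# the daemon name ($2). Lines belonging to grep itself are filtered out first.
daemon_running() {
    printf '%s\n' "$1" | grep -v 'grep' | grep -q -- "$2"
}

# Return 0 if the log text ($1) carries DB2's SQL30082N with reason 1
# ("password expired"), the error behind this incident. The character class
# after the 1 keeps reason codes such as 10..19 from matching.
has_ldapdb2_password_expired() {
    printf '%s\n' "$1" | grep -iq 'SQL30082N.*reason[^0-9]*1[^0-9].*password expired'
}

# Combine the checks into one verdict line: space-separated findings, or
# "no-known-cause" when none of the causes from this post is visible.
triage() {
    ps_out=$1
    log_text=$2
    verdict=""
    daemon_running "$ps_out" secldapclntd || verdict="$verdict secldapclntd-down"
    daemon_running "$ps_out" slapd        || verdict="$verdict slapd-down"
    has_ldapdb2_password_expired "$log_text" && verdict="$verdict ldapdb2-password-expired"
    [ -n "$verdict" ] || verdict=" no-known-cause"
    printf '%s\n' "${verdict# }"
}

# Constructed samples: healthy client and server daemons, a client with
# secldapclntd missing, and db2cli.log lines with and without the error.
SAMPLE_PS_OK="root 1234 1 0 Dec 05 - 0:01 /usr/sbin/secldapclntd
ldap 2345 1 0 Dec 05 - 0:05 /opt/IBM/ldap/sbin/ibmslapd -I ldapdb2
root 9999 8888 0 10:00:00 pts/0 0:00 grep -i LDAP"
SAMPLE_PS_CLIENT_DOWN="ldap 2345 1 0 Dec 05 - 0:05 /opt/IBM/ldap/sbin/ibmslapd -I ldapdb2"
SAMPLE_LOG_EXPIRED='2022-12-05-09.12.33 SQL30082N  Security processing failed with reason "1" ("PASSWORD EXPIRED").  SQLSTATE=08001'
SAMPLE_LOG_OK='2022-12-05-09.12.33 SQL1063N  DB2START processing was successful.'

# Run against the constructed samples. On a real server you would pass live
# data instead, e.g.: triage "$(ps -eaf)" "$(cat /path/to/db2cli.log)"
triage "$SAMPLE_PS_OK" "$SAMPLE_LOG_EXPIRED"       # ldapdb2-password-expired
triage "$SAMPLE_PS_CLIENT_DOWN" "$SAMPLE_LOG_OK"   # secldapclntd-down
triage "$SAMPLE_PS_OK" "$SAMPLE_LOG_OK"            # no-known-cause
```

The helper only recognises the causes named in this post; a "no-known-cause" verdict means the NFS mount and resource checks from the step list still have to be done by hand. Because the symptom on the client (3004-687) says nothing about the server-side DB2 credential, the log check is the one that saves the most time.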

Useful commands while troubleshooting LDAP issues on AIX

#lsuser -R LDAP username                  Display LDAP user information

#idscfgdb -l ldapdb2 -w <new password>    Reset ldapdb2 password

#ps -eaf | grep -i LDAP                   Display running LDAP processes

# /usr/sbin/restart-secldapclntd          Restart LDAP client daemon

# /usr/sbin/start-secldapclntd            Start LDAP client daemon

# /usr/sbin/stop-secldapclntd             Stop LDAP client daemon


Thanks  :)
Happy Reading !!!!
