Resetting an incorrect LDAP setting

If there is an incorrect LDAP setting on the metadata server, all administrative functions will be denied.

Context

If there is an incorrect LDAP setting defined on the metadata server, the administrative agent will not be able to authenticate with the LDAP server, thereby rendering the system unusable. The cause of the fault is listed in the cimom.log file.

If an incorrect LDAP configuration renders the administrative agent unusable, you can reset the configuration using this procedure:

Steps

  1. Log into the engine hosting the master metadata server.
  2. Stop the CIMOM using the stopCimom command.
  3. Open the recovery.properties file located in /usr/tank/admin/config. Create the file if it does not exist.
  4. Enter the appropriate overrides, each on its own line with no spaces before or after the entry. The available overrides are listed in Table 1, LDAP configuration overrides.
  5. Restart the CIMOM using the startCimom command.
  6. Use the chldapconfig command to reset the internal LDAP settings. For example:

       sfscli> chldapconfig -user cn=manager, o=sanfs
       Administrative interfaces will not be usable until the LDAP server is modified to match. [y/n]: y
       CMMNP5406I The LDAP configuration was modified successfully.
  7. Remove the recovery.properties override file and restart the CIMOM using stopCimom and startCimom commands.

Example

Table 1. LDAP configuration overrides

  Parameter                 Description                                      Example
  LDAP_SERVER               LDAP server IP address                           LDAP_SERVER=192.168.1.1
  LDAP_USER                 Distinguished name of an authorized LDAP user    LDAP_USER=cn=manager or o=sanfs
  LDAP_PASSWD               Password of the authorized LDAP user             LDAP_PASSWD=PASSWORD
  LDAP_SECURED_CONNECTION   Whether the LDAP server requires SSL connections LDAP_SECURED_CONNECTION=false
  LDAP_BASEDN_ROLES         Base distinguished name to search for roles      LDAP_BASEDN_ROLES=ou=sfsroles, o=sanfs
  LDAP_ROLEMEM_ID_ATTR      The attribute that holds the members of a role   LDAP_ROLEMEM_ID_ATTR=roleOccupant
  LDAP_USER_ID_ATTR         The attribute that holds the user ID             LDAP_USER_ID_ATTR=uid
  LDAP_ROLE_ID_ATTR         The attribute that holds the name of the role    LDAP_ROLE_ID_ATTR=cn

Parent topic: Troubleshooting an administrative server

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.