Always have a look at the LDAP

Last Update:

Author: Christoph Stoettner
Read in about 3 min · 583 words

Fountain pen and a notebook

Photo by Aaron Burden | Unsplash

Today I learned a new lesson during troubleshooting a IBM Connections System. I updated to 6.0 CR2, updated WebSphere to FP13, last fixpack for Docs and so on. You will ask if I added IFP88438 to the list, be sure that I installed this fix which reanables the root element in Federated Repositories. Have a look at WAS 8.5.5 FP12 breaks Domino “root” base entry setting for more details.

Then one of the two deployments showed strange behavior with Activities. On the Activitystream I only got an orange error symbol instead of the Todo list and when I opened Activities directly I got an empty page.

The error log just said CLFRA0123E: Profile Provider Error and

EJPVJ9367E: Unable to associate the login ID cnxadmin to the user ID 0C000000-EC0B-0E00-ADMI-N,OU=SVC,O=EXAMPLE,C=DE doGet The current user is not valid.

All other applications worked, they showed similar errors in the log, but everything worked. TDI Synchronisation worked perfectly. I checked the databases and found that new admin profiles got created with this DN/UUID syntax. Normally I would expect a UUID here.

A third system worked in that environment, but with different LDAP servers. All other applications (Sametime, Printer, Quickr) which used that server worked perfectly.

Several restarts later, I checked everything.

  • Rollback Fixpack Install on WebSphere

  • Enabled and disabled the administrator user.

  • Redeployed Activities and so on.

Nothing helped!

I could logon and only Activities had issues, so I decided to go back to a snapshot with CR1.

What shall I say? Same error appeared…​

So I started a LDAP Browser and tried a search on the directory server (Domino LDAP System).

ldap error

Ok, so the LDAP server has a problem, when I tried the directory search. Sorry about the german error message, it says:

Directory Search - [servername:port]

An error occurred when the schema was received. The schema entry from …​ does not seem to be valid, since the required attributes attributeType and objectClass with non-empty value sets do not exist. Try changing your credentials or the list of server-side access controls (ACL).

A short view on the Domino LDAP server showed that the database index for names.nsf was missing, but that couldn’t be the root cause, because the LDAP server was used several months for authenticating WebSphere, Connections and Sametime.

A short restart later and a new try …​

After the restart the ldap browser was able to search and gets results. Restarting Connections server and Activities showed up.

What have I learned?

A lot …​

First of all it was a little surprise that the different applications of Connections do direct LDAP calls. I knew that Blogs do this, because the blogs ldap table never used the peopledb content, it collects the user informations directly. The Activities lookups seems very long, because in my experience only longer queries have problems with missing indexes on directory databases. Failover LDAP servers are useful for outages, but when a LDAP server provides wrong or short returns, these are valid and do not force a switch to other LDAP server.

As best practise I learned that I could save a lot of time, when WebSphere fixpacks and interim fixes are deployed seperatly, not in one big step. For example you can install WebSphere with some IFP in one step, just with adding the repositories in Installation Manager. When you want to do a rollback, this is not possible. So installing first 8.5.5, then Fixpack 13 and in a third step the IFP creates 2 possible rollback positions.

Add a comment
There was an error sending your comment, please try again.
Thank you!
Your comment has been submitted and will be published once it has been approved.

Your email address will not be published. Required fields are marked with *

Suggested Reading
Aaron Burden: Fountain pen and a notebook
Today i made a new assembly line in Tivoli Directory Integrator. I iterate Shortname and Filename (with path) of a jpeg-photo in a csv-file. A java class converts this pic to an jpeg binary (class returns this binary array) and then tdi write this value to domino ldap in jpegphoto attribute. Works great, only the csv-file is a little bit of work, but it is a great way to add lots of pictures to sametime profiles. Next step is to include an connector to Lotus Connections profiles.
Last Update:
Read in about 1 min
Card image cap

I showed, in several slides and sessions, how you can use the search-admin role in the search application of HCL Connections for troubleshooting and reviewing some key configurations.

In several environments, my user or other administrative users have this role, just to access the link to /search/serverStatus for example.

Created: Read in about 3 min
Card image cap

Last week I played around with the HCL Connections documentation to backup Elasticsearch in the article Backup Elasticsearch Indices in Component Pack .

In the end I found that I couldn’t get the snapshot restored and that I have to run a command outside of my Kubernetes cluster to get a snapshot on a daily basis. That’s not what I want.

Created: Read in about 4 min