This is a discussion on "LDAP on AIX - the continuing tragedy..." within the AIX Operating System forums, part of the Unix Operating Systems category.
Oh fellow AIXers,

A while back I reported on the success I had configuring a rather simple LDAP server on AIX. All it needs to do is spoon out passwords to everybody who asks. And for weeks on end it ran without fail, whereupon it shat itself after a reboot. My Test/Dev domain has been without LDAP since.

Now I do have one NON-NEGOTIABLE requirement: LDAP must keep its filthy mitts out of /home, because that is reserved, surprisingly, for users' home directories. It lives on an NFS server, and is accessed using the automounter. Putting a symlink there is Not Possible. I have also tried, and failed, to mount a local directory using the Automounter, so /home is a no-go area for authentication servers. Period.

This rules out using mksecldap for the whole of the operation, because that piece of shi^H^Hoftware actually assumes not only that I want to put DB2 databases in ldapdb2's home directory, but also that that home directory is /home/ldapdb2. It is actually HARD-CODED in the script. After a week of installing, reinstalling, browsing the Usenet groups, perusing IBM-style documentation in dozens of PDFs, I want to meet the maker of that program. In a dark alley. With no witnesses.

I am now turning to the Community At Large, asking what I'm doing wrong. This is the procedure, more or less in script form, though I type in the commands as you see them:

#----------------------------------------------------------------------
# STARTING POINT: Freshly installed AIX 5.3 system. TL5, SP5.
#----------------------------------------------------------------------

#----------------------------------------------------------------------
# STAGE ONE: INSTALLING AND STARTING THE SERVER
#----------------------------------------------------------------------

# Make the users and groups
mkgroup id=30006 ldap
mkgroup id=30007 users=root dbsysadm
mkuser id=30002 pgrp=ldap groups=ldap umask=002 home=/local/data/ldap/ldap \
    gecos="Lightweight Directory Access Protocol administrative user" ldap
mkuser id=30003 pgrp=dbsysadm groups=ldap umask=002 \
    home=/local/data/ldap/ldapdb2 \
    gecos="LDAP DB2 database administrator" ldapdb2

# Set passwords on non-personal accounts to p@ssw0rd
# - security is overrated anyway.
passwd ldap;pwdadm -c ldap
passwd ldapdb2;pwdadm -c ldapdb2

# Found this in a post somewhere...
chmod 775 /local/data/ldap/ldapdb2

# DB2 likes async I/O.
chdev -l aio0 -a autoconfig=available
mkdev -l aio0

# Install the requisite software
installp -acgXYd /data/sw/AIX/aix53/latest \
    db2_08_01.ca db2_08_01.cc db2_08_01.cj \
    db2_08_01.client db2_08_01.cnvucs db2_08_01.conn db2_08_01.conv \
    db2_08_01.cs.rte db2_08_01.das db2_08_01.db2.engn db2_08_01.db2.rte \
    db2_08_01.db2.samples db2_08_01.essg db2_08_01.icuc db2_08_01.icut \
    db2_08_01.jdbc db2_08_01.ldap \
    db2_08_01.msg.en_US.iso88591 db2_08_01.pext db2_08_01.repl \
    db2_08_01.sqlproc ldap.client.adt ldap.client.rte ldap.server.cfg \
    ldap.server.com ldap.server.java ldap.server.rte \
    X11.apps.config
# X11.apps.config is just so I can ssh -X to the box, and run ldapxcfg

# Reboot the server here...
reboot
#----------------------------------------------------------------------

# License the DB2 server for LDAP
/usr/opt/db2_08_01/adm/db2licm -a /usr/ldap/etc/ldap-custom-db2ese.lic

# Pre-configure the LDAP server
export LDAP_DBG=1
cd /tmp

ldapcfg \
    -u 'cn=root,dc=utopia,dc=johnguest,dc=com' \
    -p 'p@ssw0rd' \
    -n

# Build an empty LDAP server
ldapcfg \
    -a ldapdb2 \
    -w 'p@ssw0rd' \
    -c \
    -i \
    -o \
    -l /local/data/ldap/ldapdb2 \
    -d ldapdb2 \
    -t ldapdb2 \
    -n

# Found this in another post and it can't hurt...
chmod 775 /local/data/ldap/ldapdb2/ldap32kcont_ldapdb2

# Start the empty LDAP server
ibmslapd

...and hey presto, the ibmslapd starts. As far as I can tell, I now have a very clean, empty LDAP server. So now I need to create the directory tree where the users' login information goes. According to Yantian Tom Lu, Ph.D, in his document "Configuring an IBM Directory Server for User Authentication and Management in AIX":

> There are cases when an IBM Directory server has
> been setup and running and one wants to configure
> the server for user authentication purpose. Still,
> mksecldap is your friend. The mksecldap command
> will not create new database in this case, rather, it will
> use the existing database.

With friends like that... I run the following command:

mksecldap \
    -s \
    -a 'cn=root,dc=utopia,dc=johnguest,dc=com' \
    -p 'p@ssw0rd' \
    -d 'dc=utopia,dc=johnguest,dc=com' \
    -u NONE \
    -S rfc2307aix

And this mumbles something about chmod: /home/ldapdb2 being out of bounds, then buggers up the LDAP server, so that it fails to connect to the database with the following error messages:

==========
Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
Error code -1 from odbc string:" SQLAllocEnv " .
Failed to initialize be_config.
Error encountered. Server starting in configuration only mode.
==========

At which point I restore a system backup and can try again. I am sure I'm leaving out something essential, but I cannot figure out what it is... HELP!!1!

Now I have had the advice to try ITDS 6.0 instead (Hi Alex!), but I can't find the documentation I need and anyway it's a payable extra. So I'm stuck with AIX 5.3 and everything that comes with it or can be downloaded for free.

And I haven't even started yet to try and make this thing play nice with Samba... I'm still hoping to build my AIX-based PDC so I can support all known operating systems from my AIX-based management server.

Yours in hope,
Menno Willemse
On 15 Feb., 17:56, "Menno Willemse" <fle...@wanadoo.nl> wrote:
> Oh fellow AIXers,
>
> A while back I reported on the success I had configuring a rather
> simple LDAP server on AIX. [...]
>
> Now I do have one NON-NEGOTIABLE requirement: LDAP must keep its
> filthy mitts out of /home, because that is reserved, surprisingly, for
> users' home directories. It lives on an NFS server, and is accessed
> using the automounter. [...]
>
> This rules out using mksecldap for the whole of the operation, because
> that piece of shi^H^Hoftware actually assumes not only that I want to
> put DB2 databases in ldapdb2's home directory, but also that that home
> directory is /home/ldapdb2. It is actually HARD-CODED in the script.
> [...]
>
> And this mumbles something about chmod: /home/ldapdb2 being out of
> bounds, then buggers up the LDAP server, so that it fails to connect
> to the database with the following error messages:
>
> ==========
> Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
> Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
> Error code -1 from odbc string:" SQLAllocEnv " .
> Failed to initialize be_config.
> Error encountered. Server starting in configuration only mode.
> ==========
>
> At which point I restore a system backup and can try again. [...]
>
> Yours in hope,
> Menno Willemse

Have you read tech note:

Technote (FAQ)
On UNIX systems you cannot configure the database in a location other than /home when /home is an NFS mount

Problem
Steps to manually configure the database in a location other than /home, when /home is an NFS mount.

http://www-1.ibm.com/support/docview...&cc=us&lang=en

hth
Hajo
On Feb 15, 10:44 pm, "Hajo Ehlers" <serv...@metamodul.com> wrote:
> Have you read tech note:
> Technote (FAQ)
> On UNIX systems you cannot configure the database in a location other
> than /home when /home is an NFS mount
>
> Problem
> Steps to manually configure the database in a location other than /
> home, when /home is an NFS mount.
> http://www-1.ibm.com/support/docview...&cc=us&lang=en

Well, I just tried doing it their way:

#----------------------------------------------------------------------
# STAGE THREE-A: PRE-CONFIGURING THE DATABASE - THE WAY OF THE BARE HAND
#----------------------------------------------------------------------
/usr/ldap/db2/instance/db2icrt -u ldapdb2 ldapdb2
cp /etc/services /etc/services.PRE-LDAP
echo "ldapdb2svc 3700/tcp" >> /etc/services
echo "ldapdb2svci 3701/tcp" >> /etc/services

# SWITCH TO THE LDAPDB2 ACCOUNT HERE
su - ldapdb2

# Create the database and set its tuning parameters
db2 create db ldapdb2 on ~ldapdb2 using codeset UTF-8
db2empfa ldapdb2
db2 update db cfg for ldapdb2 using applheapsz 4096
db2 update db cfg for ldapdb2 using pckcachesz 720

# Update the database for local loopback connections
db2 update dbm cfg using SVCENAME ldapdb2svc
db2 catalog tcpip node ldapdb2n remote localhost server ldapdb2svc
db2 catalog db ldapdb2 as ldapdb2b at node ldapdb2n authentication server
db2set DB2COMM=TCPIP

# Restart the DB2 server to enable happiness
db2stop
db2start

# Add the following to the /usr/ldap/etc/ibmslapd.conf
# At the end of the stanza that starts:
# dn: cn=Directory,cn=RDBM Backends
# mrw added these
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserPw: p@ssw0rd
ibm-slapdDbLocation: /local/data/ldap/ldapdb2
ibm-slapdSetEnv: DB2CP=1208
# End of mrw additions

Now that last line it told me to uncomment rather than add, but I couldn't find it.

I then added the administrator account to the LDAP config as shown here:

ldapcfg \
    -u 'cn=root,dc=utopia,dc=johnguest,dc=com' \
    -p 'Z@rqu0n' \
    -n

And tried to start ibmslapd, which failed in a slightly different way this time:

Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
Error code -2 from odbc string:" SQLTransact " .
Failed to initialize be_config.
Error encountered. Server starting in configuration only mode.

Mind you, previously I hadn't added ldap to the dbsysadm group, so maybe that's worth trying. Will report on any progress.

Cheers,
Menno
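The manual RDBM-backend procedure above is easy to get subtly wrong, and the only feedback ibmslapd gives is the "configuration only mode" fallback. As an added example (written for this page, not taken from any poster in the thread and not part of IBM's tooling), here is a POSIX shell pre-flight script that checks the hand-edited stanza before ibmslapd is started and recognises the failure afterwards. The attribute names (ibm-slapdDb*) and the error lines are the ones quoted in the thread; the sample config files, the sample log and the path under $TMPDIR are constructed for the example. The permissions check is there because ibm-slapdDbUserPw stores the DB2 password in clear text.

```shell
#!/bin/sh
# Added example, not from the thread or from IBM: pre-flight checks for a
# hand-configured ibmslapd RDBM backend. Attribute names and error lines are
# the ones quoted in the thread; all file contents below are constructed.

# Attributes the manual steps add to the "cn=Directory,cn=RDBM Backends" stanza.
REQUIRED_DB_ATTRS="ibm-slapdDbInstance ibm-slapdDbAlias ibm-slapdDbUserId ibm-slapdDbName ibm-slapdDbUserPw ibm-slapdDbLocation"

# check_rdbm_stanza FILE: report attributes missing from the RDBM stanza only
# (an attribute in some other stanza does not count).
check_rdbm_stanza() {
    stanza=$(awk '
        /^dn: cn=Directory,cn=RDBM Backends/ { in_stanza = 1; next }
        /^dn: /                              { in_stanza = 0 }
        in_stanza                            { print }' "$1")
    rc=0
    for attr in $REQUIRED_DB_ATTRS; do
        if ! printf '%s\n' "$stanza" | grep -q "^$attr:"; then
            echo "$1: missing $attr in RDBM stanza"
            rc=1
        fi
    done
    return $rc
}

# check_db_location FILE: the thread's hard rule, the database may not live
# under /home (the NFS automount there is what mksecldap tripped over).
check_db_location() {
    loc=$(awk -F': ' '/^ibm-slapdDbLocation:/ { print $2; exit }' "$1")
    case "$loc" in
        "")            echo "$1: no ibm-slapdDbLocation set"; return 1 ;;
        /home|/home/*) echo "$1: database location $loc is under /home"; return 1 ;;
    esac
    return 0
}

# check_conf_perms FILE: the stanza carries the DB2 password in clear text
# (ibm-slapdDbUserPw), so group and other must have no access bits at all.
check_conf_perms() {
    bits=$(ls -l "$1" | cut -c5-10)     # columns 5-10 of ls -l: group and other bits
    if [ "$bits" != "------" ]; then
        echo "$1: readable by group/other (bits $bits)"
        return 1
    fi
    return 0
}

# check_startup_log FILE: did ibmslapd fall back to configuration-only mode?
check_startup_log() {
    if grep -q 'configuration only mode' "$1"; then
        echo "$1: database backend did not start:"
        grep -E 'Error code .* from odbc string|Failed to initialize' "$1"
        return 1
    fi
    return 0
}

# Constructed samples (not files from the poster's system).
tmp=${TMPDIR:-/tmp}/ldap-preflight.$$
mkdir -p "$tmp"

cat > "$tmp/good.conf" <<'EOF'
dn: cn=Directory,cn=RDBM Backends
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbAlias: ldapdb2b
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserPw: REPLACE_ME
ibm-slapdDbLocation: /local/data/ldap/ldapdb2
ibm-slapdSetEnv: DB2CP=1208

dn: cn=Constructed Next Stanza,cn=Configuration
ibm-slapdDbAlias: not-in-the-rdbm-stanza
EOF
chmod 600 "$tmp/good.conf"

# Alias missing, database under /home, file readable by everyone.
cat > "$tmp/bad.conf" <<'EOF'
dn: cn=Directory,cn=RDBM Backends
ibm-slapdDbInstance: ldapdb2
ibm-slapdDbUserId: ldapdb2
ibm-slapdDbName: ldapdb2
ibm-slapdDbUserPw: REPLACE_ME
ibm-slapdDbLocation: /home/ldapdb2
EOF
chmod 644 "$tmp/bad.conf"

# The startup messages the thread reports, reproduced as a sample log.
cat > "$tmp/broken.log" <<'EOF'
Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
Error code -1 from odbc string:" SQLAllocEnv " .
Failed to initialize be_config.
Error encountered. Server starting in configuration only mode.
EOF

# Usage: run every check against both sample configs and the sample log.
for conf in "$tmp/good.conf" "$tmp/bad.conf"; do
    check_rdbm_stanza "$conf" && check_db_location "$conf" \
        && check_conf_perms "$conf" && echo "$conf: OK"
done
check_startup_log "$tmp/broken.log"
```

Run it as the ldap user against the real /usr/ldap/etc/ibmslapd.conf and a captured copy of the ibmslapd startup output; the checks are independent, so a failing one names exactly which of the hand-added lines is missing or misplaced.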
Well, that went up like a lead balloon.

- Standard install of AIX 5.3.

- mksecldap -s \
      -a 'cn=root,dc=utopia,dc=johnguest,dc=com' \
      -p 'p@ssw0rd' \
      -S RFC2307AIX \
      -d 'dc=utopia,dc=johnguest,dc=com' \
      -u NONE

Forget about putting the database somewhere sensible. Forget about pre-configuring databases. The *only* thing I did was pre-create the users WITH the correct group memberships.

End result:

Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
Error code -1 from odbc string:" SQLAllocEnv " .
Failed to initialize be_config.
Error encountered. Server starting in configuration only mode.
Plugin of type EXTENDEDOP is successfully loaded from libloga.a.
Non-SSL port initialized to 389.

And no working LDAP server. My opinion on this is not fit for polite company.
On 16 Feb., 17:45, "Menno Willemse" <fle...@wanadoo.nl> wrote:
> Well, that went up like a lead balloon.
>
> - Standard install of AIX 5.3.
>
> - mksecldap -s \
>       -a 'cn=root,dc=utopia,dc=johnguest,dc=com' \
>       -p 'p@ssw0rd' \
>       -S RFC2307AIX \
>       -d 'dc=utopia,dc=johnguest,dc=com' \
>       -u NONE
>
> [...]
>
> End result:
>
> Plugin of type EXTENDEDOP is successfully loaded from libevent.a.
> Plugin of type DATABASE is successfully loaded from /lib/libback-config.a.
> Error code -1 from odbc string:" SQLAllocEnv " .
> Failed to initialize be_config.
> Error encountered. Server starting in configuration only mode.
> Plugin of type EXTENDEDOP is successfully loaded from libloga.a.
> Non-SSL port initialized to 389.
>
> And no working LDAP server. My opinion on this is not fit for polite
> company.

IBM says about this error:

http://www-1.ibm.com/support/docview...id=swg21172734

meaning more or less that you are using the wrong DB2 version. Have you updated any DB2 version?

regards
Hajo
On Feb 17, 3:56 pm, "Hajo Ehlers" <serv...@metamodul.com> wrote:
> On 16 Feb., 17:45, "Menno Willemse" <fle...@wanadoo.nl> wrote:
> > Well, that went up like a lead balloon.
> > [...]
> > And no working LDAP server. My opinion on this is not fit for polite
> > company.
>
> IBM say about this error:
>
> http://www-1.ibm.com/support/docview...id=swg21172734
>
> meaning more or less you are using the wrong db2 version . Have you
> update any db2 version ?
>
> regards
> Hajo

apparently this is useful too
http://www-128.ibm.com/developerwork...ndex.html#main
Hi Hajo and Henry,

Help is much appreciated. (Especially since IBM has seen fit to move my TCP/IP course to July. It never rains, but it pours.)

On Feb 18, 8:02 pm, "Henry" <snogfest_hosebe...@yahoo.com> wrote:
> On Feb 17, 3:56 pm, "Hajo Ehlers" <serv...@metamodul.com> wrote:
> > On 16 Feb., 17:45, "Menno Willemse" <fle...@wanadoo.nl> wrote:
> > > Well, that went up like a lead balloon.
> > > [...]
> > > Error code -1 from odbc string:" SQLAllocEnv " .
> > > Failed to initialize be_config.
> > > Error encountered. Server starting in configuration only mode.
> > > [...]
> >
> > IBM say about this error:
> >
> > http://www-1.ibm.com/support/docview...id=swg21172734
> >
> > meaning more or less you are using the wrong db2 version . Have you
> > update any db2 version ?
> >
> > regards
> > Hajo
>
> apparently this is useful too
> http://www-128.ibm.com/developerworks/db2/library/techarticle/dm-0407...

Responding to both:

ldapsearch -h ldap.acme.com "objectClass=*"

# lslpp -L |grep db2
  db2_08_01.ca                 8.1.1.16    C     F    Configuration Assistant
  db2_08_01.cc                 8.1.1.16    C     F    Control Center
  db2_08_01.ch.en_US.iso88591
  db2_08_01.cj                 8.1.1.16    C     F    Java Common files
  db2_08_01.client             8.1.1.16    C     F    Base Client Support
  db2_08_01.cnvucs             8.1.1.16    C     F    Code Page Conversion Tables -
  db2_08_01.conn               8.1.1.16    C     F    Connect Support
  db2_08_01.conv               8.1.1.16    C     F    Code Page Conversion Tables
  db2_08_01.cs.rte             8.1.1.16    C     F    Communication Support - TCP/IP
  db2_08_01.das                8.1.1.16    C     F    Administration Server
  db2_08_01.db2.engn           8.1.1.16    C     F    Base DB2 UDB Support
  db2_08_01.db2.rte            8.1.1.16    C     F    Run-time Environment
  db2_08_01.db2.samples        8.1.1.16    C     F    Sample Database Source
  db2_08_01.essg               8.1.1.16    C     F    Product Signature for DB2 UDB
  db2_08_01.icuc               8.1.1.16    C     F    ICU Collation
  db2_08_01.icut               8.1.1.16    C     F    ICU Utilities
  db2_08_01.jdbc               8.1.1.16    C     F    Java Support
  db2_08_01.jhlp.en_US.iso88591
  db2_08_01.ldap               8.1.1.16    C     F    DB2 LDAP Support
  db2_08_01.msg.en_US.iso88591
  db2_08_01.pext               8.1.1.16    C     F    Parallel Extension
  db2_08_01.repl               8.1.1.16    C     F    Replication
  db2_08_01.sqlproc            8.1.1.16    C     F    SQL Procedures

This is what came with AIX 5.3, TL5, SP5. I could try to find a more recent one, but this one is pretty high up already.

The move database utility could be useful, but only if I can't create the database in the right place in the first place.

As far as I can tell with ldapsearch, I do get a functional LDAP server; all that needs doing is to populate it with my domain information. But when I try doing that with mksecldap the database ceases to function.

I could try upgrading my DB2 to a more recent version if there is one. Will tell you if this has any good results.

Cheers,
Menno.
Hello World,

Right. Did a fresh install again - this time with DB2 8.1.1.80. Same result. I get a running empty ldap server, then mksecldap buggers it up and it won't start anymore. Same messages as above.

Theoretically, it might be something to do with my installation, so I could try a reinstall from BOS rather than from my standard mksysb. But I don't believe that is it. This should just work, dammit!

Cheers,
Menno
Hello World,

Okay... I've just found an efix that could solve the problem because one of the APARs in it describes the problem accurately enough:

http://www-1.ibm.com/support/docview...=utf-8&lang=en

Unfortunately the install script that comes with it... doesn't work properly. So now I'll reinstall the machine yet again, install the requisite software, then BEFORE configuring it any further or even rebooting, apply the efix. This should keep the file free. Will report on progress.

So where would one normally download ldap.server PTFs? They aren't in the Quick Links for AIX Fixes page.

Cheers,
Menno "Seriously considering NIS" Willemse
On Feb 19, 5:05 pm, "Menno Willemse" <fle...@wanadoo.nl> wrote:
> Hello World,
>
> Okay... I've just found an efix that could solve the problem because
> one of the APARs in it describes the problem accurately enough:

Aaaand...

Error code -1 from odbc string:" SQLAllocEnv " .

Bugger this for a lark. LDAP was never meant to work on AIX.

Does anyone have an idea on how to add the aix bit in rfc2307aix to OpenLDAP?