LDAP Troubleshooting in IBM Netezza
Troubleshooting 1:-
LDAP user timeout error, slow connection time, or poor performance for LDAP users connecting to the Netezza database from a remote machine.
Error from client when doing SQL:-
ExecuteReader requires an open and available Connection. The connection's current state is closed.
With Active Directory setups you may need to add the following to /etc/pam_ldap.conf:
tls_request never - for self-signed certificates (this relaxes certificate checking rather than fixing the trust chain; the cleaner alternative is to make the issuing CA certificate available to the client)
referrals no - fix for LDAP timeout issues
Troubleshooting continued...
If users are able to log in to the database without error, the next step is to finish the setup. Run the command below.
cp /etc/pam_ldap.conf /nz/data/config/pam_ldap.conf
Note: The ownership of /nz/data/config/pam_ldap.conf must be nz:nz. If you copied the file as the root user, issue this command:
chown nz:nz /nz/data/config/pam_ldap.conf
Troubleshooting 2:-
To troubleshoot LDAP issues properly, you need the information that was used to set up LDAP in Netezza.
As the root user, check connectivity to the LDAP server with the command below and make sure it succeeds:
# nc -vz ldapservername.or.ip 389
If the command does not succeed, there is a connectivity issue or LDAP is not listening on the port indicated.
Information that needs to be collected:
cat /etc/redhat-release
rpm -qa | grep openldap
egrep -v '^(#|$)' /etc/pam_ldap.conf
Put the output of all three commands into a service request. The openldap-clients package will need to be installed for further problem determination (PD) of the issue.
With ldapsearch installed you can check the bind DN access using the information collected earlier:
1. Server : adserver.company.com
2. Port : 389
3. BaseDN: dc=users,dc=company,dc=com
4. BindDN: cn=Manager,dc=Accounts,dc=company,dc=com
5. BindPassword: password
6. attrname: sAMAccountName
Example (-x selects a simple bind with the bind DN and password; without it ldapsearch attempts a SASL bind):
ldapsearch -x -h 10.192.83.13 -b "DC=domestic,DC=guitarcenter,DC=com" "(&(memberOf=CN=GCEDW-NETEZZA-GRP,OU=Netezza,OU=Security Groups - Global,OU=Corporate,DC=domestic,DC=guitarcenter,DC=com))" -D "CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service Accounts,OU=Special,DC=domestic,DC=guitarcenter,DC=com" -w 'password' | grep -i samaccountname
Any errors returned will need to be fixed. Issues normally encountered are:
Password locked (AD code 532 PASSWORD_EXPIRED): have the AD/LDAP team unlock the password.
User not found (AD code 525 USER NOT FOUND): the bind DN name is incorrect.
Troubleshooting 3:-
Database connection Test Failed or refused from Netezza Database
When LDAP authentication is configured on the Netezza server and a user reports an error like:
error=LDAP authentication failed for user 'MANISH.JAISWAL'
You can check the log file for the error and troubleshoot from there:-
[nz@edw-ntz-0a1-lq ~]$ cat /nz/kit/log/postgres/pg.log|grep MANISH.JAISWAL
2016-03-29 15:40:01.052431 PDT [31921] DEBUG: connection failed: host=127.0.0.1 user=MANISH.JAISWAL database=QMFISTAGE error=LAP authentication failed for user 'MANISH.JAISWAL'
Common user mistakes:-
Ask the user to enter the username in upper case (MANISH.JAISWAL).
1. Not using the LDAP ID and still using the old account. Check whether the account exists:
nzsql> \du user_name
2. Not using the LDAP password (the desktop password).
3. Not having access to the database in question. Check access with the command below:
$ nz_ddl_user MANISH.JAISWAL
The above command shows which databases the user has access to and what kind of access; if they want more access or account creation then
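As an added example (not from the original post or from IBM), a small Python helper that parses the "connection failed" entries in pg.log shown above, counts LDAP authentication failures per user and database, and flags usernames that are not in upper case, the first mistake listed. The sample log lines are constructed in the same shape as the excerpt.

```python
"""Hypothetical helper (not part of Netezza): summarise LDAP authentication
failures from /nz/kit/log/postgres/pg.log 'connection failed' DEBUG entries."""
import re
from collections import defaultdict

# Key=value fields of a 'connection failed' entry, as in the pg.log excerpt.
FAILURE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] DEBUG: connection failed: "
    r"host=(?P<host>\S+) user=(?P<user>\S+) database=(?P<db>\S+) "
    r"error=(?P<error>.*)$"
)

# Constructed sample lines; not real log output.
SAMPLE_LOG = """\
2016-03-29 15:40:01.052431 PDT [31921] DEBUG: connection failed: host=127.0.0.1 user=MANISH.JAISWAL database=QMFISTAGE error=LDAP authentication failed for user 'MANISH.JAISWAL'
2016-03-29 15:41:12.000001 PDT [31925] DEBUG: connection failed: host=10.0.0.5 user=manish.jaiswal database=QMFISTAGE error=LDAP authentication failed for user 'manish.jaiswal'
2016-03-29 15:42:00.000002 PDT [31930] DEBUG: connection established: host=10.0.0.5 user=ADMIN database=SYSTEM
2016-03-29 15:43:30.000003 PDT [31940] DEBUG: connection failed: host=10.0.0.7 user=JANE.DOE database=SALES error=LDAP authentication failed for user 'JANE.DOE'
"""

def parse_failures(log_text):
    """Return one dict per LDAP authentication failure line; other lines are skipped."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m and "LDAP authentication failed" in m.group("error"):
            failures.append(m.groupdict())
    return failures

def summarise(failures):
    """Per user: failure count, databases tried, and whether the name is not upper case."""
    summary = defaultdict(lambda: {"count": 0, "databases": set(), "case_issue": False})
    for f in failures:
        entry = summary[f["user"]]
        entry["count"] += 1
        entry["databases"].add(f["db"])
        # LDAP usernames in this setup must be entered in upper case.
        if f["user"] != f["user"].upper():
            entry["case_issue"] = True
    return dict(summary)

if __name__ == "__main__":
    for user, info in summarise(parse_failures(SAMPLE_LOG)).items():
        flag = " (username not upper case)" if info["case_issue"] else ""
        print(f"{user}: {info['count']} failure(s) on {sorted(info['databases'])}{flag}")
```

Run it against the real file with `python3 summarise_pg.py < /nz/kit/log/postgres/pg.log` after replacing SAMPLE_LOG with `sys.stdin.read()`.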