LDAP Troubleshooting in IBM Netezza

Troubleshooting 1:-

LDAP user timeout error or slow connection

Symptom: an LDAP user connecting from a remote machine to the Netezza database gets a timeout or very poor performance.

Error from the client when running SQL:

ExecuteReader requires an open and available Connection. The connection's current state is closed.

With Active Directory setups you may need to add the following to /etc/pam_ldap.conf (check the key names against the commented template in your own pam_ldap.conf):

tls_request never   - for a self-signed certificate
referrals no        - fix for LDAP timeout issues (AD answers with referrals that the client otherwise keeps chasing until the timeout)
Troubleshooting continued:-

If the users are able to log in to the database without error, the next step is to finish the setup. Run the command below:

cp /etc/pam_ldap.conf /nz/data/config/pam_ldap.conf

Note: the ownership of /nz/data/config/pam_ldap.conf must be nz:nz. If you copied the file as the root user, then issue this command:

chown nz:nz /nz/data/config/pam_ldap.conf
Troubleshooting 2:-

To troubleshoot LDAP issues properly you need some of the information that was used to set up LDAP in Netezza.

As the root user, check connectivity to the LDAP server with the command below and make sure it succeeds:

# nc -vz ldapservername.or.ip 389

If the command does not succeed, there is a connectivity issue or LDAP is not listening on the indicated port.

Information that needs to be collected:

cat /etc/redhat-release
rpm -qa | grep openldap
egrep -v '^(#|$)' /etc/pam_ldap.conf

Put the output of all three commands into a service request. openldap-clients will need to be installed for further problem determination (PD) of the issue.

With ldapsearch installed you can check the binddn access using the information collected earlier:

1. Server: adserver.company.com
2. Port: 389
3. BaseDN: dc=users,dc=company,dc=com
4. BindDN: cn=Manager,dc=Accounts,dc=company,dc=com
5. BindPassword: password
6. attrname: sAMAccountName

Example (-x selects a simple bind; without it OpenLDAP's ldapsearch attempts a SASL bind and the -D/-w credentials are not used):

ldapsearch -x -h 10.192.83.13 -b "DC=domestic,DC=guitarcenter,DC=com" "(&(memberOf=CN=GCEDW-NETEZZA-GRP,OU=Netezza,OU=Security Groups - Global,OU=Corporate,DC=domestic,DC=guitarcenter,DC=com))" -D "CN=svcNTZ-LDAPS-prod,OU=LDAPRefAccounts,OU=Service Accounts,OU=Special,DC=domestic,DC=guitarcenter,DC=com" -w 'password' | grep -i samaccountname

Any errors returned will need to be fixed. Issues normally encountered are:

1. Password locked (AD code 532 PASSWORD_EXPIRED): have the AD / LDAP team unlock the password.
2. User not found (AD code 525 USER NOT FOUND): the binddn name is incorrect.
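The two checks above (Troubleshooting 1's pam_ldap.conf settings and Troubleshooting 2's ldapsearch bind test) can be scripted against the same file. The script below is an added example, not code from the original post: it reads the "key value" lines of a pam_ldap.conf, reports the settings the post calls out as missing, and builds the ldapsearch bind test from the same file. The keys host, uri, base, binddn, bindpw, port, pam_login_attribute, ssl, tls_checkpeer, tls_cacertfile and tls_cacertdir are taken from the standard pam_ldap.conf template, not from the post; the sample file at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pam_ldap.conf and
# print the ldapsearch bind test derived from it. Key names come from the
# standard pam_ldap.conf template; the sample file below is constructed.

# conf_value FILE KEY: print KEY's value (last occurrence wins), ignoring
# comment and blank lines; prints an empty line when KEY is absent.
conf_value() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $0; sub(/^[^[:space:]]+[[:space:]]+/, "", v) }
                   END { print v }'
}

# check_pam_ldap_conf FILE: print one line per problem found; status 1 if any.
check_pam_ldap_conf() {
    f=$1
    rc=0
    if [ -z "$(conf_value "$f" host)" ] && [ -z "$(conf_value "$f" uri)" ]; then
        echo "missing: host (or uri)"; rc=1
    fi
    for key in base binddn bindpw; do
        [ -n "$(conf_value "$f" "$key")" ] || { echo "missing: $key"; rc=1; }
    done
    # AD answers searches with referrals; chasing them is what makes logins
    # hang until the client timeout, hence "referrals no" from the post.
    if [ "$(conf_value "$f" referrals)" != "no" ]; then
        echo "referrals should be 'no' (AD referral chasing causes LDAP timeouts)"; rc=1
    fi
    # With TLS the server certificate must be verifiable: point
    # tls_cacertfile/tls_cacertdir at the CA (preferred), or, for the
    # self-signed case the post describes, explicitly relax tls_checkpeer.
    case "$(conf_value "$f" ssl)" in
        on|start_tls)
            if [ -z "$(conf_value "$f" tls_cacertfile)" ] && [ -z "$(conf_value "$f" tls_cacertdir)" ] \
               && [ "$(conf_value "$f" tls_checkpeer)" != "no" ]; then
                echo "ssl is on but no CA is configured and tls_checkpeer is not 'no'"; rc=1
            fi ;;
    esac
    return $rc
}

# bind_test_command FILE: the ldapsearch that proves the binddn can read the
# base DN (same shape as the post's example). The password is printed as
# <bindpw> so it is never echoed to a terminal or shell history.
bind_test_command() {
    f=$1
    port=$(conf_value "$f" port)
    attr=$(conf_value "$f" pam_login_attribute)
    printf 'ldapsearch -x -h %s -p %s -b "%s" -D "%s" -w %s "(%s=*)" %s\n' \
        "$(conf_value "$f" host)" "${port:-389}" "$(conf_value "$f" base)" \
        "$(conf_value "$f" binddn)" "'<bindpw>'" \
        "${attr:-sAMAccountName}" "${attr:-sAMAccountName}"
}

# Constructed sample: the minimal file from the post's checklist, still
# missing "referrals no".
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# /etc/pam_ldap.conf (constructed sample)
host adserver.company.com
base dc=users,dc=company,dc=com
binddn cn=Manager,dc=Accounts,dc=company,dc=com
bindpw password
pam_login_attribute sAMAccountName
EOF

if check_pam_ldap_conf "$SAMPLE_CONF"; then
    echo "pam_ldap.conf looks complete; verify the bind with:"
else
    echo "fix the items above, then verify the bind with:"
fi
bind_test_command "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

Run it against the real file with `check_pam_ldap_conf /etc/pam_ldap.conf` (and again against /nz/data/config/pam_ldap.conf after the copy, since both must agree). The bind test intentionally reads the password from the prompt rather than from the file, because a pam_ldap.conf that is world-readable, or a bindpw that ends up in shell history, is a common finding in its own right.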
Troubleshooting 3:-

Database connection test failed or refused from the Netezza database

When LDAP authentication is configured on the Netezza server and a user has an issue like:

error=LDAP authentication failed for user 'MANISH.JAISWAL'

you can check the log file for the error and troubleshoot:

[nz@edw-ntz-0a1-lq ~]$ cat /nz/kit/log/postgres/pg.log | grep MANISH.JAISWAL
2016-03-29 15:40:01.052431 PDT [31921] DEBUG: connection failed: host=127.0.0.1 user=MANISH.JAISWAL database=QMFISTAGE error=LDAP authentication failed for user 'MANISH.JAISWAL'

The user may be making one of the mistakes below. First, ask them to use their username in upper case (MANISH.JAISWAL).

1. Not using the LDAP id and still using the old account. You can check whether their account exists or not:
   nzsql> \du user_name
2. Not using the LDAP password (their desktop password).
3. Not having access to those databases. Check their access using the command below:
   $ nz_ddl_user MANISH.JAISWAL
   The above command will show which databases they have which kind of access to; if they want more access or account creation then
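When several users report failures at once, grepping pg.log one name at a time gets slow. The script below is an added example, not code from the original post: it pulls the user, database and client host out of every "LDAP authentication failed" line in the format the post shows, counts failures per user, and flags login names that are not upper case (the cause the post lists first), printing the follow-up command from the post for the rest. The log lines in it are constructed; the host 10.0.0.25, the user JDOE and the database SALESDW are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the original post): first-pass triage of LDAP login
# failures in /nz/kit/log/postgres/pg.log. Run with the log path as the only
# argument, or without arguments to run on the constructed sample below.

LOG_FILE=${1:-}

# ldap_failures LOGFILE: one "USER DATABASE HOST" line per failed LDAP login.
ldap_failures() {
    grep 'LDAP authentication failed' "$1" |
    sed -n 's/.*host=\([^ ]*\) user=\([^ ]*\) database=\([^ ]*\).*/\2 \3 \1/p'
}

# failure_counts LOGFILE: "COUNT USER" per user, most failures first.
failure_counts() {
    ldap_failures "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# lowercase_users LOGFILE: users who tried to log in with a name that is not
# all upper case (the post says LDAP users must sign in with upper case).
lowercase_users() {
    ldap_failures "$1" | awk '$1 != toupper($1) { print $1 }' | sort -u
}

# triage LOGFILE: per-user summary with the follow-up from the post's checklist.
triage() {
    failure_counts "$1" | while read -r count user; do
        upper=$(printf '%s' "$user" | tr '[:lower:]' '[:upper:]')
        if [ "$user" != "$upper" ]; then
            hint="ask the user to log in as $upper (upper case)"
        else
            hint="check the account with: nzsql -c '\\du $user' and nz_ddl_user $user"
        fi
        printf '%s failure(s) for %s: %s\n' "$count" "$user" "$hint"
    done
}

# Constructed sample in the post's pg.log format: one upper-case failure, two
# lower-case failures for the same person, and one non-LDAP failure that
# must be ignored.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2016-03-29 15:40:01.052431 PDT [31921] DEBUG: connection failed: host=127.0.0.1 user=MANISH.JAISWAL database=QMFISTAGE error=LDAP authentication failed for user 'MANISH.JAISWAL'
2016-03-29 15:41:17.110002 PDT [31933] DEBUG: connection failed: host=10.0.0.25 user=manish.jaiswal database=QMFISTAGE error=LDAP authentication failed for user 'manish.jaiswal'
2016-03-29 15:41:52.330419 PDT [31940] DEBUG: connection failed: host=10.0.0.25 user=manish.jaiswal database=SALESDW error=LDAP authentication failed for user 'manish.jaiswal'
2016-03-29 15:43:09.000214 PDT [31951] DEBUG: connection failed: host=10.0.0.31 user=JDOE database=SALESDW error=password authentication failed for user 'JDOE'
EOF

if [ -n "$LOG_FILE" ]; then
    triage "$LOG_FILE"
else
    triage "$SAMPLE_LOG"
fi
rm -f "$SAMPLE_LOG"
```

On the sample this prints two lines: two failures for manish.jaiswal with the upper-case hint, and one for MANISH.JAISWAL pointing at \du and nz_ddl_user. Keeping the client host in ldap_failures is deliberate: a burst of failures for one account from a host the user does not own is worth a closer look before the password is reset.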
Thanks Mr. Manish... I was looking for such information.

I read all your blogs regularly, and it helps me a lot. Thanks.

Useful information...