The "Get Suffixes" button does not retrieve values into the combo list on the IM Provisioning Manager CA ACF2 or CA TSS endpoint properties. The message "Searching the mainframe LDAP Server failed, rc=0" is received.

Document ID : KB000050376
Last Modified Date : 14/02/2018

Description:

When you open the Mainframe Security endpoint property tabs (for CA-ACF2 or CA-Top Secret) and click the "Get Suffixes" button, the system does not retrieve values into the combo list but returns the following message box:

"Searching the mainframe LDAP Server failed, rc=0. Please verify that the IP and port information is correct. Also ensure you have the latest LDAP server and maintenance installed and re-try."

Explanation:

With CA LDAP Server for z/OS R14 installed, the IM Mainframe connector gets suffixes by performing an anonymous one-level search against the LDAP server. It searches with "cn=config" as the Base DN and the search filter "objectClass=olcDatabaseConfig", then loops through the attributes to find the "olcSuffix" value when the naming mode is "im".

Here, the request has not failed (rc=0), but no object with both a suffix value and a naming mode set to "im" has been found.

Troubleshooting:

Try running this LDAP request against IMPS from the command line, as shown in the example below (ACF2 example):

CA\Identity Manager\Provisioning Server\bin>ldapsearch -LLL -h <HOST> -p <PORT> -D cn=<USER> -w <PASSWORD> -b cn=config -s one (objectClass=olcDatabaseConfig) olcSuffix acfHostNamingMode

Note: For TSS, change acfHostNamingMode to tssHostNamingMode.

Check that one of the resulting records has acfHostNamingMode set to im (ACF2 example).

Note: in the expected output shown below, the second entry is the one for the "im" naming mode.

If this entry is missing, you will receive the error described above.

The search request should return lines like the following:

dn: olcDatabase={1}caacf2_utf,cn=config
olcSuffix: host=xxxxxxxx,o=yyyyyyyy,c=zzzzzzzz
dn: olcDatabase={2}caacf2_utf,cn=config
olcSuffix: host=xxxxxxxx_im,o=yyyyyyyy,c=zzzzzzzz
acfHostNamingMode: im

Note: Running slapd in debug mode (e.g. slapd -d 5 -f ./slapd.conf) will not provide pertinent information, since there is no failure (slapd returns code 0).
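
The check described above can be scripted. The following is an added example, not code from CA or from the connector: it parses `ldapsearch -LLL` output and returns the olcSuffix values of entries whose naming mode is "im", following the logic this article describes. The function names and the sample data are constructed for illustration.

```python
import base64
import sys

# Constructed sample mirroring the article's expected output (placeholder values).
SAMPLE_OK = """\
dn: olcDatabase={1}caacf2_utf,cn=config
olcSuffix: host=xxxxxxxx,o=yyyyyyyy,c=zzzzzzzz

dn: olcDatabase={2}caacf2_utf,cn=config
olcSuffix: host=xxxxxxxx_im,o=yyyyyyyy,c=zzzzzzzz
acfHostNamingMode: im
"""

def parse_entries(ldif):
    """Split LDIF text into entries mapping lowercased attribute -> list of values."""
    entries = []
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # undo LDIF line folding
    for line in unfolded.split("\n"):
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":  # a dn line starts a new entry, with or without blank separators
            entries.append({"dn": [value]})
        elif entries:
            entries[-1].setdefault(attr, []).append(value)
    return entries

def im_suffixes(ldif, mode_attr="acfHostNamingMode"):
    """Return olcSuffix values of entries whose naming mode attribute is 'im'."""
    found = []
    for entry in parse_entries(ldif):
        modes = [m.lower() for m in entry.get(mode_attr.lower(), [])]
        if "im" in modes:
            found.extend(entry.get("olcsuffix", []))
    return found

if __name__ == "__main__":
    mode_attr = sys.argv[1] if len(sys.argv) > 1 else "acfHostNamingMode"
    text = SAMPLE_OK if sys.stdin.isatty() else sys.stdin.read()
    suffixes = im_suffixes(text, mode_attr)
    if suffixes:
        print("im-mode suffixes:", *suffixes, sep="\n  ")
    else:
        print("No entry with", mode_attr, "= im: 'Get Suffixes' will return an empty list")
        sys.exit(1)
```

Pipe the ldapsearch output into the script's standard input; for TSS, pass tssHostNamingMode as the first argument.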

Solution:

Configure the database statement for the CA LDAP Server to run in CA Web Administrator mode.

To do that, follow the two-step procedure below:

(Documentation references here come from CA LDAP Server for z/OS Product Guide r14)

  1. On the mainframe side, manually edit the slapd.conf file in USS using oedit or vi. (Chapter 4: Configuration)

    You need to uncomment and change the Web Admin definition in this file so that it has at least the following 3 lines (based on the caacf2_utf database suffix):

    database caacf2_utf
    suffix "host=xxxxxxxx_im,o=yyyyyyyy,c=zzzzzzzz"
    naming_mode im

    Note: CA Web Administrator naming_mode is explained in Chapter 5: CAACF2_UTF Back-end / Page 65.

  2. Stop and restart the CA LDAP Server. This can be done via operator commands at the console interface. (See Chapter 2: Startup Options)

    Note: This is the same procedure for TSS.