Manually disabling LDAP authentication

Jump to: navigation, search

What happened?

You were likely trying to configure Content Manager OnDemand for LDAP, and now OnDemand won't start after enabling the LDAP Authentication checkbox in the OnDemand Administrator Client.

Symptoms and error messages

The documentation for enabling LDAP isn't perfect, and in CMOD version 9.0 and higher, enabling LDAP can cause OnDemand to not start up after issuing the "arssockd -S" command, or refusing to allow logins.

Of course, without being able to start Content Manager OnDemand or being able to log in, you can't turn LDAP off. If you check the OnDemand Library Server's console output, you might find errors like these:

  arssockd (ARCHIVE): ARSSOCKD  2 437 ARS0437E The OnDemand stash file >< either does not exist or is not valid.  Return Code=4.

If your server does start up, but you can't log in, you'll need to follow these instructions to turn off LDAP authentication, so you can try to figure out what went wrong.

WARNING: These instructions will manipulate the contents of the CMOD database directly to disable LDAP. You could damage your OnDemand server if you're not careful. ALWAYS ensure you have a backup of your database to restore from. Alternately, you can use arsdb -xlvf to export a copy of the IBM CMOD database tables, which can be imported again to revert any changes you may have made with the arsdb -ilvf command.


First, check your database:

 $ db2 connect to archive

  Database Connection Information

 Database server        = DB2/AIX64 10.1.4
 SQL authorization ID   = ODADMIN
 Local database alias   = ARCHIVE

Then check the system to see what the current value of the SYS_MASK field is:

 $ db2 "select SYS_MASK from arssys"
 1 record(s) selected.

Even if the value returned on your system is different, you can still use the following SQL to turn off the LDAP option:

 $ db2 "update arssys set sys_mask=bitandnot(sys_mask, 4)"
 DB20000I  The SQL command completed successfully.

To double check that the change was made, simply repeat the query to see that the value has changed.

   $ db2 "select SYS_MASK from arssys"

   1 record(s) selected.

If your starting value was a different number -- for example, 20, then your result should be "16".

If the value hasn't changed, then LDAP wasn't enabled, and your problem is elsewhere.

As always, don't forget to wrap up your session by closing your connection to the database:

 $ db2 terminate
 DB20000I  The TERMINATE command completed successfully.

If your CMOD server wasn't able to start, try starting it at this point.

If your CMOD server was able to start (and is still running) but you weren't able to log in, stop and start the Library server so the change can take effect.

Additional CMOD LDAP Resources

The root cause of this issue is that you likely do not have a stash file configured for LDAP on CMOD.

Here are some IBM Knowledgebase Articles about Content Manager OnDemand stash files and LDAP:

IBM CMOD LDAP authentication on V9.0/9.5

IBM CM OnDemand V8.5 and later LDAP authentication to active directory server fails

Using OnDemand arsstash files for authenticating to DB2, Oracle, or LDAP