SI_pvt_execute_tso_command returns error code=139, reason code=0B1B0423 for RACF on z/OS 2.4

Article ID: 270294

Products

LDAP SERVER FOR Z/OS

Issue/Introduction

While attempting to retrieve user information from RACF through LDAP, the following error appears in the debug log:

DSI: SI_pvt_execute_tso_command(30BA7680): __spawnp2: error code=139, reason code=0B1B0423           
DSI: SI_pvt_execute_tso_command(30BA7680): __spawnp2: EDC5139I Operation not permitted.              
(30F357EC)ra_Run_Tso_Command: conn=1000 op=14 rc=76 user=OSS36 command=SEARCH CLASS(USER) MASK(9)    

There are no violation messages in the started task. What is the resolution to this error?

Environment

Release : 15.1

Resolution

The userid running the LDAP server (SLAPD) needs a TSO segment to perform the SEARCH CLASS(USER) function.

If a TSO segment is defined, the __spawnp2 EDC5139I error points to a permissions problem with the RACF account, as described below:

1. The ID needs the following CONSOLE right/setting to spawn commands, according to the IBM documentation:

CONNECT ATTRIBUTES=SPECIAL AUDITOR
                      
2. For RACF, if the facility BPX.DAEMON is defined, having 'UID=0' is not enough; BPX.DAEMON authority is also needed.

3. If 'UID != 0', the user that spawns tasks on behalf of the logged-on user must have BPX.SRV.userid authority. Permit BPX.SRV.* (if it can be masked) to the LDAP Server STC userid and retest. If it cannot be masked, there are two options:
- Permit BPX.SRV.user for each userid that will issue commands through IDM to RACF
- Set the STC userid to 'UID=0'

4. The spawn permission must be granted to the LDAP Server STC Userid, not the Userid used to log on to LDAP.
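The checks above can be run in one pass from TSO with a small REXX exec. This is an added example, not part of the original article or the product: LDAPSRV is a hypothetical name for the LDAP Server STC userid, OSS36 is the bound user from the log above, and the exec assumes the standard RACF classes for these profiles (FACILITY for BPX.DAEMON, SURROGAT for BPX.SRV.userid).

```rexx
/* REXX - added example, not part of the original article.           */
/* Read-only RACF checks for the conditions listed above.            */
stc  = 'LDAPSRV'   /* ASSUMPTION: userid the LDAP server STC runs as */
user = 'OSS36'     /* bound user from the debug log in this article  */

/* Base, TSO and OMVS segments: CONNECT ATTRIBUTES (step 1) and UID. */
call show 'LISTUSER' stc 'TSO OMVS'
if found('NO TSO INFORMATION') then
  say '==> 'stc' has no TSO segment'
if found('NO OMVS INFORMATION') then
  say '==> 'stc' has no OMVS segment, so no UID is assigned'

/* Step 2: is BPX.DAEMON defined, and is the STC userid listed?      */
if show('RLIST FACILITY BPX.DAEMON AUTHUSER') = 0 then do
  if \found(stc) then
    say '==> 'stc' not in BPX.DAEMON access list (check its groups)'
end
else say '==> BPX.DAEMON not defined, or no authority to list it'

/* Step 3: best-matching profile (discrete or generic) for the user. */
if show('RLIST SURROGAT BPX.SRV.'user 'AUTHUSER GENERIC') = 0 then do
  if \found(stc) then
    say '==> 'stc' not in access list for BPX.SRV.'user' (check groups)'
end
else say '==> no listable SURROGAT profile covers BPX.SRV.'user
exit 0

show: procedure expose out.   /* run a command, trap and echo output */
  parse arg cmd
  say '>>> 'cmd
  call outtrap 'out.'
  address tso cmd
  cmdrc = rc
  call outtrap 'OFF'
  do i = 1 to out.0
    say '    'out.i
  end
  return cmdrc

found: procedure expose out.  /* 1 if any trapped line contains text */
  parse arg text
  do i = 1 to out.0
    if pos(text, out.i) > 0 then return 1
  end
  return 0
```

The exec only lists profiles, so the ID running it needs enough RACF authority to see the access lists. Per step 4, every check is made against the STC userid, not the userid used to log on to LDAP.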

Here is more information on the BPX.SRV resource.