While attempting to retrieve user information from RACF through LDAP, the following error appears in the debug log:
DSI: SI_pvt_execute_tso_command(30BA7680): __spawnp2: error code=139, reason code=0B1B0423
DSI: SI_pvt_execute_tso_command(30BA7680): __spawnp2: EDC5139I Operation not permitted.
(30F357EC)ra_Run_Tso_Command: conn=1000 op=14 rc=76 user=OSS36 command=SEARCH CLASS(USER) MASK(9)
There are no violation messages in the started task. What is the resolution to this error?
Release : 15.1
The userid running the LDAP server (SLAPD) needs a TSO segment to perform the SEARCH CLASS(USER) function.
If the TSO segment is defined, then the __spawnp2 EDC5139I error indicates a permissions problem with the RACF account, as described below:
1. The ID needs the following CONSOLE right/setting to spawn commands, according to the IBM documentation:
CONNECT ATTRIBUTES=SPECIAL AUDITOR
2. For RACF, if the FACILITY class profile BPX.DAEMON is defined, it is not enough to have UID=0; BPX.DAEMON authority is also needed.
3. If UID != 0, then the user spawning tasks on behalf of the logged-on user must have BPX.SRV.userid authority. Permit BPX.SRV.* (if it can be masked) to the LDAP server STC userid and retest. If it cannot be masked, there are two options:
- Permit BPX.SRV.userid for each userid that will issue commands through IDM to RACF
- Set the STC userid to UID=0
4. The spawn permission must be granted to the LDAP server STC userid, not the userid used to log on to LDAP.
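The checks and fixes above, collected into one REXX exec that a RACF administrator could run from TSO (added example, not part of the original article). LDAPSTC, USER01, ACCT# and PROCNAME are placeholders for the LDAP server STC userid, an IDM user, and the site's TSO account number and logon procedure.

```rexx
/* REXX - check and grant the RACF authority the LDAP server STC userid  */
/* needs so __spawnp2 no longer fails with EDC5139I.                     */
/* Placeholders: LDAPSTC (STC userid), USER01 (an IDM user),             */
/* ACCT# / PROCNAME (site TSO account number and logon proc).            */
ADDRESS TSO

/* 1. The STC userid needs a TSO segment; list only that segment.        */
"LISTUSER LDAPSTC NORACF TSO"
IF RC <> 0 THEN                      /* no segment listed: add one        */
  "ALTUSER LDAPSTC TSO(ACCTNUM(ACCT#) PROC(PROCNAME) SIZE(4096))"

/* 2. If BPX.DAEMON exists in FACILITY, UID=0 alone is not enough:       */
/*    the STC userid also needs READ access to the profile.              */
"RLIST FACILITY BPX.DAEMON AUTHUSER"
IF RC = 0 THEN DO                    /* profile is defined               */
  "PERMIT BPX.DAEMON CLASS(FACILITY) ID(LDAPSTC) ACCESS(READ)"
  "SETROPTS RACLIST(FACILITY) REFRESH"
END

/* 3. For a non-zero UID, grant BPX.SRV.* in the SURROGAT class.         */
/*    The masked profile is generic, so generic checking must be on.     */
"SETROPTS GENERIC(SURROGAT)"
"RDEFINE SURROGAT BPX.SRV.* UACC(NONE)"
"PERMIT BPX.SRV.* CLASS(SURROGAT) ID(LDAPSTC) ACCESS(READ)"

/*    Alternative when the site does not allow a masked profile:         */
/*    one discrete BPX.SRV.userid profile per user issuing commands      */
/*    through IDM (repeat for each such userid).                         */
"RDEFINE SURROGAT BPX.SRV.USER01 UACC(NONE)"
"PERMIT BPX.SRV.USER01 CLASS(SURROGAT) ID(LDAPSTC) ACCESS(READ)"
"SETROPTS RACLIST(SURROGAT) REFRESH"

/* 4. Permissions were granted to the STC userid, not the LDAP logon     */
/*    user; confirm the access list before retesting the LDAP search.    */
"RLIST SURROGAT BPX.SRV.* AUTHUSER"
"LISTUSER LDAPSTC"
EXIT 0
```

The exec needs RACF SPECIAL authority; skip the SURROGAT section if the site chooses the UID=0 option instead.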
Here is more information on the BPX.SRV resource.