LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

121

122

123

124

125

126

127

128

129

130

kill -HUP 'cat /var/run/syslog.pid'

4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.

5. Restore the file /etc/syslog.conf to its previous state; otherwise, you may unintentionally

enable logging in other applications.

6. Restart the syslog daemon with the following command. (See syslogd(1M) for details.)

kill -HUP 'cat /var/run/syslog.pid'

7. Remove the "debug" options from /etc/pam.conf.

8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed and

if any are unexpected. Look for lines containing "PAM_LDAP."

TIP: Enable PAM logging only long enough to collect the data you need because logging can

significantly reduce performance and generate large log files.

You may want to move the existing log file and start with an empty file: mv

/var/adm/syslog/debug.log /var/adm/syslog/debug.log.save. Then restore the file when finished.

Directory Server Log Files

You can view log files to see if any unusual events have occurred with your directory. The

Directory Server for HP-UX logs information to files under

/var/opt/Netscape/server4/slapd-<serverID>/logs

where slapd-<serverID> is the name of your directory server.

The error logs contain start-up, shut-down, and unusual events. The access logs contain all

requests. See the Netscape Directory Server Administrator's Guide for details.

User Cannot Log on to Client System

If a user cannot log in to a client system, perform the following checks.

• Use a command like pwget(1) with -n, or nsquery(1)

to verify that NSS is working:

pwget -n username

nsquery passwd username

If the output shows ldap is not being searched, check /etc/nsswitch.conf to make sure ldap

is specified. If username is not found, make sure that user is in the directory and, if using

a proxy user, make sure the proxy user is properly configured.

If nsquery(1) displays the user's information, make sure /etc/pam.conf is configured correctly

for ldap. If /etc/pam.conf is configured correctly, check the directory's policy management

status. It could be the directory's policy management is preventing the bind because, for

example the user's password has expired or the login retry limit has been exceeded. To check

this try an ldapsearch command and bind as the user, for example:

cd /opt/ldapux/bin

./ldapsearch -h servername -b "basdDN" uid=username (get user's DN)

./ldapsearch -h servername -b "baseDN" -D "userDN" -w passwd \ uid=username

where userDN is the DN of the user who cannot log in and username is the login of the

user. If you cannot bind as the user, check if any directory policies are preventing access.

2. nsquery(1) is a contributed tool included with the ONC/NFS product.

124 Administering LDAP-UX Client Services