LDAP-UX Client Services B.04.15 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX LDAP-UX Integration Software

131

132

133

134

135

136

137

138

139

140

kill -HUP 'cat /var/run/syslog.pid'

7. Remove the "debug" options from /etc/pam.conf.

8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed and

if any are unexpected. Look for lines containing "PAM_LDAP."

TIP: Enable PAM logging only long enough to collect the data you need because logging can

significantly reduce performance and generate large log files.

You may want to move the existing log file and start with an empty file: mv

/var/adm/syslog/debug.log /var/adm/syslog/debug.log.save. Then restore the file when finished.

5.18.3 Directory Server Log Files

You can view log files to see if any unusual events have occurred with your directory. The

Directory Server for HP-UX logs information to files under

/var/opt/Netscape/server4/slapd-<serverID>/logs

where slapd-<serverID> is the name of your directory server.

The error logs contain start-up, shut-down, and unusual events. The access logs contain all

requests. See the Netscape Directory Server Administrator's Guide for details.

5.18.4 User Cannot Log on to Client System

If a user cannot log in to a client system, perform the following checks.

• Use a command like pwget(1) with -n, or nsquery(1)

to verify that NSS is working:

pwget -n username nsquery passwd username

If the output shows ldap is not being searched, check /etc/nsswitch.conf to make sure ldap

is specified. If username is not found, make sure that user is in the directory and, if using

a proxy user, make sure the proxy user is properly configured.

If nsquery(1) displays the user's information, make sure /etc/pam.conf is configured correctly

for ldap. If /etc/pam.conf is configured correctly, check the directory's policy management

status. It could be the directory's policy management is preventing the bind because, for

example the user's password has expired or the login retry limit has been exceeded. To check

this try an ldapsearch command and bind as the user, for example:

cd /opt/ldapux/bin

./ldapsearch -h servername -b "basdDN" uid=username (get user's DN) ./ldapsearch -h servername -b "baseDN"

-D "userDN" -w passwd \ uid=username

where userDN is the DN of the user who cannot log in and username is the login of the

user. If you cannot bind as the user, check if any directory policies are preventing access.

See below for an example of determining the user's bind DN.

• Display the current configuration profile and check all the values to make sure they are as

you expect:

cd /opt/ldapux/config ./display_profile_cache

In particular, check the values for the directory server host and port, the default search base

DN, and the credential level. Also, if you have remapped any standard attributes to alternate

attributes, or defined any custom search descriptors, make sure these are correct and exist

in your database. If any of these are incorrect, correct them as described in Modifying a

Profile (page 127).

• If you are using a proxy user, make sure the configuration is correct as described under

Verifying the Proxy User (page 126).

2. nsquery(1) is a contributed tool included with the ONC/NFS product.

5.18 Troubleshooting 133