LDAP-UX Client Services B.04.15 Administrator's Guide

Make sure the client system can authenticate to the directory and can find a user in the
directory by searching for the information of one of your users. Use the ldapsearch command
and information from the current profile.
If you are using a proxy user (determined by the credentialLevel attribute in the configuration
profile), try searching for one of your users in the directory as the proxy user with a command
like the following:
cd /opt/ldapux/bin
./ldapsearch -h servername -b "baseDN" -D "proxyuser" -w \
    passwd uid=username
using the name of your directory server (from display_profile_cache), search base DN (from
display_profile_cache), proxy user (from ldap_proxy_config -p), proxy user password, and
a user name from the directory.
For example:
cd /opt/ldapux/bin
./ldapsearch -h sys001.hp.com -b "ou=people, o=hp.com" \
    -D "uid=proxyuser,ou=special users,o=hp.com" -w passwd \
    uid=steves
You should get output like the following:
dn: uid=steves,ou=people,o=hp.com
uid: steves
cn: Steve Sy
objectclass: top
objectclass: account
objectclass: posixAccount
loginshell: /bin/ksh
uidnumber: 2875
gidnumber: 191
homedirectory: /home/steves
gecos: Steve Sy, building 5, x50
If you don't, your proxy user may not be configured properly. Make sure you have access
permissions set correctly for the proxy user. See the steps "Create a proxy user" and "Set
access permissions for the proxy user" under the procedure Configure Your Directory
(page 27) for details on configuring the proxy user.
You can also try binding to the directory as the directory administrator and reading the
user's information.
If you are using anonymous access (determined by the value of the credentialLevel attribute
in the configuration profile), try searching for one of your users in the directory with a
command like the following:
./ldapsearch -h servername -b "o=hp.com" uid=username
using the name of your directory server (from display_profile_cache), search base DN (from
display_profile_cache), and a user name from the directory.
You should get output similar to the previous example. If you don't, anonymous access may
not be configured properly. Make sure you have access permissions set correctly for
anonymous access. See the steps "Configure anonymous access" and "Set access permissions
for anonymous access" under Configure Your Directory (page 27) for details on configuring
anonymous access.
Enable PAM logging as described under Enabling and Disabling PAM Logging (page 132),
then try logging in again. Check the PAM logs for any unexpected events.
Enable LDAP-UX logging as described under Enabling and Disabling LDAP-UX Logging
(page 132), then try logging in again. Check the log file for any unexpected events.
If you are using Netscape/Red Hat Directory Server, use the Netscape/Red Hat Directory
Console to authenticate to the directory as the directory administrator. Check the ACIs for
the proxy user. Make sure the proxy user or anonymous users can view the attributes listed
below. If not, change the ACI to allow this. Make sure all users can read their own information.
If they cannot, change the ACI to allow this.
Make sure all users have the following attributes and can read them:
cn
loginshell
uid
uidnumber
gidnumber
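The following script is an added example, not part of the LDAP-UX guide: it automates the proxy-user ldapsearch check shown above and reports which of the required attributes are missing from the entry that comes back. The sample LDIF entry embedded in it is constructed to mirror the guide's example output; the ldapsearch path, hostname, base DN and proxy DN passed to check_user are assumed placeholders you replace with values from display_profile_cache and ldap_proxy_config -p.

```shell
#!/bin/sh
# Added example (not from the LDAP-UX guide): verify that a user entry returned
# by ldapsearch carries every attribute LDAP-UX needs to resolve a login.

# Attributes the guide says every user must have and be able to read.
REQUIRED_ATTRS="cn loginshell uid uidnumber gidnumber"

# Constructed sample of ldapsearch LDIF output, mirroring the guide's example.
SAMPLE_ENTRY='dn: uid=steves,ou=people,o=hp.com
uid: steves
cn: Steve Sy
objectclass: top
objectclass: account
objectclass: posixAccount
loginshell: /bin/ksh
uidnumber: 2875
gidnumber: 191
homedirectory: /home/steves
gecos: Steve Sy, building 5, x50'

# missing_attrs LDIF_TEXT: prints each required attribute that is absent from
# the entry, one per line; returns 0 when nothing is missing, 1 otherwise.
missing_attrs() {
    entry="$1"
    rc=0
    for attr in $REQUIRED_ATTRS; do
        # LDIF attribute names are case-insensitive; match "name:" at line start.
        if ! printf '%s\n' "$entry" | grep -iq "^${attr}:"; then
            echo "$attr"
            rc=1
        fi
    done
    return $rc
}

# check_user SERVER BASEDN PROXYDN PASSWD USERNAME: runs the proxy-user search
# from the guide (as the proxy user, so it also exercises the proxy ACIs) and
# reports any required attribute the returned entry lacks. Returns 2 when the
# bind or search fails or no entry comes back, so that case is not confused
# with a missing attribute.
check_user() {
    out=$(/opt/ldapux/bin/ldapsearch -h "$1" -b "$2" -D "$3" -w "$4" "uid=$5") || return 2
    [ -n "$out" ] || { echo "no entry returned for uid=$5"; return 2; }
    missing_attrs "$out"
}
```

Example invocation: check_user sys001.hp.com "ou=people, o=hp.com" "uid=proxyuser,ou=special users,o=hp.com" passwd steves; an empty result with exit status 0 means the entry is complete, a non-zero status lists what to fix in the directory or its ACIs.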
134 Administering LDAP-UX Client Services