LDAP-UX Client Services B.04.15 Administrator's Guide
• Log in as a user that is a member of a -@netgroup to be sure that the user is not
allowed to log in.
If pam_authz is configured with the pam_authz.policy file, verify the following:
• Log in to the client system with a user name that is covered by an allow access rule
in the policy file. Make sure the user is allowed to log in.
• Log in as a user that is covered by a deny access rule in the policy file. Make sure
the user cannot log in to the client system.
6. Open a new hpterm(1X) window and log in to the client system as a user whose account
information is in the directory. It is important you open a new hpterm window or log in
from another system because if login doesn't work, you could be locked out of the system
and would have to reboot to single-user mode. This tests the Pluggable Authentication
Module (PAM) configuration in /etc/pam.conf. If you cannot log in, check /etc/pam.conf for
proper configuration. Also check your directory to make sure the user's account information
is accessible by the proxy user or anonymously, as appropriate. Check your profile to make
sure it looks correct. See also Troubleshooting in this chapter for more information.
7. Use the ls(1) or ll(1) command to examine files belonging to a user whose account information
is in the directory. Make sure the owner and group of each file are accurate:
ll /tmp
ls -l
If any owner or group shows up as a number instead of a user or group name, the name
service switch is not functioning properly. Check the file /etc/nsswitch.conf, your directory,
and your profile.
If you want to verify that you set up X.500 group membership correctly, follow these steps:
1. Create a valid POSIX user and group. Add this user as a member of this group using the
attribute "member" instead of "memberuid". Here is an example LDIF file specifying xuser2
as a member of the group xgroup1:
# cat example_ids.ldif
dn: cn=xgroup1,ou=Groups,o=hp.com
objectClass: posixGroup
objectClass: groupofnames
objectClass: top
cn: xgroup1
userPassword: {crypt}*
gidNumber: 999
member: uid=xuser2,ou=People,o=hp.com

dn: uid=xuser2,ou=People,o=hp.com
uid: xuser2
cn: xuser2
objectClass: top
objectClass: account
objectClass: posixAccount
userPassword: {crypt}xxxxxxxxxxxxx
loginShell: /bin/ksh
uidNumber: 9998
gidNumber: 999
homeDirectory: /home/xuser2
2. Make sure that the file /etc/nsswitch.conf specifies ldap for group service:
cat /etc/nsswitch.conf
:
:
group: files ldap
:
:
3. Verify:
# grget -n xgroup1
xgroup1:*:999: xuser2
If xuser2 shows up as a member of xgroup1, then your setup is correct.
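An offline pre-check for the LDIF in step 1, as an added example (not part of the guide and not LDAP-UX code): it resolves each "member" DN to the uid of the entry it names and builds the group line that step 3 should show. The function names, the simplified DN comparison, and the assumption that the login name comes from the referenced entry's uid attribute belong to this example only.

```python
from collections import defaultdict
# Constructed sample: the page's example_ids.ldif, abridged to the attributes checked here.
SAMPLE_LDIF = """\
dn: cn=xgroup1,ou=Groups,o=hp.com
objectClass: posixGroup
objectClass: groupofnames
cn: xgroup1
gidNumber: 999
member: uid=xuser2,ou=People,o=hp.com

dn: uid=xuser2,ou=People,o=hp.com
uid: xuser2
objectClass: posixAccount
uidNumber: 9998
gidNumber: 999
"""

def norm_dn(dn):
    # Assumption: simplified DN matching (case-insensitive, spaces after commas ignored).
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}}; base64 (::) values are not decoded."""
    entries, cur = {}, None
    for line in text.replace("\n ", "").splitlines():  # unfold continuation lines
        attr, _, value = line.partition(":")
        if not line.strip():
            cur = None  # a blank line ends the current entry
        elif attr.lower() == "dn":
            cur = entries.setdefault(norm_dn(value.strip()), defaultdict(list))
        elif cur is not None and not line.startswith("#"):
            cur[attr.lower()].append(value.strip())
    return entries

def check_groups(entries):
    """Return (group(4)-style lines, problems) for every posixGroup entry in the file."""
    lines, problems = [], []
    for e in entries.values():
        if "posixgroup" not in (c.lower() for c in e["objectclass"]):
            continue
        users = list(e["memberuid"])  # memberuid values are already login names
        for m in e["member"]:
            target = entries.get(norm_dn(m))
            if target and target["uid"]:
                users.append(target["uid"][0])
            else:
                problems.append(f"{e['cn'][0]}: member DN has no account entry in this file: {m}")
        lines.append(f"{e['cn'][0]}:*:{e['gidnumber'][0]}:{','.join(users)}")
    return lines, problems
```

A member DN reported as a problem may still exist in the directory itself; the check only covers entries present in the file being reviewed.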