LDAP-UX Client Services B.05.00 Administrator's Guide
WARNING! Enabling the debug option in pam.conf might allow attackers to gain additional
information that would help them defeat password security. For example, an attacker could
attempt to become the superuser with su, learn from the log that the password has expired,
and, by observing the superuser's behavior, determine when he or she is likely to log in
next.
2. Edit the file /etc/syslog.conf and add a new line at the bottom like the following:
*.debug <tab> /var/adm/syslog/debug.log
3. Restart the syslog daemon with the following command (for more information about this
command, see the syslogd(1M) manpage):
kill -HUP `cat /var/run/syslog.pid`
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Restore the file /etc/syslog.conf to its previous state; otherwise the *.debug line keeps
collecting debug-level messages from every facility, not just from PAM.
6. Restart the syslog daemon with the following command (for more information about this
command, see the syslogd(1M) manpage):
kill -HUP `cat /var/run/syslog.pid`
7. Remove the debug options from /etc/pam.conf.
8. Examine the log file at /var/adm/syslog/debug.log to see what actions were performed
and if any are unexpected. Look for lines containing "PAM_LDAP."
TIP: Enable PAM logging only long enough to collect the data you need because logging can
significantly reduce performance and generate large log files.
You may want to move the existing log file and start with an empty file:
mv /var/adm/syslog/debug.log /var/adm/syslog/debug.log.save
Then restore the file when finished.
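The steps above wrapped into shell functions, as an added example that is not part of the LDAP-UX guide or of HP-UX itself. It assumes, as the guide states, that syslogd(1M) re-reads /etc/syslog.conf on SIGHUP and records its process ID in /var/run/syslog.pid. The paths can be overridden in the environment so the helpers can be exercised on copies, and SAMPLE_LOG_LINES is constructed for trying the PAM_LDAP filter offline; it is not real HP-UX output. Step 7 (removing the debug option from /etc/pam.conf) is left to the administrator because the pam.conf entries are not shown here.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide. Paths default to the ones the
# guide uses; set them in the environment to run the helpers against copies.
SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}
DEBUG_LOG=${DEBUG_LOG:-/var/adm/syslog/debug.log}
SYSLOG_PID=${SYSLOG_PID:-/var/run/syslog.pid}

# Step 2: keep a copy of syslog.conf, then append the *.debug selector.
# syslog.conf needs a literal tab between selector and action, so the line
# is written with printf rather than echo.
enable_debug_logging() {
    conf=$1; log=$2
    cp "$conf" "$conf.save" || return 1
    printf '*.debug\t%s\n' "$log" >> "$conf"
}

# Step 5: put the original syslog.conf back so that debug-level messages
# from every other facility stop being collected.
restore_syslog_conf() {
    mv "$1.save" "$1"
}

# Steps 3 and 6: make syslogd re-read its configuration. $(...) is the
# POSIX spelling of the backquoted command substitution shown in the guide.
hup_syslogd() {
    kill -HUP "$(cat "$SYSLOG_PID")"
}

# Step 8: keep only the PAM_LDAP lines; count_pam_ldap answers the quick
# "did anything get logged at all" question.
grep_pam_ldap() {
    grep 'PAM_LDAP' "$1"
}
count_pam_ldap() {
    grep -c 'PAM_LDAP' "$1"
}

# Steps 2 through 8 (except 7) around one failing command, for example
#   run_with_pam_debug su - jdoe
# so that debug logging is enabled only while that command runs.
run_with_pam_debug() {
    enable_debug_logging "$SYSLOG_CONF" "$DEBUG_LOG" || return 1
    hup_syslogd
    "$@"; rc=$?
    restore_syslog_conf "$SYSLOG_CONF"
    hup_syslogd
    grep_pam_ldap "$DEBUG_LOG"
    return $rc
}

# Constructed sample of what debug.log might contain (assumption: illustrative
# only, not real HP-UX output) for trying the filter functions offline.
SAMPLE_LOG_LINES='Jan 10 09:12:01 hpux1 login: PAM_LDAP: bind with proxy user succeeded
Jan 10 09:12:01 hpux1 login: PAM_LDAP: password for jdoe has expired
Jan 10 09:12:03 hpux1 cron: starting job for root'
```

run_with_pam_debug restores syslog.conf whether or not the command under test succeeds, which is the point of the TIP: the window in which every facility logs at debug level is as short as the failing command itself.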
5.18.3 Directory server log files
You can view log files to see if any unusual events have occurred with your directory. The HP-UX
Directory Server logs information to files under
/var/opt/dirsrv/slapd-<serverID>/log
where slapd-<serverID> is the name of your directory server.
The error log records start-up, shut-down, and unusual events; the access log records every
request the server receives. For details, see the HP-UX Directory Server administrator guide.
5.18.4 User cannot log on to client system
If a user cannot log in to a client system, perform the following checks.
• To verify that NSS is working, you can use the pwget -n command (for more information,
see the pwget(1) manpage) or the nsquery command (see note 2 below), as in the following
examples:
pwget -n username
nsquery passwd username
If the output shows that LDAP is not being searched, check /etc/nsswitch.conf to make
sure ldap is listed as a source for passwd. If username is not found, make sure that the user
exists in the directory and, if a proxy user is used, that the proxy user is configured correctly.
If nsquery displays the user's information, make sure /etc/pam.conf is configured
correctly for LDAP. If /etc/pam.conf is configured correctly, check the directory's policy
management status. It could be the directory's policy management is preventing the bind
2. nsquery is a contributed tool included with the ONC/NFS product. For more information, see the nsquery(1) manpage.
190 Administering LDAP-UX Client Services
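Offline checks for the two client files that section 5.18.4 above says to inspect, plus the pam.conf debug check from step 7 of the logging procedure, as an added example that is not part of the LDAP-UX guide or of HP-UX. It assumes the nsswitch.conf syntax used on HP-UX (a "passwd:" line listing sources, optionally followed by [STATUS=action] clauses) and the five-field pam.conf layout (service, module type, control flag, module path, options). SAMPLE_NSSWITCH and SAMPLE_PAM_CONF are constructed for trying the checks without an HP-UX host and are not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide: parse nsswitch.conf and
# pam.conf the way an administrator reads them when a user cannot log in.

# Print the name-service sources listed for passwd, in lookup order, with
# comments and [STATUS=action] clauses stripped.
nss_passwd_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' "$1" |
    awk '/^[ \t]*passwd[ \t]*:/ { sub(/^[ \t]*passwd[ \t]*:/, ""); $1 = $1; print; exit }'
}

# Succeed only if ldap is one of those sources: the first thing to check
# when pwget -n or nsquery never consults LDAP.
nss_has_ldap() {
    for src in $(nss_passwd_sources "$1"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# pam.conf entries for one service whose module path refers to ldap.
# No output for the service that fails means pam.conf does not route it
# through the LDAP module at all.
pam_ldap_entries() {
    sed -e 's/#.*//' "$1" | awk -v svc="$2" '$1 == svc && $4 ~ /ldap/'
}

# pam.conf entries that still carry the debug option; these are the lines
# step 7 of the logging procedure says to clean up after collecting data.
pam_debug_entries() {
    sed -e 's/#.*//' "$1" |
    awk 'NF >= 5 { for (i = 5; i <= NF; i++) if ($i == "debug") { print; next } }'
}

# Constructed sample files (assumption: illustrative only, not copied from a
# real host) for exercising the checks offline.
SAMPLE_NSSWITCH='# name service switch
passwd: files ldap [NOTFOUND=return]
group:  files ldap'
SAMPLE_PAM_CONF='login  auth    sufficient libpam_ldap.so.1 debug
login  auth    required   libpam_unix.so.1
su     auth    required   libpam_unix.so.1 debug
login  account required   libpam_ldap.so.1'
```

On a real client, run nss_has_ldap /etc/nsswitch.conf and pam_ldap_entries /etc/pam.conf login (or whichever service fails) before reaching for the directory-side policy checks; a missing ldap source or a service with no LDAP entry explains the failure without any server-side investigation.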