LDAP-UX Client Services B.05.00 Administrator's Guide
because, for example, the user's password has expired or the login retry limit has been
exceeded. To check this, try an ldapsearch command and bind as the user, for example:
cd /opt/ldapux/bin
./ldapsearch -h servername -b "baseDN" uid=username (get user's DN)
./ldapsearch -h servername -b "baseDN" -D "userDN" -w passwd \
uid=username
where userDN is the DN of the user who cannot log in and username is the login of the
user. If you cannot bind as the user, check if any directory policies are preventing access.
See below for an example of determining the user's bind DN.
• Display the current configuration profile and check all the values to make sure they are as
you expect:
cd /opt/ldapux/config
./display_profile_cache
In particular, check the values for the directory server host and port, the default search base
DN, and the credential level. Also, if you have remapped any standard attributes to alternate
attributes, or defined any custom search descriptors, make sure these are correct and exist
in your database. If any of these are incorrect, correct them as described in Section 5.12
(page 183).
• If you are using a proxy user, make sure the configuration is correct as described in Section 5.8
(page 182).
• Make sure the client system can authenticate to the directory and find a user in the directory
by searching the directory for the information of one of your users. Use the ldapsearch command
and information from the current profile.
If you are using a proxy user (determined by the credentialLevel attribute in the configuration
profile), try searching the directory for the information of one of your users as the proxy user
with a command like the following:
cd /opt/ldapux/bin
./ldapsearch -h servername -b "baseDN" -D "proxyuser" -w passwd \
uid=username
using the name of your directory server (from display_profile_cache), search base
DN (from display_profile_cache), proxy user (from ldap_proxy_config -p),
proxy user password, and a user name from the directory.
For example:
cd /opt/ldapux/bin
./ldapsearch -h sys001.hp.com -b "ou=people, o=hp.com" \
-D "uid=proxyuser,ou=special users,o=hp.com" -w passwd \
uid=steves
You should get output like the following:
dn: uid=steves,ou=people,o=hp.com
uid: steves
cn: Steve Sy
objectclass: top
objectclass: account
objectclass: posixAccount
loginshell: /bin/ksh
uidnumber: 2875
gidnumber: 191
homedirectory: /home/steves
gecos: Steve Sy, building 5, x50
If you don't, your proxy user may not be configured properly. Make sure you have access
permissions set correctly for the proxy user. See the steps "Create a proxy user" and "Set
access permissions for the proxy user" in Section 2.4.4 (page 65) for details on configuring
the proxy user.
You can also try binding to the directory as the directory administrator and reading the
user's information.
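To make the comparison against the expected output repeatable, the following added example (not part of the LDAP-UX guide) checks an LDIF entry, as piped from ldapsearch, for the attributes a posixAccount needs. The function name, the default attribute list (the posixAccount MUST attributes from RFC 2307) and both sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the LDAP-UX guide.
# Reads one LDIF entry on stdin and reports which required attributes are absent.
#   return 0: entry present, all attributes visible
#   return 1: entry present, some attributes missing (names printed on stdout)
#   return 2: no entry at all (no "dn:" line)
# Default list is the posixAccount MUST set from RFC 2307 (assumption: no
# remapping); pass your own names as arguments if the profile remaps attributes.
missing_posix_attrs() {
    [ "$#" -gt 0 ] || set -- cn uid uidnumber gidnumber homedirectory
    ldif=$(cat)
    if ! printf '%s\n' "$ldif" | grep -i -q '^dn:'; then
        echo "no entry returned"
        return 2
    fi
    missing=""
    for attr in "$@"; do
        # LDIF attribute names are case-insensitive
        printf '%s\n' "$ldif" | grep -i -q "^${attr}:" || missing="$missing $attr"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Constructed sample: the entry shown above, as the proxy user should see it.
SAMPLE_FULL='dn: uid=steves,ou=people,o=hp.com
uid: steves
cn: Steve Sy
objectclass: posixAccount
loginshell: /bin/ksh
uidnumber: 2875
gidnumber: 191
homedirectory: /home/steves'

# Constructed sample: the same entry with the numeric IDs not returned.
SAMPLE_HIDDEN='dn: uid=steves,ou=people,o=hp.com
uid: steves
cn: Steve Sy
objectclass: posixAccount
loginshell: /bin/ksh
homedirectory: /home/steves'

printf '%s\n' "$SAMPLE_FULL"   | missing_posix_attrs && echo "entry OK"
printf '%s\n' "$SAMPLE_HIDDEN" | missing_posix_attrs || true
```

Pipe the output of the proxy-user ldapsearch command into missing_posix_attrs. A return of 1 means the entry is found but some attributes are absent or not readable by the bind identity; 2 means the entry is not visible at all.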
5.18 Troubleshooting 191