LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
TIP: Enable LDAP logging only long enough to collect the data you need because logging can
significantly reduce performance and generate large log files.
You could move the existing log file and start with an empty file:
mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save
Restart the syslog daemon with the following command (for more information about this command,
see the syslogd(1M) manpage):
kill -HUP `cat /var/run/syslog.pid`
7.13.2 Enabling and disabling PAM logging
When something is behaving incorrectly, enabling logging is one way to examine the events that
occur to determine where the problem is. Enable PAM logging on a particular client as follows.
For more information about PAM, see the pam(3) and pam.conf(4) manpages. In addition, see
the document Managing Systems and Workgroups: A Guide for HP-UX System Administrators at
the following location:
www.hp.com/go/hpux-core-docs (click HP-UX 11i v2)
1. To each line in /etc/pam.conf that contains the libpam_ldap.so.1 library, add the
debug option as in the following example:
login account sufficient /usr/lib/security/libpam_unix.so.1
login account required /usr/lib/security/libpam_ldap.so.1 debug
su account sufficient /usr/lib/security/libpam_unix.so.1
su account required /usr/lib/security/libpam_ldap.so.1 debug
...
WARNING! Enabling the debug option in pam.conf might enable hackers to gain additional
information that would enable them to crack password security. For example, they could
attempt to log in as a super user (su) and discover that a password has expired (observing
the super user's behavior, the hackers could determine when he or she is likely to log in next).
2. Edit the /etc/syslog.conf file and add a new line at the bottom, such as the following:
*.debug <tab> /var/adm/syslog/debug.log
3. Restart the syslog daemon with the following command (for more information about this
command, see the syslogd(1M) manpage):
kill -HUP `cat /var/run/syslog.pid`
4. Once logging is enabled, run the HP-UX commands or applications that exhibit the problem.
5. Restore the /etc/syslog.conf file to its previous state; otherwise, you might unintentionally
enable logging in other applications.
6. Restart the syslog daemon with the following command:
kill -HUP `cat /var/run/syslog.pid`
7. Remove the debug options from /etc/pam.conf.
8. Examine the /var/adm/syslog/debug.log log file to see what actions were performed
and if any are unexpected. Look for lines containing "PAM_LDAP".
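The following check is an added example, not part of the HP guide: it reports debug settings left behind if steps 5 and 7 were skipped, which matters because of the WARNING above. The function names are hypothetical; the default paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the HP guide). Function names are hypothetical.
# Reports PAM/syslog debug settings that were not removed after troubleshooting.

# Print "lineno: line" for each active pam.conf entry that loads
# libpam_ldap.so.1 and still carries the debug option.
pam_debug_lines() {
    awk '
        $1 ~ /^#/ { next }                      # skip commented-out entries
        /libpam_ldap\.so\.1/ {
            for (i = 1; i <= NF; i++)
                if ($i == "debug") { print NR ": " $0; break }
        }' "$1"
}

# Print "lineno: line" for each active syslog.conf entry whose selector
# field contains *.debug (selectors may be joined with ";").
syslog_debug_lines() {
    awk '
        $1 ~ /^#/ { next }
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++)
                if (sel[i] == "*.debug") { print NR ": " $0; break }
        }' "$1"
}

# Return 0 when both files are clean, 1 when any debug setting remains.
check_debug_leftovers() {
    pam_conf=${1:-/etc/pam.conf}
    syslog_conf=${2:-/etc/syslog.conf}
    rc=0
    found=$(pam_debug_lines "$pam_conf")
    if [ -n "$found" ]; then
        echo "debug option still set in $pam_conf:"
        echo "$found"
        rc=1
    fi
    found=$(syslog_debug_lines "$syslog_conf")
    if [ -n "$found" ]; then
        echo "*.debug selector still present in $syslog_conf:"
        echo "$found"
        rc=1
    fi
    return $rc
}
```

Source the file and run check_debug_leftovers with no arguments to check /etc/pam.conf and /etc/syslog.conf, or pass two alternative paths to check saved copies.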
252 Administering LDAP-UX Client Services