LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
TIP: Because logging can significantly reduce performance and generate large log files, enable
PAM logging only long enough to collect the data you need.
You could move the existing log file and start with an empty file:
mv /var/adm/syslog/debug.log /var/adm/syslog/debug.log.save
Then restore the file when finished.
Restart the syslog daemon with the following command:
kill -HUP `cat /var/run/syslog.pid`
7.13.3 Viewing log files for errors and unexpected events
You can view log files to see if any unusual events have occurred with your directory.
HP-UX Directory Server log files
The HP-UX Directory Server logs information to files under
/var/opt/dirsrv/slapd-<serverID>/log, where slapd-<serverID> is the name of your
directory server.
The error logs contain startup, shutdown, and unusual events. The access logs contain all requests.
For more information, see the HP-UX Directory Server administrator guide.
Windows ADS service log files
You can view Active Directory event log files using the Windows 2003 R2 or 2008 Event Viewer.
To start the viewer, select Start→Programs→Administrative Tools→Event Viewer.
7.13.4 Troubleshooting user problem with client system logins
If a user cannot log in to a client system, perform the following tests:
• To verify that NSS is working, you can use the pwget -n command (for more information,
see the pwget(1) manpage) or the nsquery command (see footnote 3), as in the following
examples:
pwget -n username
nsquery passwd username
If the output shows LDAP is not being searched, verify that LDAP is specified in the
/etc/nsswitch.conf file. If username is not found, make sure that the user is in the directory
and, if using a proxy user, make sure the proxy user is properly configured.
If nsquery displays the user's information, make sure /etc/pam.conf is configured correctly
for LDAP (for more information about configuring /etc/pam.conf, see “Sample PAM
configuration (pam.conf) files” (page 420)). If /etc/pam.conf is configured correctly,
examine the directory's policy management status. The directory's policy management
might be preventing the bind because, for example, the user's password has expired
or the login retry limit has been exceeded. Use the commands suggested in the following
examples.
If you cannot bind as the user, determine whether any directory policies are preventing access.
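The two configuration checks in the steps above can be scripted. The following is an added example, not part of the original guide or of LDAP-UX; the function names are hypothetical, the sample files are constructed, and it assumes the LDAP PAM module's file name contains "libpam_ldap". It also goes slightly beyond the text by flagging an ldap entry that is listed but placed after a [NOTFOUND=return] criterion.

```sh
#!/bin/sh
# Added example, not from the guide. Assumption: the LDAP PAM module's file
# name contains "libpam_ldap"; function names are hypothetical.

# Report how an nsswitch.conf database (default: passwd) reaches LDAP:
#   ok          ldap is listed and reachable
#   unreachable ldap follows a [NOTFOUND=return] criterion, so a user absent
#               from the earlier source is never looked up in the directory
#   missing     ldap is not listed for this database
nss_ldap_status() {
    awk -v db="${2:-passwd}:" '
        { sub(/#.*/, "") }
        $1 == db {
            state = "missing"; blocked = 0; seen = 1
            for (i = 2; i <= NF; i++) {
                tok = tolower($i)
                if (tok ~ /notfound=return/) blocked = 1
                else if (tok == "ldap") { state = blocked ? "unreachable" : "ok"; break }
            }
            print state; exit
        }
        END { if (!seen) print "missing" }
    ' "$1"
}

# Print the pam.conf module types (auth, account, ...) for which the given
# service references the LDAP module, sorted and space-separated.
pam_ldap_types() {
    awk -v svc="$2" '
        { sub(/#.*/, "") }
        $1 == svc && /libpam_ldap/ { print $2 }
    ' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample files (not taken from a real system).
demo_dir="${TMPDIR:-/tmp}/nsscheck.$$"
mkdir -p "$demo_dir"
printf '%s\n' '# constructed sample' 'passwd: files [NOTFOUND=return] ldap' \
    'group:  files ldap' > "$demo_dir/nsswitch.conf"
printf '%s\n' 'login auth sufficient libpam_unix.so.1' \
    'login auth required libpam_ldap.so.1 try_first_pass' \
    'login account sufficient libpam_unix.so.1' \
    '#login account required libpam_ldap.so.1' > "$demo_dir/pam.conf"

echo "passwd: $(nss_ldap_status "$demo_dir/nsswitch.conf" passwd)"
echo "group:  $(nss_ldap_status "$demo_dir/nsswitch.conf" group)"
echo "login PAM types using LDAP: $(pam_ldap_types "$demo_dir/pam.conf" login)"
```

On a client system, pass /etc/nsswitch.conf and /etc/pam.conf to the two functions instead of the sample files.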
Determining the policy management status for an HP directory server user
Use an ldapsearch command and bind as the user. In the following example, the second
command line obtains the DN of the user, and the third line verifies the policy
management status of that user:
cd /opt/ldapux/bin
./ldapsearch -h servername -b "baseDN" uid=username
./ldapsearch -h servername -b "baseDN" -D "userDN" -w passwd uid=username
3. nsquery is a contributed tool included with the ONC/NFS product. For more information, see the nsquery(1) manpage.