LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
loginShell: /bin/ksh
unixHomeDirectory: /tblv006/home/biljonz
unixName: biljonz
syncNisDomain: cup
uidNumber: 467
If you do not get similar output, your proxy user might not be configured properly. For more
information about configuring the proxy user for a Windows ADS, see Section 3.4.5 (page 135).
What to do when the proxy user cannot read POSIX information
There could be several reasons why the proxy user is not able to read user and group information
using the previously-described troubleshooting steps. If the previously-described steps fail, try these
steps:
• Try the ldapsearch command described previously (to search as the proxy user for HP
directory server or Windows ADS user information), replacing the proxy credential with an
administrator's credential. If you are able to discover user information using an administrator's
credential, then check the following:
◦ Verify that you have the correct password for the proxy user. The ldapsearch command
reports an error if you have an invalid password.
◦ Verify whether the proxy account has an expired password or expired account. The
ldapsearch command also reports an error if the account has expired or has an expired
password. If the account is expired or has an expired password, you might need to alter
the security policy for this account. Use your directory server management utilities to set
the proxy user account.
◦ If ldapsearch succeeds but returns no data, use the proxy account to search the rootDSE
with the following commands. This verifies that you are binding to the correct directory
server and determines whether any information can be returned. In the command,
hostname is the name of the host, proxyuser is the name of the proxy user account,
and password is the proxy user's password.
cd /opt/ldapux/bin
./ldapsearch -h hostname -b "" -s base "(objectclass=*)" \
-D "proxyuser" -w password namingcontexts
If this command does not return a namingcontexts attribute, or the value of the
namingcontexts attribute does not contain the expected base DN, verify you are
connecting to the proper directory server.
◦ Verify the proxy user has sufficient privilege to read these POSIX attributes:
cn
loginshell
uid
uidnumber
gidnumber
homedirectory (non-Windows only)
gecos
unixHomedirectory (Windows ADS only)
msSFU30Aliases (Windows only)
◦ Determining access control rights for the proxy user account requires understanding the
security policy of the directory server and the access control instructions used to protect
that information. To determine how to adjust your access control settings to give sufficient
rights to access POSIX account information, consult your vendor-specific directory server
administrator guide. For a full list of attributes that must be accessible to the proxy user,
use the /opt/ldapux/config/display_profile_cache command and review
the "is mapped to:" attributes.
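The administrator-versus-proxy comparison described above can be scripted. The following is an added example, not part of the HP guide or the LDAP-UX product: it takes the LDIF returned for one entry under each bind and lists the required attributes that only the administrator could read. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Attribute names from the guide's list, lowercased for comparison.
REQUIRED="cn loginshell uid uidnumber gidnumber homedirectory gecos unixhomedirectory mssfu30aliases"

# Print the lowercased attribute names present in LDIF text read from stdin.
# Comment lines (#) and folded continuation lines (leading space) do not match.
ldif_attrs() {
    sed -n 's/^\([A-Za-z][A-Za-z0-9;-]*\):.*/\1/p' |
        tr 'A-Z' 'a-z' | grep -v '^dn$' | sort -u
}

# $1 = LDIF returned for an entry under the administrator bind,
# $2 = LDIF returned for the same entry under the proxy bind.
# Prints each required attribute the administrator saw but the proxy did not.
hidden_from_proxy() {
    admin=$(printf '%s\n' "$1" | ldif_attrs)
    proxy=$(printf '%s\n' "$2" | ldif_attrs)
    for a in $REQUIRED; do
        if printf '%s\n' "$admin" | grep -qx "$a" &&
           ! printf '%s\n' "$proxy" | grep -qx "$a"; then
            printf '%s\n' "$a"
        fi
    done
}

# Constructed sample output (not captured from a real server).
ADMIN_LDIF='dn: CN=biljonz,CN=Users,DC=example,DC=com
cn: biljonz
uid: biljonz
uidNumber: 467
gidNumber: 20
gecos: Bill Jones
loginShell: /bin/ksh
unixHomeDirectory: /tblv006/home/biljonz'

PROXY_LDIF='dn: CN=biljonz,CN=Users,DC=example,DC=com
cn: biljonz
uid: biljonz
loginShell: /bin/ksh'

# Prints uidnumber, gidnumber, gecos, unixhomedirectory (one per line).
hidden_from_proxy "$ADMIN_LDIF" "$PROXY_LDIF"
```

Attributes missing under both binds are not reported, because the comparison only shows where the proxy user sees less than the administrator does.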