LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

Log in as a user in the directory who is a member of a -@netgroup to be sure that the system
will not authorize you to log in.
If the PAM_AUTHZ module is configured with the pam_authz.policy file, verify the following:
Log in to the client system with a user name that is covered by an allow access rule in the
policy file. Make sure the user is allowed to log in.
Log in as a user that is covered by a deny access rule in the policy file. Make sure the
user cannot log in to the client system.
7. Open a new hpterm window and log in to the client system as a user whose account
information is in the directory. (For more information about the hpterm command, see the
hpterm(1X) manpage.) It is important you open a new hpterm window or log in from another
system, because if login doesn't work, you could be locked out of the system and would have
to reboot to single-user mode. Logging in to the client system in this way tests the PAM
configuration in /etc/pam.conf. If you cannot log in, verify that /etc/pam.conf is
configured properly. In addition, examine your directory to make sure the user's account
information is accessible by the proxy user or anonymously, as appropriate. Examine your
profile to make sure it is correct. For troubleshooting information, see Section 7.13 (page 251).
8. To examine files belonging to a user whose account information is in the directory, use the
ls or ll command. Make sure the owner and group of each file are accurate:
ll /tmp
ls -l
If any owner or group shows up as a number instead of a user or group name, the name
service switch is not functioning properly. Examine the /etc/nsswitch.conf file, your
directory, and your profile.
9. If you want to verify that you set up X.500 group membership correctly, follow these steps:
a. Create a valid POSIX user and group. Add this user as a member of this group using the
attribute "member" instead of "memberuid". Here is an example ldif file specifying
xuser2 as a member of the group xgroup1:
# cat example_ids.ldif
dn: cn=xgroup1,ou=Groups,o=hp.com
objectClass: posixGroup
objectClass: groupofnames
objectClass: top
cn: xgroup1
userPassword: {crypt}*
gidNumber: 999
member: uid=xuser2,ou=People,o=hp.com

dn: uid=xuser2,ou=People,o=hp.com
uid: xuser2
cn: xuser2
objectClass: top
objectClass: account
objectClass: posixAccount
userPassword: {crypt}xxxxxxxxxxxxx
loginShell: /bin/ksh
uidNumber: 9998
gidNumber: 999
homeDirectory: /home/xuser2
b. Make sure that the file /etc/nsswitch.conf specifies ldap for group service:
cat /etc/nsswitch.conf
:
:
group: files ldap
:
:
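
The checks in steps 8 and 9b can be scripted. The following shell functions are an added example, not part of the guide: one tests whether a source such as ldap is actually consulted for a service in nsswitch.conf, the other flags ls -l entries whose owner or group did not resolve to a name. Handling of a [NOTFOUND=return] criterion goes beyond what the steps mention; the function names and sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the guide. Function names and sample data are
# constructed for illustration.

# nss_reaches SERVICE SOURCE < nsswitch.conf
# Succeeds if SOURCE is listed for SERVICE and no earlier
# "[NOTFOUND=return]" criterion on that line stops the lookup before it.
nss_reaches() {
    awk -v svc="$1:" -v src="$2" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, split "group:files"
        $1 == svc {
            for (i = 2; i <= NF; i++) {
                if ($i == src) { ok = 1; break }
                if (toupper($i) ~ /NOTFOUND=RETURN/) break
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

# unresolved_owners < "ls -l output"
# Prints each entry whose owner or group column is purely numeric, the
# symptom step 8 describes. (An all-digit login name would also match.)
unresolved_owners() {
    awk 'NF >= 9 && ($3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/)'
}

# Constructed sample input.
SAMPLE_NSS='passwd: files ldap
group:  files [NOTFOUND=return] ldap   # ldap listed, but lookup stops at files
hosts:  dns files'
SAMPLE_LS='total 4
-rw-r--r--   1 xuser2     xgroup1     120 Mar  3 10:12 notes.txt
-rw-r--r--   1 9998       999          64 Mar  3 10:14 report.txt'

printf '%s\n' "$SAMPLE_NSS" | nss_reaches passwd ldap && echo "passwd: ldap is consulted"
printf '%s\n' "$SAMPLE_NSS" | nss_reaches group ldap  || echo "group: ldap is NOT consulted"
printf '%s\n' "$SAMPLE_LS"  | unresolved_owners
```

On a client system, feed the functions real input, for example nss_reaches group ldap < /etc/nsswitch.conf and ll /tmp | unresolved_owners.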