Administering
Troubleshooting
TIP | Enable LDAP logging only long enough to collect the data you need |
| because logging can significantly reduce performance and generate large |
| log files. |
| You may want to move the existing log file and start with an empty file: |
| mv /var/adm/syslog/local0.log /var/adm/syslog/local0.log.save |
|
|
Enabling and Disabling PAM Logging
When something is behaving incorrectly, enabling logging is one way to examine the events that occur to determine where the problem is. Enable PAM logging on a particular client as follows. See pam(1), pam.conf(4), and Managing Systems and Workgroups for more information on PAM.
Step | 1. | Add the “debug” option to each line in /etc/pam.conf that contains | ||
|
| libpam_ldap, for example: |
| |
|
| login account sufficient /usr/lib/security/libpam_unix.1 | ||
|
| login account required | /usr/lib/security/libpam_ldap.1 debug | |
|
| su | account sufficient /usr/lib/security/libpam_unix.1 | |
|
| su | account required | /usr/lib/security/libpam_ldap.1 debug |
|
| ... |
|
|
Step | 2. | Edit the file /etc/syslog.conf and add a new line at the bottom like the | ||
|
| following: |
| |
|
| *.debug <tab> /var/adm/syslog/debug.log | ||
Step | 3. | Restart the syslog daemon with the following command. (See | ||
|
| syslogd(1M) for details.) |
| |
|
| kill | ||
Step | 4. | Once logging is enabled, run the | ||
|
| exhibit the problem. |
| |
Step | 5. | Restore the file /etc/syslog.conf to its previous state; otherwise, you may | ||
|
| unintentionally enable logging in other applications. | ||
Step | 6. | Restart the syslog daemon with the following command. (See | ||
|
| syslogd(1M) for details.) |
| |
|
| kill | ||
Step | 7. | Remove the “debug” options from /etc/pam.conf. | ||
132 | Chapter 4 |