Environment
Novell Identity Manager 3.5.1
Novell Identity Manager - Password Synchronization
Novell Identity Manager Driver - Core Fan Out
Novell Identity Manager Driver - Linux and UNIX - Fan
Out
Situation
What information can be gathered to determine causes of problems
with Pam on Solaris and how it is interacting with the Fan-out
driver.
Resolution
To gather information, please do the following the steps
listed below:
1. To turn debugging on for Pam, please do the
following:
First make a copy of the pam.conf file located in the /etc directory. This will be a backup.
Then edit the /etc/pam.conf file by finding the lines you added into the file and adding the word 'debug' to the end of the line. Make sure there is a space before the word debug. The word debug should also be lowercase. Adding the word debug causes the PAM module to write debugging records to syslog.
First make a copy of the pam.conf file located in the /etc directory. This will be a backup.
Then edit the /etc/pam.conf file by finding the lines you added into the file and adding the word 'debug' to the end of the line. Make sure there is a space before the word debug. The word debug should also be lowercase. Adding the word debug causes the PAM module to write debugging records to syslog.
The lines you added into the file for the fanout driver should
look something like the following fragment from the sample pam.conf
file that is provided with Platform Services for Solaris.
login auth sufficient /usr/lib/security/pam_ascauth.so.1
stats
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
login auth required /usr/lib/security/pam_unix.so.1 try_first_pass
other auth sufficient /usr/lib/security/pam_ascauth.so.1
stats
other auth required pam_unix_auth.so.1 try_first_pass
other auth required pam_unix_auth.so.1 try_first_pass
The syslog should now record entries from the pam.conf
file. Normally this file is in the /var/adm/messages
directory. The file is normally set up for log rotate so the
file will be called syslog with an extension of a number.
There is a syslog.conf file in the /etc directory can be
edited to set the level of debugging.
2. To determine the version of Solaris that you are
running, please do the following at a command prompt: uname -
a
3. To turn on tracing in the asamplat.conf file, first make a
backup copy of the file located at the following location:
ASAM/data/asamplat.conf
Then add the following line to the file.
Then add the following line to the file.
TRACEFILE FilePath
FilePath specifies the location in the file system where debugging output is written.
For information about troubleshooting, see the applicable administration guide.
Example:
TRACEFILE \asam\debug.txt
FilePath specifies the location in the file system where debugging output is written.
For information about troubleshooting, see the applicable administration guide.
Example:
TRACEFILE \asam\debug.txt
4. Get a copy of the audit and operational files
from the date that the problem happened. These files are
located in the asam\data\coredriver\logs on the server running the
core driver. They have a format of audit
2007-06-27.txt. There will also be a smaller file of the same
name with a .ndx extension. This file does not need to be
sent in with the txt file.
If you are getting a copy of the log from the current day, please wait 15-20 minutes after the problem happens before copying off the files in order to give the system time to write all the information to the file.
If you are getting a copy of the log from the current day, please wait 15-20 minutes after the problem happens before copying off the files in order to give the system time to write all the information to the file.
5. Provide version information by going into iManager,
Fanout Utilities, component status and getting the build versions
from the Core Driver, Platforms and Provisioning Status.
So in summary, to gather the information for your own
troubleshooting or for Novell Support, please obtain the following
information.
- A copy of the pam.conf file
- debug output from the pam.conf file from the syslog
- version of Solaris from the uname -a command
- A copy of the asamplat.conf file
- Tracing output from the file specified in the asamplat.conf file
- copies of the audit and operational log from the day the problem happened.
- Names of the users who are having the problem. Both the eDirectory name and the Solaris user name (if different).
- A copy of the pam.conf file
- debug output from the pam.conf file from the syslog
- version of Solaris from the uname -a command
- A copy of the asamplat.conf file
- Tracing output from the file specified in the asamplat.conf file
- copies of the audit and operational log from the day the problem happened.
- Names of the users who are having the problem. Both the eDirectory name and the Solaris user name (if different).
- Versions of the Core Driver and Platform receiver.