Chris Breneman wrote:
> Is there a way to use nssov PAM LDAP for authorization (the PAM "account"), without using it for authentication?

No.

> I suspect this is because I'm not using nssov for the PAM authentication. At the beginning of pam_authz() in nssov, I saw:
>
>     /* We don't do authorization if they weren't authenticated by us */
>     if (BER_BVISEMPTY(&dn)) {
>         rc = NSLCD_PAM_USER_UNKNOWN;
>         goto finish;
>     }
>
> Which leads me to believe that this is what is causing the problem.

It's not a "problem" - it's working as designed.

> Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there, logins succeed (but authorization is not performed). If I just comment out that block, logins still don't work, but I get the "service not permitted" message.
>
> Is there some way to make authorization work without first performing authentication through nssov?

No. The authorization checks can only be performed if we know the LDAP DN of the user. We only get that DN during authentication.
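The practical consequence of that answer, shown as an added illustration that is not part of the original thread: nssov only learns the user's DN while it handles the PAM authentication request, so the client-side PAM stack has to send both the `auth` and the `account` step to the nss-pam-ldapd module (`pam_ldap.so`) that talks to nssov. The service file name, the stack ordering and the use of `pam_unix.so` alongside it are assumptions for an illustrative Linux system, not configuration from the thread.

```text
# /etc/pam.d/example-service  (constructed illustration; assumes pam_ldap.so
# from nss-pam-ldapd is configured to talk to the nssov overlay)

# Does NOT give LDAP authorization: the password is checked locally, so
# nssov never sees an authentication for this user. Its pam_authz() then
# has an empty DN and returns NSLCD_PAM_USER_UNKNOWN, exactly the block
# quoted above.
auth     required   pam_unix.so
account  required   pam_ldap.so

# Gives LDAP authorization: authentication goes through nssov first, which
# is where the DN that the following "account" check needs is obtained.
auth     sufficient pam_ldap.so
auth     required   pam_unix.so try_first_pass
account  required   pam_ldap.so
```

Only one of the two stacks would be present in a real file; they are shown together to contrast the two cases. Note that a user authenticated by `pam_unix.so` in the second stack (because the LDAP bind failed) still reaches the `account` line without a DN known to nssov and will be rejected there; deployments that also serve local accounts usually replace `required` with the `[success=... user_unknown=ignore ...]` control syntax, but the point here is only that the `auth` and `account` steps must both reach nssov for its authorization check to run.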