i'm hoping a bump might get this on someone's radar it previously missed.
On Oct 19, 2013, at 20.10, BTB@bitrate.net wrote:
i'm experimenting with the authz2dn setting for olcnsspam:
dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config objectClass: olcConfig objectClass: olcNssOvConfig objectClass: olcOverlayConfig olcOverlay: {7}nssov olcNssMap: group uniquemember member olcNssPam: authz2dn hostservice olcNssPamSession: login olcNssPamSession: sshd
it seems to work, but only if i have no olcauthzregexp attributes, and i see no references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth in the slapd log [using -d -1]. if i add an olcauthzregexp [for example: uid=([^,]*),cn=plain,cn=auth uid=$1,ou=people,ou=accounts,dc=example,dc=com, this seems to break nssov, and i'm unable to login [ssh], with pam denying me:
Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): nslcd authorisation; user=jdoe Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): Access denied for this service; user=jdoe Oct 19 19:55:23 dsa1 sshd[30458]: fatal: Access denied for user jdoe by PAM account configuration [preauth]
i don't understand why a seemingly unrelated olcauthzregexp is breaking this, but i'm also not confident i'm using authz2dn properly. man 5 slapo-nssov says "If no mapping is found for this authentication DN, then this mapping will be ignored.", but i don't think i understand that clearly. is that saying that failure to find a match via an olcauthzregexp mapping is not considered a failure to find a dn?
if i remove authz2dn [and thus use uid2dn] then presence of the above olcauthzregexp value doesn't break nssov.
when using -d -1, should i see references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth? what am i doing wrong?
thanks -ben