Is there a way to use nssov PAM LDAP for authorization (the PAM "account"), without using it for authentication? In my setup, I'm authenticating users with pam_krb5 separately, and I just want to use LDAP for authorization and nss. I got nssov working fine with nss, but not authorization. I want to use the authorizedService attribute of the user entry for authorization. My nssov configuration is:
dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one
olcNssPam: userservice
olcNssPamMinUid: 25000
After adding the required entry to the PAM configuration (the account section only), logins stop working - SSH just disconnects immediately after the password is entered.
I suspect this is because I'm not using nssov for the PAM authentication. At the beginning of pam_authz() in nssov, I saw:

    /* We don't do authorization if they weren't authenticated by us */
    if (BER_BVISEMPTY(&dn)) {
        rc = NSLCD_PAM_USER_UNKNOWN;
        goto finish;
    }

which leads me to believe that this is what is causing the problem. Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there, logins succeed (but authorization is not performed). If I just comment out that block, logins still don't work, but I get the "service not permitted" message.
Is there some way to make authorization work without first performing authentication through nssov?
Thanks, Chris Breneman
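The following is an added model of the account-phase decision the post describes; it is not nssov's source and not part of the original message. It reproduces the three outcomes the post reports (refusal with NSLCD_PAM_USER_UNKNOWN when no DN came from an nssov authentication, "service not permitted" when the authorizedService check runs without a usable DN, and success only when the DN is known and the PAM service name is listed). The directory entries, DNs and service names are constructed, and the assumption that olcNssPam: userservice requires an exact authorizedService match is the author of this example's, not something the post states.

```python
# Added example: an independent Python model of nssov's pam_authz account
# check, written to show why an "account"-only PAM entry fails when
# authentication was done by pam_krb5 instead of nssov. Not nssov's code.

# Result codes named in the post (string values are illustrative).
NSLCD_PAM_SUCCESS = "NSLCD_PAM_SUCCESS"
NSLCD_PAM_PERM_DENIED = "NSLCD_PAM_PERM_DENIED"
NSLCD_PAM_USER_UNKNOWN = "NSLCD_PAM_USER_UNKNOWN"

# Constructed directory: DN -> attributes (mirrors the post's base
# ou=people,dc=cluenet,dc=org; the users themselves are made up).
DIRECTORY = {
    "uid=alice,ou=people,dc=cluenet,dc=org": {
        "uidNumber": 25001,
        "authorizedService": ["sshd", "login"],
    },
    "uid=bob,ou=people,dc=cluenet,dc=org": {
        "uidNumber": 25002,
        "authorizedService": [],          # no services granted
    },
}


def pam_authz(dn, service, directory=DIRECTORY, dn_check=True):
    """Model the account check for one PAM request.

    dn      : DN the preceding nssov authentication bound as; an empty
              string means another module (e.g. pam_krb5) authenticated
              the user and nssov never saw a bind.
    service : PAM service name (what olcNssPam: userservice compares
              against authorizedService; exact match is assumed here).
    dn_check: False models the post's experiment of commenting out the
              BER_BVISEMPTY block.
    Returns (result_code, message).
    """
    # The block quoted in the post: no DN from us, no authorization.
    if dn_check and not dn:
        return NSLCD_PAM_USER_UNKNOWN, None

    # Without a DN there is no entry to read, so the authorizedService
    # lookup finds nothing and the request is refused. This is the
    # "service not permitted" outcome the post observed.
    entry = directory.get(dn)
    services = entry.get("authorizedService", []) if entry else []
    if service not in services:
        return NSLCD_PAM_PERM_DENIED, "service not permitted"
    return NSLCD_PAM_SUCCESS, None


def scenarios():
    """Return the outcomes for the situations discussed in the post."""
    alice = "uid=alice,ou=people,dc=cluenet,dc=org"
    bob = "uid=bob,ou=people,dc=cluenet,dc=org"
    return {
        # nssov did the authentication and the service is listed
        "nssov_auth_listed": pam_authz(alice, "sshd"),
        # nssov did the authentication but the service is not listed
        "nssov_auth_not_listed": pam_authz(bob, "sshd"),
        # pam_krb5 authenticated; nssov only runs in the account phase
        "krb5_auth_dn_check": pam_authz("", "sshd"),
        # same, with the BER_BVISEMPTY block commented out
        "krb5_auth_no_dn_check": pam_authz("", "sshd", dn_check=False),
    }


if __name__ == "__main__":
    for name, (code, msg) in scenarios().items():
        print(f"{name:24s} -> {code}" + (f" ({msg})" if msg else ""))
```

The model makes the post's diagnosis concrete: with authentication handled elsewhere, the account phase never receives a DN, so the authorizedService test can neither pass nor be skipped cleanly, and the only way the author found to let logins through (returning NSLCD_PAM_SUCCESS in place of NSLCD_PAM_USER_UNKNOWN) is one that performs no authorization at all.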