hi

i'm experimenting with the nssov overlay, and am trying to get the hostservice approach working as described in man 5 slapo-nssov. i'm using slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu packages.

the nss side of things appears to be working as desired, but in my testing with sshd and pam, authentication succeeds even when the user is in a group that's denied the compare operation for the authorizedservice attribute. testing a bit with ldapcompare seems to indicate my acls are working as expected, and i see compare references in slapd's log when running ldapcompare, but not during ssh authentication.

i'm relatively confident the authentication is not occurring via another mechanism (like nss/shadow) - if i remove the auth line that references pam_ldap from the pam config for sshd, authentication fails.

i've included a few snippits below that will hopefully help illustrate things.

overlay config:

ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 'olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config' -s base

Enter LDAP Password: dn: olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config objectClass: olcNssOvConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {6}nssov olcNssMap: group uniquemember member olcNssPam: authz2dn hostservice olcNssPamSession: sshd olcNssPamSession: login

acls:

ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 'olcDatabase={2}bdb,cn=config' -s base olcaccess

Enter LDAP Password: dn: olcDatabase={2}bdb,cn=config olcAccess: {0}to dn.base="" by * read olcAccess: {1}to attrs=userPassword by self =dxw by anonymous auth by * none olcAccess: {2}to dn.base=cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net attrs=authorizedservice by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage by set="[cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare by set="[cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare by * =dxrs olcAccess: {3}to * by self write by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage by users read by * none

related group membership:

ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,dc=groundnoise,dc=net' -b 'dc=groundnoise,dc=net' '(cn=ssh)' member

Enter LDAP Password: dn: cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net member: uid=alien,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net member: uid=lisa,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

dn: cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net member: uid=rwetzel,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

entry for the host running sshd:

ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,dc=groundnoise,dc=net' -b 'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' -s base

Enter LDAP Password: dn: cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net objectClass: device objectClass: top objectClass: ipHost objectClass: authorizedServiceObject cn: under.groundnoise.net ipHostNumber: 192.168.1.1 authorizedService: sshd authorizedService: login

getent for the host entry:

getent hosts under.groundnoise.net

192.168.1.1 under.groundnoise.net

nsswitch config:

egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/nsswitch.conf

passwd: compat ldap group: compat ldap shadow: compat ldap hosts: files dns ldap networks: files protocols: db files services: db files ethers: db files rpc: db files netgroup: nis

ldapcompare test:

ldapcompare -vxWH 'ldaps://ldap.groundnoise.net' -D 'uid=luna,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net' 'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' 'authorizedservice:login'

ldap_initialize( ldaps://ldap.groundnoise.net:636/??base ) Enter LDAP Password: DN:cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net, attr:authorizedservice, value:login Compare Result: Insufficient access (50) UNDEFINED

pam config for sshd:

egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd

auth required pam_env.so # [1] auth required pam_env.so envfile=/etc/default/locale auth [success=2 default=ignore] pam_unix.so nullok_secure auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so account required pam_nologin.so account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so account requisite pam_deny.so account required pam_permit.so session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session required pam_unix.so session optional pam_ldap.so no_warn session optional pam_motd.so # [1] session optional pam_mail.so standard noenv # [1] session required pam_limits.so password required pam_passwdqc.so min=disabled,16,12,7,6 max=256 password [success=2 default=ignore] pam_unix.so obscure md5 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so

ssh test:

ssh luna@under.groundnoise.net hostname --fqdn

luna@under.groundnoise.net's password: under.groundnoise.net

i'm hoping someone can point out what i'm missing or what i might be doing wrong.

thanks, -ben