On Feb 05, 2010, at 11.59, Kyle Robinson wrote:
On Thu, Feb 4, 2010 at 7:26 PM, ben thielsen btb@bitrate.net wrote:
hi
i'm experimenting with the nssov overlay, and am trying to get the hostservice approach working as described in man 5 slapo-nssov. i'm using slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu packages.
...
ssh test:
ssh luna@under.groundnoise.net hostname --fqdn
luna@under.groundnoise.net's password: under.groundnoise.net
i'm hoping someone can point out what i'm missing or what i might be doing wrong.
thanks, -ben
Turn on debug for pam_unix and pam_ldap in the auth section and check syslog to make sure it isn't actually pam_unix doing the auth via nss passwd hash.
i'm fairly confident that auth isn't happening via pam_unix / nss passwd hash. if i remove the auth line for pam_ldap from the pam config (leaving only pam_unix), authentication fails (other users in local passwd/shadow flat files still work). i also see, in the logs, a pam_unix failure "sshd[10978]: pam_unix(sshd:auth): authentication failure;" prior to success by the ldap module each time authentication occurs.
the debug option for the pam_ldap stub library from nss-pam-ldapd is ignored, according to the man page, and adding either debug or audit to pam_unix didn't seem to generate any additional log data. there is plenty of activity in the slap log file, just not the compare operations that i was expecting to see, based on my interpretation of the man page for slapo-nssov.
openldap-technical@openldap.org