i'm experimenting with the authz2dn setting for olcnsspam:
dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
olcOverlay: {7}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: login
olcNssPamSession: sshd
it seems to work, but only if i have no olcauthzregexp attributes, and i see no
references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth in the slapd
log [using -d -1]. if i add an olcauthzregexp [for example:
uid=([^,]*),cn=plain,cn=auth uid=$1,ou=people,ou=accounts,dc=example,dc=com,
this seems to break nssov, and i'm unable to login [ssh], with pam denying me:
Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): nslcd authorisation;
user=jdoe
Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): Access denied for
this service; user=jdoe
Oct 19 19:55:23 dsa1 sshd[30458]: fatal: Access denied for user jdoe by PAM
account configuration [preauth]
i don't understand why a seemingly unrelated olcauthzregexp is breaking this,
but i'm also not confident i'm using authz2dn properly. man 5 slapo-nssov says
"If no mapping is found for this authentication DN, then this mapping will be
ignored.", but i don't think i understand that clearly. is that saying that
failure to find a match via an olcauthzregexp mapping is not considered a
failure to find a dn?
if i remove authz2dn [and thus use uid2dn] then presence of the above
olcauthzregexp value doesn't break nssov.
when using -d -1, should i see references to
cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth? what am i doing wrong?
thanks
-ben
