i'm hoping a bump might get this on someone's radar it previously missed.

On Oct 19, 2013, at 20.10, [email protected] wrote:

> i'm experimenting with the authz2dn setting for olcnsspam:
> 
> dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config
> objectClass: olcConfig
> objectClass: olcNssOvConfig
> objectClass: olcOverlayConfig
> olcOverlay: {7}nssov
> olcNssMap: group uniquemember member
> olcNssPam: authz2dn hostservice
> olcNssPamSession: login
> olcNssPamSession: sshd
> 
> it seems to work, but only if i have no olcauthzregexp attributes, and i see 
> no references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth in the 
> slapd log [using -d -1].  if i add an olcauthzregexp [for example: 
> uid=([^,]*),cn=plain,cn=auth uid=$1,ou=people,ou=accounts,dc=example,dc=com], 
> this seems to break nssov, and i'm unable to login [ssh], with pam denying me:
> 
> Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): nslcd 
> authorisation; user=jdoe
> Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): Access denied for 
> this service; user=jdoe
> Oct 19 19:55:23 dsa1 sshd[30458]: fatal: Access denied for user jdoe by PAM 
> account configuration [preauth]
> 
> i don't understand why a seemingly unrelated olcauthzregexp is breaking this, 
> but i'm also not confident i'm using authz2dn properly. man 5 slapo-nssov 
> says "If no mapping is found for this authentication DN, then this mapping 
> will be ignored.", but i don't think i understand that clearly.  is that 
> saying that failure to find a match via an olcauthzregexp mapping is not 
> considered a failure to find a dn?
> 
> if i remove authz2dn [and thus use uid2dn] then presence of the above 
> olcauthzregexp value doesn't break nssov.
> 
> when using -d -1, should i see references to 
> cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth?  what am i doing wrong?
> 
> thanks
> -ben
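
Added illustration, not from the thread and not OpenLDAP's own code: a small Python simulation of how authz-regexp rules are tried in order against an authorization DN, using the olcAuthzRegexp from the post plus a second, constructed rule shaped for the cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth DN that authz2dn builds. It assumes slapd's substring-match, first-rule-wins semantics and skips DN normalization; the DNs fed to it are constructed from the values in the post.

```python
import re

# olcAuthzRegexp rules as (pattern, replacement) pairs, tried in order.
# Rule 0 is the one from the post; rule 1 is a constructed example that
# matches the DN form slapo-nssov authz2dn builds. Note that the '+'
# joining the multi-valued RDN (cn=<service>+uid=<user>) must be escaped.
RULES = [
    (r"uid=([^,]*),cn=plain,cn=auth",
     r"uid=$1,ou=people,ou=accounts,dc=example,dc=com"),
    (r"cn=([^,]*)\+uid=([^,]*),cn=([^,]*),cn=pam,cn=auth",
     r"uid=$2,ou=people,ou=accounts,dc=example,dc=com"),
]


def match_rule(dn, rules=RULES):
    """Return (rule_index, match_object) for the first rule whose regex
    matches dn, or None if no rule matches. re.search mimics the
    unanchored regexec() substring matching slapd applies (assumption)."""
    for idx, (pattern, _replacement) in enumerate(rules):
        m = re.search(pattern, dn)
        if m:
            return idx, m
    return None


def map_authz_dn(dn, rules=RULES):
    """Rewrite dn with the first matching rule, expanding $1..$9 from the
    capture groups. Returns None when no rule matches, which is the case
    the slapo-nssov man page describes as the mapping being ignored."""
    hit = match_rule(dn, rules)
    if hit is None:
        return None
    idx, m = hit
    replacement = rules[idx][1]
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


if __name__ == "__main__":
    # Constructed DNs: a simple-bind authz DN and the PAM-style DN that
    # authz2dn would build for user jdoe logging in via sshd on host dsa1.
    for dn in ("uid=jdoe,cn=plain,cn=auth",
               "cn=sshd+uid=jdoe,cn=dsa1,cn=pam,cn=auth"):
        print(dn, "->", map_authz_dn(dn, RULES[:1]), "(post's rule only)")
        print(dn, "->", map_authz_dn(dn), "(both rules)")
```

Running it shows the post's rule alone never matches the cn=pam,cn=auth form, while the constructed second rule maps it to the same people entry.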
