Nssov Authorization without Authentication
Is there a way to use nssov PAM LDAP for authorization (the PAM
"account"), without using it for authentication? In my setup, I'm
authenticating users with pam_krb5 separately, and I just want to use
LDAP for authorization and nss. I got nssov working fine with nss, but
not authorization. I want to use the authorizedService attribute of the
user entry for authorization. My nssov configuration is:
dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one
olcNssPam: userservice
olcNssPamMinUid: 25000
After adding the required entry to the PAM configuration (the account
section only), logins stop working - SSH just disconnects immediately
after the password is entered.
I suspect this is because I'm not using nssov for the PAM
authentication. At the beginning of pam_authz() in nssov, I saw:
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
    rc = NSLCD_PAM_USER_UNKNOWN;
    goto finish;
}
Which leads me to believe that this is what is causing the problem.
Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there,
logins succeed (but authorization is not performed). If I just comment
out that block, logins still don't work, but I get the "service not
permitted" message.
Is there some way to make authorization work without first performing
authentication through nssov?
Thanks,
Chris Breneman