slapo-nssov and authz2dn
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: slapo-nssov and authz2dn
- From: btb@bitrate.net
- Date: Sat, 19 Oct 2013 20:10:04 -0400
I'm experimenting with the authz2dn setting for olcNssPam:
dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config
objectClass: olcConfig
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
olcOverlay: {7}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: login
olcNssPamSession: sshd
It seems to work, but only if I have no olcAuthzRegexp attributes, and I see no references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth in the slapd log [using -d -1]. If I add an olcAuthzRegexp [for example: uid=([^,]*),cn=plain,cn=auth uid=$1,ou=people,ou=accounts,dc=example,dc=com], this seems to break nssov, and I'm unable to log in [ssh], with PAM denying me:
Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): nslcd authorisation; user=jdoe
Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): Access denied for this service; user=jdoe
Oct 19 19:55:23 dsa1 sshd[30458]: fatal: Access denied for user jdoe by PAM account configuration [preauth]
I don't understand why a seemingly unrelated olcAuthzRegexp is breaking this, but I'm also not confident I'm using authz2dn properly. man 5 slapo-nssov says "If no mapping is found for this authentication DN, then this mapping will be ignored.", but I don't think I understand that clearly. Is that saying that failure to find a match via an olcAuthzRegexp mapping is not considered a failure to find a DN?
If I remove authz2dn [and thus use uid2dn], then the presence of the above olcAuthzRegexp value doesn't break nssov.
When using -d -1, should I see references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth? What am I doing wrong?
thanks
-ben
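The thread above has no reply, so the cause of the login failure is not established here. What can be shown is the shape of the two authentication DNs involved: the uid=<user>,cn=plain,cn=auth form that the posted olcAuthzRegexp rule is written for, and the cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth form that the slapo-nssov man page describes for authz2dn. The following is an added example, not code from the post or from OpenLDAP: a minimal re-implementation of authz-regexp first-match rewriting (rules tried in order, regexec-style substring match, $1..$9 back-references), fed with DNs constructed from the service, host and user visible in the posted sshd log. The second rule, RULE_PAM, is an assumption added to show what a pattern covering the PAM DN form would have to look like; slapd details such as DN normalisation and LDAP-URI replacements are not modelled.

```python
"""Constructed illustration of slapd-style authz-regexp rewriting.

Written for this page; NOT code from OpenLDAP or from the original post.
Approximates how slapd walks olcAuthzRegexp rules: each rule's regex is
tried in order against the authentication DN, the first match wins, and
$1..$9 in the replacement are filled from the capture groups.  DN
normalisation and LDAP-URI replacements are deliberately left out.
"""
import re

# Suffix taken from the rule quoted in the post.
PEOPLE = "ou=people,ou=accounts,dc=example,dc=com"

# Rule exactly as posted: it only describes the SASL PLAIN / simple-bind
# authentication DN form uid=<user>,cn=plain,cn=auth.
RULE_PLAIN = (r"uid=([^,]*),cn=plain,cn=auth", f"uid=$1,{PEOPLE}")

# Assumed additional rule (not from the post): matches the authz2dn form
# cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth described in
# slapo-nssov(5) and maps it onto the same people container.
RULE_PAM = (r"cn=[^,+]*\+uid=([^,]*),cn=[^,]*,cn=pam,cn=auth",
            f"uid=$1,{PEOPLE}")

# Constructed authentication DNs using the service (sshd), host (dsa1) and
# user (jdoe) that appear in the posted log lines.
DN_PLAIN = "uid=jdoe,cn=plain,cn=auth"
DN_PAM = "cn=sshd+uid=jdoe,cn=dsa1,cn=pam,cn=auth"


def _to_python_repl(repl: str) -> str:
    """slapd writes back-references as $N; Python's re.expand wants \\N."""
    return re.sub(r"\$(\d)", r"\\\1", repl)


def authz_map(auth_dn: str, rules):
    """Return the rewritten DN from the first matching rule, or None when no
    rule matches (slapd then leaves the authentication DN unmapped).

    re.search mirrors regexec(): an unanchored pattern matches a substring,
    and slapd compiles authz-regexp patterns case-insensitively.
    """
    for pattern, repl in rules:
        m = re.search(pattern, auth_dn, flags=re.IGNORECASE)
        if m:
            return m.expand(_to_python_repl(repl))
    return None


def demo():
    """Map both DN forms through (a) the posted rule alone and (b) the posted
    rule plus the assumed PAM rule; returns a dict for inspection/testing."""
    return {
        "plain_dn/posted_rule": authz_map(DN_PLAIN, [RULE_PLAIN]),
        "pam_dn/posted_rule": authz_map(DN_PAM, [RULE_PLAIN]),
        "pam_dn/posted+pam_rule": authz_map(DN_PAM, [RULE_PLAIN, RULE_PAM]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The point the output makes is narrow: the posted rule never matches the cn=pam,cn=auth DN form, so under authz2dn that DN has no mapping, whereas a rule written for that form does rewrite it to uid=jdoe,ou=people,ou=accounts,dc=example,dc=com. Whether slapd then treats the unmapped DN as "ignored" (as the man page wording suggests) or as a failed lookup is exactly the question the post raises, and this simulation does not answer it.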