
Re: Nssov Authorization without Authentication



Chris Breneman wrote:
> Is there a way to use nssov PAM LDAP for authorization (the PAM
> "account"), without using it for authentication?

No.

> I suspect this is because I'm not using nssov for the PAM
> authentication.  At the beginning of pam_authz() in nssov, I saw:
> /* We don't do authorization if they weren't authenticated by us */
> if (BER_BVISEMPTY(&dn)) {
>        rc = NSLCD_PAM_USER_UNKNOWN;
>        goto finish;
> }
> Which leads me to believe that this is what is causing the problem.

It's not a "problem" - it's working as designed.

> Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there,
> logins succeed (but authorization is not performed).  If I just comment
> out that block, logins still don't work, but I get the "service not
> permitted" message.
>
> Is there some way to make authorization work without first performing
> authentication through nssov?

No. The authorization checks can only be performed if we know the LDAP DN of the user. We only get that DN during authentication.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
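The practical consequence of the design described above is that the module which performs the PAM "account" check must be the same one that authenticated the user, so that nssov already holds the user's DN. The stack below is an added illustration, not taken from this thread or from the nssov or nss-pam-ldapd projects; it assumes nss-pam-ldapd's pam_ldap.so talking to slapd's nssov overlay, and the service name is a placeholder.

```pam
# /etc/pam.d/example-service   (constructed example; service name is a placeholder)
#
# auth phase: pam_ldap.so must run here for LDAP users, because nssov
# records the user's DN only during authentication. If a user were
# authenticated solely by pam_unix.so, the later pam_ldap.so account
# check would see an empty DN and report the user as unknown.
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass
auth     sufficient pam_ldap.so try_first_pass
auth     required   pam_deny.so

# account phase: nssov can now evaluate its authorization rules for the
# DN it obtained above. Local-only accounts that were authenticated by
# pam_unix.so are not known to nssov; ignore_unknown_user lets pam_ldap.so
# return PAM_IGNORE for them instead of PAM_USER_UNKNOWN, so they are
# still governed by pam_unix.so's own account check.
account  required   pam_unix.so
account  required   pam_ldap.so ignore_unknown_user
```

Without `ignore_unknown_user`, the `required` pam_ldap.so account line fails every user that did not authenticate through nssov, which is the same symptom reported in the thread. Keeping pam_ldap.so in both phases, rather than patching the `BER_BVISEMPTY(&dn)` check out of pam_authz(), preserves the authorization step instead of silently bypassing it.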