[Date Prev][Date Next] [Chronological] [Thread] [Top]

nssov overlay and hostservice


i'm experimenting with the nssov overlay, and am trying to get the hostservice approach working as described in man 5 slapo-nssov.  i'm using slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu packages.

the nss side of things appears to be working as desired, but in my testing with sshd and pam, authentication succeeds even when the user is in a group that's denied the compare operation for the authorizedservice attribute.  testing a bit with ldapcompare seems to indicate my acls are working as expected, and i see compare references in slapd's log when running ldapcompare, but not during ssh authentication.

i'm relatively confident the authentication is not occurring via another mechanism (like nss/shadow) - if i remove the auth line that references pam_ldap from the pam config for sshd, authentication fails.

i've included a few snippits below that will hopefully help illustrate things.

overlay config:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 'olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config' -s base
Enter LDAP Password: 
dn: olcOverlay={6}nssov,olcDatabase={2}bdb,cn=config
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {6}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: sshd
olcNssPamSession: login

>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,cn=config' -b 'olcDatabase={2}bdb,cn=config' -s base olcaccess
Enter LDAP Password: 
dn: olcDatabase={2}bdb,cn=config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to attrs=userPassword by self =dxw by anonymous auth by * none
olcAccess: {2}to dn.base=cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net attrs=authorizedservice
	by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage
	by set="[cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare
	by set="[cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" compare
	by * =dxrs
olcAccess: {3}to * by self write
	by set="[cn=directory_administrators,ou=general,ou=users,ou=groups,dc=groundnoise,dc=net]/member* & user" manage
	by users read
	by * none

related group membership:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,dc=groundnoise,dc=net' -b 'dc=groundnoise,dc=net' '(cn=ssh)' member
Enter LDAP Password: 
dn: cn=ssh,ou=under,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net
member: uid=alien,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net
member: uid=lisa,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

dn: cn=ssh,ou=all_servers,ou=servers,ou=users,ou=groups,dc=groundnoise,dc=net
member: uid=rwetzel,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net

entry for the host running sshd:
>ldapsearch -xLLLWH 'ldaps://ldap.groundnoise.net' -D 'cn=admin,dc=groundnoise,dc=net' -b 'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' -s base
Enter LDAP Password: 
dn: cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net
objectClass: device
objectClass: top
objectClass: ipHost
objectClass: authorizedServiceObject
cn: under.groundnoise.net
authorizedService: sshd
authorizedService: login

getent for the host entry:
>getent hosts under.groundnoise.net     under.groundnoise.net

nsswitch config:
>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/nsswitch.conf 
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
hosts:          files dns ldap
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

ldapcompare test:
>ldapcompare -vxWH 'ldaps://ldap.groundnoise.net' -D 'uid=luna,ou=people,ou=users,ou=accounts,dc=groundnoise,dc=net' 'cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net' 'authorizedservice:login'
ldap_initialize( ldaps://ldap.groundnoise.net:636/??base )
Enter LDAP Password: 
DN:cn=under.groundnoise.net,ou=hosts,dc=groundnoise,dc=net, attr:authorizedservice, value:login
Compare Result: Insufficient access (50)

pam config for sshd:
>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
auth		required			pam_env.so # [1]
auth		required			pam_env.so envfile=/etc/default/locale
auth		[success=2 default=ignore]      pam_unix.so nullok_secure
auth		[success=1 default=ignore]      pam_ldap.so use_first_pass
auth		requisite                       pam_deny.so
auth		required                        pam_permit.so
account		required			pam_nologin.so
account		[success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account		[success=1 default=ignore]      pam_ldap.so
account		requisite                       pam_deny.so
account		required                        pam_permit.so
session		[default=1]                     pam_permit.so
session		requisite                       pam_deny.so
session		required                        pam_permit.so
session		required                        pam_unix.so
session		optional                        pam_ldap.so no_warn
session		optional			pam_motd.so # [1]
session		optional			pam_mail.so standard noenv # [1]
session		required			pam_limits.so
password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

ssh test:
>ssh luna@under.groundnoise.net hostname --fqdn
luna@under.groundnoise.net's password: 

i'm hoping someone can point out what i'm missing or what i might be doing wrong.