[Date Prev][Date Next]
Re: nssov overlay and hostservice
On Feb 05, 2010, at 11.59, Kyle Robinson wrote:
> On Thu, Feb 4, 2010 at 7:26 PM, ben thielsen <firstname.lastname@example.org> wrote:
>> i'm experimenting with the nssov overlay, and am trying to get the
>> hostservice approach working as described in man 5 slapo-nssov. i'm using
>> slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu
>> ssh test:
>>> ssh email@example.com hostname --fqdn
>> firstname.lastname@example.org's password:
>> i'm hoping someone can point out what i'm missing or what i might be doing
> Turn on debug for pam_unix and pam_ldap in the auth section and check syslog
> to make sure it isn't actually pam_unix doing the auth via nss passwd hash.
i'm fairly confident that auth isn't happening via pam_unix / nss passwd hash. if i remove the auth line for pam_ldap from the pam config (leaving only pam_unix), authentication fails (other users in local passwd/shadow flat files still work). i also see, in the logs, a pam_unix failure "sshd: pam_unix(sshd:auth): authentication failure;" prior to success by the ldap module each time authentication occurs.
the debug option for the pam_ldap stub library from nss-pam-ldapd is ignored, according to the man page, and adding either debug or audit to pam_unix didn't seem to generate any additional log data. there is plenty of activity in the slap log file, just not the compare operations that i was expecting to see, based on my interpretation of the man page for slapo-nssov.