Re: nssov overlay and hostservice



On Feb 05, 2010, at 11.59, Kyle Robinson wrote:

> On Thu, Feb 4, 2010 at 7:26 PM, ben thielsen <btb@bitrate.net> wrote:
> 
>> hi
>> 
>> i'm experimenting with the nssov overlay, and am trying to get the
>> hostservice approach working as described in man 5 slapo-nssov.  i'm using
>> slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu
>> packages.
>> 

...

>> 
>> ssh test:
>>> ssh luna@under.groundnoise.net hostname --fqdn
>> luna@under.groundnoise.net's password:
>> under.groundnoise.net
>> 
>> i'm hoping someone can point out what i'm missing or what i might be doing
>> wrong.
>> 
>> thanks,
>> -ben
> 
> 
> Turn on debug for pam_unix and pam_ldap in the auth section and check syslog
> to make sure it isn't actually pam_unix doing the auth via nss passwd hash.

i'm fairly confident that auth isn't happening via pam_unix / nss passwd hash.  if i remove the auth line for pam_ldap from the pam config (leaving only pam_unix), authentication fails (other users in local passwd/shadow flat files still work).  i also see, in the logs, a pam_unix failure "sshd[10978]: pam_unix(sshd:auth): authentication failure;" prior to success by the ldap module each time authentication occurs.

the debug option for the pam_ldap stub library from nss-pam-ldapd is ignored, according to the man page, and adding either debug or audit to pam_unix didn't seem to generate any additional log data.  there is plenty of activity in the slap log file, just not the compare operations that i was expecting to see, based on my interpretation of the man page for slapo-nssov.