[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Nssov Authorization without Authentication

Chris Breneman wrote:
Is there a way to use nssov PAM LDAP for authorization (the PAM
"account"), without using it for authentication?


I suspect this is because I'm not using nssov for the PAM
authentication.  At the beginning of pam_authz() in nssov, I saw:
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
       goto finish;
Which leads me to believe that this is what is causing the problem.

It's not a "problem" - it's working as designed.

Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there,
logins succeed (but authorization is not performed).  If I just comment
out that block, logins still don't work, but I get the "service not
permitted" message.

Is there some way to make authorization work without first performing
authentication through nssov?

No. The authorization checks can only be performed if we know the LDAP DN of the user. We only get that DN during authentication.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/