
Nssov Authorization without Authentication

Is there a way to use nssov PAM LDAP for authorization (the PAM
"account"), without using it for authentication?  In my setup, I'm
authenticating users with pam_krb5 separately, and I just want to use
LDAP for authorization and nss.  I got nssov working fine with nss, but
not authorization.  I want to use the authorizedService attribute of the
user entry for authorization.  My nssov configuration is:

dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one
olcNssPam: userservice
olcNssPamMinUid: 25000

After adding the required entry to the PAM configuration (the account
section only), logins stop working - SSH just disconnects immediately
after the password is entered.

I suspect this is because I'm not using nssov for the PAM
authentication.  At the beginning of pam_authz() in nssov, I saw:
/* We don't do authorization if they weren't authenticated by us */
if (BER_BVISEMPTY(&dn)) {
      rc = NSLCD_PAM_USER_UNKNOWN;
      goto finish;
}
This leads me to believe that this is what is causing the problem.
Indeed, when I change NSLCD_PAM_USER_UNKNOWN to NSLCD_PAM_SUCCESS there,
logins succeed (but authorization is not performed).  If I just comment
out that block, logins still don't work, but I get the "service not
permitted" message.

Is there some way to make authorization work without first performing
authentication through nssov?

Thanks,
Chris Breneman
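The following is an added example, not nssov's code and not part of the post above. It is a small Python model of the PAM "account" decision the post describes: the "not authenticated by us" short-circuit from the quoted pam_authz() block, the olcNssPamMinUid threshold, and the olcNssPam userservice check against authorizedService. It runs over a constructed in-memory LDIF directory under the post's passwd base (the uids, uidNumbers and service names are made up), and adds one hypothetical option, lookup_unauthenticated, that resolves the user's DN by uid when another module (here pam_krb5) did the authentication. The exact minimum-UID semantics and the treatment of a missing authorizedService attribute are assumptions and should be checked against your nssov version.

```python
"""Model of an nssov-style PAM "account" check (added example, not nssov code)."""

PAM_SUCCESS = "NSLCD_PAM_SUCCESS"
PAM_USER_UNKNOWN = "NSLCD_PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "NSLCD_PAM_PERM_DENIED"

# Constructed sample directory under the base from the post's olcNssSsd.
# The uids, uidNumbers and services are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=cluenet,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 25001
authorizedService: sshd
authorizedService: login

dn: uid=bob,ou=people,dc=cluenet,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 25002
authorizedService: login

dn: uid=svc,ou=people,dc=cluenet,dc=org
objectClass: posixAccount
uid: svc
uidNumber: 1001
authorizedService: sshd
"""


def parse_ldif(text):
    """Parse simple single-line-attribute LDIF into {dn: {attr: [values]}}."""
    entries = {}
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            key, value = key.strip(), value.strip()
            if key == "dn":
                dn = value
            else:
                attrs.setdefault(key, []).append(value)
        if dn is None:
            raise ValueError("LDIF entry without dn")
        entries[dn] = attrs
    return entries


def find_dn_by_uid(entries, uid):
    """Emulate a one-level (uid=<uid>) search under the passwd base.

    Returns the DN only when exactly one entry matches; an ambiguous
    result is treated as unknown rather than picking the first hit.
    """
    matches = [dn for dn, attrs in entries.items() if uid in attrs.get("uid", [])]
    return matches[0] if len(matches) == 1 else None


def account_check(entries, uid, service, authenticated_dn=None,
                  min_uid=25000, lookup_unauthenticated=False):
    """Return (result code, reason) for the PAM "account" step.

    authenticated_dn is the DN bound by a preceding nssov authentication;
    it is None when another module (e.g. pam_krb5) authenticated the user,
    which is the situation in the post.
    """
    dn = authenticated_dn
    if not dn:
        if not lookup_unauthenticated:
            # The short-circuit quoted in the post: no DN, no authorization.
            return PAM_USER_UNKNOWN, "not authenticated by us"
        # Hypothetical alternative: resolve the DN by uid instead.
        dn = find_dn_by_uid(entries, uid)
        if dn is None:
            return PAM_USER_UNKNOWN, "no unique entry for uid %r" % uid
    entry = entries.get(dn)
    if entry is None:
        return PAM_USER_UNKNOWN, "entry %r not found" % dn

    # Assumed semantics of olcNssPamMinUid: entries whose uidNumber is below
    # the threshold are refused by the account check.
    try:
        uid_number = int(entry["uidNumber"][0])
    except (KeyError, ValueError, IndexError):
        return PAM_PERM_DENIED, "entry has no usable uidNumber"
    if min_uid and uid_number < min_uid:
        return PAM_PERM_DENIED, "uid %d below minimum %d" % (uid_number, min_uid)

    # olcNssPam: userservice -- the PAM service name must appear among the
    # entry's authorizedService values; a missing attribute is treated as
    # "no services permitted" (assumption; fail closed).
    if service not in entry.get("authorizedService", []):
        return PAM_PERM_DENIED, "service not permitted"
    return PAM_SUCCESS, "ok"


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user, svc, lookup in [("alice", "sshd", False), ("alice", "sshd", True),
                              ("bob", "sshd", True), ("svc", "sshd", True)]:
        print(user, svc, account_check(directory, user, svc,
                                       lookup_unauthenticated=lookup))
```

Running it reproduces the two behaviours in the post: with no authenticated DN and no lookup, every account check returns the "user unknown" code regardless of the entry's contents; with a uid-based lookup, a user whose entry lacks the service name gets "service not permitted" while a permitted user passes.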