Re: slapo-nssov and authz2dn

[btb@bitrate.net]

i'm hoping a bump might get this on someone's radar it previously missed.

On Oct 19, 2013, at 20.10, BTB@bitrate.net wrote:

> i'm experimenting with the authz2dn setting for olcnsspam:
> 
> dn: olcOverlay={7}nssov,olcDatabase={2}mdb,cn=config
> objectClass: olcConfig
> objectClass: olcNssOvConfig
> objectClass: olcOverlayConfig
> olcOverlay: {7}nssov
> olcNssMap: group uniquemember member
> olcNssPam: authz2dn hostservice
> olcNssPamSession: login
> olcNssPamSession: sshd
> 
> it seems to work, but only if i have no olcauthzregexp attributes, and i see no references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth in the slapd log [using -d -1].  if i add an olcauthzregexp [for example: uid=([^,]*),cn=plain,cn=auth uid=$1,ou=people,ou=accounts,dc=example,dc=com, this seems to break nssov, and i'm unable to login [ssh], with pam denying me:
> 
> Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): nslcd authorisation; user=jdoe
> Oct 19 19:55:23 dsa1 sshd[30458]: pam_ldap(sshd:account): Access denied for this service; user=jdoe
> Oct 19 19:55:23 dsa1 sshd[30458]: fatal: Access denied for user jdoe by PAM account configuration [preauth]
> 
> i don't understand why a seemingly unrelated olcauthzregexp is breaking this, but i'm also not confident i'm using authz2dn properly. man 5 slapo-nssov says "If no mapping is found for this authentication DN, then this mapping will be ignored.", but i don't think i understand that clearly.  is that saying that failure to find a match via an olcauthzregexp mapping is not considered a failure to find a dn?
> 
> if i remove authz2dn [and thus use uid2dn] then presence of the above olcauthzregexp value doesn't break nssov.
> 
> when using -d -1, should i see references to cn=<service>+uid=<user>,cn=<hostname>,cn=pam,cn=auth?  what am i doing wrong?
> 
> thanks
> -ben