On Feb 05, 2010, at 11.59, Kyle Robinson wrote: > On Thu, Feb 4, 2010 at 7:26 PM, ben thielsen <[email protected]> wrote: > >> hi >> >> i'm experimenting with the nssov overlay, and am trying to get the >> hostservice approach working as described in man 5 slapo-nssov. i'm using >> slapd 2.4.18 and the 0.6.11 nss-pam-ldapd stub libraries, both via ubuntu >> packages. >>
... >> >> ssh test: >>> ssh [email protected] hostname --fqdn >> [email protected]'s password: >> under.groundnoise.net >> >> i'm hoping someone can point out what i'm missing or what i might be doing >> wrong. >> >> thanks, >> -ben > > > Turn on debug for pam_unix and pam_ldap in the auth section and check syslog > to make sure it isn't actually pam_unix doing the auth via nss passwd hash. i'm fairly confident that auth isn't happening via pam_unix / nss passwd hash. if i remove the auth line for pam_ldap from the pam config (leaving only pam_unix), authentication fails (other users in local passwd/shadow flat files still work). i also see, in the logs, a pam_unix failure "sshd[10978]: pam_unix(sshd:auth): authentication failure;" prior to success by the ldap module each time authentication occurs. the debug option for the pam_ldap stub library from nss-pam-ldapd is ignored, according to the man page, and adding either debug or audit to pam_unix didn't seem to generate any additional log data. there is plenty of activity in the slap log file, just not the compare operations that i was expecting to see, based on my interpretation of the man page for slapo-nssov.
