The PAM user mapping plugin doesn't currently seem to log any information to /var/log/secure. It would probably be helpful if the plugin had some way to enable verbose logging during testing, so that it would be easier to debug configuration problems.

I expect the best way to implement this would be to create one or more module arguments for the plugin that controls logging. PAM module arguments are explained here:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/PAM_Configuration_Files.html#pam-mod-args

For example, maybe a configuration like this could enable very verbose debugging logging to /var/log/secure:

auth required pam_user_map.so debug

Or if we wanted the ability to specify a specific log, maybe we could do something like this:

auth required pam_user_map.so debug_log=/tmp/pam_user_map.log

But these are just suggestions.