# openssh-ldap schema for 389 # note, it's a bit different than the one for OpenLDAP dn: cn=schema # attributetypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) # objectclasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'MANDATORY: OpenSSH LPK objectclass' MUST uid MAY sshPublicKey ) |
[root@389-ds schema]# chown ldapadmin:ldapadmin 98openssh-ldap.ldif ; chmod 440 98openssh-ldap.ldif |
[root@389-ds schema]# service dirsrv restart Shutting down dirsrv: ca-eval-389-1... [ OK ] Starting dirsrv: ca-eval-389-1... [ OK ] |
[root@389-ds schema]# systemctl restart dirsrv.target [root@389-ds schema]# systemctl status dirsrv.target dirsrv.target - 389 Directory Server Loaded: loaded (/usr/lib/systemd/system/dirsrv.target; enabled; vendor preset: disabled) Active: active since Fri 2016-05-13 11:47:22 PDT; 2s ago May 13 11:47:22 389-ds systemd[1]: Reached target 389 Directory Server. May 13 11:47:22 389-ds systemd[1]: Starting 389 Directory Server. |
# LDIF change record: attach SSH public keys to an existing user entry
# (applied with ldapmodify). Each sshPublicKey value is one authorized_keys line.
# NOTE(review): "add:" APPENDS values. Any sshPublicKey already present on the
# entry stays authorized after this is applied. If the intent is to rotate or
# replace a user's keys, use "replace: sshPublicKey" with the complete new set,
# or pair it with a "delete: sshPublicKey" / "sshPublicKey: <old key>" record,
# so that retired keys actually stop granting access.
dn: uid=zare,l=amer,dc=business,dc=com
changeType: modify
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwXSh2Ho6ujRA7vEL.......Tu1dKm0twFcj+bb611moU1Ynw== zare@server1
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA+iO5Ujd+uYhW9PBNy.........OrnhB+O6Ets59Ad/O8= rsa-key-20150217
[root@389-ds tmp]# ldapmodify -x -W -D "cn=Directory Manager" -f username-changesshkey.ldif Enter LDAP Password: modifying entry "uid=zare,l=amer,dc=business,dc=com" |
# Client side: install authconfig and point NSS (--enableldap) and PAM
# (--enableldapauth) at the directory; --enablemkhomedir creates home
# directories on first login; --update writes the config files.
# NOTE(review): no --enableldaptls (or ldaps:// URL) is given, so password
# authentication against the directory would use plain simple binds. Over a
# cleartext ldap:// connection that exposes passwords on the wire (sssd refuses
# such binds by default; nslcd/pam_ldap do not) -- enable TLS, e.g.
# --enableldaptls --ldaploadcacert=<url>, unless LDAP password auth is
# deliberately not used and logins are key-only.
# yum install authconfig
# authconfig --enableldap --enableldapauth --ldapserver=389-ds.business.com --ldapbasedn="dc=business,dc=com" --enablemkhomedir --update
# /etc/openldap/ldap.conf: defaults used by ldapsearch, and therefore by the
# AuthorizedKeysCommand script, which passes neither -H nor -b.
# NOTE(review): ldap:// with no TLS directives is cleartext. Public-key lookups
# only expose public keys, but any simple bind with a password over this URI
# (e.g. PAM authentication configured elsewhere against the same server) is
# sent in the clear. Prefer ldaps:// or STARTTLS, with TLS_CACERT set and
# TLS_REQCERT demand, so the client also verifies the server it talks to.
BASE dc=business,dc=com
URI ldap://389-ds.business.com
# /etc/nsswitch.conf: resolve accounts, shadow entries and groups from the
# local files first, then from LDAP. Local (files) accounts keep working if
# the directory is unreachable.
passwd: files ldap
shadow: files ldap
group: files ldap
# sshd_config excerpt: fetch authorized keys from the directory instead of
# (in addition to, unless AuthorizedKeysFile is cleared) ~/.ssh/authorized_keys.
# The command is invoked with the login name as its single argument.
# NOTE(review): AuthorizedKeysCommandUser is not set. Depending on the sshd
# version this either makes sshd reject the configuration or skip the command
# entirely (confirm against sshd_config(5) for the installed version). Add a
# dedicated unprivileged account for it, e.g.
#   AuthorizedKeysCommandUser nobody
# so the lookup never runs with more privilege than reading the directory needs.
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/get-sshkey-from-ldap.sh
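#!/bin/sh
# AuthorizedKeysCommand helper: print the sshPublicKey values of the directory
# entry whose uid equals the login name passed as $1, one key per line, in the
# format sshd expects from an authorized_keys source.
#
# sshd hands this script the login name supplied by the *remote client*, so $1
# is untrusted input. Splicing it raw into the search filter is an LDAP filter
# injection: a login name of "*" would match every ldapPublicKey entry and
# return everyone's keys, and ")(...)" rewrites the filter. The value is
# therefore escaped per RFC 4515 before it is used.
#
# Server, base DN and TLS settings come from the system ldap.conf (BASE/URI);
# -x is an anonymous simple bind, so the directory must allow anonymous reads
# of uid and sshPublicKey.
#
# NOTE(review): uid is not guaranteed unique across the tree (e.g. the same uid
# under different l=/ou= containers); the keys of every matching entry are
# printed. Scope the search (-b) or enforce uniqueness server-side if that is
# not acceptable.
#
# Exit status: 0 with keys on stdout; 1 (no output) for an empty or malformed
# login name. A failing ldapsearch produces no keys, which sshd treats as
# "no authorized keys" (fail closed).
set -eu

login="${1:-}"

# Reject empty names and anything containing control characters (including
# newlines): not a valid login, and a newline would break the line-oriented
# escaping below.
[ -n "$login" ] || exit 1
case "$login" in
  *[[:cntrl:]]*) exit 1 ;;
esac

# RFC 4515 filter escaping. Backslash first, then * ( ) so the backslashes
# introduced here are not themselves re-escaped.
esc=$(printf '%s' "$login" \
  | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g')

# ldapsearch wraps long attribute values onto continuation lines that start
# with a single space. The sed program collects those continuations in the
# hold space, re-joins them when the next "sshPublicKey:" line (or the end of
# input) is seen, and strips the attribute name so each output line is one
# authorized_keys entry.
ldapsearch -x "(&(objectClass=ldapPublicKey)(uid=$esc))" sshPublicKey \
  | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'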
# /usr/local/bin/get-sshkey-from-ldap.sh zare ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwXSh2H...shortened...8ksoySiZCzomKuHgpehLDX27o3stqXSCTu1dKm0twFcj+bb611moU1Ynw== ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA+iO5Ujd...shortened ...XyfdbXGoffRM238f/vpqGvYCWIk9ccbxt95etl4OrnhB+O6Ets59Ad/O8= |