SSH Key in 389 Directory Server


The schema is defined in the file 98openssh-ldap.ldif, which is placed in the directory /etc/dirsrv/slapd-389-ds/schema/:
# openssh-ldap schema for 389
# note: it is a bit different than the one for OpenLDAP
dn: cn=schema
attributetypes: (
        NAME 'sshPublicKey'
        DESC 'MANDATORY: OpenSSH Public key'
        EQUALITY octetStringMatch
objectclasses: (
        NAME 'ldapPublicKey' SUP top AUXILIARY
        DESC 'MANDATORY: OpenSSH LPK objectclass'
        MUST uid
        MAY sshPublicKey

Set and verify the ownership and permissions of the schema file.
[root@389-ds schema]# chown ldapadmin:ldapadmin 98openssh-ldap.ldif ; chmod 440 98openssh-ldap.ldif

Restart the dirsrv service.
[root@389-ds schema]# service dirsrv restart
Shutting down dirsrv:
    ca-eval-389-1...                [  OK  ]
Starting dirsrv:
    ca-eval-389-1...                [  OK  ]

[root@389-ds schema]# systemctl restart
[root@389-ds schema]# systemctl status - 389 Directory Server
   Loaded: loaded (/usr/lib/systemd/system/; enabled; vendor preset: disabled)
   Active: active since Fri 2016-05-13 11:47:22 PDT; 2s ago
May 13 11:47:22 389-ds systemd[1]: Reached target 389 Directory Server.
May 13 11:47:22 389-ds systemd[1]: Starting 389 Directory Server.

Logging in to the Console again is needed in order to see the new ObjectClasses and Attributes.

A user's keys can be added via the GUI: first add the ObjectClass, then add the Attribute.

A user's key can also be added via the CLI; for example, create a file username-changesshkey.ldif that reads:
dn: uid=zare,l=amer,dc=business,dc=com
changeType: modify
add: sshPublicKey
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwXSh2Ho6ujRA7vEL.......Tu1dKm0twFcj+bb611moU1Ynw== zare@server1
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA+iO5Ujd+uYhW9PBNy.........OrnhB+O6Ets59Ad/O8= rsa-key-20150217

Then modify the LDAP entry by running the command:
[root@389-ds tmp]# ldapmodify -x -W -D "cn=Directory Manager" -f username-changesshkey.ldif
Enter LDAP Password:
modifying entry "uid=zare,l=amer,dc=business,dc=com"


RPMs needed on the client: openldap-clients, pam_ldap, openldap, nss-pam-ldapd, apr-util-ldap, openldap-devel. Use the command "authconfig" to configure the authentication sources.
# yum install authconfig
# authconfig --enableldap --enableldapauth --ldapbasedn="dc=business,dc=com" --enablemkhomedir --update

The /etc/openldap/ldap.conf needs:
BASE    dc=business,dc=com
URI     ldap://

The /etc/nsswitch.conf needs:
passwd:     files ldap
shadow:     files ldap
group:      files ldap

The /etc/ssh/sshd_config needs:
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/local/bin/

The script "" reads:
#!/bin/sh
# Look up the sshPublicKey values of the uid given as $1 and unfold LDIF continuation lines.
ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
    sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

... and this is how sshd queries a user's public key from LDAP. To test this script, run it with a user account as the argument; you should see the user's key(s).
# /usr/local/bin/ zare
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwXSh2H...shortened...8ksoySiZCzomKuHgpehLDX27o3stqXSCTu1dKm0twFcj+bb611moU1Ynw==
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEA+iO5Ujd...shortened ...XyfdbXGoffRM238f/vpqGvYCWIk9ccbxt95etl4OrnhB+O6Ets59Ad/O8=
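A more defensive version of the lookup above, as an added example in Python that is not the page's script: it escapes the username per RFC 4515 before placing it in the search filter, unfolds LDIF continuation lines, and also handles values that ldapsearch base64-encodes (the `sshPublicKey::` form, which the sed one-liner silently drops). The script name, the `-LLL` flag and the sample LDIF output are assumptions; BASE and URI are still taken from /etc/openldap/ldap.conf as on this page.

```python
#!/usr/bin/env python3
"""Hypothetical AuthorizedKeysCommand helper (not the page's script): print a uid's sshPublicKey values."""
import base64
import re
import subprocess
import sys

# RFC 4515 escaping so a username cannot change the meaning of the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_filter_escape(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_search_argv(uid):
    """argv for ldapsearch; BASE/URI come from ldap.conf as on the page; -LLL (assumed) drops comment lines."""
    flt = "(&(objectClass=ldapPublicKey)(uid=%s))" % ldap_filter_escape(uid)
    return ["ldapsearch", "-x", "-LLL", flt, "sshPublicKey"]

def parse_ssh_keys(ldif):
    """Collect sshPublicKey values from LDIF text, unfolding continuation lines."""
    # LDIF folds long values: a line starting with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    keys = []
    for line in unfolded.splitlines():
        if line.startswith("sshPublicKey:: "):  # '::' = ldapsearch base64-encoded the value
            raw = base64.b64decode(line[len("sshPublicKey:: "):])
            keys.append(raw.decode("utf-8", "replace").strip())
        elif line.startswith("sshPublicKey: "):
            keys.append(line[len("sshPublicKey: "):].strip())
    return keys

# Constructed sample output (not real keys): one folded plain value and one base64
# value, which ldapsearch emits when the stored key carries a trailing space.
KEY2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDkey2 zare@laptop "
SAMPLE_LDIF = (
    "dn: uid=zare,l=amer,dc=business,dc=com\n"
    "sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwXSh2Ho6ujRA7vELCONSTRUC\n"
    " TEDTu1dKm0twFcj+bb611moU1Ynw== zare@server1\n"
    "sshPublicKey:: " + base64.b64encode(KEY2.encode()).decode() + "\n"
)

def main(argv):
    if len(argv) != 2:
        sys.exit("usage: %s <username>" % argv[0])
    out = subprocess.run(build_search_argv(argv[1]), capture_output=True, text=True, check=True)
    for key in parse_ssh_keys(out.stdout):
        print(key)

if __name__ == "__main__":
    main(sys.argv)
```

Note that OpenSSH 6.2 and later refuses to use AuthorizedKeysCommand unless AuthorizedKeysCommandUser is also set in sshd_config, and the command file must be owned by root and not writable by group or others.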
