SSH Integration
SSHLDAP implements its functionality in three steps. First, PAM authentication is integrated with LDAP so that login authentication is handled by the Directory for user accounts with uids above ${SSHLDAP_POSIX_UID_UPPER}. Second, PAM account authorization determines whether the user has access to the host, identified by the hostId configured in /etc/${ziD}/sshldap/.netrc. Third, the module sets up sudo access via /etc/sudoers.d/sshldap, which contains the sudo directives for the group ${hostId}-sudo. This is a mirror group containing every user account allowed to sudo on the server, populated from the members of cn=${hostId}-sudo,${SSHLDAP_SUDO_OPS_DN}.
SSHLDAP runtime scripts log to syslog. To enable debugging, set the SSHLDAP_DEBUG parameter to true in /etc/${ziD}/sshldap/sshldap-config.properties.
LDAP Schema
SSHLDAP applies a schema to the Directory for public key processing, together with the ACIs and entries it requires to perform its functions. The first LDIF fragment below grants the principal named by ${SSHLDAP_ACI_DN} read access to the membership, key and account-status attributes under ${SSHLDAP_BASE_DN}, and gives cn=sshldap_admins full control of the Groups, Layers, Hosts, Sudoers and Variables OUs. The second fragment creates the service_sshldap service account, the sshldap_admins group, the OUs and the two posixAccount_idx/posixGroup_idx counter entries. The third adds the sshPublicKey attribute type and the ldapPublicKey auxiliary object class.

```ldif
dn: "${SSHLDAP_BASE_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_BASE_DN}") (targetattr = "isMemberOf || memberOf || sshPublicKey || inetUserStatus || pwdAccountLockedTime || ds-pwp-account-disabled") (version 3.0; acl "sshldap read attributes ${SSHLDAP_BASE_DN}"; allow (search, read)(${SSHLDAP_ACI_DN_TYPE} = "ldap:///${SSHLDAP_ACI_DN}");)

dn: "${SSHLDAP_GROUPS_OPS_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_GROUPS_OPS_DN}") (targetattr = "*") (version 3.0; acl "sshldap administer ou=Groups"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)

dn: "${SSHLDAP_LAYERS_OPS_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_LAYERS_OPS_DN}") (targetattr = "*") (version 3.0; acl "sshldap administer ou=Layers"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)

dn: "${SSHLDAP_HOSTS_OPS_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_HOSTS_OPS_DN}") (targetattr = "*") (version 3.0; acl "sshldap administer ou=Hosts"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)

dn: "${SSHLDAP_SUDO_OPS_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_SUDO_OPS_DN}") (targetattr = "*") (version 3.0; acl "sshldap administer ou=Sudoers"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)

dn: "${SSHLDAP_VARS_OPS_DN}"
changetype: modify
add: aci
aci: (target = "ldap:///${SSHLDAP_VARS_OPS_DN}") (targetattr = "*") (version 3.0; acl "sshldap administer ou=Variables"; allow(all)(groupdn = "ldap:///cn=sshldap_admins,${SSHLDAP_GROUPS_OPS_DN}");)
```
```ldif
dn: uid=service_sshldap,"${SSHLDAP_SVCS_OPS_DN}"
objectClass: top
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
cn: service_sshldap
sn: service_sshldap
uid: service_sshldap
userPassword: "${localSvcSLPasswd}"

dn: cn=sshldap_admins,"${SSHLDAP_GROUPS_OPS_DN}"
objectClass: top
objectClass: groupOfUniqueNames
objectClass: posixGroup
cn: sshldap_admins
uniqueMember: uid=service_sshldap,"${SSHLDAP_SVCS_OPS_DN}"
gidNumber: $((SSHLDAP_POSIX_GUID_UPPER-1))

dn: "${SSHLDAP_HOSTS_OPS_DN}"
objectClass: top
objectClass: organizationalUnit
ou: Hosts

dn: "${SSHLDAP_LAYERS_OPS_DN}"
objectClass: top
objectClass: organizationalUnit
ou: Layers

dn: "${SSHLDAP_SUDO_OPS_DN}"
objectClass: top
objectClass: organizationalUnit
ou: Sudoers

dn: "${SSHLDAP_VARS_OPS_DN}"
objectClass: top
objectClass: organizationalUnit
ou: Variables

################################################
#
# Variables
#
################################################
dn: cn=posixAccount_idx,"${SSHLDAP_VARS_OPS_DN}"
objectClass: top
objectClass: posixGroup
cn: posixAccount_idx
gidNumber: ${SSHLDAP_POSIX_GUID_UPPER}
ou: Variable

dn: cn=posixGroup_idx,"${SSHLDAP_VARS_OPS_DN}"
objectClass: top
objectClass: posixGroup
cn: posixGroup_idx
gidNumber: ${SSHLDAP_POSIX_UID_UPPER}
ou: Variable
```
```ldif
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
  NAME ( 'sshPublicKey' )
  DESC 'MANDATORY: OpenSSH Public key'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40
  EQUALITY octetStringMatch
  X-ORIGIN 'zibernetics package for authentication'
  USAGE userApplications )

dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
  NAME ( 'ldapPublicKey' )
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  SUP top
  AUXILIARY
  MAY ( sshPublicKey $ uid )
  X-ORIGIN 'zibernetics package for authentication' )
```
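The following is an added example written for this page; it is not code from the SSHLDAP package. It shows what a consumer of the schema above (an AuthorizedKeysCommand-style script for sshd) has to check before handing a key to sshd: the POSIX uid cut-off, the account-status attributes the read ACI exposes (inetUserStatus, pwdAccountLockedTime, ds-pwp-account-disabled), membership in the host and ${hostId}-sudo groups, and that each sshPublicKey value really is an OpenSSH key whose embedded type matches its prefix. Assumptions not taken from the page: the LDAP entry is supplied as LDIF text rather than fetched over a bind, the host login group is assumed to be cn=<hostId> under the Hosts OU, the sudoers directive form is assumed, and the DNs, uid threshold and sample user are stand-ins constructed inline.

```python
"""Added example, not part of SSHLDAP: AuthorizedKeysCommand-style gating on
the SSHLDAP schema.  Assumed (not from the page): entry arrives as LDIF text,
host login group is cn=<hostId> under the Hosts OU, sudoers directive form."""
import base64
import binascii
import re
import struct

POSIX_UID_UPPER = 10000                    # stand-in for ${SSHLDAP_POSIX_UID_UPPER}
HOSTS_DN = "ou=Hosts,dc=example,dc=com"    # stand-in for ${SSHLDAP_HOSTS_OPS_DN}
SUDO_DN = "ou=Sudoers,dc=example,dc=com"   # stand-in for ${SSHLDAP_SUDO_OPS_DN}


def _ssh_blob(keytype: bytes, *fields: bytes) -> bytes:
    """Encode an OpenSSH public-key blob: length-prefixed type, then fields."""
    out = struct.pack(">I", len(keytype)) + keytype
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return out


# Constructed sample entry; an all-zero ed25519 point is fine for a format check.
SAMPLE_ED25519 = "ssh-ed25519 " + base64.b64encode(
    _ssh_blob(b"ssh-ed25519", bytes(32))).decode() + " alice@laptop"
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 10042
inetUserStatus: Active
isMemberOf: cn=web01,{HOSTS_DN}
isMemberOf: cn=web01-sudo,{SUDO_DN}
sshPublicKey: {SAMPLE_ED25519}
sshPublicKey: ssh-rsa notbase64!!! broken
"""


def parse_ldif_entry(text: str) -> dict:
    """Single-entry LDIF into {attr_lower: [values]}.  Folded lines and
    base64 ('::') values are not handled; a real reader must add both."""
    entry: dict = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def valid_public_key(line: str) -> bool:
    """True iff 'type base64 [comment]' decodes and the blob's embedded type
    equals the leading type (rejects mangled values and type/blob mismatches)."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return False
    keytype, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(blob) < 4:
        return False
    (n,) = struct.unpack(">I", blob[:4])
    return n == len(keytype) and blob[4:4 + n] == keytype.encode()


def account_enabled(entry: dict) -> bool:
    """Status attributes the read ACI exposes; any lock or disable flag wins.
    A missing inetUserStatus is treated as Active (assumption)."""
    if entry.get("inetuserstatus", ["Active"])[0].lower() != "active":
        return False
    if entry.get("ds-pwp-account-disabled", ["false"])[0].lower() == "true":
        return False
    return "pwdaccountlockedtime" not in entry


def host_access(entry: dict, host_id: str) -> tuple:
    """(may_login, may_sudo) from isMemberOf; sudo group DN follows the page."""
    groups = {g.lower() for g in entry.get("ismemberof", [])}
    login = f"cn={host_id},{HOSTS_DN}".lower() in groups
    sudo = f"cn={host_id}-sudo,{SUDO_DN}".lower() in groups
    return login, sudo


def authorized_keys(ldif_text: str, host_id: str,
                    uid_upper: int = POSIX_UID_UPPER) -> list:
    """Keys sshd may accept; an empty list means deny / fall through."""
    entry = parse_ldif_entry(ldif_text)
    uid_number = int(entry.get("uidnumber", ["0"])[0])
    if uid_number <= uid_upper:      # at or below the cut-off: local account
        return []
    if not account_enabled(entry):
        return []
    if not host_access(entry, host_id)[0]:
        return []
    return [k for k in entry.get("sshpublickey", []) if valid_public_key(k)]


def sudoers_line(host_id: str) -> str:
    """Directive for the mirror group (assumed form).  hostId comes from
    config, so refuse anything that could break out of a sudoers group name."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", host_id):
        raise ValueError(f"unsafe hostId for sudoers: {host_id!r}")
    return f"%{host_id}-sudo ALL=(ALL) ALL"


if __name__ == "__main__":
    for key in authorized_keys(SAMPLE_LDIF, "web01"):
        print(key)
    print(sudoers_line("web01"))
```

Run stand-alone it prints the one well-formed key for alice on web01 and the sudoers line; the malformed ssh-rsa value is dropped rather than passed through to sshd, and the same user gets no keys at all on a host whose group she is not in.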