Configuration

Setting up a SSHLDAP instance consists of defining your LDAP schema according to a predefined set of variables in a file (sshldap-config.properties) that is sourced before running the install script. These variables are as follows:

Variable	Description	Recommended Value
SSHLDAP_BASE_DN	This defines the base location to search for Users, Groups, and Hosts.	dc=${ziD},dc=com, where zID is the ziNet ID
SSHLDAP_BASE_TENANT_DN	This is the location of the tenant container. This allows SSHLDAP to support multi-tenant applications.	dc=tenants,${SSHLDAP_BASE_DN}
SSHLDAP_BASE_OPS_DN	This is the location of the base LDAP container that holds SSH-specific LDAP Groups (for example a Host is an LDAP group).	dc=ops,${SSHLDAP_BASE_DN}
SSHLDAP_USERS_TENANT_DN	This is the location of the User accounts for a specific tenant.	ou=People,ou=${localTenantId},${SSHLDAP_BASE_TENANT_DN}, where localTenantId is the current tenantID.
SSHLDAP_GROUPS_TENANT_DN	This is the location of Groups for a specific tenant.	ou=Groups,ou=${localTenantId},${SSHLDAP_BASE_TENANT_DN}
SSHLDAP_GROUPS_OPS_DN	This is the location of SSHLDAP Groups entities.	ou=Groups,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_LAYERS_OPS_DN	This is the location of SSHLDAP Layer entities.	ou=Layers,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_HOSTS_OPS_DN	This is the location of SSHLDAP Host entities.	ou=Hosts,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_SVCS_OPS_DN	This is the location that the SSHLDAP admin service account should be placed.	ou=ServiceAccounts,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_SUDO_OPS_DN	This is the location of SSHLDAP Sudo entities. This provides sudo access to a server.	ou=Sudoers,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_VARS_OPS_DN	This is the location of SSHLDAP variables for keeping track of the next available posixGroup or posixAccount counters. This helps to keep unique IDs.	ou=Variables,${SSHLDAP_BASE_OPS_DN}
SSHLDAP_POSIX_UID_UPPER	This is the upper limit that local Linux accounts are assigned. As new SSHLDAP entities are created this counter will be the first available ID to be assigned to that entity.	Must be a unique number greater than the highest uidNumber for all servers that will be setup using SSHLDAP. Normally 2000 is sufficient. But this depends on your specific environment.
SSHLDAP_POSIX_GUID_UPPER	This is the upper limit that local Linux groups are assigned. As new SSHLDAP entities are created this counter will be the first available ID to be assigned to that entity.	Must be a unique number greater than the highest gidNumber for all servers that will be setup using SSHLDAP. Normally 2000 is sufficient. But this depends on your specific environment.
SSHLDAP_LDAP_FMT_OPTIONS	LDAP search options	"-LLL -o nettimeout=10 -o ldif-wrap=no"
SSHLDAP_LDAP_SERVER_URI	This is the location of the SSHLDAP LDAP server.	ldaps://prod-ds1.ops.<your domain>.com:1636
SSHLDAP_SECURITY_GRPS	This is a comma separated list of local (NOT LDAP) Linux groups that should be allowed access to server. This variable enables existing legacy groups which have local logins to continue to have access to the server after SSHLDAP is isntalled.	Varies. For Amazon Web Services EC2 Ubuntu instances, this value should be "ubuntu". That user account that all EC2 instances are spun up with.
SSHLDAP_PASSWD_SERVER_URI	This is the URI of a server that will be used for password changes rather than ldappasswd.
SSHLDAP_ACI_DN_TYPE	This variable is used to construct a LDAP ACI that provides access to the LDAP password attributes. This allows for suppression of these attributes within the directory, but then provide a limited set of users access to the attributes. This is used on conjunction with SSHLDAP_ACI_DN.	"userdn" or "groupdn" See: https://backstage.forgerock.com/#!/docs/opendj/2.6.0/admin-guide/chap-privileges-acis
SSHLDAP_ACI_DN	The following is an example: dn: dc=${ziD},dc=com changetype: modify add: aci aci: (target = "ldap:///dc=${ziD},dc=com") (targetattr = "isMemberOf \|\| memberOf \|\| sshPublicKey \|\| inetUserStatus \|\| pwdAccountLockedTime \|\| ds-pwp-account-disabled") (version 3.0;acl "sshldap read attributes dc=${ziD},dc=com"; allow (search, read)(${SSHLDAP_ACI_DN_TYPE} ="ldap:///${SSHLDAP_ACI_DN}");)	"anyone" or an LDAP DN. See: https://backstage.forgerock.com/#!/docs/opendj/2.6.0/admin-guide/chap-privileges-acis

Scripts

Script: install-sshldap.sh

This script sets up SSHLDAP on a server.

Result: 0 for success

Prerequisite: The install-zinet.sh and install-pki.sh scripts must have been run.

Parameter	Description	Default	Mandatory
-c Config Directory	The configuration directory containing the following files: sshldap-config.properties (required) *-cacert.crt (optional - a CA certificate to install if not using the ziNet PKI module)	N/A	Yes
-i hostID	This is the SSHLDAP Fabric hostID.	N/A	Yes
-t tenantID	This is a tenant ID. This is used to find Users and Group containers in the Directory as outlined above. e.g. SSHLDAP_USERS_TENANT_DN SSHLDAP_GROUPS_TENANT_DN	N/A	Yes
-a service_sshldap account password	This is the password for the default service account defined by this DN: uid=service_sshldap,${SSHLDAP_SVCS_OPS_DN}. Is this is not passed in, then the default behavior of the Directory Server must be to allow anonymous binds. In addition, you should set SSHLDAP_ACI_DN_TYPE=userdn and SSHLDAP_ACI_DN=anyone	N/A	No
-A service_sshldap account password file	A file containing the password for the default service account. The same rules apply as the '-a' parameter.	N/A	No

Script: sshldap-add-fabric.sh

This script will add a new fabric to SSHLDAP.

Prerequisite: SSHLDAP must have been installed with install-sshldap.sh

Result: 0 for success

Parameter	Description	Default	Mandatory
-l fabric config	A file containing a Fabric config
-D admin user DN	An admin user bind DN. This user must be able to perform modifies to any parts of the directory dpecified in the fabric config file.	N/A	Yes
-w admin user password	Admin user password.	N/A	No
-W	Prompt for a password. The default behavior will be to prompt for a password.	true	No
-y admin user password file	A file containing the admin user's password	N/A	Np

Script: sshldap-authn.sh

This script will perform a authentication for the user credentials passed in the parameters.

Result: 0 for successful authentication

Parameter	Description	Default	Mandatory
userId	This is the userID for the account to validate in the Directory Server. This will be in an account specified by $SSHLDAP_USERS_TENANT_DN.	The "login" attribute of the current user's .netrc file.	No
userPasswd	This is the password for the userID.	The "password" attribute of the current user's .netrc file.	No

Script: sshldap-authz.sh

This script will perform authorization of the given user against the current host.

Result: 0 for successful authorization

Parameter	Description	Default	Mandatory
userId (if called directly)	This is the userID for the account to validate in the Directory Server. This will be in an account specified by $SSHLDAP_USERS_TENANT_DN.	N/A	No
${PAM_USER} (if called by PAM)	See above	The "machine" attribute of the /etc/${ziD}/sshldap/.netrc file.	No

Script: sshldap-pubkey.sh

This script returns the sshpub key from the Directory Server for the given user.

Result: All SSH pubkeys on a separate line for each key.

Parameter	Description	Default	Mandatory
userId (if called directly)	This is the userID for the account to retrieve the ssh pubkey from the Directory Server.	N/A	No

Page:
SSHLDAP Setup (ziNet)
Page:
SSHLDAP Runtime (ziNet)
Page:
Linux Server Fabric (ziNet)
- sshldap
- fabric