CentOS · open ldap · Public key · SSH

Open LDAP and SSH Public key in CentOS6.2

Author: Kevin Zhang
Thanks to this guide for CentOS 6.2: http://blog.johnalvero.com/2012/03/ldap-server-installation-for-openssh.html (Centralize the administration of Linux accounts / Centralize the administration of sudo access)
Thanks to everyone in the open source community.

#edit CentOS network
vi /etc/resolv.conf //DNS
vi /etc/sysconfig/network-scripts/ifcfg-eth0 //NIC IP
vi /etc/networks //Route
#restart network service
/etc/init.d/network restart
#stop security services
setenforce permissive
service iptables stop

#Update software repository.
yum -y update

#Install LDAP packages
yum install openldap-servers openldap-clients -y

#Generate the ldap admin password
slappasswd -s mysecret
{SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7       //copy this hash; it is pasted into the config files in the following steps
Note: mysecret is now your Manager password; you will use it to run administrative commands. The line printed after it is the corresponding hash. Use the hash in the following steps.

#TLS settings
sed -i 's/dc=my-domain,dc=com/dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
# Also, add the password and TLS settings in the file
cat <<'EOF' >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
olcTLSCertificateFile: /etc/pki/tls/certs/slapdcert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/certs/slapdkey.pem
EOF

#Also add a password for the "cn=admin,cn=config" user
cat <<'EOF' >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif
olcRootPW: {SSHA}cFJqdWOeG4b1p3bJFGSds5QKGw8faPd7
EOF

#Monitor configuration
sed -i 's/cn=manager,dc=my-domain,dc=com/cn=Manager,dc=netbrain,dc=com/g' /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{1\}monitor.ldif

#DB config
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap/

#Generate SSL keys
openssl req -new -x509 -nodes -out /etc/pki/tls/certs/slapdcert.pem -keyout /etc/pki/tls/certs/slapdkey.pem -days 365
chown -Rf root.ldap /etc/pki/tls/certs/slapdcert.pem
chown -Rf root.ldap /etc/pki/tls/certs/slapdkey.pem

#Schemas: Add the openssh-lpk schema (the OIDs are those of the upstream openssh-lpk schema)
cat <<'EOF' > /etc/openldap/slapd.d/cn=config/cn=schema/cn={21}openssh-lpk.ldif
dn: cn={21}openssh-lpk
objectClass: olcSchemaConfig
cn: {21}openssh-lpk
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC 'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ uid ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 135574f4-bda0-102f-9362-0b01757f31d8
creatorsName: cn=config
createTimestamp: 20110126135819Z
entryCSN: 20110126135819.712350Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20110126135819Z
EOF

Create the base entry file base.ldif (e.g. with vi base.ldif) and enter:
dn: dc=netbrain,dc=com
dc: netbrain
objectClass: top
objectClass: domain

#We can now start the services and add the entries:
chkconfig slapd on
service slapd start
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f base.ldif
ldapadd -x -W -D "cn=Manager,dc=netbrain,dc=com" -f newsudoers.ldif

#Try searching to verify
ldapsearch -x -b "dc=netbrain,dc=com"
ldapsearch -H "ldap://" -x -b "dc=netbrain,dc=com"

#Configuring ssh-lpk Clients
yum install openssh-ldap nss-pam-ldapd

#Setup LDAP config. This will modify various LDAP files including that of PAM
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap:// --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
# Or, you can use the curses-based application (authconfig-tui). Enable the options used in the command above, but note that --enablemkhomedir is not available in authconfig-tui

#Allow SSH public-key login
cat <<'EOF' > /etc/ssh/ldap.conf
uri ldap://
base dc=netbrain,dc=com
ssl no
EOF
cat <<'EOF' >> /etc/ssh/sshd_config
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandRunAs nobody
EOF

#Tell the system to look up sudoers info from LDAP first, then from files
echo 'sudoers: ldap files' >> /etc/nsswitch.conf
cat <<'EOF' >> /etc/nslcd.conf
sudoers_base ou=sudoers,dc=netbrain,dc=com
EOF

#Restart sshd
service sshd restart

#Install phpldapadmin or LAM (LDAP Account Manager, an excellent web-based LDAP management tool): add the EPEL repo and ask yum to install it
//Fetch the epel-release RPM for your release; look for a newer version if the wget of this one fails
rpm -ivh epel-release-6-5.noarch.rpm
#start Apache
service httpd restart

Install http://www.ldap-account-manager.org/ as an alternative to phpldapadmin: download the RPM for CentOS/Fedora and install it. The LAM instructions follow.
  • The address of ldap-account-manager is http://yourip/lam/ ; you can manage your LDAP accounts there now.
  • Edit the server profile for the LAM to LDAP connection
  • Enter the LAM default password: lam , and click 'Ok'
  • Modify server address, Tree suffix, List of valid users
  • Modify the LDAP suffix of Users and Groups
  • Remove the Hosts and Samba domain options with the red 'x'
  • Remove the 'Samba 3' items from Users and Groups
  • Add 'SSH Public Key' to Users from the Available modules to extend LAM's ability to manage SSH public keys
  • Return to the login page after you click the 'Save' button; log in with the LDAP root password: mysecret
  • Create Groups first
  • Create users
  • Public key setting in User
Notice: a PuTTYGen-generated key is in a format like:
Comment: "rsa-key-20121022"

Convert the text to the OpenSSH one-line form:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAhGF6GIuMY8FJ1+CNApnSY1N2YSlkYz72Yvwua6N1nFpBklz1+dsIMg4rcTLcF34M/tW5Yz+NUDAw2AEbxQ32FPgw7sAOIXktkYOHtr7mmimiTjkoSCrJh1kqalPSpi8rglT/Bp67Ql2SZwvUFfMzHISryR0EZC4rXP/uvObrJe8=
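The AuthorizedKeysCommand configured above hands sshd whatever sshPublicKey values come back from LDAP, so a key pasted in PuTTYGen's format (the case just described) never matches. This added example (my code, not the post's and not openssh-ldap's helper) parses ldapsearch-style LDIF output and keeps only well-formed OpenSSH one-line keys; the user, DN and key material are constructed, and the ssh-rsa blob uses toy e and n values.

```python
import base64

def wire_blob(key_type, *fields):
    """SSH public-key blob: every part is a 4-byte big-endian length followed by its bytes."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in (key_type, *fields))

# Constructed sample (not from the post): a toy ssh-rsa blob stored plainly, then as
# ldapsearch prints a value it base64-encodes ("::") and folds over two lines, then a
# PuTTYGen-format key pasted unchanged into LAM.
GOOD_KEY = "ssh-rsa " + base64.b64encode(wire_blob(b"ssh-rsa", b"\x03", b"\x05")).decode() + " kevin@laptop"
GOOD_KEY_B64 = base64.b64encode(GOOD_KEY.encode()).decode()
SAMPLE_LDIF = (
    "dn: uid=kevin,ou=People,dc=netbrain,dc=com\n"
    "sshPublicKey: " + GOOD_KEY + "\n"
    "sshPublicKey:: " + GOOD_KEY_B64[:24] + "\n"
    " " + GOOD_KEY_B64[24:] + "\n"
    "sshPublicKey: ---- BEGIN SSH2 PUBLIC KEY ----\n"
    'sshPublicKey: Comment: "rsa-key-20121022"\n'
)

def ldif_values(ldif, attr):
    """All values of attr: unfold RFC 2849 continuation lines, decode '::' base64 values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: drop the leading space and join
        else:
            lines.append(raw)
    values = []
    for line in lines:
        if line.startswith(attr + ":: "):
            values.append(base64.b64decode(line[len(attr) + 3:]).decode("utf-8"))
        elif line.startswith(attr + ": "):
            values.append(line[len(attr) + 2:])
    return values

def is_openssh_key(value):
    """Accept only 'type base64blob [comment]' whose blob really begins with that type."""
    fields = value.split(None, 2)
    if len(fields) < 2:
        return False
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:                   # binascii.Error is a ValueError subclass
        return False
    n = int.from_bytes(blob[:4], "big")  # length of the type string inside the blob
    return 4 + n < len(blob) and blob[4:4 + n].decode("ascii", "replace") == fields[0]

def authorized_keys(ldif):
    """What an AuthorizedKeysCommand should hand to sshd: only well-formed keys, in order."""
    return [v.strip() for v in ldif_values(ldif, "sshPublicKey") if is_openssh_key(v.strip())]
```

Running authorized_keys(SAMPLE_LDIF) yields the two good copies and drops both PuTTYGen lines.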

#Debug LDAP in CentOS:
more /var/log/secure
find . -name slapd
path/slapd -V -d debuglevel

Ubuntu check authentication log:
more /var/log/auth.log

#Actions after you boot up:
setenforce permissive
service iptables stop
/etc/init.d/slapd start
authconfig --disablenis --enablemkhomedir --enableshadow --enablelocauthorize --enableldap --ldapserver=ldap:// --enablemd5 --ldapbasedn=dc=netbrain,dc=com --updateall
service httpd start

Thanks Guide in Ubuntu:  
I failed to run LDAP with openssh-lpk on it because I couldn't download the OpenSSH source code to enable the AuthorizedKeysCommand option in sshd.conf.
First of all, when you start the LDAP installation under Ubuntu, configure /etc/hosts and change the entry to FQDN format: ldap.netbrain.com ldap
OpenLDAP takes the dc from this entry automatically.

If you get this error message:
$ sudo slapindex
   Runnig as root!
   There's a fair chance slapd will fail to start.
   Check file permissions!
Try: sudo -u openldap slapindex

