SSH server ldap user


The idea is to use a LDAP server to manage users and groups to ease the maintenance and administration.

  • Only 1 group of users is allowed to connect
  • Access can be dynamically and easily granted

SSH LDAP server authentication

Server side requirements

You need to have a LDAP server with both the "memberOf" and "Reference Integrity" overlays enabled.

You also need to create some group for SSH users, this must be a groupOfNames - i.e not a posixGroup !!!

==> Every member of the "ssh-users" group will be able to log-in to the server

Client side requirements

You must allow the SSH authentication by password

LDAP client installation

Install LDAP pam client

apt-get install libpam-ldap nscd ldap-utils

Questions / Answers

  • LDAP URI? ldap:// || ldap://
  • Distinguished Name: dc=daxiongmao,dc=eu
  • LDAP version to use? 3
  • Make local root DB admin? Yes
  • Does LDAP require login? No
  • LDAP account for root: cn=admin,dc=daxiongmao,dc=eu
  • LDAP root password: ROOT_PWD

[!] You can either use IP @ or name for LDAP server

[!] All these settings are available in /etc/ldap.conf

[!] If you make a mistake and need to change a value, you can go through the menu again by issuing this command:

dpkg-reconfigure ldap-auth-config

Enable LDAP authentication

LDAP as authentication server

vim /etc/ldap/ldap.conf

Adjust the file like that:

BASE dc=daxiongmao,dc=eu
URI ldap://        ||     ldap://

DEREF never

Allow LDAP lookups


auth-client-config -t nss -p lac_ldap

Manual approach

vim /etc/nsswitch.conf

  • Replace "compat" by "files ldap"
  • "files" allows sudo to check its local configuration before checking the LDAP-based

LDAP user's home

This will create the LDAP user's home on server login.

Edit configuration file

vim /etc/pam.d/common-session

Add the following line BEFORE (~ line 28)

session required skel=/etc/skel umask=0022

LDAP client configuration

Edit LDAP's client configuration:

vim /etc/ldap.conf

Increase security

Uncomment / comment

bind_policy soft                   ~ line 72

#pam_password md5                  ~ line 131
pam_password crypt                 ~ line 138

LDAP schema binding

-- The following content depends on your configuration --

Uncomment and adjust the following lines:

pam_filter objectclass=posixAccount			~ line 80
pam_login_attribute uid                                 ~ line 83

nss_base_passwd         ou=people,dc=daxiongmao,dc=eu?one                   ~ line 173
nss_base_group          ou=groups,dc=daxiongmao,dc=eu?sub?gidNumber=*       ~ line 175
nss_base_hosts          ou=hosts,dc=daxiongmao,dc=eu                        ~ line 175
nss_base_netgroup       ou=groups,dc=daxiongmao,dc=eu                       ~ line 185

[!] Note that the "passwd" (= user binding) must use the one scope ; the groups binding can use the sub scope.

allow LDAP Group ID

This will allow use to LDAP Group ID = you don't have to create a local group with the same GID.

vim /etc/nsswitch.conf

Replace: "netgroup: nis" by

netgroup: nis ldap

Restart NSCD

/etc/init.d/nscd restart

Installation check

Get all data

ldapsearch -x

Get user list

getent passwd

Get user settings

getent passwd <user>

Get list of SSH users

getent group ssh-users

Login as LDAP user

su <user>

It should work smoothly ! :)

It might not even ask for a password !!! (Normal: you didn't restarted PAM so far)

Overall config check

You need to reboot your computer to enable all LDAP settings, including security !

SSH test

Test to SSH to the server using one LDAP account.

Since there is no filter (yet) all LDAP users should be able to log-in.

Local test

su <user>

>> It should ask for a password

LDAP group filter

Edit LDAP configuration

vim /etc/ldap.conf

Adjust the user binding (nss_base_passwd).

Single group binding

nss_base_passwd         ou=people,dc=daxiongmao,dc=eu?one?memberof=cn=ssh-users,ou=groups,dc=daxiongmao,dc=eu

[!] you need a LDAP server with MemberOf enable !!

[!] mind the case  ! overlay + {CN,OU,DC} in lower case !!

[!] you can only apply the scope "one" for it to work

Multi group binding

nss_base_passwd         ou=people,dc=daxiongmao,dc=eu?one?memberof=cn=ssh-users,ou=groups,dc=daxiongmao,dc=eu


All the changes in /etc/ldap.conf are read on real-time. You should be able to test them right away !

Only the "ssh-users" group's member should be able to log-in into the server now !



User filters: