Authentication of Ezeelogin gateway users using public keys fetched from an OpenLDAP server

Integrate SSH public key authentication on the Ezeelogin gateway server by fetching each user's public key from the OpenLDAP server, so that SSH key based authentication is managed centrally in LDAP.

1. First, extend the OpenLDAP server's schema with the sshPublicKey attribute and the ldapPublicKey object class for users (the standard openssh-lpk schema, with its OIDs):

root@ldapserver:~# cat << 'EOL' > ~/openssh-lpk.ldif
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
  DESC 'MANDATORY: OpenSSH Public key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
  DESC 'MANDATORY: OpenSSH LPK objectclass'
  MAY ( sshPublicKey $ uid ) )
EOL

2. Load the LDIF into the running server's configuration (cn=config) over the local socket:

root@ldapserver:~# ldapadd -Y EXTERNAL -H ldapi:/// -f ~/openssh-lpk.ldif

3. Log in to the GUI of your LDAP server. Create a user with the “Generic: User Account” template and select the user "jake".

4. Go to the “objectClass” attribute section, click “add value”, and choose the “ldapPublicKey” object class.

5. After you submit, go back to the user edit page, click “Add new attribute” at the top, choose “sshPublicKey”, paste the user's public key into the text area, and finally click “Update Object”.


6. Create the script /usr/local/fetchsshkeys on your Ezeelogin server. sshd passes the login name as its only argument, and the script prints that user's public key fetched from LDAP:

#!/bin/sh
# Look up the sshPublicKey attribute of the user name passed as $1, then use sed
# to join the wrapped LDIF continuation lines (leading space) back into one key.
ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"$1"'))' 'sshPublicKey' | \
sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Ensure that the public key of the user jake is fetched from the OpenLDAP server by running the following command:

root@jumpserver:~# ldapsearch -x '(&(objectClass=ldapPublicKey)(uid='"jake"'))' 'sshPublicKey' | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'

Install the script on your system and make it executable by running: chmod 0500 /usr/local/fetchsshkeys

sshd refuses to run an AuthorizedKeysCommand unless the file is owned by root and not writable by group or others, so keep the ownership and mode as above.

7. Make sure your /etc/ldap/ldap.conf or /etc/openldap/ldap.conf file points to the right OpenLDAP server. For example:

BASE dc=example,dc=com
URI ldap://

8. Add the following lines to the sshd_config file on the gateway server so that sshd calls the script, then reload sshd for the change to take effect:

AuthorizedKeysCommand /usr/local/fetchsshkeys
AuthorizedKeysCommandUser root

The sshd_config manual recommends running the command as a dedicated user that has no other role on the host; running it as root works, but widens what a bug in the script could do.

9. Now the user "jake" will be authenticated using the public key fetched from the OpenLDAP server.

Make sure that ldapsearch is installed on your Ezeelogin server (package ldap-utils on Debian/Ubuntu, openldap-clients on RHEL/CentOS).
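A hardened version of the fetchsshkeys script from step 6, added here as an example rather than Ezeelogin's own script: it validates the login name before splicing it into the LDAP filter, joins wrapped LDIF lines, decodes base64-encoded values, and returns every key stored for the user instead of only the last one. The LDIF at the bottom is a constructed sample; ldapsearch is only invoked when a user name is passed on the command line.

```shell
#!/bin/sh
# Hardened replacement for /usr/local/fetchsshkeys (added example, not Ezeelogin's
# own script). sshd runs it as "AuthorizedKeysCommand /usr/local/fetchsshkeys %u"
# and reads the keys it prints on stdout, one per line.

# Accept only plain POSIX login names before the value is spliced into the LDAP
# filter: the article's one-liner interpolates "$1" unescaped, so a value holding
# '*', '(' or ')' could change what the filter matches.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_.-]{0,31}$'
}

# Turn ldapsearch LDIF into one sshPublicKey value per line: continuation lines
# (leading space) are joined to the previous line, base64-encoded values
# ("sshPublicKey:: ...") are decoded, every key is kept (the article's sed keeps
# only the last), and anything that is not a bare OpenSSH key line is dropped
# so an LDAP entry cannot smuggle in authorized_keys options.
extract_keys() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) printf '%s' "${line#sshPublicKey:: }" | base64 -d; echo ;;
            'sshPublicKey: '*)  printf '%s\n' "${line#sshPublicKey: }" ;;
        esac
    done |
    grep -E '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( [^ ].*)?$'
}

# Anonymous simple bind as in the article; BASE and URI come from ldap.conf.
# -LLL prints plain LDIF without comments or the version header.
fetch_keys() {
    valid_username "$1" || return 1
    ldapsearch -x -LLL "(&(objectClass=ldapPublicKey)(uid=$1))" sshPublicKey | extract_keys
}

# Constructed ldapsearch output for "jake": two keys, the first wrapped by LDIF.
SAMPLE_LDIF='dn: uid=jake,ou=people,dc=example,dc=com
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial0000000000 jake@lap
 top
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterial jake@desk
'

# Called by sshd with the login name; when run without arguments (e.g. to test
# extract_keys on SAMPLE_LDIF), nothing is executed.
if [ "$#" -eq 1 ]; then
    fetch_keys "$1"
fi
```

To try the parsing step without an LDAP server, pipe SAMPLE_LDIF into extract_keys; the two keys come out on separate lines with the wrapped comment "jake@laptop" rejoined.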
