Setting up OpenLDAP client server with SSH access on Ubuntu 14.04

This post documents how to set up an OpenLDAP client server (Ubuntu 14.04) that can make its OpenSSH server to load authorized keys from a pre-configured OpenLDAP server with ldaps:// available (discussed in the previous post, please read this first if you haven’t). Users are able to SSH access this client server, while their SSH public keys are stored on the OpenLDAP server. The SSH authentication process on the client server is mainly facilitated by ssh-ldap-pubkey.

Install packages

apt-get -y install libpam-ldap nscd ldap-utils
apt-get -y install python-pip python-ldap
pip install ssh-ldap-pubkey

Configure SSH server

  • Add the following lines to /etc/ssh/sshd_config:

    AuthorizedKeysCommand /usr/local/bin/ssh-ldap-pubkey-wrapper
    AuthorizedKeysCommandUser nobody
  • Restart SSH server

    service ssh restart

Configure PAM

  • Edit /etc/ldap.conf:

    uri ldaps://
    binddn cn=OpenLDAP Client,ou=users,dc=example,dc=com
    bindpw password
  • Edit /etc/pam.d/common-auth and add the following line:

    account required
  • Edit /etc/pam.d/common-password and remove use_authtok parameter

  • Edit /etc/pam.d/common-session and add the following line:

    session required skel=/etc/skel umask=0022

Configure NSS, login access control and sudo

  • Edit /etc/nsswitch.conf:

    passwd:         compat ldap
    group:          compat ldap
    shadow:         compat ldap
  • Edit /etc/security/access.conf, replace ldap-team with actual group name:

    - : ALL EXCEPT root (admin) (wheel) (ldap-team): ALL EXCEPT LOCAL
  • Edit /etc/sudoers using visudo command and add the following lines. Replace ldap-team with actual group name:

    %ldap-team ALL=(ALL) ALL
  • Restart nscd

    service nscd restart