OpenLDAP Setup with SSH-Authentication on Ubuntu

In this article I will describe how to setup an OpenLDAP Server and use it to authenticate SSH-Logins in your domain.

What is OpenLDAP

OpenLDAP is a directory service, similar to the MS Active Directory. Here you can centrally manage permissions for the whole network. For example, you can log in to all devices in the network with the same credentials.

In my case I use the LDAP to create a user with sudo-privileges in all containers to be able to connect via SSH. To ensure security, I use only public keys for the SSH login.

OpenLDAP Installation

First of all we have to install the OpenLDAP Server.

apt update
apt upgrade 
sudo apt install slapd ldap-utils

Then create an administrator password for your domain.

After that recall the configuration menu to add further details.

dpkg-reconfigure slapd

Select no

Choose your domain name.

Choose your organization name. It is usually identical to you domain name.

Set your admin-password again.

Now choose if you want you domain-database to get deleted if you uninstall the ldap-server. I choose no. That way in case I reinstall the server, I will not lose my data.

Next we have to create Objects in our organization. You can do that via the command line or a webinterfaces like phpLDAPadmin.

phpLDAPadmin Installation

phpLDAPadmin gives you a webinterface to configure you OpenLDAP.
You need a webserver to run it. I will use the Apache httpd.

apt install apache2
apt install php php-ldap php-xml

After that downlaod the latest release from GitHub.

Unzip it and move it into the root-directory of you webserver.

mv /var/www/html

Once that is done, copy the example-config and edit it to match your LDAP-Organization.

cp /var/www/phpldapadmin/config/config.php.example /var/www/phpldapadmin/config/config.php
vim /var/www/phpldapadmin/config/config.php
#  $config->custom->appearance['timezone'] = 'Australia/Melbourne';
$config->custom->appearance['timezone'] = 'Europe/Berlin';

$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','name','JRehkemper LDAP');

#  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');

Now open a webbrowser and navigate to your servers ip or dns-name. You should see phpLDAPadmin.

Now create users and other resources as neede.

Client Authentication

Next we will enable our client to use LDAP-Users for authentication.
First install the required packages.

sudo apt install libnss-ldap libpam-ldap ldap-utils

Go through the wizard and enter your LDAP-Information.

All the settings get saved int /etc/ldap.conf. You can change them there if needed.

Next we add ldap as an authentication option for Ubuntu.

vim /etc/nsswitch.conf

# add ldap
passwd:    files systemd ldap
group:     files systemd ldap

Next remove use_authtok from the /etc/pam.d/common-password.

vim /etc/pam.d/common-password
# before
password [success=1 user_unkown=ignore default=die] pam_ldap.so use_authtok try_first_pass

# after
password [success=1 user_unkown=ignore default=die] pam_ldap.so try_first_pass

At last we need to edit /etc/pam.d/common-session to create a homedirectory for ldap-users at login.

session option pam_mkhomedir.so skel=/etc/skel umask=077

Add Sudo Group for LDAP

To give sudo permissions to an LDAP user, we need to create a group in LDAP. In my case I call it ldapsudo-

On the client the /etc/sudoers.d/ldap file has to be modified. Here the group from the LDAP must be inserted at an arbitrary place.

vim /etc/sudoers.d/ldap

%ldapsudo ALL=(ALL:ALL) ALL

If you are already logged in as an ldap-user you need to logoff and log in again for the group to get loaded.

Use SSH-Keys for LDAP-Users

Even better than an SSH login with password is the login with a public key. To do this, you store the public key of the client from which you want to access the server in the LDAP. With the SSH login the client sends the own key and the server can check in the LDAP whether this fits to the public key deposited in the LDAP.

In the first step the schema of the LDAP server must be adapted.

For this we first create the following file.

vim /etc/ldap/schema/openssh-ldap.schema
attributetype ( NAME 'sshPublicKey' 
	DESC 'MANDATORY: OpenSSH Public key' 
	EQUALITY octetStringMatch

objectclass ( NAME 'ldapPublicKey' SUP top AUXILIARY
	DESC 'MANDATORY: OpenSSH LPK objectclass'
	MUST uid
	MAY sshPublicKey

Now add it to your LDAP-Server.

ldap-schema-manager -i /etc/ldap/schema/openssh-ldap.schema

Now we have to store a public key for our LDAP user.

I use the interface of PhpLdapAdmin for this.

To do this, select the user and click on add attributes in the objectClass area. There you select the item ldapPublicKey. After that you can add a new attribute. In the dropdown select sshPublicKey. Now there is a new section below where you can add the public key. If you want to add more than one public key, just click on Add.

Now the public key is stored in the LDAP, but the server needs a way to retrieve it. For this I use the following Lua script from GitHub.


You need to install some dependencies.

apt install lua-5.3
apt install lua-ldap

Furthermore you need to set you LDAP-Server in the config-file of the ssh-getkey-ldap-script.

vim /etc/ssh/getkey-ldap.conf

After that add the AuthorizedKeysCommand to your ssh-server configuration.

vim /etc/sshd/sshd_config
# before
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# after
AuthorizedKeysCommand /usr/local/bin/ssh-getkey-ldap
AuthorizedKeysCommandUser nobody

Now you can login with an ssh-key deposited in you OpenLDAP.

Setup-Script for more clients

If you want to save yourself some work, you can configure additional clients with a script like this one.
Just keep in mind to change it to your values.

echo "####"
echo "Updating System"
echo "####"
sudo apt update
sudo apt upgrade -y

echo "####"
echo "Installing Dependencies"
echo "####"
sudo DEBIAN_FRONTEND=noninteractive apt install libnss-ldap libpam-ldap ldap-utils -y

echo "####"
echo "Changing LDAP Configs"
echo "####"
if [[ -f /etc/ldap.secret ]]
    then echo "" >> /dev/null
        echo -n LDAP Password of Root:
        read -s password
        echo $password > /etc/ldap.secret
sed -i 's/#host' /etc/ldap.conf
sed -i 's/uri ldapi\/\/\//uri ldapi\/\/\/' /etc/ldap.conf
sed -i 's/base dc=example,dc=net/base dc=jrehkemper,dc=de/g' /etc/ldap.conf
sed -i 's/rootbinddn cn=manager,dc=example,dc=net/rootbinddn cn=admin,dc=jrehkemper,dc=de/g' /etc/ldap.conf

echo "####"
echo "Adding sudo Group"
echo "####"
if grep "%ldapsudo ALL=(ALL:ALL) ALL" /etc/sudoers
    then echo "done" >> /dev/null
    else echo "%ldapsudo ALL=(ALL:ALL) ALL" >> /etc/sudoers

echo "####"
echo "Edit SSH Config"
echo "####"
sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand /usr/local/bin/ssh-getkey-ldap:g' /etc/ssh/sshd_config
sed -i 's:#AuthorizedKeysCommandUser nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
systemctl restart sshd

echo "####"
echo "Setup SSH-Key Script"
echo "####"
sudo apt install lua5.3 lua-ldap -y
cd /tmp/
git clone -b v0.1.2 https://github.com/jirutka/ssh-getkey-ldap.git
cd ssh-getkey-ldap
sudo ./install
sed -i 's:host localhost:host' /etc/ssh/getkey-ldap.conf
sed -i 's:base ou=People,ou=example,c=org:base dc=jrehkemper,dc=de:g' /etc/ssh/getkey-ldap.conf
cd /root
sudo rm -r /tmp/ssh-getkey-ldap

echo "####"
echo "Configure LDAP Login"
echo "####"
sed -i 's/files systemd/files systemd ldap/g' /etc/nsswitch.conf
sed -i 's/use_authtok/ /g' /etc/pam.d/common-password
if grep "session optional pam_mkhomedir.so skel=/etc/skel umask=077" /etc/pam.d/common-session
    then echo "done" >> /dev/null
    else echo "session optional pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session
profile picture of the author

Jannik Rehkemper

I'm an professional Linux Administrator and Hobby Programmer. My training as an IT-Professional started in 2019 and ended in 2022. Since 2023 I'm working as an Linux Administrator.