
CONFIGURE CENTRALIZED LDAP + SSH AUTHENTICATION SERVER IN LINUX ENVIRONMENT

This tutorial explains the procedure for creating a centralized LDAP + SSH based authentication server. Such a setup is useful when a deployment requires remote LDAP users to authenticate via SSH in order to perform administrative tasks on their respective machines.

Machines and Configuration
1. LDAP Server

Name: ssh1.mitc.cdns.pk
IP Address: 192.168.1.10
Operating System: RedHat Enterprise Linux 5.4 (64-bit)
Other: RedHat Directory Server 8
(You need a license from RedHat or can simply use 389 Directory Server)

2. Production Server (Application Server)

Name: ssh2.mitc.cdns.pk
IP Address: 192.168.1.11
Operating System: RedHat Enterprise Linux 5.4 (64-bit)

Name: ssh3.mitc.cdns.pk
IP Address: 192.168.1.12
Operating System: RedHat Enterprise Linux 5.4 (64-bit)

3. Production Server (Database Server)

Configuration of LDAP Server

    [root@ssh1 ~]# vi /etc/ssh/sshd_config

Add the lines as mentioned below:

    UsePAM yes
    PAMAuthenticationViaKbdInt yes

Save and close the file. Restart the sshd services.

Install RedHat Directory Server. After installation, run the command redhat-idm-console and create an Organizational Unit and a test user as shown in the picture below.

Configuration of Production Servers

Configure the client for LDAP server authentication:

    authconfig --enableldap --enableldapauth --disablenis --enablecache --ldapserver=ssh1.mitc.cdns.pk --ldapbasedn=ou=TESTAdmin,dc=mitc,dc=cdns,dc=pk --updateall

Type the command system-config-authentication, check the option "Create home directories on the first login" and press the OK button.

    [root@ssh2 ~]# vi /etc/ssh/sshd_config

Add the lines as mentioned below:

    UsePAM yes
    PAMAuthenticationViaKbdInt yes

Save and close the file. Restart the sshd services.

In order to allow the LDAP user to change their password without any problem, modify the file and add the lines as mentioned below (the original include lines are commented out, so that pam_ldap.so is tried first and pam_unix.so only afterwards):

    [root@ssh2 ~]# vi /etc/pam.d/passwd

    #%PAM-1.0
    #auth       include     system-auth
    #account    include     system-auth
    #password   include     system-auth
    password    sufficient  pam_ldap.so
    password    required    pam_unix.so nullok obscure min=4 max=8

Save and close the file. Log in as the LDAP user on the production server and try to change the password:

    [tuser@ssh2 ~]$ passwd
    Changing password for user tuser.
    Enter login(LDAP) password:
    New password:
    Re-enter new password:
    LDAP password information changed for tuser
    passwd: all authentication tokens updated successfully.

Then verify that the same LDAP credentials work over SSH to the other production server:

    [tuser@ssh2 ~]$ ssh 192.168.1.12
    Enter password:
    [tuser@ssh3 ~]$
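As an added example (not part of this tutorial), the following POSIX shell script checks the two edits made on each production server: that sshd_config really enables PAM, that /etc/pam.d/passwd lists pam_ldap.so as sufficient before pam_unix.so as required (the order that lets an LDAP user's passwd run update the LDAP entry instead of failing on the missing local account), and whether the nullok option, which permits empty local passwords, is still present. The function names are assumptions, and the script builds constructed sample files so it runs offline; point the functions at the real files to check a live server.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Validates the sshd and PAM
# edits described above against files passed as arguments.

# Return 0 if sshd_config contains an uncommented "UsePAM yes".
check_sshd_pam() {
    grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes' "$1"
}

# Return 0 if "password sufficient pam_ldap.so" appears before
# "password required pam_unix.so" in the given PAM stack file.
check_pam_order() {
    ldap_line=$(grep -nE '^[[:space:]]*password[[:space:]]+sufficient[[:space:]]+pam_ldap\.so' "$1" | head -n 1 | cut -d: -f1)
    unix_line=$(grep -nE '^[[:space:]]*password[[:space:]]+required[[:space:]]+pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$ldap_line" ] && [ -n "$unix_line" ] && [ "$ldap_line" -lt "$unix_line" ]
}

# Return 0 if the pam_unix.so password line still carries "nullok",
# which allows a local account to have an empty password.
has_nullok() {
    grep -Eq '^[[:space:]]*password[[:space:]]+.*pam_unix\.so.*[[:space:]]nullok' "$1"
}

# Constructed sample files mirroring the tutorial's edits (assumed content).
SSHD_SAMPLE=$(mktemp)
PAM_SAMPLE=$(mktemp)
printf '%s\n' 'Port 22' 'UsePAM yes' 'PAMAuthenticationViaKbdInt yes' > "$SSHD_SAMPLE"
printf '%s\n' '#%PAM-1.0' \
    'password    sufficient  pam_ldap.so' \
    'password    required    pam_unix.so nullok obscure min=4 max=8' > "$PAM_SAMPLE"

check_sshd_pam "$SSHD_SAMPLE" && echo "sshd_config: UsePAM is enabled"
check_pam_order "$PAM_SAMPLE" && echo "pam.d/passwd: pam_ldap.so precedes pam_unix.so"
has_nullok "$PAM_SAMPLE" && echo "pam.d/passwd: warning, nullok is set on pam_unix.so"
```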