LDAP / Active Directory

LDAP / Active Directory Integration

Synchronize SSH public keys between SSH-KLM and your LDAP or Active Directory infrastructure, enabling centralized SSH authentication using directory-stored public keys.

Architecture

┌──────────────┐       ┌──────────────────┐       ┌──────────────┐
│  SSH-KLM     │◄─────►│  LDAP / Active   │◄─────►│  SSH Servers  │
│  Platform    │       │  Directory       │       │  (sshd)       │
└──────────────┘       └──────────────────┘       └──────────────┘
       │                        │                         │
       │  • Push/pull keys      │  • Store sshPublicKey   │  • AuthorizedKeysCommand
       │  • Rotation events     │  • User attributes      │  • Real-time lookup
       │  • Policy enforcement  │  • Group membership     │  • No local key files
       ▼                        ▼                         ▼
┌──────────────┐       ┌──────────────────┐       ┌──────────────┐
│  Key         │       │  User Object     │       │  Authenticated│
│  Inventory   │       │  cn=jdoe,ou=...  │       │  Session      │
└──────────────┘       └──────────────────┘       └──────────────┘

Flow:

SSH-KLM manages key lifecycle (generation, rotation, revocation)
Public keys are synced to LDAP/AD as user attributes
SSH servers query LDAP at authentication time via AuthorizedKeysCommand
No authorized_keys files needed on individual hosts

Step 1: Configure LDAP Connection in SSH-KLM

Navigate to Settings → Directory Integration and configure the LDAP connection.

OpenLDAP Configuration

{
  "directory_type": "openldap",
  "connection": {
    "url": "ldaps://ldap.example.com:636",
    "bind_dn": "cn=ssh-klm-service,ou=services,dc=example,dc=com",
    "bind_password": "...",
    "base_dn": "ou=users,dc=example,dc=com",
    "tls": {
      "verify": true,
      "ca_cert": "/etc/ssh-klm/ldap-ca.pem"
    }
  },
  "sync": {
    "direction": "bidirectional",
    "interval_minutes": 15,
    "user_filter": "(objectClass=posixAccount)",
    "key_attribute": "sshPublicKey"
  }
}

Active Directory Configuration

{
  "directory_type": "active_directory",
  "connection": {
    "url": "ldaps://dc01.corp.example.com:636",
    "bind_dn": "CN=SSH-KLM Service,OU=Service Accounts,DC=corp,DC=example,DC=com",
    "bind_password": "...",
    "base_dn": "OU=Users,DC=corp,DC=example,DC=com",
    "tls": {
      "verify": true,
      "ca_cert": "/etc/ssh-klm/ad-ca.pem"
    }
  },
  "sync": {
    "direction": "bidirectional",
    "interval_minutes": 15,
    "user_filter": "(&(objectClass=user)(objectCategory=person))",
    "key_attribute": "msDS-cloudExtensionAttribute1"
  }
}

Note: Active Directory does not include an sshPublicKey attribute by default. You must either extend the schema or use an available extension attribute.

Step 2: Map SSH Keys to LDAP User Attributes

OpenLDAP Schema Extension

Add the sshPublicKey attribute to your LDAP schema:

dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
  NAME 'sshPublicKey'
  DESC 'OpenSSH Public Key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
  NAME 'ldapPublicKey'
  DESC 'OpenSSH Public Key Object'
  SUP top
  AUXILIARY
  MAY ( sshPublicKey ) )

Apply the schema:

ldapadd -Y EXTERNAL -H ldapi:/// -f ssh-public-key.ldif

Add SSH Key to a User

dn: uid=jdoe,ou=users,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: ldapPublicKey
-
add: sshPublicKey
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrN... jdoe@workstation

Apply:

ldapmodify -H ldaps://ldap.example.com -D "cn=admin,dc=example,dc=com" -W -f add-key-to-user.ldif

Active Directory Schema Extension

For Active Directory, extend the schema with a custom attribute or use an existing unused attribute:

Option A: Use existing extension attribute

Map sshPublicKey to extensionAttribute1 or msDS-cloudExtensionAttribute1 (no schema change required).

Option B: Extend AD schema

# Run on Schema Master domain controller
$schemaPath = (Get-ADRootDSE).schemaNamingContext

New-ADObject -Name "sshPublicKey" -Type "attributeSchema" -Path $schemaPath -OtherAttributes @{
    lDAPDisplayName   = "sshPublicKey"
    attributeId       = "1.3.6.1.4.1.24552.500.1.1.1.13"
    oMSyntax          = 4
    attributeSyntax   = "2.5.5.10"
    isSingleValued    = $false
    searchFlags       = 1
}

Step 3: Configure sshd for LDAP-Based Key Lookup

Configure SSH servers to query LDAP for public keys instead of reading local authorized_keys files.

sshd_config

# Disable local authorized_keys lookup (optional, for strict LDAP-only)
AuthorizedKeysFile none

# Use LDAP lookup command
AuthorizedKeysCommand /usr/local/bin/ssh-ldap-keys %u
AuthorizedKeysCommandUser nobody

# Fallback: allow both LDAP and local keys
# AuthorizedKeysFile .ssh/authorized_keys
# AuthorizedKeysCommand /usr/local/bin/ssh-ldap-keys %u
# AuthorizedKeysCommandUser nobody

AuthorizedKeysCommand Script (OpenLDAP)

#!/bin/bash
# Fetches SSH public keys from LDAP for the given username

LDAP_URI="ldaps://ldap.example.com:636"
BASE_DN="ou=users,dc=example,dc=com"
BIND_DN="cn=ssh-lookup,ou=services,dc=example,dc=com"
BIND_PW_FILE="/etc/ssh/ldap-bind-password"

USERNAME="$1"

if [ -z "$USERNAME" ]; then
    exit 1
fi

ldapsearch -LLL -H "$LDAP_URI" \
    -D "$BIND_DN" \
    -y "$BIND_PW_FILE" \
    -b "$BASE_DN" \
    "(uid=$USERNAME)" \
    sshPublicKey | \
    sed -n 's/^sshPublicKey: //p'

Set permissions:

chmod 755 /usr/local/bin/ssh-ldap-keys
chown root:root /usr/local/bin/ssh-ldap-keys

AuthorizedKeysCommand Script (Active Directory)

#!/bin/bash
# Fetches SSH public keys from Active Directory

LDAP_URI="ldaps://dc01.corp.example.com:636"
BASE_DN="OU=Users,DC=corp,DC=example,DC=com"
BIND_DN="CN=SSH-Lookup,OU=Service Accounts,DC=corp,DC=example,DC=com"
BIND_PW_FILE="/etc/ssh/ad-bind-password"

USERNAME="$1"

if [ -z "$USERNAME" ]; then
    exit 1
fi

# Map Linux username to AD sAMAccountName
ldapsearch -LLL -H "$LDAP_URI" \
    -D "$BIND_DN" \
    -y "$BIND_PW_FILE" \
    -b "$BASE_DN" \
    "(sAMAccountName=$USERNAME)" \
    sshPublicKey | \
    sed -n 's/^sshPublicKey: //p'

Restart sshd

sudo systemctl restart sshd

Test the Lookup

# Test the script directly
sudo -u nobody /usr/local/bin/ssh-ldap-keys jdoe

# Test SSH authentication
ssh -v jdoe@server.example.com

Step 4: Sync and Rotation Workflows

Sync Modes

Mode	Description
SSH-KLM → LDAP	Keys managed in SSH-KLM are pushed to LDAP attributes
LDAP → SSH-KLM	Keys discovered in LDAP are imported into SSH-KLM inventory
Bidirectional	Changes in either system are synchronized

Key Rotation Workflow

SSH-KLM generates a new key pair (per rotation policy)
New public key is written to the user’s sshPublicKey attribute in LDAP
SSH servers immediately pick up the new key via AuthorizedKeysCommand
Old key is removed from LDAP after a grace period
SSH-KLM marks the old key as revoked in the inventory

Configure Rotation in SSH-KLM

{
  "rotation_policy": {
    "enabled": true,
    "interval_days": 90,
    "grace_period_hours": 24,
    "algorithm": "ed25519",
    "notify_user": true,
    "auto_sync_ldap": true
  }
}

Revocation

When a key is revoked in SSH-KLM:

The sshPublicKey attribute is removed from the user’s LDAP entry
All SSH servers immediately reject the revoked key
No host-level changes required

Example: Complete LDAP Schema for SSH Keys

# Complete schema file for OpenLDAP
dn: cn=openssh-lpk,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13
  NAME 'sshPublicKey'
  DESC 'OpenSSH Public Key'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0
  NAME 'ldapPublicKey'
  DESC 'OpenSSH Public Key Object'
  SUP top
  AUXILIARY
  MAY ( sshPublicKey ) )

Example User Entry with SSH Key

dn: uid=jdoe,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
cn: John Doe
sn: Doe
uid: jdoe
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/jdoe
loginShell: /bin/bash
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrN... jdoe@workstation
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB... jdoe@laptop

Troubleshooting

Issue	Cause	Resolution
LDAP connection refused	Firewall or TLS misconfiguration	Verify port 636 is open; check CA certificate
`AuthorizedKeysCommand` not executing	Incorrect permissions	Script must be owned by root, mode 755
Keys not found in LDAP	Wrong base DN or filter	Test with `ldapsearch` manually
Sync not updating LDAP	Bind DN lacks write permissions	Grant modify access to `sshPublicKey` attribute
AD schema extension fails	Not running on Schema Master	Transfer Schema Master role or run on correct DC
Multiple keys not working	Single-valued attribute	Ensure `sshPublicKey` is multi-valued in schema
sshd ignoring AuthorizedKeysCommand	`AuthorizedKeysCommandUser` not set	Must specify a valid user (e.g., `nobody`)

Security Considerations

Always use LDAPS (port 636) or StartTLS — never plain LDAP
Use a dedicated service account with minimal permissions for SSH-KLM
The AuthorizedKeysCommand script should not be writable by non-root users
Store bind passwords in files with 600 permissions, not in scripts
Audit LDAP access logs for unauthorized key modifications
Consider LDAP connection pooling for high-traffic SSH servers