Configuring NetWare OpenSSH (SSHD.NLM) to use a remote LDAP server

  • 3783350
  • 02-May-2007
  • 26-Apr-2012

Environment

Novell NetWare 6.5 Support Pack 6

Situation

NetWare 6.5's OpenSSH defaults to requiring an LDAP server be running on the same system where SSHD.NLM is running. Is there a way to tell SSHD.NLM to use a remote LDAP server?

Resolution

Yes, there is a way to configure this, but it is not documented in the NetWare Online Doc nor in the sys:etc\ssh\sshd_config file.
DISCLAIMER:
It is uncertain whether this feature has been fully tested, and what the limitations of it may be. Therefore, the information in this document is offered "as is" and at this time Novell is not fully guaranteeing its usage. The author of this document supports NetWare SSH but is not an LDAP expert.
In the sys:etc\ssh\sshd_config file, you can add a line in the format:
ldapauthhost [LDAP_SERVER] [PORT] [SECURE] [CERT_FILE]
Default values: PORT = 389, SECURE = no, CERT_FILE = NULL
(NOTE: these defaults may not result in a functional configuration for SSHD.NLM)

Example of tested & successful syntax:
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
Novell Technical Services tested this feature in the following manner. Note that this is not presented as a list of required steps. Rather, this is one documented method used internally at Novell to confirm the functionality of this feature:
1. Two NetWare 6.5 SP6 servers were installed, each including OpenSSH in that install. They were installed in the same container of the tree.
2. SSH services were verified on each server, initially using a configuration where each system was an LDAP server (running NLDAP.NLM) and SSHD was using its local LDAP server. So each LDAP server was verified to be working, and each server had individual eDir certificate objects. And each server had a local certificate file at sys:public\rootcert.der.
3. On SERVER1, the LDAP server was stopped by unloading NLDAP.NLM, and the sys:etc\ssh\sshd_config file had the following line added, pointing to SERVER2's IP address.
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
4. SSHD.NLM on SERVER1 was unloaded and reloaded.
5. Users could still authenticate through SFTP to SERVER1, confirming that the new setting was successfully redirecting LDAP activity to SERVER2.
NOTE: Although many of the options for the ldapauthhost setting are considered optional, some configurations, including many of the defaults, are not always enough to properly support SSHD. For example, ssh would not function correctly when just using:
ldapauthhost 192.168.1.3
Sys:etc\ssh\logs\sshd.log reported various errors, such as:
error: /etc/ssh/sshd_config line 124: Remote unsecured LDAP Host configured.
debug3: auth_edir_password() ldap_simple_bind_s() for cn=sftp_username,o=organization returned 0xd
These errors might simply mean that other LDAP configuration changes are needed to support the defaults. See KB 10100793 for additional tips on using this setting and configuring LDAP. (Go to https://www.novell.com/support and search on 10100793.)
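As an added illustration that is not part of the original KB, the following Python script parses ldapauthhost lines from an sshd_config file, applies the documented defaults (389, no, NULL), and flags the combinations the NOTE above describes as failing, such as the unsecured remote host. The sample config text is constructed, and the comparison against port 636 is taken from the tested syntax shown earlier.

```python
from typing import List, NamedTuple, Optional, Tuple

# Defaults documented for the ldapauthhost directive: PORT = 389, SECURE = no, CERT_FILE = NULL
DEFAULT_PORT = 389

class LdapAuthHost(NamedTuple):
    host: str
    port: int
    secure: bool
    cert_file: Optional[str]

def parse_ldapauthhost(line: str) -> Optional[LdapAuthHost]:
    """Parse one sshd_config line; return None unless it is an ldapauthhost directive."""
    fields = line.strip().split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].lower() != "ldapauthhost" or len(fields) < 2:
        return None
    host = fields[1]
    port = int(fields[2]) if len(fields) > 2 else DEFAULT_PORT
    # Only the documented keyword "secure" enables TLS; anything else is treated as the default "no".
    secure = len(fields) > 3 and fields[3].lower() == "secure"
    cert_file = fields[4] if len(fields) > 4 else None
    return LdapAuthHost(host, port, secure, cert_file)

def check_config(text: str) -> List[Tuple[int, str]]:
    """Return (line number, finding) pairs for ldapauthhost lines that are unlikely to work."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        entry = parse_ldapauthhost(line)
        if entry is None:
            continue
        if not entry.secure:
            findings.append((number, f"Remote unsecured LDAP Host configured: {entry.host}:{entry.port}"))
        elif entry.cert_file is None:
            findings.append((number, "secure LDAP requested but no CERT_FILE given"))
        elif entry.port != 636:  # 636 is the port used in the KB's tested, working syntax
            findings.append((number, f"secure LDAP on port {entry.port}; the tested configuration used 636"))
    return findings

# Constructed sample sshd_config fragment (not taken from a real server).
SAMPLE_CONFIG = """\
# LDAP settings for SSHD.NLM
ldapauthhost 192.168.1.3
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
"""

if __name__ == "__main__":
    for number, message in check_config(SAMPLE_CONFIG):
        print(f"sshd_config line {number}: {message}")
```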