Environment
Novell NetWare 6.5 Support Pack 6
Situation
NetWare 6.5's OpenSSH defaults to requiring an LDAP server to be
running on the same system where SSHD.NLM is running. Is
there a way to tell SSHD.NLM to use a remote LDAP server?
Resolution
Yes, there is a way to configure this, but it is not documented
in the NetWare Online Doc nor in the sys:etc\ssh\sshd_config
file.
DISCLAIMER:
It is uncertain whether this feature has been fully tested,
and what its limitations may be. Therefore, the
information in this document is offered "as is" and at this time
Novell is not fully guaranteeing its usage. The author of
this document supports NetWare SSH but is not an LDAP expert.
In the sys:etc\ssh\sshd_config file, you can add a line in the
format:
ldapauthhost [LDAP_SERVER] [PORT] [SECURE] [CERT_FILE]
Default values: PORT = 389, SECURE = no, CERT_FILE =
NULL
(NOTE: these defaults may not result in a functional configuration for SSHD.NLM)
Example of tested & successful syntax:
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
Novell Technical Services tested this feature in the following
manner. Note that this is not presented as a list of
required steps. Rather, this is one documented method used
internally at Novell to confirm the functionality of this
feature:
1. Two NetWare 6.5 SP6 servers were installed, each
including OpenSSH in that install. They were installed in the
same container of the tree.
2. SSH services were verified on each server,
initially using a configuration where each system was an LDAP
server (running NLDAP.NLM) and SSHD was using its local LDAP
server. So each LDAP server was verified to be working, and
each server had individual eDir certificate objects. Each
server also had a local certificate file at
sys:public\rootcert.der.
3. On SERVER1, the LDAP server was stopped by unloading
NLDAP.NLM, and the sys:etc\ssh\sshd_config file had the following
line added, pointing to SERVER2's IP address:
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
4. SSHD.NLM on SERVER1 was unloaded and
reloaded.
5. Users could still authenticate through SFTP to
SERVER1, confirming that the new setting was successfully
redirecting LDAP activity to SERVER2.
NOTE: Although many of the options for the ldapauthhost
setting are considered optional, some configurations, including
many of the defaults, are not always enough to properly support
SSHD. For example, ssh would not function correctly when just
using:
ldapauthhost 192.168.1.3
sys:etc\ssh\logs\sshd.log reported various errors, such as:
error: /etc/ssh/sshd_config line 124: Remote unsecured LDAP Host configured.
debug3: auth_edir_password() ldap_simple_bind_s() for cn=sftp_username,o=organization returned 0xd
These errors might simply mean
that other LDAP configuration changes are needed to support the
defaults. See KB 10100793 for additional tips on using this
setting and configuring LDAP. (Go to https://www.novell.com/support
and search on 10100793.)
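The ldapauthhost format and defaults described above, together with the note that the bare form (no port, no "secure", no certificate) produced a "Remote unsecured LDAP Host configured" error, can be checked before SSHD.NLM is reloaded. The following script is an added example written for this article, not Novell code; it parses ldapauthhost lines from an sshd_config and flags settings that would send eDirectory passwords to the remote LDAP server in cleartext or without certificate verification. The sample config embedded in it is constructed, and the warning wording is the author's own.

```python
"""Lint ldapauthhost directives in a NetWare OpenSSH sshd_config."""

# Defaults documented for the directive: PORT 389, SECURE no, CERT_FILE NULL.
DEFAULT_PORT = 389
DEFAULT_SECURE = False


def parse_ldapauthhost(line):
    """Parse 'ldapauthhost HOST [PORT] [SECURE] [CERT_FILE]'.

    Returns a dict (host, port, secure, cert_file), or None if the line
    is not an ldapauthhost directive. Missing fields take the defaults.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].lower() != "ldapauthhost":
        return None
    host = parts[1]
    port = int(parts[2]) if len(parts) > 2 else DEFAULT_PORT
    secure = parts[3].lower() == "secure" if len(parts) > 3 else DEFAULT_SECURE
    cert_file = parts[4] if len(parts) > 4 else None
    return {"host": host, "port": port, "secure": secure, "cert_file": cert_file}


def lint_sshd_config(text):
    """Return (line_no, warning) tuples for risky ldapauthhost lines."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are ignored
        cfg = parse_ldapauthhost(line)
        if cfg is None:
            continue
        if not cfg["secure"]:
            findings.append((n, "remote LDAP host without 'secure': simple bind sends passwords in cleartext"))
        elif cfg["cert_file"] is None:
            findings.append((n, "'secure' set but no CERT_FILE: LDAP server certificate cannot be verified"))
        elif cfg["port"] == DEFAULT_PORT:
            findings.append((n, "'secure' with port 389: LDAPS normally listens on 636"))
    return findings


# Constructed sshd_config excerpt (not taken from a real server): the tested
# syntax from the article followed by the bare form that logged errors.
SAMPLE_CONFIG = """\
# sshd_config excerpt (constructed example)
Port 22
ldapauthhost 192.168.1.3 636 secure sys:/public/rootcert.der
ldapauthhost 192.168.1.3
"""

if __name__ == "__main__":
    for line_no, msg in lint_sshd_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {msg}")
```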