Both InnoDB and PostgreSQL - as well as many other databases - use a technique called multi-version concurrency control (MVCC) to provide transaction isolation: transactions should not see the work of other, uncommitted transactions. MVCC means that, when a row is updated, the database stores both the old and new versions of the row.


Tuesday, March 13, 2012


We need password-less SSH login, so here I have centralized the users' SSH public keys by storing them in LDAP. Keep in mind that this makes the directory the trust root for SSH: anyone who can write a user's sshPublicKey attribute can log in as that user, so write access to the directory and the rootdn password need the same protection as the private keys themselves.

LDAP Server Setup

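# openldap-servers is the package that provides slapd and slappasswd; the
# brace expansion in the original installed "openldap" twice and never
# installed the server at all.
[root@ldap]#  yum install openldap openldap-servers openldap-clients openldap-devel nss_ldap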

Add an entry in /etc/hosts mapping the LDAP server's IP address to directory.domain.com (or create the corresponding DNS record).

Run this command and copy its output (the hashed password that goes into rootpw below):

[root@ldap]#  slappasswd

Note: enter the desired rootdn (Manager) password when prompted; this is the directory's unrestricted administrator password.



The output is an {SSHA} hash of the password, like the value shown in the rootpw line below; copy it.


Now edit slapd.conf

[root@ldap]#  vi /etc/openldap/slapd.conf

Find the entries similar to these and edit them as follows. slapd.conf now holds the rootdn password hash, so make sure it stays readable only by root and the ldap service user (the package default is mode 640).

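database        bdb

suffix          "dc=directory,dc=domain,dc=com"

rootdn          "cn=Manager,dc=directory,dc=domain,dc=com"

# Paste the {SSHA} hash printed by slappasswd as the rootpw value.
# slapd.conf only treats lines that *start* with "#" as comments; a trailing
# "# ..." on the rootpw line is parsed as extra arguments and slapd fails to
# start.
rootpw          {SSHA}AuOU1S01Nj+gQ9FIHf8gCompENETugiT

directory       /var/lib/ldap

# Without any ACL slapd defaults to "access to * by * read", which lets the
# anonymous search used later (ldapsearch -x) read every user's password hash.
# Allow userPassword only for the owner and for authentication binds.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read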

[root@ldap]#  service ldap start

Create a file named /etc/openldap/init.ldif with the content below (in LDIF, consecutive entries must be separated by a blank line):

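# Base entry for the suffix. It must exist before any child entry can be
# added; without it ldapadd fails with "No such object" on ou=People.
dn: dc=directory,dc=domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: directory
o: Organisation

# The rootdn (cn=Manager) does not need an entry of its own. If one is wanted
# it must be a role: the original used organizationalUnit, which does not
# allow the cn attribute that forms this RDN, so slapd rejects the entry.
dn: cn=Manager,dc=directory,dc=domain,dc=com
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=directory,dc=domain,dc=com
objectClass: organizationalUnit
ou: People
description: All People in Organisation

dn: ou=Groups,dc=directory,dc=domain,dc=com
objectClass: organizationalUnit
ou: Groups
description: All Groups in Organisation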

Now load that file into the LDAP server:

[root@ldap]#  ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f /etc/openldap/init.ldif

It will prompt for a password: enter the plaintext password you typed into slappasswd (not the {SSHA} hash).

Now import a user from the local passwd file. Before running the migration script, set $DEFAULT_BASE in /usr/share/openldap/migration/migrate_common.ph to "dc=directory,dc=domain,dc=com"; it defaults to dc=padl,dc=com, and the generated DN would not match this directory.

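[root@ldap]#  useradd manish

[root@ldap]#  passwd manish

# Anchor the match: a bare "grep manish" also matches manisha or any line
# that merely contains the string somewhere.
[root@ldap]#  grep '^manish:' /etc/passwd > passwd.manish

# migrate_passwd.pl looks the user up in /etc/shadow and writes the hash into
# manish.ldif as userPassword, so treat both files as sensitive.
# (Requires $DEFAULT_BASE in migrate_common.ph to be set to this suffix.)
[root@ldap]# /usr/share/openldap/migration/migrate_passwd.pl passwd.manish manish.ldif

[root@ldap]# ldapadd -x -D "cn=Manager,dc=directory,dc=domain,dc=com" -W -f manish.ldif

# Remove the temporary files once the entry is in the directory.
[root@ldap]# rm -f passwd.manish manish.ldif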

It will ask for the rootdn password; provide it. Then verify the entry with the anonymous search below. If the output shows userPassword values, anonymous users can read password hashes and the access rules in slapd.conf need tightening before the server is exposed to clients.


[root@ldap]# ldapsearch -x -b "dc=directory,dc=domain,dc=com"

LDAP Client Setup

[root@ldap-client]# yum install nss_ldap openldap-clients

Add an entry in /etc/hosts mapping the LDAP server's IP address to directory.domain.com (or rely on DNS).

Now run authconfig to enable LDAP for both name-service lookups and PAM (this is what makes SSH and su logins consult the LDAP server). --usemd5 selects MD5-crypt for local password hashes; where the installed authconfig supports --passalgo=sha512, prefer that.

[root@ldap-client]# authconfig --useshadow --usemd5 --enableldap --enableldapauth --ldapserver=directory.domain.com --ldapbasedn="dc=directory,dc=domain,dc=com" --enablemkhomedir --updateall

Edit /etc/ldap.conf (the nss_ldap/pam_ldap configuration) and add the lines below. "ssl no" means lookups and PAM password binds — including users' passwords — cross the network in clear text; use this only for the initial test and apply the TLS section below before real users authenticate through it.

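# nss_ldap / pam_ldap settings for the initial, unencrypted setup.
# "ssl no" sends NSS lookups and PAM password binds in clear text; switch to
# the TLS configuration below before real users authenticate through it.
ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5

# Hostname and suffix must match the server configured above.
uri ldap://directory.domain.com/

base dc=directory,dc=domain,dc=com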

Edit /etc/openldap/ldap.conf (the OpenLDAP client-library configuration used by ldapsearch and the other command-line tools) and add the lines below. Only uri and base are libldap settings; ssl and pam_password are nss_ldap keywords and are not expected to have any effect on the OpenLDAP tools.

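# OpenLDAP client-library (libldap) configuration, used by ldapsearch etc.
# ssl and pam_password are nss_ldap keywords; libldap is expected to ignore
# them here, only uri and base apply to the command-line tools.
ssl no

tls_cacertdir /etc/openldap/cacerts

pam_password md5

# Same hostname and suffix as the server configured above.
uri ldap://directory.domain.com/

base dc=directory,dc=domain,dc=com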

Now test the LDAP client for lookups and authentication:

1: ldapsearch -x (an anonymous search; if it returns the directory entries, continue with step 2)

2: getent passwd | grep manish (although the user manish does not exist in the client's /etc/passwd, this should return the entry from LDAP)

3: ssh -l manish &lt;client-hostname&gt; (log in as the LDAP user; at this stage it still asks for the user's LDAP password)

4: su - manish (although the user manish does not exist on the client system, you should get a shell as that user)

TLS (LDAP Server) – Secure LDAP Server

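[root@ldap]#  mkdir -p /etc/ssl/openldap/

[root@ldap]# cd /etc/ssl/openldap/

# Create the keys with restrictive permissions: genrsa writes an unencrypted
# private key, and anyone who can read ldap.key can impersonate the server.
[root@ldap]# umask 077

[root@ldap]# openssl genrsa -out ldap.key 2048

# When prompted, the Common Name must be the name clients connect to
# (directory.domain.com); otherwise certificate checking on the clients fails.
[root@ldap]# openssl req -new -key ldap.key -out ldap.csr

[root@ldap]# openssl genrsa -out ca.key 2048

[root@ldap]# openssl req -new -x509 -days 3650 -key ca.key -out ca.cert

[root@ldap]# openssl x509 -req -in ldap.csr -out ldap.cert -CA ca.cert -CAkey ca.key -CAcreateserial -days 3650

[root@ldap]# openssl x509 -in ldap.cert -text -noout

# slapd runs as the ldap user on RHEL/CentOS and must be able to read the
# server key. The CA key is only needed for signing; keep it root-only
# (ideally move it off this host once ldap.cert is issued).
[root@ldap]# chown root:ldap ldap.key ldap.cert ca.cert

[root@ldap]# chmod 640 ldap.key

[root@ldap]# chmod 644 ldap.cert ca.cert

[root@ldap]# chmod 600 ca.key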

Edit /etc/openldap/slapd.conf on the LDAP server and append these lines (if such entries already exist, comment them out). On RHEL/CentOS the ldap init script only listens on ldaps:// (port 636) when SLAPD_LDAPS=yes is set in /etc/sysconfig/ldap, so set that as well and restart slapd with "service ldap restart". Clients that verify the certificate will need a copy of ca.cert.

TLSCertificateFile /etc/ssl/openldap/ldap.cert

TLSCertificateKeyFile /etc/ssl/openldap/ldap.key

TLSCACertificateFile /etc/ssl/openldap/ca.cert

Now edit /etc/openldap/ldap.conf on the LDAP CLIENT: remove the existing lines and enter the ones below. First copy ca.cert from the server into /etc/openldap/cacerts/ on the client (and hash the directory, e.g. with cacertdir_rehash if it is available). Without the CA certificate the client cannot verify the server, and TLS then only hides traffic from passive sniffing; it does not stop a spoofed LDAP server from handing out its own passwords and SSH keys.

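# nss_ldap / pam_ldap client configuration for the TLS-enabled server.
# Use only the ldaps:// URI: with "ldap:// ldaps://" nss_ldap tries the
# plaintext URI first and TLS is never used for lookups or password binds.
# (uri supersedes the older HOST/PORT keywords.)
uri ldaps://directory.domain.com:636/

base dc=directory,dc=domain,dc=com

ssl on

# Verify the server certificate against the CA created in the TLS section;
# ca.cert must be present (hashed) in this directory on every client.
tls_checkpeer yes

tls_cacertdir /etc/openldap/cacerts

pam_password md5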

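# Run on the LDAP client. nss_ldap reads /etc/ldap.conf and libldap reads
# /etc/openldap/ldap.conf; their keyword sets differ, so sharing one file only
# works as long as each side tolerates the other's directives.
[root@ldap-client]# ln -sf /etc/openldap/ldap.conf /etc/ldap.conf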


Replication: LDAP Server to LDAP Standby Client Server

On Second Server: (Standby)

1. Follow the same LDAP server procedure above on the standby (its slapd must be stopped whenever the database files are being overwritten). Caveat: copying the live BDB files under /var/lib/ldap with rsync is not a supported replication method — a copy taken while the master is writing can be inconsistent and unusable, and OpenLDAP's built-in syncrepl is the proper way to keep a standby current. The steps below document the rsync approach as used here.

2. Create /etc/rsyncd.conf and enter below lines

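# /etc/rsyncd.conf on the standby. Global settings:
log file = /var/log/rsyncd.log

pid file = /var/run/rsyncd.pid

lock file = /var/run/rsync.lock

# Module definition. The original listing had no "[name]" header and no
# "path", so the daemon had nothing to serve; the name here is what the
# master's rsync command refers to after "::".
[ldap]

comment = ldap sync

path = /var/lib/ldap

# Needed so the copied BDB files keep their ldap:ldap ownership and modes.
uid = root

gid = root

read only = no

list = no

# Only the LDAP master may push. The rsync daemon protocol is not encrypted,
# so keep this on a trusted network or tunnel it over ssh.
hosts allow = directory.domain.com

hosts deny = *

auth users = root

secrets file = /etc/ldap-admin

# Keep strict modes on: rsync then refuses a secrets file that is readable by
# others, so run "chmod 600 /etc/ldap-admin" after creating it.
strict modes = true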

Save and exit

Now create the rsync secrets file /etc/ldap-admin (format user:password; replace syncldapadmin with a password of your own):

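# The secrets file holds the rsync password in clear text; make it root-only.
# (rsync refuses a group/world-readable secrets file when strict modes is on.)
[root@ldap-standby]# echo "root:syncldapadmin" > /etc/ldap-admin

[root@ldap-standby]# chmod 600 /etc/ldap-admin

[root@ldap-standby]# rsync --daemon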

Now add this in /etc/rc.local at end

[root@ldap-standby]# vi /etc/rc.local

rsync --daemon

Now edit /etc/sysconfig/iptables and add below line before "COMMIT"

[root@ldap-standby]#  vi /etc/sysconfig/iptables

# Port 873 is the rsync daemon. Consider adding "-s <LDAP master address>" so
# that only the master, not every host that can reach the standby, may
# connect to the module.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 873 -j ACCEPT

save and exit

[root@ldap-standby]# /etc/init.d/iptables restart

This is done


Now on LDAP Server.

Create the file /etc/pass-ldap holding the same rsync password (the rsync client reads it via --password-file, so cron never has to prompt):

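# The master's copy of the rsync password. Only root needs to read it, and a
# password file needs no execute bit, so 600 rather than 700.
[root@ldap]# echo "syncldapadmin" > /etc/pass-ldap

[root@ldap]# chmod 600 /etc/pass-ldap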

now add a line in crontab

[root@ldap]# crontab -e

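# Push the database directory to the standby every minute. The original line
# had an empty host ("root@::") and no --password-file, so rsync would prompt
# for a password and hang under cron. "ldap" must be the module name declared
# in the standby's /etc/rsyncd.conf and ldap-standby the standby's hostname.
* * * * * /usr/bin/rsync -az --password-file=/etc/pass-ldap /var/lib/ldap/ root@ldap-standby::ldap/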

save and exit


SSH Keys – LDAP Store

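[root@ldap]#yum -y install gcc openldap-devel pam-devel zlib-devel openssl-devel

# Fetch the release and its detached signature and verify it before building:
# piping an unverified tarball fetched over plain HTTP straight into tar lets
# anyone on the path replace the sshd you are about to install as root.
# (The OpenSSH release signing key must be imported into gpg first.)
# OpenSSH 5.4p1 dates from 2010 and is unsupported; build a current release.
[root@ldap]#wget -q http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-5.4p1.tar.gz.asc

[root@ldap]#gpg --verify openssh-5.4p1.tar.gz.asc openssh-5.4p1.tar.gz

[root@ldap]#tar zxf openssh-5.4p1.tar.gz

[root@ldap]#cd openssh-5.4p1

# The LPK patch is third-party code compiled into sshd; review it (or check it
# against the openssh-lpk project's own copy) before applying. OpenSSH 6.2 and
# later provide AuthorizedKeysCommand, which can fetch keys from LDAP without
# patching sshd at all.
[root@ldap]#wget -q http://openssh-lpk.googlecode.com/svn/trunk/patch/contrib/contrib-openssh-lpk-5.4p1-0.3.13.patch

[root@ldap]#patch < contrib-openssh-lpk-5.4p1-0.3.13.patch

[root@ldap]#./configure --with-ldap --sysconfdir=/etc/ssh --prefix=/usr --with-pam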

If configure fails with a PAM error, install the PAM headers and re-run configure:

[root@ldap]#yum install pam-devel


Now take backup of /etc/init.d/sshd and /etc/ssh/

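# Keep an existing root session open (or work from the console) while doing
# this: between "yum erase openssh-server" and a successful "make install"
# there is no sshd on the machine.
[root@ldap]#mkdir -p /opt/sshback

[root@ldap]#mv /etc/init.d/sshd /opt/sshback/

[root@ldap]#mv /etc/ssh /opt/sshback/

[root@ldap]#yum -y erase openssh-server

[root@ldap]#make install

[root@ldap]#cp /opt/sshback/sshd /etc/init.d/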

Now edit sshd_config and add the LPK settings below:

[root@ldap]#vi /etc/ssh/sshd_config

# --- openssh-lpk settings: fetch users' public keys from LDAP ---
UseLPK yes

LpkLdapConf /etc/openldap/ldap.conf

# Keys are fetched from the local slapd over plain ldap://. If this is ever
# pointed at a remote server, also set LpkForceTLS yes.
LpkServers  ldap://localhost/

# NOTE(review): these DNs use the suffix dc=domain,dc=com, whereas the server
# section above was built under dc=directory,dc=domain,dc=com — use whichever
# suffix is actually configured in slapd.conf.
LpkUserDN   ou=People,dc=domain,dc=com

LpkGroupDN  ou=Groups,dc=domain,dc=com

# NOTE(review): this binds sshd as the directory's rootdn, with that password
# stored in clear text in sshd_config. sshd only needs to read sshPublicKey;
# bind with a dedicated read-only DN (or anonymously if the ACL allows it) so
# that a compromise of this file does not hand over the whole directory.
LpkBindDN cn=Manager,dc=domain,dc=com

LpkBindPw controlman

# Presumably restricts key-based LDAP logins to members of this posixGroup
# (cn=tech, created below) — confirm against the LPK patch's README.
LpkServerGroup tech

LpkForceTLS no

LpkSearchTimelimit 3

LpkBindTimelimit 3

# Attribute holding the user's public key(s), from the ldapPublicKey class.
LpkPubKeyAttr sshPublicKey

Now add a group in ldap

Create a file maingroup.ldif with the lines below, listing every user who should be allowed to log in with an LDAP-stored key as a memberUid:

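# posixGroup whose memberUid values list the users allowed to log in with
# LDAP-stored keys (LpkServerGroup tech in sshd_config). The original dn was
# missing the comma between ou=Groups and dc=domain, which ldapadd rejects
# as an invalid DN.
dn: cn=tech,ou=Groups,dc=domain,dc=com
objectClass: posixGroup
cn: tech
gidNumber: 504
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4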

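# -W prompts for the rootdn password. Lower-case -w takes the password as the
# next argument, so the original "-w -f" used "-f" as the password. The DN
# must also not contain a stray trailing space.
[root@ldap]#ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f maingroup.ldif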

It should display like this:

adding new entry "cn=tech,ou=Groups,dc=domain,dc=com"

[root@ldap]#mkdir -p /var/empty/sshd/etc

Now include the LPK schema in slapd.conf (the patch ships it as openssh-lpk_openldap.schema; copy it into /etc/openldap/schema/ first, and restart slapd afterwards):

[root@ldap]#vi /etc/openldap/slapd.conf

Include            /etc/openldap/schema/openssh-lpk_openldap.schema

Save and exit


PHPLDAPADMIN (frontend for LDAP Management)

Download phpldapadmin from
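# Save the archive under a fixed name (wget would otherwise name the file
# after the whole query string) and extract the .tgz with tar, not unzip.
[root@ldap]#wget -O phpldapadmin-1.2.2.tgz 'http://downloads.sourceforge.net/project/phpldapadmin/phpldapadmin-php5/1.2.2/phpldapadmin-1.2.2.tgz'
[root@ldap]#tar xzf phpldapadmin-1.2.2.tgz
[root@ldap]#mv phpldapadmin-1.2.2 /var/www/html/phpldapadmin
# wwwrun:www is the SUSE web-server account; on RHEL/CentOS httpd runs as
# apache. phpLDAPadmin only needs read access to its own files.
[root@ldap]#chown apache:apache /var/www/html/phpldapadmin
# Now go to the config directory and create config.php from the example.
[root@ldap]#cd /var/www/html/phpldapadmin/config/
[root@ldap]#cp config.php.example config.php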
Now open it in a browser at http://directory.domain.com/phpldapadmin/. This console will be used with the directory's rootdn, so serve it over HTTPS only and restrict it to administrators' addresses; do not expose it to the internet.

Login DN: cn=Manager,dc=domain,dc=com — password: the rootdn password you set with slappasswd.



Now log into phpLDAPadmin and browse to the user you want to attach an SSH key to:

Now, under the user's "objectClass" entry, click "Add Value":


You should now see the following screen:

Select "ldapPublicKey" from the list and then hit "Add new ObjectClass".

Now that the ldapPublicKey ObjectClass is available to this user, you can add the sshPublicKey attribute to the user and paste their key in. Just hit "Add new attribute" as shown below, and you will get a dropdown menu.


In the dropdown menu, select "sshPublicKey" and you will see the dropdown change into the following:




Paste the user's public key in here, then hit "Update Object", and that's it! The user's public SSH key is now stored in your LDAP directory, and as long as the companion private key is available on the machine they connect from, they will not need a password to log into any machine that is pointed at your LDAP server. Remember that whoever can edit sshPublicKey in the directory controls who can log in, so keep write access to that attribute limited to administrators.

Now restart sshd and slapd so the new configuration and schema take effect:

# /etc/init.d/sshd restart

#/etc/init.d/ldap restart

Generate a key pair for the user (run this as the user, not as root). The tutorial leaves the passphrase empty for convenience; a passphrase combined with ssh-agent is strongly preferred, since an unprotected private key is a password stored in a file:

# ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Enter passphrase (empty for no passphrase): …

Enter same passphrase again: …

# cat ~/.ssh/id_rsa.pub

The public key will look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAoLpYk/1bOPiQC8tP0aB7g5YfcmniEAdEEitGwRrjc3XZptLQm3syl11bXdGbBCXb8JT1r3R8OVsnN3Ml/zTy3f7GBIWDH47ytyBxhQcMaCYk9Kk6pG6jbJCoikkxYggD0BexeVCK8qNyi9uohLh6PWCWRX29wF2zqiRjWyy5t8WK8oBgahdx18nqRoQRxyLsk0YIiff8n/WFQ3lWW2H2AlHWRus5cLVZ6J1safgLChOX5BIGt4A/UHsKdXHJd/zcSt+xkEXO7WqzIlMF/hh62NdfV2oR2AQuhAvGcYeDJhMLqbf3GqBdhL/zBF+pxhu8IU/7wPBjpJV865XRI0/JTQ== root@vm-machine

Paste that whole line as the value of the user's sshPublicKey attribute.


  1. sir my ldapadmin dont have the option ldappublic key option in the list
    i m trying to set active dir using ldap and kerberos .
    can u pls help me

  2. have you downloaded the schema

    download that, include in slapd.conf and restart ldap service

  3. is it can be implemented on 389-ds?

  4. I do not have idea... have to check this...

  5. no worries, thank you, i will test it too and share it what is the result

  6. yes, it can be implemented on centos ds as well...
    i share it on my blog :

  7. Steve van: The link about centos ds seems to be private,Please is it possible to view that link

  8. Manish

    Thanks much for sharing this article.

    The mentioned LDAP authentication in the article seems good for linux servers and actually I want to implement SSO(Single Sign On) in my office network where currently we have Windows Active Directory(AD) server authenticating windows login and we have obsolete RCS (Revision Control System) server where we will update group,shadow,password files for every linux users and this will replicated on all linux servers(preferably Redhat Linux servers) plus we have also key based authentication instead of using regular password.

    These windows/linux Production servers are located in diversified Datacenters.

    In the above scenario probably we are thinking like while creating the users in the Windows AD server itself we should have some mechanism which says that users should access to linux servers as well and the same login needs to be used for both windows and linux logins and on top of this we need to have key based authentication for the linux users alone.

    May I please ask for any help / suggestions in this scenario.