Sep 29 2017
06:21 AM
- last edited on
Jan 14 2022
05:29 PM
by
TechCommunityAP
Sep 29 2017
06:21 AM
- last edited on
Jan 14 2022
05:29 PM
by
TechCommunityAP
We are considering migrating our Novell eDirectory on-premise directory to AAD DS. One thing that we use our current directory for is storing SSH public keys for users, which are in turn used to allow users to log in to Linux instances.
I have seen documentation that states that AAD DS does not allow extending the LDAP schema (including adding User object attributes), but I cannot find documentation stating what the default schema looks like.
Is it possible to store users' public keys for SSH in AAD DS? Where can I see the documentation for the default schema (I'd like to know what I'm buying before I dive in)?
Aug 17 2018 04:42 AM
Dear Matthew Mellon
Did you indeed discover a method to store users public keys in a AAD ?
many thanks
Fons Ullings
Amsterdam UMC
Feb 07 2020 08:51 AM
@Matthew Mellon
Found any solution to this? I would be quite interested.
Thanks.
Feb 13 2020 10:40 PM
Indeed we found the solution within the Azure AD and we have even managed to provision complete Azure AD accounts via secure LDAP using this field. The field can also be out-of-the-box configured to be used in Linux distributions like RedHat, Ubunto, CentOS so that seamless SSH login is provided to our researchers. The Azure AD attribute field is: altSecurityIdentities
and configure Linux instaces:
# Once domain joined, add the following to the /etc/sssd/sssd.conf file under the [domain/] section:
ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
ldap_user_ssh_public_key = altSecurityIdentities
ldap_use_tokengroups = True
# and under the [sssd] section add:
services = nss, pam, sudo, ssh
default_domain_suffix = XXXXXXXXX.onmicrosoft.com
# Then to the /etc/ssh/sshd_config add:
AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys [--domain XXXXXXXXX.onmicrosoft.com]
AuthorizedKeysCommandUser root
Regards
Fons Ullings
Nov 15 2020 07:22 PM
@Fons Ullings What's the Azure AD resource property for altSecurityIdentities you found? I couldn't find any property with that name in Azure AD user resource. I found alternativeSecurityIds in device resource that's translated to AD's altSecurityIdentities for devices, but I don't think it appropriate to store SSH public keys for user authentication.
Can we modify altSecurityIdentities via Microsoft Graph API?
Nov 16 2020 01:02 AM
I am pretty sure you can also use the GRAPH API but we are using successfully a secure LDAP feed to the Azure AD to alter the user public key (for example from a Yubikey). For out-of-the-box Linux systems that are joined with the Azure AD that are configured (so without additional code in these Linux boxes) it works. An example of this LDAPs feed in Python/LDAPs
import ldap
import ldap.modlist as modlist
import base64
l = ldap.initialize('ldaps://ldaps.xxxx-cloud.nl')
l.simple_bind_s('XXXAdmin', 'OK....')
# c'est moi
dn="CN=Fons.Ullings,OU=people,OU=XXX,DC=xxxx-cloud,DC=nl"
# new RSA certificate
new_rsa = 'ssh-rsa XXXXXXYYYYY'
newrsa_utf8 = '"{0}"'.format(new_rsa).encode('utf-8')
print(newrsa_utf8)
mod_list = [
(ldap.MOD_REPLACE, "altSecurityIdentities", newrsa_utf8),
]
l.modify_s(dn, mod_list)
l.unbind_s()
Regards
Fons Ullings
Mar 15 2023 11:59 PM
@Fons_Ullings Please do not overload the AD schema attribute altSecurityIdentities. Define your own new custom schema attribute. This will cause conflicts with deployments where the attribute is used for its soriginal purpose.
Herbert