The following describes how to fetch the public keys of the users from an LDAP server and have One Identity Safeguard for Privileged Sessions (SPS) generate a keypair that is used in the server-side connection on-the-fly, and upload the public key of this pair to the LDAP database.

To configure public-key authentication using an LDAP server and generated keys

  1. Navigate to Traffic Controls > SSH > Authentication Policies and create a new Authentication Policy.

  2. Select Authenticate the client to SPS using > LDAP > Public key, deselect all other options.

  3. Select Relayed authentication methods > Public key > Publish to LDAP, deselect all other options.

  4. Click .

  5. Navigate to Policies > LDAP Servers and click to create a new LDAP policy.

  6. Enter the parameters of the LDAP server. For details, see Authenticating users to an LDAP server.

  7. If different from sshPublicKey, enter the name of the LDAP attribute that stores the public keys of the users into the Publickey attribute name field.

    Caution:

    The public keys stored in the LDAP database must be in OpenSSH format.

  8. Enter the name of the LDAP attribute where SPS shall upload the generated keys into the Generated publickey attribute name field.

  9. Click .

  10. Navigate to Traffic Controls > SSH > Connections and create a new Connection.

  11. Enter the IP addresses of the clients and the servers into the From and To fields.

  12. Select the authentication policy created in Step 1 from the Authentication Policy field.

  13. Select the LDAP policy created in Step 7 from the LDAP Server field.

  14. If the server accepts a user only from a specific IP address, select the Use original IP address of the client radiobutton from the SNAT field.

  15. Configure the other options of the connection as necessary.

  16. Click .

  17. To test the above settings, initiate a connection from the client machine to the server.