In order to enable LDAP to fetch usernames for a SSH public key you need to pass a json configuration via --ldap-config="/path/to/ldap.json". Local public keys in./keys``` have precedence.

  • username: the bind user name to LDAP (optional).
  • password: the password for the bind user (optional, if empty it uses anonymous bind).
  • address: the full address and port to LDAP server.
  • baseDN: the base DN of your user scope.
  • filter: the filter to fetch a username. %s will be replaced by the requested authorization key.
  • attribute: the attribute name of the username.


        "username": "MyLdapBindUser",
        "password": "",
        "address": "ldap://server.local:389",
        "baseDN": "OU=Developer,DC=Domain,DC=local",
        "filter": "(sshPublicKeys=%s*)",
        "attribute": "sAMAccountName"