diff --git a/lam/docs/manual-sources/chapter-modules.xml b/lam/docs/manual-sources/chapter-modules.xml
index abb36e83..3801db25 100644
--- a/lam/docs/manual-sources/chapter-modules.xml
+++ b/lam/docs/manual-sources/chapter-modules.xml
@@ -1955,8 +1955,14 @@ You can manage your public keys for SSH in LAM if you installed the LPK patch for
- SSH. Activate the "SSH public key" module for users in the
- server profile and you can add keys to your user entries.
+ SSH or setup AuthorizedKeysCommand (see below).
+
+ Activate the "SSH public key" module for users in the server
+ profile and you can add keys to your user entries.
+
+
+
+
@@ -1965,6 +1971,30 @@
+
+ Example for
+ AuthorizedKeysCommand
+
+ This will dynamically get the public key from LDAP. In this case
+ there is no need to patch SSH sources.
+
+ Create the authentication script in e.g.
+ /usr/bin/ldapAuthSSH.sh
+
+
+#!/bin/bash
+uid=$1
+server=ldap.domain.com
+baseDN=ou=people,dc=example,dc=com
+port=389
+ldapsearch -x -h $server -p $port -b $baseDN -s sub "(&(objectclass=posixAccount)(uid=$uid))" | sed -n '/^ /{H;d};/sshPublicKey:/x;$g;s/\n *//g;s/sshPublicKey: //gp'
+
+
+
+ Now setup your sshd_config
+
+ AuthorizedKeysCommand /usr/bin/ldapAuthSSH.sh
+AuthorizedKeysCommandUser root
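Review bot: In the second hunk the example script places the username sshd hands it straight into the LDAP filter (`"(&(objectclass=posixAccount)(uid=$uid))"`), so LDAP filter metacharacters in a login name alter the query, and the lookup runs over plain LDAP on port 389, so the keys that decide who may log in arrive without transport integrity. Readers will copy this verbatim, so the example should reject unexpected characters before searching, e.g. `case "$uid" in *[!A-Za-z0-9._@-]*|"") exit 1;; esac`, and connect with `ldapsearch -x -H "ldaps://$server" -b "$baseDN" ...` (or add `-ZZ` to require StartTLS) rather than `-h $server -p $port`. `AuthorizedKeysCommandUser root` gives the command more privilege than it needs; sshd_config(5) recommends a dedicated account with no other role on the host, so the example should name one and say so. A short sentence next to the listing noting that the script's output is trusted as authorized_keys content, and therefore the LDAP source and channel must be, would help administrators judge the setup.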
diff --git a/lam/docs/manual-sources/images/ldapPublicKey.png b/lam/docs/manual-sources/images/ldapPublicKey.png
index b2b885e7..3d927a68 100644
Binary files a/lam/docs/manual-sources/images/ldapPublicKey.png and b/lam/docs/manual-sources/images/ldapPublicKey.png differ
diff --git a/lam/docs/manual-sources/images/ldapPublicKey2.png b/lam/docs/manual-sources/images/ldapPublicKey2.png
new file mode 100644
index 00000000..9878d7e1
Binary files /dev/null and b/lam/docs/manual-sources/images/ldapPublicKey2.png differ