Re: ProFTPd + mod_LDAP + OpenLDAP

2002-01-12 Thread Steve McIntyre
In article [EMAIL PROTECTED] you write:
Today I compiled ProFTPd with support for mod_ldap
(authenticating against OpenLDAP).  I set up proftpd.conf
as per the documentation and authentication was still
failing.  After examining the log files for ProFTPd,
I noticed that it was attempting to look up various
attributes in the LDAP server after entering a username
but before entering a password.  It was attempting to
get the value of the userPassword attribute, which my
ACLs didn't allow.  After changing OpenLDAP's ACLs to
the following, user authentication worked:

What I've done for LDAP and proftpd was just use the
already-functional PAM support and not added mod_ldap. Then my
/etc/pam.d/proftpd looks like

==
#%PAM-1.0
auth   required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok

# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth   required    pam_shells.so

account sufficient pam_ldap.so
account required   pam_unix.so
session sufficient pam_ldap.so
session required   pam_unix.so
==

and then added the line 

PersistentPasswd off

to /etc/proftpd.conf, which took a while (and some help from the
developers) to work out. Now it all works fine for me.

-- 
Steve McIntyre, Cambridge, UK.   [EMAIL PROTECTED]
They say that you play Cambridge twice - once on the way up and once on the
 way down. It's nice to be back... --- Armstrong & Miller



RE: ProFTPd + mod_LDAP + OpenLDAP

2002-01-12 Thread Jeremy L. Gaddis
Hey, sounds good.  I'll mess with this a bit later and
see if I can get it to work.  I ended up creating a
cn=proftpd,ou=misc,... entry to my tree with read
access to the userPassword attributes.  I didn't want
to do it this way but someone suggested it and it *did*
work, so...

Anyways, thanks a lot.  That sounds like exactly what I
was looking for.

j.

--
Jeremy L. Gaddis [EMAIL PROTECTED]


Re: ProFTPd + mod_LDAP + OpenLDAP

2002-01-10 Thread Ramin Motakef
Jeremy L. Gaddis [EMAIL PROTECTED] writes:

 Today I compiled ProFTPd with support for mod_ldap
 (authenticating against OpenLDAP).  I set up proftpd.conf
 as per the documentation and authentication was still
 failing.  After examining the log files for ProFTPd,
 I noticed that it was attempting to look up various
 attributes in the LDAP server after entering a username
 but before entering a password.  It was attempting to
 get the value of the userPassword attribute, which my
 ACLs didn't allow.  After changing OpenLDAP's ACLs to
 the following, user authentication worked:
 
 access to attribute=userPassword
 by dn=REMOVED write
 by self write
 by * read
 
 This is far from what I want to have to do, however,
 as this allows anyone to see anyone else's encrypted
 password.  Another option I thought of was changing
 the DN that ProFTPd attempts to bind as, but that'd
 require putting the root LDAP user's password in
 ProFTPd's configuration file.
 
 What's the best way to overcome this?
 
 Thanks.
 
 j.
 

What about adding an entry for proftp to the LDAP tree and changing the
ACL to:
 access to attribute=userPassword
 by dn=REMOVED write
 by dn=cn=proftp read
 by self write
 by * read

Ramin
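The ACL Jeremy posted and the variant Ramin proposes both end with `by * read`, which is the line that hands every client (anonymous ones included) the password hashes. The following is an added example, not code from the thread: a small Python model of slapd's rule that the first matching `by` clause of the matching `access to` directive decides the result, applied to the ACL as posted and to a hardened version next to it. The DNs (`cn=admin,...`, `cn=proftpd,ou=misc,dc=example,dc=com`, the `uid=...` users) are constructed placeholders for the values the thread removes or elides, and the `attrs=` spelling is the one current slapd.access(5) uses for the thread's `attribute=`.

```python
"""Toy model of OpenLDAP ACL evaluation for the userPassword attribute.

Added example, not from the mailing-list thread. It encodes the ACL posted
in the thread (ending in "by * read") beside a hardened variant, then
applies slapd's first-matching-`by`-clause rule to show which identities
can read password hashes. All DNs below are constructed placeholders.
"""

# OpenLDAP access levels, weakest to strongest. Granting a level implies
# every level below it (read implies search, compare, auth, disclose).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed stand-ins: the thread shows "REMOVED" for the rootdn and
# "cn=proftpd,ou=misc,..." for the dedicated proftpd identity.
ROOTDN = "cn=admin,dc=example,dc=com"
PROFTPD_DN = "cn=proftpd,ou=misc,dc=example,dc=com"

# The ACL as posted: every bound or anonymous client may read any hash.
WEAK_ACL = [
    (f'dn="{ROOTDN}"', "write"),
    ("self", "write"),
    ("*", "read"),
]

# Hardened variant: only the dedicated proftpd identity gets read, an
# unauthenticated client may only use the attribute to bind (auth),
# users may change their own, and nobody else sees it.
HARDENED_ACL = [
    (f'dn="{ROOTDN}"', "write"),
    (f'dn="{PROFTPD_DN}"', "read"),
    ("self", "write"),
    ("anonymous", "auth"),
    ("*", "none"),
]


def implies(granted, wanted):
    """True if access level `granted` is at least as strong as `wanted`."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def who_matches(who, bound_dn, target_dn):
    """Evaluate one `by <who>` selector against the requesting identity.

    bound_dn is None for an anonymous (unbound) connection. Only the
    selector forms used above are modelled: *, anonymous, users, self,
    and an exact dn="..." match.
    """
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return bound_dn is not None and bound_dn.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> selector: {who}")


def evaluate(acl, bound_dn, target_dn):
    """Access level `acl` grants bound_dn on target_dn's userPassword.

    acl is the ordered list of (who, level) `by` clauses of one
    `access to attrs=userPassword` directive. slapd stops at the first
    clause whose <who> matches; if none matches, access is none.
    """
    for who, level in acl:
        if who_matches(who, bound_dn, target_dn):
            return level
    return "none"


def can_read_hash(acl, bound_dn, target_dn):
    """Can bound_dn retrieve target_dn's stored password hash?"""
    return implies(evaluate(acl, bound_dn, target_dn), "read")


def can_bind(acl, target_dn):
    """Can an unauthenticated client still simple-bind as target_dn?

    A simple bind is evaluated as anonymous and needs `auth` on userPassword.
    """
    return implies(evaluate(acl, None, target_dn), "auth")


def render(acl, attr="userPassword"):
    """Render the clause list as a slapd.conf access directive."""
    lines = [f"access to attrs={attr}"]
    lines += [f"    by {who} {level}" for who, level in acl]
    return "\n".join(lines)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed
    bob = "uid=bob,ou=people,dc=example,dc=com"      # constructed
    for name, acl in (("as posted", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(f"--- {name} ---\n{render(acl)}")
        for label, dn in (("anonymous", None), ("bob", bob), ("proftpd", PROFTPD_DN)):
            print(f"  {label:9s} reads alice's hash: {can_read_hash(acl, dn, alice)}")
        print(f"  anonymous can bind as alice: {can_bind(acl, alice)}")
```

With the hardened directive, mod_ldap still works when it binds as the dedicated `cn=proftpd` entry, while ordinary users and anonymous clients get `none` on everyone else's hash. If you take Steve's route instead (pam_ldap, no mod_ldap), pam_ldap verifies the password by binding to the directory as the user's own DN, so `by anonymous auth` is enough and no identity needs `read` on userPassword at all.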