
ProFTPd + mod_LDAP + OpenLDAP



Today I compiled ProFTPd with support for mod_ldap
(authenticating against OpenLDAP).  I set up proftpd.conf
as per the documentation and authentication was still
failing.  After examining the log files for ProFTPd,
I noticed that it was attempting to look up various
attributes in the LDAP server after entering a username
but before entering a password.  It was attempting to
get the value of the "userPassword" attribute, which my
ACLs didn't allow.  After changing OpenLDAP's ACLs to
the following, user authentication worked:

access to attribute=userPassword
        by dn="<REMOVED>" write
        by self write
        by * read

This is far from what I want to have to do, however,
as this allows anyone to see anyone else's encrypted
password.  Another option I thought of was changing
the DN that ProFTPd attempts to bind as, but that'd
require putting the root LDAP user's password in
ProFTPd's configuration file.

What's the best way to overcome this?

Thanks.

j.

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net> 
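One way to get the behaviour the post is after, as an added example that is not the poster's configuration and is not taken from the ProFTPd or OpenLDAP documentation: keep userPassword unreadable by everyone, grant the bind operation "auth" access only, and bind ProFTPd as a dedicated low-privilege service DN instead of the rootdn. The DNs (cn=admin, cn=proftpd, ou=People under dc=example,dc=com), the hostname and the password placeholder are assumptions. The proftpd.conf fragment assumes a mod_ldap release (1.3.3 or later) that can authenticate by binding as the user (LDAPAuthBinds) rather than fetching the hash, which the behaviour described in the post suggests that build did not do; older releases used different directive names.

```conf
# --- slapd.conf (OpenLDAP) ---
# ACL clauses are evaluated in order; the first "access to" that matches
# the target wins, so the userPassword clause must come before any
# broader clause covering the same entries.

# Weak ACL (what the post ended up with): every client, anonymous
# included, can read every user's password hash.
#access to attrs=userPassword
#        by dn.exact="cn=admin,dc=example,dc=com" write
#        by self write
#        by * read

# Hardened ACL: nobody can read the hash. "auth" lets a client bind
# with (or compare against) the password without retrieving it.
# "by * none" is the default but is written out so a later edit
# cannot silently widen it.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none

# Remaining user attributes (uid, uidNumber, homeDirectory, ...):
# the assumed ProFTPd service account may read them so it can find the
# user's DN before the auth bind; users may read their own entry.
access to dn.subtree="ou=People,dc=example,dc=com"
        by dn.exact="cn=admin,dc=example,dc=com" write
        by dn.exact="cn=proftpd,ou=Services,dc=example,dc=com" read
        by self read
        by * none

# --- proftpd.conf (mod_ldap, assumed 1.3.3+ directive names) ---
# Bind as the service account, not the rootdn, and authenticate by
# binding as the user; the service password below is a placeholder,
# and this file must be root-owned and unreadable by other users.
<IfModule mod_ldap.c>
  LDAPServer    ldap://ldap.example.com
  LDAPBindDN    "cn=proftpd,ou=Services,dc=example,dc=com" "service-account-password"
  LDAPUsers     ou=People,dc=example,dc=com (uid=%u) (uidNumber=%u)
  LDAPAuthBinds on
</IfModule>
```

Two checks confirm the ACL does what is intended. A search as the service account, for example ldapsearch -x -D "cn=proftpd,ou=Services,dc=example,dc=com" -W -b ou=People,dc=example,dc=com "(uid=someuser)" userPassword, should return the entry with no userPassword attribute at all; and a bind as the user, for example ldapwhoami -x -D "uid=someuser,ou=People,dc=example,dc=com" -W, should still succeed with the correct password and fail with a wrong one. If the first command returns the hash, the userPassword clause is either missing or sits after a broader clause that matched first.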