Re: ProFTPd + mod_LDAP + OpenLDAP
"Jeremy L. Gaddis" <jlgaddis@blueriver.net> writes:
> Today I compiled ProFTPd with support for mod_ldap
> (authenticating against OpenLDAP). I set up proftpd.conf
> as per the documentation and authentication was still
> failing. After examining the log files for ProFTPd,
> I noticed that it was attempting to lookup various
> attributes in the LDAP server after entering a username
> but before entering a password. It was attempting to
> get the value of the "userPassword" attribute, which my
> ACLs didn't allow. After changing OpenLDAP's ACLs to
> the following, user authentication worked:
>
> access to attribute=userPassword
> by dn="<REMOVED>" write
> by self write
> by * read
>
> This is far from what I want to have to do, however,
> as this allows anyone to see anyone else's encrypted
> password. Another option I thought of was changing
> the DN that ProFTPd attempts to bind as, but that'd
> require putting the root LDAP user's password in
> ProFTPd's configuration file.
>
> What's the best way to overcome this?
>
> Thanks.
>
> j.
>
What about adding an entry for proftp to the LDAP tree and changing the
ACL to:
access to attribute=userPassword
by dn="<REMOVED>" write
by dn="cn=proftp........"
by self write
by * read
Ramin
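A worked slapd.conf version of that idea, added here as an illustration rather than taken from either poster: a dedicated service entry for the FTP daemon gets read access to userPassword, users keep write access to their own, everyone else may only use the attribute to bind, and nobody else can read it. The service DN `cn=proftpd,ou=services,dc=example,dc=com` and the base DN are assumed names; in OpenLDAP the first matching `by` clause wins and `access` directives are evaluated in order, so this rule must appear before any catch-all `access to *` rule and must not keep the `by * read` line from the original ACL.

```conf
# Assumed service account for ProFTPD's LDAPDNInfo bind (adjust to your tree):
#   dn: cn=proftpd,ou=services,dc=example,dc=com
# Lock down the password hash: service account may read it, the owner may
# change it, anyone may bind with it, nobody else may read it.
access to attrs=userPassword
        by dn.exact="cn=proftpd,ou=services,dc=example,dc=com" read
        by self write
        by anonymous auth
        by * none

# The rest of the entry (uid, uidNumber, homeDirectory, ...) stays readable
# for the attribute lookups mod_ldap does before the password check.
access to *
        by * read
```

Check it with an anonymous `ldapsearch -x -b "dc=example,dc=com" userPassword`, which should return the entries without any userPassword values, while the same search bound as the service account (`-D "cn=proftpd,ou=services,dc=example,dc=com" -W`) returns the hashes. If mod_ldap is set to verify passwords by binding as the user (`LDAPAuthBinds on`) instead of comparing the hash itself, the service account needs no read access on userPassword at all and the `by anonymous auth` clause is sufficient.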