
Re: ProFTPd + mod_LDAP + OpenLDAP



"Jeremy L. Gaddis" <jlgaddis@blueriver.net> writes:

> Today I compiled ProFTPd with support for mod_ldap
> (authenticating against OpenLDAP).  I set up proftpd.conf
> as per the documentation and authentication was still
> failing.  After examining the log files for ProFTPd,
> I noticed that it was attempting to look up various
> attributes in the LDAP server after entering a username
> but before entering a password.  It was attempting to
> get the value of the "userPassword" attribute, which my
> ACLs didn't allow.  After changing OpenLDAP's ACLs to
> the following, user authentication worked:
> 
> access to attribute=userPassword
>         by dn="<REMOVED>" write
>         by self write
>         by * read
> 
> This is far from what I want to have to do, however,
> as this allows anyone to see anyone else's encrypted
> password.  Another option I thought of was changing
> the DN that ProFTPd attempts to bind as, but that'd
> require putting the root LDAP user's password in
> ProFTPd's configuration file.
> 
> What's the best way to overcome this?
> 
> Thanks.
> 
> j.
> 

What about adding an entry for proftp to the LDAP tree and changing the
ACL to:

 access to attribute=userPassword
         by dn="<REMOVED>" write
         by dn="cn=proftp........" read
         by self write
         by * read

Ramin
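For reference, here is what the dedicated-bind-DN approach from this thread looks like once the blanket `by * read` is also closed off. This is an added slapd.conf example, not configuration from either poster; the DNs are assumed placeholders, and the `attrs=`/`dn.exact=` spellings are the later OpenLDAP syntax for what the thread writes as `attribute=`/`dn=`.

```conf
# Added example (not from the thread): an OpenLDAP ACL that lets only a
# dedicated proftpd service entry read userPassword, so proftpd binds
# with that entry's credentials instead of the rootdn's.
# All DNs below are assumed placeholders; substitute your own suffix.
# OpenLDAP evaluates "by" clauses in order and stops at the first match,
# so the service entry, self and anonymous cases must precede "by * none".
access to attrs=userPassword
        # the entry proftpd binds as (its password lives in proftpd.conf,
        # but it can only read userPassword, not modify the directory)
        by dn.exact="cn=proftpd,ou=services,dc=example,dc=com" read
        # users may change their own password
        by self write
        # unauthenticated clients may use the attribute only to bind
        by anonymous auth
        # everyone else, including other authenticated users, sees nothing
        by * none
```

The service entry's DN and password then go into mod_ldap's bind directive (LDAPDNInfo in the mod_ldap of this era, LDAPBindDN in later ProFTPD releases), and an ordinary user's ldapsearch for userPassword should come back empty rather than showing other accounts' hashes.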


