
Re: ProFTPd + mod_LDAP + OpenLDAP



In article <DEEEKMDBPONAICGLFKHDOEAGCAAA.jeremy@home.lan> you write:
>Today I compiled ProFTPd with support for mod_ldap
>(authenticating against OpenLDAP).  I set up proftpd.conf
>as per the documentation and authentication was still
>failing.  After examining the log files for ProFTPd,
>I noticed that it was attempting to lookup various
>attributes in the LDAP server after entering a username
>but before entering a password.  It was attempting to
>get the value of the "userPassword" attribute, which my
>ACLs didn't allow.  After changing OpenLDAP's ACLs to
>the following, user authentication worked:

What I've done for LDAP and proftpd was just to use the
already-functional PAM support and not add mod_ldap. Then my
/etc/pam.d/proftpd looks like

==================================================
#%PAM-1.0
auth       required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok

# This is disabled because anonymous logins will fail otherwise,
# unless you give the 'ftp' user a valid shell, or /bin/false and add
# /bin/false to /etc/shells.
#auth       required    pam_shells.so

account sufficient pam_ldap.so
account required   pam_unix.so
session sufficient pam_ldap.so
session required   pam_unix.so
==================================================

and then added the line 

PersistentPasswd        off

to /etc/proftpd.conf, which took a while (and some help from the
developers) to work out. Now it all works fine for me.

-- 
Steve McIntyre, Cambridge, UK.                   stevem@chiark.greenend.org.uk
"They say that you play Cambridge twice - once on the way up and once on the
 way down. It's nice to be back..." --- Armstrong & Miller
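As an added illustration (not part of the message above), here is a small simulator of how Linux-PAM walks the `auth` stack quoted in that /etc/pam.d/proftpd, so the effect of the required/sufficient ordering can be checked: the pam_listfile deny line comes first, so a user listed in /etc/ftpusers is refused even when pam_ldap would accept them, while an LDAP-only user never reaches pam_unix. It implements only the required, requisite and sufficient control flags, and the module outcomes are constructed scenarios rather than real lookups.

```python
# Added example: simplified Linux-PAM 'auth' stack walk over the config from
# the message (control flags limited to required / requisite / sufficient).
PAM_PROFTPD = """
auth       required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_ldap.so
auth required   pam_unix.so nullok
#auth       required    pam_shells.so
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module, args)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or parts[0] != facility:
            continue
        stack.append((parts[1], parts[2], parts[3:]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (PAM_SUCCESS) or False (any failure).

    Returns (admitted, modules_consulted_in_order).
    """
    failed = False
    consulted = []
    for control, module, _args in stack:
        consulted.append(module)
        ok = outcomes.get(module, False)
        if control == "required":
            failed = failed or not ok      # remember the failure, keep walking
        elif control == "requisite":
            if not ok:
                return False, consulted    # stop immediately on failure
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted     # success short-circuits the stack
        else:
            raise ValueError("unsupported control flag: " + control)
    return not failed, consulted

STACK = parse_stack(PAM_PROFTPD)

def login_allowed(in_ftpusers, ldap_ok, unix_ok):
    """Constructed scenario: is the user admitted, and which modules ran?"""
    outcomes = {
        "pam_listfile.so": not in_ftpusers,   # sense=deny: a listed user fails
        "pam_ldap.so": ldap_ok,
        "pam_unix.so": unix_ok,
    }
    return evaluate(STACK, outcomes)
```

Running `login_allowed(True, True, True)` shows the /etc/ftpusers entry wins regardless of the LDAP and local results, which is the property worth verifying before trusting such a stack.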


