VsFTPd - LDAP - PAM

I am trying to configure a VsFTPd server to authenticate agains an LDAP server. It may be easy, but since it is the first time that I am using both LDAP and PAM, I have some difficulties. VsFTPd runs on an Ubuntu Server 11.04 and the LDAP is OpenLDAP on an 10.10 Ubuntu Server. I disabled AppArmor on the first one. VsFTPd cannot connect to the LDAP server, in my syslog I have:

vsftpd: pam_ldap: ldap_simple_bind Can't contact LDAP server

The LDAP server is OK since I can do an ldapsearch.

Here is my /etc/pam.d/vsftpd file:

auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
auth required pam_ldap.so
account required pam_ldap.so
session required pam_ldap.so
password required pam_ldap.so

And here is my /etc/ldap.conf file:

base dc=example,dc=com
uri ldapi:///ldap.example.com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
pam_password md5
nss_initgroups_ignoreusers a_bunch_of_system_users

Can anyone help me please ? Thank you.

EDIT: new version of the /etc/pam.d/vsftpd file:

auth    required    pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

account required    pam_unix.so
account sufficient  pam_ldap.so

session required    pam_limits.so
session required    pam_unix.so
session optimal     pam_ldap.so

auth    required    pam_env.so
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_ldap.so use_first_pass

auth    required    pam_shells.so

No change. I forgot to add that the ldapsearchonly works by providing an explicit ldap server with the -h option. Do you have another idea? Do you need another configuration file? Thank you for your help.

Actually, I just removed one "/" in the URI and I have some progress. I don't have the "Can't contact LDAP server" anymore, and I don't have to user the "-h" option anymore for ldapsearch. It still does not work and I have to figure out where there is a problem.

Would be possible to post the slapd.conf and review the ACLs? I had a similar issue in the past and it was pain because I put the ACLs in the wrong place.

Actually, I don't have any slapd.conf. I assumed it was because I am running under Ubuntu. However I did a wireshark capture of the exchange between the FTP server and the LDAP server : aneuropeanstudent.eu/ldap-ftp.wireshark In this capture, you can see between packets 9 and 15 that the binding is OK. But packet 18 is a useless search that returns no results and triggers the "INCORRECT LOGIN" for the FTP server. I don't know why this research is done. Also, excuse my ignorance, but what are you calling ACLs here ? Thank you for your help.

Also, I changed my /etc/pam.d/vsftpd file. See the question.

Where is the ldap server located? I thought it was on the same server?

The ACLs in question would be this, for example. ibm.com/developerworks/linux/tutorials/l-lpic3303/section2.h‌​tml It sounds like you able to perform an anonymous bind, so the next step to look at either your slapd.conf, ldap.conf or whatever configuration file that is used under Ubuntu's OpenLDAP Server.

I am not sure if the guest_enable is the actual fix. I have the following in my vsFTP config (I also have a LDAP server which I have my clients connect): pastebin.com/8bBuSaFM . Here is my vsftpd pam config: pastebin.com/VugWRUMz . And my passwordauth: pastebin.com/g5jbwFBU . Then again, I use a Red Hat type distro, which automate the lot of this stuff for you when you setup your client with LDAP authentication

Cool. FWIW, I looked it up that setting and as it turns out, guest_enable means that your login will use the default FTP user (which in this case is likely going to be "ftp"). This means that if you were logged in, either you failed ldap authentication and it defaulted to the ftp user on theserver or you never authenticated against ldap right from the start of the session.