VsFTPd - LDAP - PAM
Solution 1
According to man ldap.conf:
URI <ldap[si]://[name[:port]] ...>
The URI scheme may be any of ldap, ldaps or ldapi, which refer to LDAP over TCP, LDAP over SSL (TLS) and LDAP over IPC (UNIX domain sockets), respectively.
So, change
uri ldapi:///ldap.example.com
to
uri ldap:///ldap.example.com
and try again.
Solution 2
Ok, this part of the problem is solved.
Here is the working /etc/pam.d/vsftpd file:
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
And you have to add this line to /etc/vsftpd.conf:
guest_enable=YES
After this, there is still some work to properly chroot the LDAP users in the FTP server, but they can now log in.
Thank you again Rilindo for your help. After all, ACLs were not the issue here.
Totor
Updated on September 18, 2022
Comments
-
Totor almost 2 years
I am trying to configure a VsFTPd server to authenticate against an LDAP server. It may be easy, but since it is the first time that I am using both LDAP and PAM, I have some difficulties. VsFTPd runs on an Ubuntu Server 11.04 and the LDAP is OpenLDAP on a 10.10 Ubuntu Server. I disabled AppArmor on the first one. VsFTPd cannot connect to the LDAP server, in my syslog I have:
vsftpd: pam_ldap: ldap_simple_bind Can't contact LDAP server
The LDAP server is OK since I can do an ldapsearch. Here is my /etc/pam.d/vsftpd file:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
@include common-account
@include common-session
@include common-auth
auth required pam_ldap.so
account required pam_ldap.so
session required pam_ldap.so
password required pam_ldap.so
And here is my /etc/ldap.conf file:
base dc=example,dc=com
uri ldapi:///ldap.example.com
ldap_version 3
rootbinddn cn=admin,dc=example,dc=com
pam_password md5
nss_initgroups_ignoreusers a_bunch_of_system_users
Can anyone help me, please? Thank you.
EDIT: new version of the /etc/pam.d/vsftpd file:
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
account required pam_unix.so
account sufficient pam_ldap.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
auth required pam_env.so
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required pam_shells.so
-
Mohammed Noureldin almost 7 years
I know it is an old question, but did you manage to get it fully functional?
-
Totor over 12 years
No change. I forgot to add that the ldapsearch only works by providing an explicit ldap server with the -h option. Do you have another idea? Do you need another configuration file? Thank you for your help.
-
Totor over 12 years
Actually, I just removed one "/" in the URI and I have some progress. I don't have the "Can't contact LDAP server" anymore, and I don't have to use the "-h" option anymore for ldapsearch. It still does not work and I have to figure out where there is a problem.
-
Rilindo over 12 years
Would it be possible to post the slapd.conf and review the ACLs? I had a similar issue in the past and it was a pain because I put the ACLs in the wrong place.
-
Totor over 12 years
Actually, I don't have any slapd.conf. I assumed it was because I am running under Ubuntu. However I did a wireshark capture of the exchange between the FTP server and the LDAP server: aneuropeanstudent.eu/ldap-ftp.wireshark In this capture, you can see between packets 9 and 15 that the binding is OK. But packet 18 is a useless search that returns no results and triggers the "INCORRECT LOGIN" for the FTP server. I don't know why this research is done. Also, excuse my ignorance, but what are you calling ACLs here? Thank you for your help.
-
Totor over 12 years
Also, I changed my /etc/pam.d/vsftpd file. See the question.
-
Rilindo over 12 years
Where is the ldap server located? I thought it was on the same server?
-
Rilindo over 12 years
The ACLs in question would be this, for example: ibm.com/developerworks/linux/tutorials/l-lpic3303/section2.html It sounds like you are able to perform an anonymous bind, so the next step is to look at either your slapd.conf, ldap.conf or whatever configuration file is used under Ubuntu's OpenLDAP Server.
-
Rilindo over 12 years
I am not sure if the guest_enable is the actual fix. I have the following in my vsFTP config (I also have an LDAP server which I have my clients connect to): pastebin.com/8bBuSaFM . Here is my vsftpd pam config: pastebin.com/VugWRUMz . And my passwordauth: pastebin.com/g5jbwFBU . Then again, I use a Red Hat type distro, which automates a lot of this stuff for you when you set up your client with LDAP authentication.
-
Rilindo over 12 years
Cool. FWIW, I looked up that setting and as it turns out, guest_enable means that your login will use the default FTP user (which in this case is likely going to be "ftp"). This means that if you were logged in, either you failed ldap authentication and it defaulted to the ftp user on the server or you never authenticated against ldap right from the start of the session.
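An added example, not code from the thread nor from vsftpd or pam_ldap: a small linter that encodes the three checks the thread turns on, the ldapi/ldap URI scheme from Solution 1, the PAM control words and the presence of a pam_ldap.so auth entry in the pam.d file, and the guest_enable/guest_username pairing Rilindo describes in the last comment. Function names and the sample inputs are my own constructions; the guest user 'ftp' is vsftpd's documented default for guest_username.

```python
import re
from urllib.parse import urlsplit

# Control words PAM accepts; a typo here makes the entry fail to load.
PAM_CONTROLS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
PAM_ENTRY = re.compile(r"^-?(auth|account|session|password)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def check_ldap_uri(uri):
    """Findings for one value of the ldap.conf 'uri' directive (constructed helper)."""
    u = urlsplit(uri)
    if u.scheme == "ldapi":
        # ldapi only opens a local UNIX socket; a hostname written after it is never contacted
        return [f"{uri}: ldapi is a local socket, the remote host is never contacted"] if u.path.strip("/") else []
    if u.scheme in ("ldap", "ldaps"):
        # three slashes leave the host empty; the name lands in the DN part of the URL
        return [] if u.hostname else [f"{uri}: empty host, did you mean {u.scheme}://{u.path.lstrip('/')}"]
    return [f"{uri}: unknown scheme {u.scheme!r}"]

def check_pam(text):
    """Findings for a /etc/pam.d/<service> file: bad control words, no LDAP auth at all."""
    findings, ldap_auth, includes = [], False, False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            includes = True  # an included stack may supply pam_ldap.so itself
            continue
        m = PAM_ENTRY.match(line)
        if not m:
            findings.append(f"line {n}: unparsable entry {line!r}")
            continue
        typ, control, module = m.groups()
        if not control.startswith("[") and control not in PAM_CONTROLS:
            findings.append(f"line {n}: unknown control {control!r}")
        ldap_auth |= typ == "auth" and module == "pam_ldap.so"
    if not ldap_auth and not includes:
        findings.append("no 'auth ... pam_ldap.so' entry: passwords are never checked against LDAP")
    return findings

def check_vsftpd(text):
    """guest_enable=YES maps every PAM-authenticated login onto the guest account."""
    opts = dict(l.strip().split("=", 1) for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#"))
    if opts.get("guest_enable") == "YES" and "guest_username" not in opts:
        return ["guest_enable=YES without guest_username: all logins run as vsftpd's default guest user 'ftp'"]
    return []

# Constructed sample inputs, using the values quoted in the thread.
SAMPLE_PAM = "auth required pam_ldap.so\naccount required pam_ldap.so\npassword required pam_ldap.so\n"
SAMPLE_VSFTPD = "guest_enable=YES\n"
print(check_ldap_uri("ldapi:///ldap.example.com"), check_pam(SAMPLE_PAM), check_vsftpd(SAMPLE_VSFTPD))
```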