Topic: Install ProFTPd with LDAP User Authentication

dmeireles

Install ProFTPd with LDAP User Authentication
« on: July 08, 2008, 05:49:26 pm »
Hi all.
This HOW-TO will explain how to set up a ProFTPd server with user authentication against the eBox LDAP user database.

1 - You'll need an Ubuntu 8.04 box with eBox installed and the Users module activated.

2 - Install the proftpd ldap package (sudo apt-get install proftpd-ldap). During the installation, you'll be prompted to choose the way you want proftpd to be started (inetd or standalone). Choose Standalone.

3 - Check and write down your eBox LDAP Admin Password (sudo cat /etc/ldap.secret)

4 - Check and write down your server's FQDN (cat /etc/hosts)

5 - Rename your /etc/proftpd/ldap.conf file. Then create a new empty file (sudo touch /etc/proftpd/ldap.conf) and paste the following text in it (replace the words in CAPITAL TEXT with their correct values for your environment)

Quote
# ProFTPd LDAP Module for eBox Platform

<IfModule mod_ldap.c>
LDAPServer localhost
LDAPDNInfo cn=admin,dc=ebox YOUR_EBOX_LDAP_ADMIN_PASSWORD
LDAPDoAuth on "ou=Users,dc=ebox" (&(uid=%v)(objectclass=posixAccount))
LDAPDoUIDLookups on "ou=Users,dc=ebox"
LDAPDoGIDLookups on "ou=Groups,dc=ebox"
</IfModule>

6 - Rename your /etc/proftpd/proftpd.conf file. Then create a new empty file (sudo touch /etc/proftpd/proftpd.conf) and paste the following text in it (replace the CAPITAL TEXT with its correct value for your environment)

Quote
# ProFTPd config file for eBox LDAP authentication

Include /etc/proftpd/modules.conf

UseIPv6            off

ServerName         "SOME TEXT"
ServerType         standalone
ServerIdent on         "SOME TEXT FOR PEOPLE NOT TO SEE THIS IS PROFTP RUNNING"
DeferWelcome         off

MultilineRFC2228      on
DefaultServer         on
ShowSymlinks         on

TimeoutNoTransfer      600
TimeoutStalled         600
TimeoutIdle         1200

#DisplayLogin                    welcome.msg
#DisplayChdir                  .message true
ListOptions                   "-l"

DenyFilter         \*.*/

# Use this to jail all users in their homes
DefaultRoot         /home/samba
DefaultChDir         samba

# Required for eBox LDAP User Auth
RequireValidShell      off

Port            21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
# PassivePorts                  49152 65534

# If your host is NATted, this option is useful in order to
# allow passive transfers to work. You have to use your public
# address and open the passive ports used on your firewall as well.
# MasqueradeAddress      1.2.3.4

# Only for StandAlone Mode
MaxInstances         30

# Set the user and group that the server normally runs at.
User            proftpd
Group            nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask            022  022
# Normally, we want files to be overwriteable.
AllowOverwrite         on

# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
# PersistentPasswd      off

# This is required to use both PAM-based authentication and local passwords
# AuthOrder         *mod_auth_pam.c mod_auth_unix.c
# AuthOrder         mod_ldap.c

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile         off

#<IfModule mod_sql.c>
# SQLBackend         mysql
#</IfModule>

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

#<IfModule mod_quotatab.c>
#QuotaEngine off
#</IfModule>

#<IfModule mod_ratio.c>
#Ratios off
#</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
#<IfModule mod_delay.c>
#DelayEngine on
#</IfModule>

#<IfModule mod_ctrls.c>
#ControlsEngine        off
#ControlsMaxClients    2
#ControlsLog           /var/log/proftpd/controls.log
#ControlsInterval      5
#ControlsSocket        /var/run/proftpd/proftpd.sock
#</IfModule>

#<IfModule mod_ctrls_admin.c>
#AdminControlsEngine off
#</IfModule>

Include /etc/proftpd/ldap.conf
#Include /etc/proftpd/sql.conf

DebugLevel 3

7 - I've noticed that disabling some unused modules in modules.conf would somehow increase the password verification. So, if you want to try it out, paste the following content in your /etc/proftpd/modules.conf; otherwise, skip to step 8.

Quote
#
# This file is used to manage DSO modules and features.
#

# This is the directory where DSO modules reside

ModulePath /usr/lib/proftpd

# Allow only user root to load and unload modules, but allow everyone
# to see which modules have been loaded

ModuleControlsACLs insmod,rmmod allow user root
ModuleControlsACLs lsmod allow user *

#LoadModule mod_ctrls_admin.c
#LoadModule mod_tls.c
#LoadModule mod_sql.c
LoadModule mod_ldap.c

#
# 'SQLBackend mysql' or 'SQLBackend postgres' directives are required
# to have SQL authorization working. You can also comment out the
# unused module here, in alternative.
#
#LoadModule mod_sql_mysql.c
#LoadModule mod_sql_postgres.c

#LoadModule mod_radius.c
LoadModule mod_quotatab.c
LoadModule mod_quotatab_file.c
LoadModule mod_quotatab_ldap.c
#LoadModule mod_quotatab_sql.c
#LoadModule mod_quotatab_radius.c
LoadModule mod_wrap.c
LoadModule mod_rewrite.c
LoadModule mod_load.c
LoadModule mod_ban.c
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
#LoadModule mod_wrap2_sql.c

# keep this module the last one
LoadModule mod_ifsession.c

8 - Restart the ProFTPd Server (sudo /etc/init.d/proftpd restart) and you're on!!!

Some notes:
- For debugging, do "tail -f /var/log/proftpd/proftpd.log" while using the server (be it logging in, logging out, restarting, etc...). You might want to change the "DebugLevel" value in proftpd.conf to its max (9) so that you can have a more detailed log.
- Files are created with group and others read access. I don't see a problem in this, since the files will be in your home dir.

Post your comments, please!

##########

Post Update (8/06/2008)

- Changed "DefaultRoot" value (to allow access to the group folders, but not allowing the user to get out of /home)
- Added "ServerIdent on "SOME_TEXT"" to hide ftp server's info


##########

Post Update (22/08/2008)

Stuff that wasn't working now works like a charm!
- Doing an "ls" or "dir" now shows the group that owns the object
- Root folder as /home/samba now working, instead of sending the user to its true home, not allowing him to browse the group dirs
« Last Edit: June 24, 2009, 01:49:01 pm by sixstone »
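Added example (not part of the HOW-TO above, and not a ProFTPd tool): a small checker that parses the two files from steps 5 and 6 and reports what a reviewer would look at before restarting the daemon: placeholders left in place, RequireValidShell not off, no DefaultRoot jail, ServerIdent not set, a DebugLevel left at a debugging value, and whether the ldap.conf holding the LDAP admin password is readable by anyone but its owner. The config strings are constructed samples laid out like the post's files; `find_issues`, `write_private_copy` and the messages are this example's own.

```python
"""Sanity-check the ProFTPd + mod_ldap files from the HOW-TO before restarting.

Added example, not part of the forum post and not a ProFTPd tool.  The two
config strings are constructed samples following the post's layout; the
find_issues / write_private_copy helpers and their messages are this
example's own.
"""
import os
import re
import stat
import tempfile

# Constructed sample of proftpd.conf, with the post's placeholders left in.
PROFTPD_CONF = """\
ServerName         "SOME TEXT"
ServerType         standalone
ServerIdent on     "SOME TEXT"
DefaultRoot        /home/samba
RequireValidShell  off
Port               21
User               proftpd
Group              nogroup
Umask              022  022
DebugLevel 3
Include /etc/proftpd/ldap.conf
"""

# Constructed sample of ldap.conf, again with the placeholder password.
LDAP_CONF = """\
<IfModule mod_ldap.c>
LDAPServer localhost
LDAPDNInfo cn=admin,dc=ebox YOUR_EBOX_LDAP_ADMIN_PASSWORD
LDAPDoAuth on "ou=Users,dc=ebox" (&(uid=%v)(objectclass=posixAccount))
LDAPDoUIDLookups on "ou=Users,dc=ebox"
LDAPDoGIDLookups on "ou=Groups,dc=ebox"
</IfModule>
"""

DIRECTIVE = re.compile(r"^([A-Za-z0-9_]+)\s+(.*?)\s*$")
PLACEHOLDER = re.compile(r"YOUR_EBOX_LDAP_ADMIN_PASSWORD|SOME TEXT")


def parse_directives(text):
    """Return {directive: [value, ...]} for ProFTPd-style config text.

    Comments, blank lines and <IfModule>/</IfModule> container lines are
    skipped; a directive may appear more than once, so values are kept in order.
    """
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found


def find_issues(proftpd_text, ldap_text):
    """Return a list of findings; an empty list means nothing to fix."""
    main = parse_directives(proftpd_text)
    ldap = parse_directives(ldap_text)
    issues = []
    # Settings the HOW-TO relies on for LDAP logins to work at all.
    if main.get("RequireValidShell", ["on"])[0].lower() != "off":
        issues.append("RequireValidShell must be off for eBox LDAP users")
    if "DefaultRoot" not in main:
        issues.append("no DefaultRoot: users are not jailed")
    if "LDAPDNInfo" not in ldap:
        issues.append("ldap.conf has no LDAPDNInfo bind DN/password")
    # Placeholders from the post that were never replaced.
    for name, values in list(main.items()) + list(ldap.items()):
        for value in values:
            if PLACEHOLDER.search(value):
                issues.append("%s still contains a placeholder" % name)
    # Version banner and debugging noise.
    if not main.get("ServerIdent", [""])[0].lower().startswith("on"):
        issues.append("ServerIdent not set: daemon version is announced on connect")
    level = int(main.get("DebugLevel", ["0"])[0])
    if level > 3:
        issues.append("DebugLevel %d is a debugging setting; lower it afterwards" % level)
    return issues


def write_private_copy(text):
    """Write text to a fresh file created with mode 0600 and return its path."""
    fd, path = tempfile.mkstemp(prefix="ldap.conf.")  # mkstemp already uses 0600
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


def ldap_conf_is_private(path):
    """True if the file holding the bind password is not group/world readable."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    for issue in find_issues(PROFTPD_CONF, LDAP_CONF):
        print("-", issue)
    path = write_private_copy(LDAP_CONF)
    print("ldap.conf private:", ldap_conf_is_private(path))
    os.unlink(path)
```

Run against the post's files as written, the checker only reports the three placeholders; once those are replaced it stays quiet unless DebugLevel is left at 9 after the debugging session the notes describe.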

sixstone

Re: Install ProFTPd with LDAP User Authentication
« Reply #1 on: July 08, 2008, 06:32:41 pm »
Thanks very much for your trick ;) and for sharing info with others.

Keep working on this!

dmeireles

Re: Install ProFTPd with LDAP User Authentication
« Reply #2 on: July 08, 2008, 09:19:19 pm »
Post updated. The following options can be interesting...

MaxClients NUMBER "Max numbers of clients connected! Try again later"
MaxClientsPerHost NUMBER "Number of connections from your IP above what I allow..."
AccessGrantMsg "Granted access for %u."


Now, I could use some help with the server not being able to retrieve the owner of files and folders... Some option to tell proftpd to read the UID number of the user...!?

dmeireles

Re: Install ProFTPd with LDAP User Authentication
« Reply #3 on: July 11, 2008, 10:59:39 am »
Post updated: the file/folder owner is now shown :) Thanks to the creator of the module for the tip on this.

dmeireles

Re: Install ProFTPd with LDAP User Authentication
« Reply #4 on: August 22, 2008, 01:40:52 pm »
Post updated! Check the last "post update" line in the first post.

PS: I don't see what more I can do to make this better; it's now doing perfectly what it was supposed to do, so if someone finds a gap, let me know!

dschmid

Re: Install ProFTPd with LDAP User Authentication
« Reply #5 on: November 04, 2008, 08:58:47 am »
Hello, I followed the instructions and it's working fine. The only problem I have is that when connecting from a local client with the firewall enabled on ebox, connecting is not possible. I created a service called ftp with ports 20 and 21 TCP and not internal. I then created a firewall rule for internal to ebox accepting the ftp service, but still connecting is not possible. When I look in the firewall logs over the web interface there are no entries. Can someone please tell me their firewall configuration for the ftp server?

dmeireles

Re: Install ProFTPd with LDAP User Authentication
« Reply #6 on: November 04, 2008, 11:17:06 am »
From the server itself, try to connect (don't do ftp localhost, try instead ftp SERVER_FQDN). I've never used the Firewall module, but if this one uses Ubuntu's ufw (Uncomplicated FireWall), you can try "sudo ufw allow ftp".

vlados

Re: Install ProFTPd with LDAP User Authentication
« Reply #7 on: January 22, 2009, 11:33:26 pm »
Ok. Everything is fine, but I want users to be able to edit /var/www/, and when I log in to the ftp and try to overwrite some file it returns:
Response:   550 footer.css: Permission denied
Error:   Critical error

What to do?

coastdweller

Re: Install ProFTPd with LDAP User Authentication
« Reply #8 on: May 17, 2009, 09:49:51 pm »
This has to do with your user not being a part of the www-data group I believe.

JeppeM

Re: Install ProFTPd with LDAP User Authentication
« Reply #9 on: June 24, 2009, 01:11:44 pm »
Minor thing: in step 7 it should be /etc/proftpd/modules.conf :)

And if you're running Ubuntu 8.10, it's proftpd-mod-ldap you need to install, in case someone else wants to try it out on intrepid :)

JeppeM

Re: Install ProFTPd with LDAP User Authentication
« Reply #10 on: June 24, 2009, 01:56:20 pm »
Something which might help others later down the line:

I had a situation where I wanted to give access to the whole system for some users, but only one folder for other users... This wasn't as hard as I thought with a little googling... What you can do is make different groups in ebox. I made one called "world" and one called "all". Then in the proftpd.conf you can change the DefaultRoot to something like this:

Code:
DefaultRoot             /home/samba !world
DefaultRoot             /home/samba/shares/world world

That means that everyone who isn't a member of the "world" group (the ! acts as an "IS NOT MEMBER OF" check; i.e. the "all" group, if you don't have members in both one and the other) will be rooted to the /home/samba directory, but users of the world group will be rooted to /home/samba/shares/world.

You can read more (including how to do it with 3 places) here.
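Added example (not JeppeM's code and not ProFTPd's): a resolver that applies the group-expression rules of `DefaultRoot dir [group-expression]` to a list of users, so you can see which jail each account lands in before restarting. It follows the documented semantics: terms are comma-separated, a leading `!` negates a term, all terms must hold (logical AND), the first DefaultRoot line that matches wins, and `~` means the user's home. The config text, the group names and the user table are constructed; the `resolve_root` and `unjailed_users` helpers are this example's own. The last function is the check worth keeping: any user for whom no DefaultRoot line matches is not chrooted at all.

```python
"""Work out which DefaultRoot jail applies to each user (added example).

Not code from the forum post or from ProFTPd.  It models the documented
group-expression semantics of `DefaultRoot dir [group-expression]`:
comma-separated terms, `!` negation, logical AND, first matching line wins,
`~` = user's home.  Config text, groups and users below are constructed.
"""
import re

# Constructed config: admins keep their own home, plain "world" members get the
# shared folder, everybody else is jailed to /home/samba (JeppeM's split).
CONFIG = """\
DefaultRoot   ~                         admins
DefaultRoot   /home/samba/shares/world  world,!admins   # AND of two terms
DefaultRoot   /home/samba               !world
"""

# Constructed users: name -> (home directory, set of eBox groups).
USERS = {
    "alice": ("/home/samba/users/alice", {"admins", "world"}),
    "bob":   ("/home/samba/users/bob",   {"world"}),
    "carol": ("/home/samba/users/carol", {"all"}),
    "dave":  ("/home/samba/users/dave",  set()),
}

LINE = re.compile(r"^\s*DefaultRoot\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_default_roots(text):
    """Return [(directory, [term, ...]), ...] in file order; no terms = match all."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop trailing comments
        m = LINE.match(line)
        if m:
            expr = m.group(2)
            rules.append((m.group(1), expr.split(",") if expr else []))
    return rules


def expression_matches(terms, groups):
    """All terms must hold: 'g' requires membership, '!g' requires non-membership."""
    for term in terms:
        if term.startswith("!"):
            if term[1:] in groups:
                return False
        elif term not in groups:
            return False
    return True


def resolve_root(rules, home, groups):
    """Directory the user is chrooted to, or None if no DefaultRoot matches."""
    groups = set(groups)
    for directory, terms in rules:
        if expression_matches(terms, groups):
            if directory == "~" or directory.startswith("~/"):
                return home + directory[1:]
            return directory
    return None


def unjailed_users(rules, users):
    """Names of users that no DefaultRoot line covers (sorted)."""
    return sorted(name for name, (home, groups) in users.items()
                  if resolve_root(rules, home, groups) is None)


if __name__ == "__main__":
    rules = parse_default_roots(CONFIG)
    for name, (home, groups) in USERS.items():
        print("%-6s -> %s" % (name, resolve_root(rules, home, groups)))
    print("not jailed:", unjailed_users(rules, USERS))
```

With the three-line config every user resolves to some jail; drop the `!world` line and "carol" and "dave" fall through with no DefaultRoot at all, which is the case to check for when you split roots by group.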

martinique

Re: Install ProFTPd with LDAP User Authentication
« Reply #11 on: July 14, 2009, 10:17:13 am »
I need a slightly different setup, with an eBox group called 'guests', whose FTP homes must be in a subfolder, so that other users can read them, but which they cannot escape. Since the default eBox home folder structure apparently doesn't allow this, I decided to use a different base folder for FTP, which is OK for me. The basic setup required very small changes in proftpd.conf:

Code:
DefaultRoot /home/ftp !guests
DefaultRoot /home/ftp/guests guests
# DefaultChDir samba

That worked OK as such, but I need to have user folders created automatically under the new FTP root, because I don't want to spend the rest of my life creating them manually. After a little googling I tried adding the following lines, which should achieve just that:

Code:
LDAPGenerateHomedir on 755
LDAPForceGeneratedHomedir on
<IfGroup guests>
  LDAPGenerateHomedirPrefix /home/ftp/guests
</IfGroup>
<IfGroup !guests>
  LDAPGenerateHomedirPrefix /home/ftp
</IfGroup>

After that I can't connect, because the server decides to close the connection after asking for a username. I also tried adding CreateHome on 755 as some had done, but it seems to make no difference.

Here are the related lines from /var/log/syslog (shortened for easier reading):

Code:
ebox slapd[4733]: <= bdb_equality_candidates: (uid) not indexed
ebox slapd[4733]: <= bdb_equality_candidates: (memberUid) not indexed
ebox kernel: [71655.648969] proftpd[19531]: segfault at 00000000 eip b7d93781 esp bfa75860 error 4

...and /var/log/proftpd.log (log level set to maximum):

Code:
performing ident lookup
ident lookup returned 'UNKNOWN'
connected - local  : 10.x.x.y:21
connected - remote : 10.x.x.x:1495
FTP session opened.
dispatching PRE_CMD command 'USER myuser' to mod_rewrite
dispatching PRE_CMD command 'USER myuser' to mod_core
dispatching PRE_CMD command 'USER myuser' to mod_core
dispatching PRE_CMD command 'USER myuser' to mod_delay
dispatching PRE_CMD command 'USER myuser' to mod_auth
mod_ldap/2.8.17: not unbinding to an already unbound connection.
mod_ldap/2.8.17: not unbinding to an already unbound connection.
dispatching CMD command 'USER myuser' to mod_auth
mod_ldap/2.8.17: generated filter ou=Users,dc=ebox from template ou=Users,dc=ebox and value myuser
mod_ldap/2.8.17: connected to localhost:389
mod_ldap/2.8.17: set protocol version to 3
mod_ldap/2.8.17: successfully bound as cn=admin,dc=ebox with password ***************
mod_ldap/2.8.17: set dereferencing to 0
mod_ldap/2.8.17: set query timeout to 0s
mod_ldap/2.8.17: generated filter (&(uid=myuser)(objectclass=posixAccount)) from template (&(uid=%v)(objectclass=posixAccount)) and value myuser
mod_ldap/2.8.17: searched using filter (&(uid=myuser)(objectclass=posixAccount))
mod_ldap/2.8.17: fetching value(s) for attr uid
mod_ldap/2.8.17: fetching value(s) for attr uidNumber
mod_ldap/2.8.17: fetching value(s) for attr gidNumber
mod_ldap/2.8.17: fetching value(s) for attr homeDirectory
mod_ldap/2.8.17: pr_ldap_user_lookup(): LDAPForceGeneratedHomedir is enabled, but LDAPGenerateHomedir is not.
mod_ldap/2.8.17: generated filter (&(memberUid=myuser)(objectclass=posixGroup)) from template (&(memberUid=%v)(objectclass=posixGroup)) and value myuser
mod_ldap/2.8.17: searched using filter (&(memberUid=myuser)(objectclass=posixGroup))
ProFTPD terminating (signal 11)
FTP session closed.

The segfault looks bad. Also, "LDAPForceGeneratedHomedir is enabled, but LDAPGenerateHomedir is not" doesn't make sense, when it's definitely set. Does someone with more FTP+LDAP experience have any idea where it all goes wrong?
« Last Edit: July 14, 2009, 10:26:56 am by martinique »
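Added example (not martinique's code and not mod_ldap's): the log above shows mod_ldap building the search filter by substituting the supplied username for `%v` in the LDAPDoAuth template. The snippet below reproduces that expansion with the RFC 4515 escaping an assertion value needs (`\`, `*`, `(`, `)`, NUL), and then reads `generated filter ... from template ... and value ...` lines to classify whether the value that went into the filter contained metacharacters and, if so, whether the logged filter shows them escaped. The first log line is quoted from the post; the second is constructed to exercise the unescaped branch and says nothing about how mod_ldap 2.8.17 itself behaves. `expand_template` and `classify_log_line` are this example's own names.

```python
"""Reproduce mod_ldap's %v filter-template expansion and audit it from the log.

Added example; not mod_ldap's code.  The first SAMPLE_LOG line is quoted from
the post, the second is constructed to show the check firing, and the verdicts
are this example's own, not a claim about mod_ldap 2.8.17.
"""
import re

TEMPLATE = "(&(uid=%v)(objectclass=posixAccount))"   # LDAPDoAuth filter from the HOW-TO

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def expand_template(template, value, escape=True):
    """Substitute %v in an LDAPDoAuth-style template; escape the value by default."""
    return template.replace("%v", escape_filter_value(value) if escape else value)


LOG_RE = re.compile(r"generated filter (.+?) from template (.+?) and value (.*)$")


def classify_log_line(line):
    """Verdict for one mod_ldap 'generated filter' message.

    'plain'     - the value contained no filter metacharacters
    'escaped'   - it did, and the logged filter shows them escaped
    'unescaped' - it did, and they were substituted raw
    'unknown'   - the logged filter matches neither expansion
    None        - not a 'generated filter' line at all
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    generated, template, value = m.groups()
    if escape_filter_value(value) == value:
        return "plain"
    if generated == expand_template(template, value, escape=True):
        return "escaped"
    if generated == expand_template(template, value, escape=False):
        return "unescaped"
    return "unknown"


SAMPLE_LOG = [
    # quoted from martinique's proftpd.log excerpt
    "mod_ldap/2.8.17: generated filter (&(uid=myuser)(objectclass=posixAccount)) "
    "from template (&(uid=%v)(objectclass=posixAccount)) and value myuser",
    # constructed: a login name consisting of a lone '*' substituted raw
    "mod_ldap/2.8.17: generated filter (&(uid=*)(objectclass=posixAccount)) "
    "from template (&(uid=%v)(objectclass=posixAccount)) and value *",
    # quoted: unrelated line, ignored by the scanner
    "mod_ldap/2.8.17: connected to localhost:389",
]


def scan(lines):
    """Verdict per line, skipping lines that are not filter messages."""
    verdicts = [classify_log_line(line) for line in lines]
    return [v for v in verdicts if v is not None]


if __name__ == "__main__":
    print(expand_template(TEMPLATE, "myuser"))
    print(expand_template(TEMPLATE, "a*)"))
    print(scan(SAMPLE_LOG))
```

Running `scan` over a real proftpd.log at DebugLevel 9 (where these messages appear) is a cheap way to confirm that login names containing filter metacharacters reach the directory escaped; a `plain` verdict on every line just means nobody has tried such a name yet.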

cougarmaster

Re: Install ProFTPd with LDAP User Authentication
« Reply #12 on: May 16, 2010, 07:26:20 pm »
Hi,
  I have followed your hack and the problem I am having is this:

            mod_ldap/2.8.17: pr_ldap_connect(): bind as cn=admin,dc=ebox failed: Invalid credentials

  Please help. I want to have ftp.

Tks in advance
Eric

binary-two

Re: Install ProFTPd with LDAP User Authentication
« Reply #13 on: May 16, 2010, 11:54:33 pm »
Hey Eric, are you using ebox >= 1.4? Then you need to use cn=ebox,dn=ebox (or dn=what you selected when you configured slapd).

So long,

Björn

cougarmaster

Re: Install ProFTPd with LDAP User Authentication
« Reply #14 on: May 17, 2010, 06:43:50 am »
TKS!!! Binary Two  ;D ;D ;D ;D

It works now; I need to point it to a new partition hehe...

Really appreciate the quick responses from the community :)
Eric