  1. #1
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5

    Help: VSFTPD use Active directory for authentication

    Hi, everyone!

    I want to install an FTP server (VSFTPD) on my Red Hat Enterprise Linux 5.5 and I want to use Active Directory LDAP (Windows Server 2008 Enterprise) for authentication. I can't add my Windows LDAP to the FTP server.

    I tried my best, but I can't configure it.

    Anyone who can help me configure it, please show me.

    I hope to receive a reply soon.

    Thank you!

  2. #2
    Just Joined! jr0sco's Avatar
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    41
    I did this about two years ago, but it was on a Win 2003 server. Post your /etc/vsftpd.conf and /etc/openldap/ldap.conf files here and I will have a look.

    JC

  3. #3
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Thanks for very fast reply!

    Here you are. Please give me more options I can insert into my config so that I can use users from Active Directory (on the Windows server) to authorise to VSFTPD on Red Hat. Thank you very much!

    /etc/openldap/ldap.conf

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    #BASE dc=example, dc=com
    #URI ldap://ldap.example.com ldap://ldap-master.example.com:666

    #SIZELIMIT 12
    #TIMELIMIT 15
    #DEREF never
    URI ldap://192.168.15.6/
    BASE dc=hanghai,dc=vn
    TLS_CACERTDIR /etc/openldap/cacerts
    192.168.15.6 is my Active Directory server.


    And /etc/vsftpd.conf

    #############################################
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=No
    force_local_logins_ssl=No
    ssl_tlsv1=YES
    ssl_sslv2=NO
    ssl_sslv3=NO
    rsa_cert_file=/etc/vsftpd/vsftpd.pem
    #############################################
    #LDAPForceGeneratedHomedir
    #LDAPGenerateHomedirPrefix
    # The default compiled in settings are fairly paranoid. This sample file
    # loosens things up a bit, to make the ftp daemon more usable.
    # Please see vsftpd.conf.5 for all compiled in defaults.
    #
    # READ THIS: This example file is NOT an exhaustive list of vsftpd options.
    # Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
    # capabilities.
    #
    # Allow anonymous FTP? (Beware - allowed by default if you comment this out).
    anonymous_enable=YES
    anon_root=/home/ftp
    #
    # Uncomment this to allow local users to log in.
    local_enable=YES
    #
    # Uncomment this to enable any form of FTP write command.
    write_enable=YES
    #
    # Default umask for local users is 077. You may wish to change this to 022,
    # if your users expect that (022 is used by most other ftpd's)
    local_umask=022
    #
    # Uncomment this to allow the anonymous FTP user to upload files. This only
    # has an effect if the above global write enable is activated. Also, you will
    # obviously need to create a directory writable by the FTP user.
    #anon_upload_enable=YES
    #
    # Uncomment this if you want the anonymous FTP user to be able to create
    # new directories.
    #anon_mkdir_write_enable=YES
    #
    # Activate directory messages - messages given to remote users when they
    # go into a certain directory.
    dirmessage_enable=YES
    #
    # Activate logging of uploads/downloads.
    xferlog_enable=YES
    #
    # Make sure PORT transfer connections originate from port 20 (ftp-data).
    connect_from_port_20=YES
    #
    # If you want, you can arrange for uploaded anonymous files to be owned by
    # a different user. Note! Using "root" for uploaded files is not
    # recommended!
    #chown_uploads=YES
    #chown_username=whoever
    #
    # You may override where the log file goes if you like. The default is shown
    # below.
    xferlog_file=/var/log/vsftpd.log
    #
    # If you want, you can have your log file in standard ftpd xferlog format.
    # Note that the default log file location is /var/log/xferlog in this case.
    xferlog_std_format=YES
    #
    # You may change the default value for timing out an idle session.
    idle_session_timeout=600
    #
    # You may change the default value for timing out a data connection.
    data_connection_timeout=180
    #
    # It is recommended that you define on your system a unique user which the
    # ftp server can use as a totally isolated and unprivileged user.
    #nopriv_user=ftpsecure
    #
    # Enable this and the server will recognise asynchronous ABOR requests. Not
    # recommended for security (the code is non-trivial). Not enabling it,
    # however, may confuse older FTP clients.
    #async_abor_enable=YES
    #
    # By default the server will pretend to allow ASCII mode but in fact ignore
    # the request. Turn on the below options to have the server actually do ASCII
    # mangling on files when in ASCII mode.
    # Beware that on some FTP servers, ASCII support allows a denial of service
    # attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
    # predicted this attack and has always been safe, reporting the size of the
    # raw file.
    # ASCII mangling is a horrible feature of the protocol.
    #ascii_upload_enable=YES
    #ascii_download_enable=YES
    #
    # You may fully customise the login banner string:
    ftpd_banner=Welcome to Saigon Postel local FTP server.

    # Set of commands allowed in FTP
    #cmds_allowed

    # All local users are denied access except those listed in vsftpd.user_list (use the 2 directives below)
    #userlist_deny=YES
    #userlist_enable=NO

    # The users in vsftpd.user_list are denied access (use the pair of directives below).
    #userlist_deny=NO
    #userlist_enable=YES
    # Path to the user list
    #userlist_file=/etc/vsftpd.user_list
    # Maximum number of users that may access the server
    #max_clients=1

    # You may specify a file of disallowed anonymous e-mail addresses. Apparently
    # useful for combatting certain DoS attacks.
    #deny_email_enable=YES
    # (default follows)
    #banned_email_file=/etc/vsftpd.banned_emails
    #
    # You may specify an explicit list of local users to chroot() to their home
    # directory. If chroot_local_user is YES, then this list becomes a list of
    # users to NOT chroot().
    #chroot_local_user=YES
    #chroot_list_enable=YES
    # (default follows)
    #chroot_list_file=/etc/vsftpd.chroot_list
    #
    # You may activate the "-R" option to the builtin ls. This is disabled by
    # default to avoid remote users being able to cause excessive I/O on large
    # sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
    # the presence of the "-R" option, so there is a strong case for enabling it.
    #ls_recurse_enable=YES
    #
    # When "listen" directive is enabled, vsftpd runs in standalone mode and
    # listens on IPv4 sockets. This directive cannot be used in conjunction
    # with the listen_ipv6 directive.
    #listen=YES
    #
    # This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
    # sockets, you must run two copies of vsftpd with two configuration files.
    # Make sure, that one of the listen options is commented !!
    #listen_ipv6=YES
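    The vsftpd.conf above mixes anonymous access, write access and optional TLS; as an added example (not code from the thread), the script below parses a vsftpd.conf and flags the settings that matter once Active Directory accounts can log in over FTP. SAMPLE_CONF is constructed from the directives posted above, and DEFAULTS holds the compiled-in defaults from vsftpd.conf(5) for the keys checked.

```python
"""Added example: audit a vsftpd.conf for settings that expose AD credentials.
SAMPLE_CONF is constructed from the config posted in the thread."""

SAMPLE_CONF = """\
ssl_enable=YES
force_local_data_ssl=No
force_local_logins_ssl=No
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=YES
local_enable=YES
write_enable=YES
#chroot_local_user=YES
"""

# Compiled-in defaults from vsftpd.conf(5) for the keys we check
DEFAULTS = {"ssl_enable": "NO", "anonymous_enable": "YES", "local_enable": "NO",
            "write_enable": "NO", "chroot_local_user": "NO",
            "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES"}

def parse_vsftpd_conf(text):
    """Return key -> value for active (non-comment) directives; last one wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def is_yes(conf, key):
    """vsftpd treats YES/TRUE/1 as true, case-insensitively."""
    return conf.get(key, DEFAULTS[key]).upper() in ("YES", "TRUE", "1")

def audit(conf):
    """Findings a reviewer would raise before pointing AD logins at this server."""
    findings = []
    if not is_yes(conf, "ssl_enable"):
        findings.append("ssl_enable=NO: every login and transfer is cleartext")
    else:
        if not is_yes(conf, "force_local_logins_ssl"):
            findings.append("force_local_logins_ssl off: AD passwords may be sent in cleartext")
        if not is_yes(conf, "force_local_data_ssl"):
            findings.append("force_local_data_ssl off: file contents may travel unencrypted")
    if is_yes(conf, "anonymous_enable"):
        findings.append("anonymous_enable=YES (also the compiled-in default when omitted)")
    if is_yes(conf, "local_enable") and not is_yes(conf, "chroot_local_user"):
        findings.append("chroot_local_user off: authenticated users see the whole filesystem")
    return findings
```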

  4. #4
    Just Joined! jr0sco's Avatar
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    41
    A few questions:

    Can you log on with local users?

    What's the output when you ftp with an AD user? And post the vsftpd.conf log file after trying to log on with an AD user.

    Also post your /etc/pam.d/login file.

    JC

  5. #5
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Thank you for your support again!

    I think we must have an option to add an AD admin user to the config file to verify LDAP with AD, so that we can get LDAP information from AD.

    I installed the phpBB forum with the LDAP mod and this forum can use AD users to log in very well (I provide a user + password ... for the LDAP mod on phpBB).

    I can't log on (with FTP) with either a local user or an AD user, and all of them show the same log (/var/log/messages):

    Sep 7 23:13:11 localhost xinetd[3023]: START: ftp pid=4708 from=192.168.15.201
    Sep 7 23:13:12 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
    Sep 7 23:13:14 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
    Sep 7 23:13:16 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
    Sep 7 23:13:24 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

    And /etc/pam.d/login

    [root@localhost pam.d]# cat login
    #%PAM-1.0
    auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    auth include system-auth
    account required pam_nologin.so
    account include system-auth
    password include system-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session include system-auth
    session required pam_loginuid.so
    session optional pam_console.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open
    session optional pam_keyinit.so force revoke

    Thank you for your help!
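    The /var/log/messages lines in the post above are nss_ldap's reconnect back-off (one line per failed connection attempt, with an exponential sleep), which is what appears when the LDAP server is never reached and can also delay local logins when ldap is listed in nsswitch.conf. As an added example (not code from the thread), the script below triages such a log and ties the reconnect burst to the FTP session that triggered it; SAMPLE_LOG is constructed from the lines posted above.

```python
"""Added example: triage nss_ldap reconnect storms in /var/log/messages.
SAMPLE_LOG is constructed from the lines posted in the thread."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Sep 7 23:13:11 localhost xinetd[3023]: START: ftp pid=4708 from=192.168.15.201
Sep 7 23:13:12 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
Sep 7 23:13:14 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
Sep 7 23:13:16 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
Sep 7 23:13:24 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
"""

# syslog prefix, then the program that pulled in nss_ldap, then the back-off sleep
RECONNECT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<prog>[\w.-]+)(?:\[\d+\])?:\s+"
    r"nss_ldap: reconnecting to LDAP server \(sleeping (?P<sleep>\d+) seconds\)"
)
# xinetd announcing an inbound ftp session
FTP_START = re.compile(r"xinetd\[\d+\]: START: ftp pid=(?P<pid>\d+) from=(?P<src>[\d.]+)")

def triage(log, threshold=3):
    """Count nss_ldap reconnect attempts per program and list the FTP
    sessions seen in the same log; `threshold` attempts or more is treated
    as the LDAP server being unreachable rather than a transient blip."""
    attempts = defaultdict(list)   # prog -> list of back-off sleeps in seconds
    sessions = []
    for line in log.splitlines():
        m = RECONNECT.search(line)
        if m:
            attempts[m["prog"]].append(int(m["sleep"]))
            continue
        s = FTP_START.search(line)
        if s:
            sessions.append((s["pid"], s["src"]))
    verdict = {}
    for prog, sleeps in attempts.items():
        verdict[prog] = {
            "attempts": len(sleeps),
            "backoff_seconds": sum(sleeps),
            "ldap_unreachable": len(sleeps) >= threshold,
        }
    return {"sessions": sessions, "nss_ldap": verdict}
```

A verdict of ldap_unreachable for vsftpd points at connectivity to the URI in /etc/openldap/ldap.conf (firewall, port, or a bind that AD rejects) rather than at the vsftpd.conf itself.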

  6. #6
    Just Joined! jr0sco's Avatar
    Join Date
    Aug 2010
    Location
    Australia
    Posts
    41
    Sep 7 23:13:11 localhost xinetd[3023]: START: ftp pid=4708 from=192.168.15.201
    Sep 7 23:13:12 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 4 seconds)...
    Sep 7 23:13:14 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 32 seconds)...
    Sep 7 23:13:16 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 8 seconds)...
    Sep 7 23:13:24 localhost vsftpd: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...
    This looks like a connection issue. Like I said, I only configured LDAP with a Windows 2003 server; 2008 may be different, and you might need to configure the Windows server to allow your FTP server to have access.

    Also, your PAM file needs to be configured to allow LDAP authentication to the FTP server.

    Have a look at the LDAP Authentication HOWTO, and at the FTP section in particular; this may help you.

    JC

  7. #7
    Just Joined!
    Join Date
    Sep 2010
    Posts
    5
    Thank you very much, I'm reading your link and will report the result to you.

    Thanks, have a good time!
