forked from jedisct1/pure-ftpd
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README.LDAP
246 lines (158 loc) · 8.35 KB
/
README.LDAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
If you never heard about LDAP before, *DON'T* enable LDAP support in
Pure-FTPd. LDAP is useless if you don't have to manage many shared accounts.
But well... if you want to learn about LDAP anyway, here's a good starting
point: http://www.openldap.org/
------------------------ LDAP SUPPORT ------------------------
Since release 0.95, Pure-FTPd has a built-in support for LDAP directories.
When LDAP is enabled, all account info is fetched from a central LDAP
directory.
To compile the server with LDAP support, you first have to build and install
OpenLDAP. OpenLDAP is freely available from http://www.openldap.org/ and
binary packages are included in many major distributions. But if you choose
a binary form, don't forget to also install the development packages if they
are available separately.
Then, configure Pure-FTPd with --with-ldap and your favorite extra gadgets:
./configure --with-ldap --with-cookie --with-throttling --with-ratios
If your LDAP libraries are installed in a special path, you can specify it
like this:
./configure --with-ldap=/usr/local/openldap
In this example, headers (ldap.h and lber.h files) will be searched in
/usr/local/openldap/include, while related libraries will be searched in
/usr/local/openldap/lib .
Then, install the server as usual:
make install
------------------------ LDAP CONFIGURATION FILE ------------------------
Before running the server, you have to create a configuration file. Why a
configuration file instead of simple command-line options? you may ask.
Because for security reasons, you may want to hide how to connect to your
LDAP server. And as command-line options can be discovered by local users
(with 'ps auxwww' for instance), it's more secure to use a configuration
file for sensitive data. Keep the file only readable by root (chmod 600) .
Here's a sample configuration file:
LDAPServer ldap.c9x.org
LDAPPort 389
LDAPBaseDN cn=Users,dc=c9x,dc=org
LDAPBindDN cn=Manager,dc=c9x,dc=org
LDAPBindPW r00tPaSsw0rD
LDAPDefaultUID 500
LDAPDefaultGID 100
Well... the keywords should be self-explanatory, but here we go for some
details anyway:
- LDAPServer is the LDAP server name (hey!) . It defaults to 'localhost'.
- LDAPPort is the connecton port. It defaults to 389, the standard port.
- LDAPBaseDN is the search starting point for users accounts. Your tree must
have posixAccount objects under that node.
- LDAPBindDN is the DN we should bind the server for simple authentication.
If you don't need authentication (ie. anonymous users can browse that part
of the LDAP directory), just remove that line.
- LDAPBindPW is the plaintext password to bind the previous DN. The
configuration file should be only readable by root if you are using
LDAPBindDN/LDAPBindPW.
- LDAPDefaultUID and LDAPDefaultGID are default values for objects without
any entry for them.
- LDAPFilter is the filter to use in order to find the object to authenticate
against. The special sequence \L is replaced with the login of the user. The
default filter is (&(objectClass=posixAccount)(uid=\L)) .
- LDAPHomeDir is the attribute to get the home directory ('homeDirectory' by
default) .
- LDAPVersion is the protocol version to use. Version 3 is recommended and
needed with OpenLDAP servers. It is the default.
- LDAPUseTLS can be True or False. True means that the server should use TLS
to connect to the LDAP server.
- LDAPAuthMethod can be BIND (experimental, but default if there is no
LDAPBindDN) or PASSWORD (default if a LDAPBindDN is set). The former tries
to authenticate users by binding, thus allowing to use an unprivileged LDAP
account. The later requires a privileged LDAP accounts and the FTP server
itself checks against the userPassword attribute.
In fact, the only mandatory keyword is LDAPBaseDN. Other keywords are
optional and defaults are ok for local testing.
Save the configuration file anywhere. Let's say /etc/pureftpd-ldap.conf .
Then, you have to run the pure-ftpd command with '-l ldap:' (it's an 'ell'
not a 'one') followed by the path of that configuration file. Here's an
example with tcpserver:
tcpserver -DHRl0 0 21 /usr/local/bin/pure-ftpd -l ldap:/etc/pureftpd-ldap.conf &
You can mix different authentication methods. For instance, if you want to
use system (/etc/passwd) accounts when an account is not found in a LDAP
directory, use -l ldap:/etc/pureftpd-ldap.conf -l unix
------------------------ THE LDAP SCHEMA ------------------------
Pure-FTPd uses the standard 'posixAccount' class to locate accounts. With
OpenLDAP, that class is defined in the 'nis' schema.
FTP login names should match 'uid' attributes of 'posixAccount' instances.
When a user logs in as 'joe', the following filter is used to locate Joe's
account:
(&(objectClass=posixAccount)(uid=joe))
Here's a sample entry in LDIF format:
dn: cn=Joe,dc=rtchat,dc=com
objectClass: posixAccount
cn: Joe
uid: joe
uidNumber: 500
gidNumber: 100
homeDirectory: /home/joe
userPassword: {crypt}wl6AOU6KgWUz6
'userPassword' is the hashed password, with the system 'crypt' function,
MD5, SHA, SMD5 or SSHA digests. Modern LDAP clients should handle all,
anyway (or get GQ from http://biot.com/gq/) .
SSHA is believed to be the most secure one-way hashing method, but it's also
the slowest and it can be time-consuming if you're accepting a lot of
users.
Please note that a login ('uid' field) can only contains common characters:
A...Z, a...z, 0...9, -, ., _, space and ' . For security purposes, other
characters are forbidden.
If you don't want to use posixAccount objects, you can edit src/log_ldap.h
to customize attribute names.
----------- EXTENDED LDAP SCHEMA (QUOTAS, THROTTLING, RATIOS) ----------
To enable quotas, download/upload rate throttling and/or download/upload
ratios, an extended LDAP schema is needed. This modified schema also allows
you to completely enable and disable users' FTP access by simply changing
the "FTPStatus" field in their LDAP entry.
Simply copy the included pureftpd.schema file to your OpenLDAP schema
directory (/usr/local/etc/openldap/schema in this example) and add the
appropriate line to your slapd.conf, like so:
include /usr/local/etc/openldap/pureftpd.schema
This schema defines a new objectClass, PureFTPdUser, which contains the
*OPTIONAL* status, quota, throttling and ratio fields as in the example
below:
dn: uid=Ichiro,dc=gmo,dc=jp
objectClass: PureFTPdUser
objectClass: posixAccount
cn: Ichiro
uid: Ichiro
uidNumber: 888
gidNumber: 888
homeDirectory: /home/ichiro
userPassword: {crypt}$1$w58NLo5z$NHhr6GzSPw0qxaxs3PAaK/
FTPStatus: enabled
FTPQuotaFiles: 50
FTPQuotaMBytes: 10
FTPDownloadBandwidth: 50
FTPUploadBandwidth: 50
FTPDownloadRatio: 5
FTPUploadRatio: 1
The example is mostly self-explanatory. FTPQuotaMBytes is the quota size in
megabytes. FTPDownloadBandwidth and FTPUploadBandwidth are in KB/sec.
FTPStatus should be either "enabled" or "disabled". If the FTPStatus field
exists and is set to anything except "enabled", the user will not be
permitted to log in. If the FTPStatus field does not exist, the user *WILL*
be allowed to log in as normal, to allow LDAP users without the PureFTPdUser
objectClass.
There are also optional FTPuid and FTPgid attributes. If present, they will
override uidNumber and gidNumber values, so that you can have different
uid/gid mapping for FTP and for other services.
Please note that all of the FTP* LDAP fields are optional for the
PureFTPdUser objectClass. You can have a user with just FTPQuotaFiles and
FTPQuotaMBytes set, for example, if you only wish to enforce a quota, but
not throttle the user's bandwidth or enforce ratios.
Of course, you must make sure to enable the features you wish to use at
compile time (--with-quotas, --with-throttling, --with-ratios) .
------------------------ ANONYMOUS USERS ------------------------
If you want to accept anonymous users on your FTP server, you don't need to
have any 'ftp' user in the LDAP directory. But you need to have a system
'ftp' account on the FTP server.
------------------------ ROOT USERS ------------------------
If an LDAP user entry has a root (0) uidNumber and/or gidNumber, Pure-FTPd
will refuse to log him in.
Without this preventive restriction, if your LDAP server ever gets
compromised, the attacker could also easily compromise the FTP server.
-Frank DENIS <j at pureftpd dot org>.
-Ben Gertzfield <che at debian dot org>.