Cool Solution - Install ProFTP and setup ldap authentication

Note: Cool Solutions are articles documenting additional functionality based on Univention products. Not all of the steps shown in the article are covered by Univention Support. For questions about your support coverage, contact your contact person at Univention before implementing any of the steps shown.


Large environments often manage users centrally in an LDAP directory. The ProFTPD service can be configured to perform password, UID and GID lookups against LDAP instead of the flat files used in the default configuration. This article describes how to connect ProFTPD to the domain's LDAP directory. After completing these steps, users can log in to the FTP server with their UCS domain username and password.

Preparation

For the installation to succeed, one package must be downloaded from the Univention unmaintained repositories. To activate the Univention unmaintained repository, execute the following command:

ucr set repository/online/unmaintained=yes

Hint: Unmaintained packages are not covered by security updates.

Installation

To install the ProFTPD daemon with LDAP support, the packages univention-ftp and proftpd-mod-ldap must be installed, either using the UMC module or by executing the following command in a shell:

univention-install univention-ftp proftpd-mod-ldap

Configuration

The ProFTPD daemon must load its LDAP module.
Edit the file /etc/proftpd/modules.conf and remove the # in front of the line LoadModule mod_ldap.c.

Also edit the file /etc/proftpd/proftpd.conf. First, remove the # in front of the line Include /etc/proftpd/ldap.conf, then find the commented line containing AuthOrder and add the following line below it:

AuthOrder mod_ldap.c

Next, a simple authentication account should be created using UDM. This account is then used for the authentication bind.
You can follow this article if you need help creating one: LDAP search user

You will need the full DN of your newly created account for the next step. You can get it by executing the following command:

univention-ldapsearch -LLL uid=<NAME of the account> DN

In the LDAP configuration file /etc/proftpd/ldap.conf add the following lines to the existing section, replacing the placeholders in angle brackets with your domain's values and dc=example,dc=com with your domain's LDAP base:

LDAPServer ldaps://<FQDN of the DC Master>:7636/??sub
LDAPBindDN "<DN of the authentication account>" "<Password of the authentication account>"
LDAPUsers "cn=users,dc=example,dc=com" "(&(uid=%v)(objectclass=posixAccount))"

After all changes have been made, restart the ProFTPD server:

service proftpd restart
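The three configuration steps above (module, AuthOrder and include, ldap.conf directives) as one script. This is an added example, not part of the Univention article or the univention-ftp package: it edits the files in a configuration directory given as an argument, so the changes can be rehearsed on a copy of /etc/proftpd before touching the live files, and it is safe to run twice. It assumes the Debian/UCS file layout (modules.conf, proftpd.conf, ldap.conf); that ldap.conf wraps its directives in an <IfModule mod_ldap.c> block is an assumption, and the script appends the lines at the end of the file if no such block exists. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Univention article): apply the ProFTPD LDAP
# configuration steps to the files in a configuration directory.
# Usage: configure_proftpd_ldap <conf dir> <DC master FQDN> <bind DN> <bind password> <LDAP base>
set -eu

# Rewrite a file with a sed script via a temporary file (POSIX sed, no -i).
edit_in_place() {
    sed -e "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Step 1: uncomment "LoadModule mod_ldap.c" in modules.conf (idempotent),
# then verify the line is really active.
enable_ldap_module() {
    f="$1/modules.conf"
    edit_in_place 's/^#[[:space:]]*\(LoadModule[[:space:]][[:space:]]*mod_ldap\.c\)/\1/' "$f"
    grep -q '^LoadModule[[:space:]][[:space:]]*mod_ldap\.c' "$f"
}

# Step 2: uncomment the ldap.conf include and add "AuthOrder mod_ldap.c"
# below the commented AuthOrder line, but only if it is not there yet.
enable_ldap_auth() {
    f="$1/proftpd.conf"
    edit_in_place 's|^#[[:space:]]*\(Include[[:space:]][[:space:]]*/etc/proftpd/ldap\.conf\)|\1|' "$f"
    if ! grep -q '^AuthOrder[[:space:]][[:space:]]*mod_ldap\.c' "$f"; then
        edit_in_place "/^#[[:space:]]*AuthOrder/a\\
AuthOrder mod_ldap.c" "$f"
    fi
    grep -q '^Include[[:space:]][[:space:]]*/etc/proftpd/ldap\.conf' "$f" &&
        grep -q '^AuthOrder[[:space:]][[:space:]]*mod_ldap\.c' "$f"
}

# Step 3: the three directives from the article, built from the domain values.
# $1 DC master FQDN, $2 bind DN, $3 bind password, $4 LDAP base.
# A bind password containing double quotes would break the directive syntax.
ldap_directives() {
    printf 'LDAPServer ldaps://%s:7636/??sub\n' "$1"
    printf 'LDAPBindDN "%s" "%s"\n' "$2" "$3"
    printf 'LDAPUsers "cn=users,%s" "(&(uid=%%v)(objectclass=posixAccount))"\n' "$4"
}

# Insert the directives into ldap.conf: before the closing tag of an existing
# <IfModule mod_ldap.c> block (assumed layout) when there is one, otherwise
# appended. Skipped when an LDAPServer line is already present, so a rerun
# does not duplicate the settings.
add_ldap_settings() {
    f="$1/ldap.conf"; shift
    if [ -f "$f" ] && grep -q '^LDAPServer' "$f"; then
        return 0
    fi
    block="$(ldap_directives "$@")"
    if [ -f "$f" ] && grep -q '^</IfModule>' "$f"; then
        # ENVIRON avoids awk -v escape processing of backslashes in the password
        block="$block" awk '/^<\/IfModule>/ && !done { print ENVIRON["block"]; done = 1 } { print }' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s\n' "$block" >> "$f"
    fi
}

# Run all three steps; restart proftpd afterwards as described in the article.
configure_proftpd_ldap() {
    enable_ldap_module "$1"
    enable_ldap_auth "$1"
    add_ldap_settings "$@"
}

# When executed directly with five arguments, apply them (e.g. to /etc/proftpd).
if [ "$#" -eq 5 ]; then
    configure_proftpd_ldap "$@"
fi
```

On a UCS system the DC master FQDN and the LDAP base can be read with `ucr get ldap/master` and `ucr get ldap/base`; the bind DN is the one returned by the univention-ldapsearch command above. Each step ends with a grep that fails (and, under set -e, stops the script) if the expected active line is missing, which catches a modules.conf or proftpd.conf whose comment format differs from the one assumed here.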

Known Issues

Client can only connect in active mode, not passive

If you want to use passive mode, some additional configuration is needed. Please note that some FTP clients (e.g. FileZilla) connect in passive mode by default. This usually leads to timeouts while the client tries to receive a directory listing.

To avoid this, you have to enable the passive ports in your /etc/proftpd/proftpd.conf. To enable the passive ports, uncomment the following line

# PassivePorts 49152 65534

in which 49152 to 65534 is the port range used for passive mode. You may also define a port range that suits your network configuration better; the firewall rule below must then use the same range.

Additionally, the ports have to be opened in the univention-firewall. To open a port range, separate the first and the last port with a colon (:):

ucr set security/packetfilter/tcp/49152:65534/all=ACCEPT \
 security/packetfilter/tcp/49152:65534/all/en="FTP passive mode"

Afterwards, restart the univention-firewall:

service univention-firewall restart
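The passive-mode procedure above, as an added example that is not part of the Univention article: it writes the PassivePorts directive for a chosen range and then derives the univention-firewall ucr command from the range actually found in proftpd.conf, so the firewall rule and the ProFTPD setting cannot drift apart (a mismatch produces exactly the directory-listing timeouts described above). The configuration directory is a parameter so the script can be tried on a copy; the function names are this example's own, and the UCR key form is the one used in the article.

```shell
#!/bin/sh
# Added example (not from the Univention article): keep the PassivePorts
# range and the univention-firewall rule in sync.
# Usage: <script> <conf dir> <low port> <high port>
set -eu

# A usable range: two numbers, 1024 <= low < high <= 65535.
valid_port_range() {
    case "$1:$2" in
        *[!0-9:]*|:*|*:|*:*:*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$2" -le 65535 ] && [ "$1" -lt "$2" ]
}

# Write the PassivePorts directive. A commented-out "# PassivePorts ..." line,
# as shipped in the default proftpd.conf, is replaced in place (which also
# uncomments it); if there is no such line the directive is appended.
set_passive_ports() {
    f="$1/proftpd.conf"; low="$2"; high="$3"
    valid_port_range "$low" "$high"
    if grep -q '^#*[[:space:]]*PassivePorts' "$f"; then
        sed -e "s/^#*[[:space:]]*PassivePorts.*/PassivePorts $low $high/" "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'PassivePorts %s %s\n' "$low" "$high" >> "$f"
    fi
}

# Read the active (uncommented) range back from proftpd.conf: prints "low high".
passive_port_range() {
    sed -n 's/^PassivePorts[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' \
        "$1/proftpd.conf"
}

# Emit the ucr command that opens exactly the configured range. Fails if
# proftpd.conf has no active PassivePorts line or more than one.
firewall_ucr_command() {
    set -- $(passive_port_range "$1")
    [ "$#" -eq 2 ] || return 1
    printf 'ucr set security/packetfilter/tcp/%s:%s/all=ACCEPT security/packetfilter/tcp/%s:%s/all/en="FTP passive mode"\n' \
        "$1" "$2" "$1" "$2"
}

# When executed directly: set the range, then print the firewall command to run.
if [ "$#" -eq 3 ]; then
    set_passive_ports "$1" "$2" "$3"
    firewall_ucr_command "$1"
fi
```

The printed ucr command is the one from the article; after running it, restart univention-firewall and proftpd as described. Because the firewall keys are generated from the file rather than typed a second time, changing the range later only requires rerunning the script.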

Users can't connect because they don't have home directories

By default, a user's home directory is only created when the user logs in for the first time.
The following article explains how to create home directories automatically without requiring the user to log in:
Automatically create users home directories

Further links
