Cool Solution - Install ProFTP and setup ldap authentication
From Univention Wiki
Large environments may manage users centrally using a LDAP database. You can configure ProFTP service to do password/UID/GID lookups from an LDAP, instead of simple files as in the default configuration. This article describes how to connect ProFTPD with the domain's LDAP. After completing these steps, users can log in to the FTP server with their UCS domain username and password.
For the installation to succeed, one package must be downloaded from the Univention unmaintained repositories. To activate the Univention unmaintained repository, execute the following command:
ucr set repository/online/unmaintained=yes
Hint: Unmaintained packages are not covered by security updates.
To install the ProFTP daemon on a system, the package univention-ftp must be installed either using the UMC module or by executing the following command in a command line shell:
univention-install univention-ftp proftpd-mod-ldap
The ProFTP daemon must load its LDAP module.
Edit the file /etc/proftpd/modules.conf and remove the # in front of the line LoadModule mod_ldap.c
Also edit the file /etc/proftpd/proftpd.conf. First, remove the # in front of the line Include /etc/proftpd/ldap.conf, then, find the commented line including AuthOrder and add the following below it:
Next, a simple authentication account should be created using UDM. This account can then be used for an authentication bind.
You can follow this article, if you need help creating one: LDAP search user
You will need the full DN of your newly created account for the next step. You can get it by executing the following command:
univention-ldapsearch -LLL uid=<NAME of the account> DN
In the LDAP configuration file /etc/proftpd/ldap.conf add the following lines to the <IfModule mod_ldap.c> section:
LDAPServer ldaps://<FQDN of the DC Master>:7636/??sub LDAPBindDN "<DN of the authentication account" "<Password of the authentication account>" LDAPUsers "cn=users,dc=example,dc=com" "(&(uid=%v)(objectclass=posixAccount))"
After all changes have been made, restart the proFTP server
service proftpd restart
Client can only connect in active mode, not passive
If you want to use passive mode, some additional configuration is needed. Please note that some FTP clients (e.g. FileZilla) try to connect in passive mode on default. This usually leads to timeouts while the client tries to receive a directory listing.
To avoid this, you have to enable the passive ports in your /etc/proftpd/proftpd.conf config. To enable the passive ports, uncomment the following line
# PassivePorts 49152 65534
in which 49152 to 65534 ist the port range for passive mode. You might also define a port range that suits your network configuration better.
Additionally, the ports have to be opened in the univention-firewall. To open a port range, seperate the first and the last port with a colon (:)
ucr set security/packetfilter/tcp/49152:65534/all=ACCEPT \ security/packetfilter/tcp/49152:65534/all/en="FTP passive mode"
Afterwards, restart univention-firewall
service univention-firewall restart
Users can't connect, because they don't have home directories
By default, the home directory of a user will only get created, when he logs in at least once.
The following Article explains how to automatically create home directories without the need of a login from a user:
Automatically create users home directories