Difference between revisions of "Cool Solution - Install ProFTP and setup ldap authentication"

From Univention Wiki

Line 28: Line 28:
 
  udm users/user create --set username=proftpd-user --set lastname="ProFTPD Service" --set password="p4Ss-W0rd"
 
  udm users/user create --set username=proftpd-user --set lastname="ProFTPD Service" --set password="p4Ss-W0rd"
  
The new DN will be shown afterwards. To find the DN of the account, issue the following command on the command line:  
+
The new DN will be shown afterwards. To find the DN of the account, execute the following command on the command line:  
  
 
<pre>udm users/user list --filter username=<NAME of the account> | grep DN</pre>
 
<pre>udm users/user list --filter username=<NAME of the account> | grep DN</pre>
Line 57: Line 57:
 
''Note:'' ldap.conf file supports mod_ldap options at version 2.8.22
 
''Note:'' ldap.conf file supports mod_ldap options at version 2.8.22
  
=== Open ports in the Firewall ===
+
After all changes have been made, restart the proFTP server
To accept connections via the FTP port on your FTP Server, you need to open the ports ''20'' and ''21''. For that it is best practice to create a ''package filter rule'' instead of a ''local filter rule''
 
 
 
 
<pre>
 
<pre>
ucr set security/packetfilter/package/univention-ftp/tcp/20/all=ACCEPT
 
ucr set security/packetfilter/package/univention-ftp/tcp/21/all=ACCEPT
 
</pre>
 
Not necessary but recommended is a description for your new created filter rule(s).
 
 
ucr set security/packetfilter/package/''package''/''protocol''/''port(s)''/all/en=<DESCRIPTION>
 
 
After all changes have been made, the univention-firewall and the proFTP server have to be restarted
 
<pre>
 
invoke-rc.d univention-firewall restart
 
 
invoke-rc.d  proftpd restart
 
invoke-rc.d  proftpd restart
 
</pre>
 
</pre>
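Review bot: dropping the whole "Open ports in the Firewall" section leaves this revision without any statement on how TCP 20 and 21 reach the server; either keep the lines `ucr set security/packetfilter/package/univention-ftp/tcp/20/all=ACCEPT`, `ucr set security/packetfilter/package/univention-ftp/tcp/21/all=ACCEPT` and the `invoke-rc.d univention-firewall restart` step, or replace them with one sentence stating that the univention-ftp package already ships those rules, if that is the reason for the removal.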
Line 82: Line 70:
 
# PassivePorts                  49152 65534
 
# PassivePorts                  49152 65534
 
</pre>
 
</pre>
while 49152 to 65534 ist the port range for passive mode. You might also define a port range that suits your network configuration better.
+
in which 49152 to 65534 ist the port range for passive mode. You might also define a port range that suits your network configuration better.
  
 
Additionally, the ports have to be opened in the univention-firewall. To open a port range, seperate the first and the last port with a colon (:)
 
Additionally, the ports have to be opened in the univention-firewall. To open a port range, seperate the first and the last port with a colon (:)
  
ucr set security/packetfilter/package/univention-ftp/tcp/''<start port>'':''<end port>''/all=ACCEPT
+
<pre>
 +
ucr set security/packetfilter/tcp/49152:65534/all=ACCEPT \
 +
        security/packetfilter/tcp/49152:65534/all/en="FTP passive mode"
 +
</pre>
  
 
Afterwards, restart univention-firewall
 
Afterwards, restart univention-firewall
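Review bot: the new command switches to the local-rule key `security/packetfilter/tcp/49152:65534/all=ACCEPT`, while the line it replaces (`security/packetfilter/package/univention-ftp/tcp/<start port>:<end port>/all=ACCEPT`) and the removed section above recommend package filter rules over local filter rules; pick one convention and state it, otherwise readers following both passages end up with two rule sets for the same ports. The hard-coded 49152:65534 should also be tied back to the PassivePorts range the reader chose in the preceding paragraph, since the firewall range and the range ProFTPD announces have to match.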

Revision as of 08:21, 7 August 2014

UCS Version 3.2
Note: This article is not yet reviewed.


Introduction

Large environments often manage users centrally in an LDAP directory. The ProFTPD service can be configured to do password/UID/GID lookups against LDAP instead of the flat files used in the default configuration. This article describes how to connect ProFTPD to the domain's LDAP. After completing these steps, users can log in to the FTP server with their UCS domain username and password.


Preparation

For the installation to succeed, some packages must be downloaded from the Univention unmaintained repositories. To activate the Univention unmaintained repository, execute the following command:

ucr set repository/online/unmaintained=yes

Hint: Unmaintained packages are not covered by security updates.

Installation

To install the ProFTPD daemon with LDAP support, the packages univention-ftp and proftpd-mod-ldap must be installed, either using the UMC module or by executing the following command in a command line shell:

univention-install univention-ftp proftpd-mod-ldap

Configuration

The ProFTPD daemon must load its LDAP module. Edit the file /etc/proftpd/modules.conf and remove the # in front of the line LoadModule mod_ldap.c.

Also edit the file /etc/proftpd/proftpd.conf and remove the # in front of the line Include /etc/proftpd/ldap.conf.

Next, a simple authentication account should be created using UDM. ProFTPD then uses this account for its authentication bind against the LDAP server.

udm users/user create --set username=proftpd-user --set lastname="ProFTPD Service" --set password="p4Ss-W0rd"

The new DN is shown afterwards. To look up the DN of the account later, execute the following command on the command line:

udm users/user list --filter username=<NAME of the account> | grep DN

In the LDAP configuration file /etc/proftpd/ldap.conf use the following settings:

# Only use LDAP Auth
AuthOrder                       mod_ldap.c
<IfModule mod_ldap.c>
LDAPServer <fqdn of the DC master>:7389
LDAPDNInfo "<DN of the authentication account>" "<Password of the authentication account>"
# Get user info (dn, uid, gid)
LDAPDoAuth on "cn=users,$ldap_base"
# GID to name in dir listing
LDAPDoGIDLookups on "cn=groups,$ldap_base"
# UID to name in dir listing
LDAPDoUIDLookups on "cn=users,$ldap_base"
LDAPUseTLS on
# Create homedir if not exists
CreateHome on 711 skel /etc/skel
LDAPGenerateHomedir on
</IfModule> 

Hint: replace $ldap_base with your LDAP base, which can be obtained by executing ucr get ldap/base in a command line shell.

Hint: if you want your home directories created with other permissions, change the octal value at CreateHome.

Note: the ldap.conf file supports the mod_ldap options of version 2.8.22.

After all changes have been made, restart the ProFTPD server:

invoke-rc.d proftpd restart
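The following script is an added example and not part of the Univention article: it renders /etc/proftpd/ldap.conf from the values the steps above tell you to look up (the DC master FQDN, the DN printed by udm, the bind password, and the output of ucr get ldap/base) and writes the file root-only, because LDAPDNInfo stores the bind password in clear text. The function names, the output path argument and the demo values (master.example.intranet, dc=example,dc=intranet) are assumptions made for the example; the directive set is the one from the article.

```shell
#!/bin/sh
# Added example (not the article's own code): generate ProFTPD's ldap.conf
# from the values gathered in the configuration steps and keep it mode 0600,
# since the LDAPDNInfo line holds the bind password in clear text.

# render_ldap_conf FQDN BIND_DN BIND_PW LDAP_BASE -> configuration text on stdout
render_ldap_conf() {
    fqdn=$1; bind_dn=$2; bind_pw=$3; ldap_base=$4
    cat <<EOF
# Only use LDAP Auth
AuthOrder                       mod_ldap.c
<IfModule mod_ldap.c>
LDAPServer ${fqdn}:7389
LDAPDNInfo "${bind_dn}" "${bind_pw}"
# Get user info (dn, uid, gid)
LDAPDoAuth on "cn=users,${ldap_base}"
# GID to name in dir listing
LDAPDoGIDLookups on "cn=groups,${ldap_base}"
# UID to name in dir listing
LDAPDoUIDLookups on "cn=users,${ldap_base}"
LDAPUseTLS on
# Create homedir if not exists
CreateHome on 711 skel /etc/skel
LDAPGenerateHomedir on
</IfModule>
EOF
}

# write_ldap_conf FILE FQDN BIND_DN BIND_PW LDAP_BASE
# The file is created and restricted to the owner before any content lands in
# it, so the bind password is never world-readable, not even briefly.
write_ldap_conf() {
    file=$1; shift
    umask 077
    : > "$file" && chmod 0600 "$file"
    render_ldap_conf "$@" > "$file"
}

# Demo with constructed values; no UCS system is needed to run it.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    write_ldap_conf "$tmp" master.example.intranet \
        "uid=proftpd-user,cn=users,dc=example,dc=intranet" "p4Ss-W0rd" "dc=example,dc=intranet"
    ls -l "$tmp"
    cat "$tmp"
    rm -f "$tmp"
fi
```

On a real system the output path would be /etc/proftpd/ldap.conf and the DN the one printed by udm users/user create; run the script with the argument demo to see the rendered file and its permissions.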

Passive mode

If you want to use passive mode, some additional configuration is needed. Note that some FTP clients (e.g. FileZilla) connect in passive mode by default; without the configuration below this usually leads to timeouts while the client tries to receive a directory listing.

To avoid this, enable the passive ports in /etc/proftpd/proftpd.conf by uncommenting the following line

# PassivePorts                  49152 65534

in which 49152 to 65534 is the port range for passive mode. You may also define a port range that suits your network configuration better.

Additionally, the ports have to be opened in the univention-firewall. To open a port range, separate the first and the last port with a colon (:):

ucr set security/packetfilter/tcp/49152:65534/all=ACCEPT \
        security/packetfilter/tcp/49152:65534/all/en="FTP passive mode"

Afterwards, restart univention-firewall:

invoke-rc.d univention-firewall restart
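The firewall rule only does its job if it opens exactly the range that proftpd.conf announces, and the two drift apart easily once someone edits PassivePorts. The script below is an added example, not from the article or the univention-ftp package: it reads the active PassivePorts line from a proftpd.conf, rejects commented-out or unusable ranges, and prints the matching ucr command from the passage above. The function names and the constructed configuration fragment in the demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the article's own code): derive the univention-firewall
# rule from the PassivePorts line that is actually active in proftpd.conf, so
# the opened range and the range ProFTPD hands to clients cannot drift apart.

# active_passive_ports FILE -> "START END" from the first uncommented
# PassivePorts directive; exit status 1 if it is missing or still commented out
active_passive_ports() {
    awk 'BEGIN { rc = 1 }
         $1 == "PassivePorts" && NF == 3 { print $2, $3; rc = 0; exit }
         END { exit rc }' "$1"
}

# passive_port_rule START END -> the ucr command for the range; exit status 1
# if the range is unusable (wrong order, privileged ports, above 65535)
passive_port_rule() {
    start=$1; end=$2
    [ "$start" -ge 1024 ] && [ "$end" -le 65535 ] && [ "$start" -lt "$end" ] || return 1
    printf 'ucr set security/packetfilter/tcp/%s:%s/all=ACCEPT security/packetfilter/tcp/%s:%s/all/en="FTP passive mode"\n' \
        "$start" "$end" "$start" "$end"
}

# firewall_rule_for FILE -> the ucr command matching FILE's PassivePorts line
firewall_rule_for() {
    range=$(active_passive_ports "$1") || { echo "PassivePorts is not enabled in $1" >&2; return 1; }
    passive_port_rule $range
}

# Demo with a constructed proftpd.conf fragment: the article's default line is
# still commented out, a narrower range below it is the one in effect.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    printf '# PassivePorts                  49152 65534\nPassivePorts 50000 50100\n' > "$tmp"
    firewall_rule_for "$tmp"
    rm -f "$tmp"
fi
```

Run it with the argument demo; on a UCS system you would point firewall_rule_for at /etc/proftpd/proftpd.conf and execute the printed command before restarting univention-firewall.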
