Difference between revisions of "LDAP authentication with ProFTP in UCS 3.x"

From Univention Wiki

(Created page with "__NOTOC__ {{Version|UCS=3.1}} If a FTP server should be used it is usually not wanted to maintain user lists. This article describes how to connect a ProFTP daemon with the doma...")
 
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
__NOTOC__ {{Version|UCS=3.1}}
+
#REDIRECT [[Cool Solutions - Install ProFTP and setup ldap authentication]]
 
 
When running an FTP server, maintaining separate user lists is usually undesirable. This article describes how to connect a ProFTP daemon to the domain's LDAP. After completing these steps, users can log in to the FTP server with their domain username and password.
 
 
 
<br>
 
 
 
== Preparation  ==
 
 
 
For the installation to succeed, some packages must be downloaded from the Univention unmaintained repositories. To activate the Univention unmaintained repository, execute the following command:
 
<pre>ucr set repository/online/unmaintained=yes</pre>
 
 
 
''Hint:'' [http://sdb.univention.de/1164 Unmaintained packages] are not covered by security updates.
 
 
 
== Installation  ==
 
 
 
To install the ProFTP daemon on a system, the package '''univention-ftp''' must be installed either using the UMC module or by executing the following command in a command line shell:
 
<pre>univention-install univention-ftp</pre>
 
== Configuration  ==
 
 
 
The ProFTP daemon must load its LDAP module. Edit the file '''/etc/proftpd/modules.conf''' and remove the '''#''' in front of the line '''LoadModule mod_ldap.c'''.
 
 
 
Also edit the file '''/etc/proftpd/proftpd.conf''' and remove the '''#''' in front of the line '''Include /etc/proftpd/ldap.conf'''.
 
 
 
Next, create a simple authentication account using UDM. This account is then used for an authenticated bind. To find the DN of the account, run the following command on the command line:
 
 
 
<pre>udm users/user list --filter "name=<NAME of the account>" | grep DN</pre>
 
 
 
In the LDAP configuration file '''/etc/proftpd/ldap.conf''', use the following settings:
 
<pre>
# Only use LDAP Auth
AuthOrder                      mod_ldap.c

<IfModule mod_ldap.c>
LDAPServer <fqdn of the DC master>:7389
LDAPDNInfo "<DN of the authentication account>" "<Password of the authentication account>"
# Get user info (dn, uid, gid)
LDAPDoAuth on "cn=users,$ldap_base"
# GID to name in dir listing
LDAPDoGIDLookups on "cn=groups,$ldap_base"
# UID to name in dir listing
LDAPDoUIDLookups on "cn=users,$ldap_base"
LDAPUseTLS on
# Create homedir if not exists
LDAPGenerateHomedir on
</IfModule>
</pre>
 
''Hint:'' Replace '''$ldap_base''' with the LDAP base of the domain to use. It can be obtained by executing '''ucr get ldap/base''' in a command line shell.
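
A pre-flight check for the finished '''/etc/proftpd/ldap.conf''', as an added example that is not part of the original article or of the Univention or ProFTPD projects: it flags a readable bind password, disabled TLS, a widened AuthOrder and unreplaced template placeholders. The function name <code>audit_ldap_conf</code>, the host name and the DNs in the sample are constructed for illustration, and GNU <code>stat</code> is assumed.

```shell
#!/bin/sh
# Audit a ProFTPD mod_ldap configuration file. Prints one line per finding
# and nothing when every check passes. (Added example; names are hypothetical.)
audit_ldap_conf() {
    conf=$1
    # Consider only active lines (skip comments and blank lines).
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$conf" || true)

    # LDAPDNInfo holds the bind password in clear text, so the file must
    # not be readable by group or others (assumes GNU stat).
    mode=$(stat -c '%a' "$conf")
    case $mode in
        *00) ;;
        *) echo "PERMS: mode $mode exposes the bind password; use chmod 600" ;;
    esac

    # Without TLS, LDAP bind credentials cross the network unencrypted.
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*LDAPUseTLS[[:space:]]+on[[:space:]]*$' \
        || echo "TLS: LDAPUseTLS is not set to on"

    # The template above intends LDAP to be the only authentication source.
    printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*AuthOrder[[:space:]]+mod_ldap\.c[[:space:]]*$' \
        || echo "AUTHORDER: AuthOrder is not restricted to mod_ldap.c"

    # Template placeholders that were never replaced.
    if printf '%s\n' "$active" | grep -Eq '\$ldap_base|LDAP(Server|DNInfo).*<[^>]+>'; then
        echo "PLACEHOLDER: \$ldap_base or <...> placeholder still present"
    fi
    return 0
}

# Constructed sample: a filled-in copy of the template with TLS switched off.
sample=$(mktemp)
cat > "$sample" <<'EOF'
AuthOrder mod_ldap.c
<IfModule mod_ldap.c>
LDAPServer dc.example.test:7389
LDAPDNInfo "uid=ftpbind,cn=users,dc=example,dc=test" "constructed-secret"
LDAPDoAuth on "cn=users,dc=example,dc=test"
LDAPUseTLS off
</IfModule>
EOF
chmod 644 "$sample"
audit_ldap_conf "$sample"
rm -f "$sample"
```

On a real system, call <code>audit_ldap_conf /etc/proftpd/ldap.conf</code> before restarting the daemon.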
 
 
 
== Further links  ==
 
 
 
*[http://www.proftpd.org/docs/directives/linked/config_ref_mod_ldap.html ProFTP LDAP documentation]
 
 
 
[[Category:EN]] [[Category:Howto]]
 

Latest revision as of 12:08, 7 September 2017
