topic Re: Control ftp login in openldap in Operating System - Linux

Control ftp login in openldap

hangyu — Wed, 18 Oct 2006 22:49:23 GMT

In the config file /etc/ldap.conf of RH server, I have add "pam_check_host_attr yes", so that the user login is controlled by the user attribute , ( eg. host: ova_server ) , now the user can access the ova_server by telnet , ssh , however , if I want to control the ftp login , only a list of specific users ( eg. only three system administrators ) can ftp login to the server , can advise what can I do ? thx

Re: Control ftp login in openldap

Ivan Ferreira — Thu, 19 Oct 2006 08:09:13 GMT

Ftp access is controlled in by the ftpusers file (or similar). The vsftpd daemon does not provides a way to obtain the user_list from an ldap server.

Probably, you will have to restrict access locally on each server through the user_list file.

Re: Control ftp login in openldap

Steven E. Protter — Thu, 19 Oct 2006 08:16:07 GMT

Shalom,

To fully answer, the version of rh would be needed.

RH AS 2.1 and earlier based releases used wu-ftpd which has a configuration file called ftpusers which could limit ftp access to a list of users or deny certain users.

vsftpd controls this function via a well documented feature in /etc/vsfptd/vsftpd.conf concerning user listes..

vsftpd is the standard ftp server in Linux Es 3.0 and above.

Note that no matter how you package it, ftp transmits authentication in clear text and is therefore a large security risk. root user should never be graned ftp access.

SEP

Re: Control ftp login in openldap

hangyu — Thu, 19 Oct 2006 20:09:22 GMT

thx replies,

the ftp daemon is started , but I found that if I update the user.list , it will use the password in /etc/passwd not the password in openldap , can advise what can i do ? thx

Re: Control ftp login in openldap

Ivan Ferreira — Fri, 20 Oct 2006 08:06:44 GMT

Ensure that /etc/nsswitch.conf is properly configured.

For example:

/etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files ldap dns

If you use vsftpd, it should be pam enabled, so ldap user information have to be used. Check that /etc/pam.d/vsftpd is correctly configured, normally pointing to system-auth module, and system-auth using the ldap libraries.

Re: Control ftp login in openldap

hangyu — Thu, 26 Oct 2006 20:09:24 GMT

thx ivan

my "/etc/pam.d/vsftpd" is as below
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ft
pusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

I can use ftp via vsftpd , but however , the auth password is /etc/shadow not the password keep in openldap server , if I want to use the password in openldap server , what can I do ? thx