HPE Community
Operating System - Linux
1819870 Members
2352 Online
109607 Solutions
New Discussion юеВ

Control ftp login in openldap

 
SOLVED
Go to solution
hangyu
Regular Advisor

тАО10-18-2006 03:49 PM

тАО10-18-2006 03:49 PM

Control ftp login in openldap

In the config file /etc/ldap.conf of RH server, I have add "pam_check_host_attr yes", so that the user login is controlled by the user attribute , ( eg. host: ova_server ) , now the user can access the ova_server by telnet , ssh , however , if I want to control the ftp login , only a list of specific users ( eg. only three system administrators ) can ftp login to the server , can advise what can I do ? thx
0 Kudos
Reply
5 REPLIES 5
Ivan Ferreira
Honored Contributor

тАО10-19-2006 01:09 AM

тАО10-19-2006 01:09 AM

Solution

Re: Control ftp login in openldap

Ftp access is controlled in by the ftpusers file (or similar). The vsftpd daemon does not provides a way to obtain the user_list from an ldap server.

Probably, you will have to restrict access locally on each server through the user_list file.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Steven E. Protter
Exalted Contributor

тАО10-19-2006 01:16 AM

тАО10-19-2006 01:16 AM

Re: Control ftp login in openldap

Shalom,

To fully answer, the version of rh would be needed.

RH AS 2.1 and earlier based releases used wu-ftpd which has a configuration file called ftpusers which could limit ftp access to a list of users or deny certain users.

vsftpd controls this function via a well documented feature in /etc/vsfptd/vsftpd.conf concerning user listes..

vsftpd is the standard ftp server in Linux Es 3.0 and above.

Note that no matter how you package it, ftp transmits authentication in clear text and is therefore a large security risk. root user should never be graned ftp access.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Reply
hangyu
Regular Advisor

тАО10-19-2006 01:09 PM

тАО10-19-2006 01:09 PM

Re: Control ftp login in openldap

thx replies,

the ftp daemon is started , but I found that if I update the user.list , it will use the password in /etc/passwd not the password in openldap , can advise what can i do ? thx
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

тАО10-20-2006 01:06 AM

тАО10-20-2006 01:06 AM

Re: Control ftp login in openldap

Ensure that /etc/nsswitch.conf is properly configured.

For example:

/etc/nsswitch.conf

passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files ldap dns

If you use vsftpd, it should be pam enabled, so ldap user information have to be used. Check that /etc/pam.d/vsftpd is correctly configured, normally pointing to system-auth module, and system-auth using the ldap libraries.

Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
hangyu
Regular Advisor

тАО10-26-2006 01:09 PM

тАО10-26-2006 01:09 PM

Re: Control ftp login in openldap

thx ivan

my "/etc/pam.d/vsftpd" is as below
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ft
pusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

I can use ftp via vsftpd , but however , the auth password is /etc/shadow not the password keep in openldap server , if I want to use the password in openldap server , what can I do ? thx
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.