
RE: [rhelv5-list] VSFTPd and LDAP

Collins, Kevin [MindWorks]

2008-03-11

I haven't followed this whole thread, but hopefully I can offer some
help. On my system, the unmodified /etc/pam.d/vsftpd looks like this:

-------
#%PAM-1.0
session   optional   pam_keyinit.so   force revoke
auth     required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth     required pam_shells.so
auth     include system-auth
account   include system-auth
session   include system-auth
session   required   pam_loginuid.so
-------

I think you want it to look more like this:

-------
#%PAM-1.0
session   optional   pam_keyinit.so   force revoke
auth     required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth     required pam_shells.so
auth     sufficient   pam_ldap.so try_first_pass
auth     required    pam_deny.so
account   include system-auth
session   include system-auth
session   required   pam_loginuid.so
-------


The key things being to use the "try_first_pass" (or no option) rather
than "use_first_pass" (see below from 'man pam_ldap' for the
distinction):

    use_first_pass
        Specifies that pam_ldap should always use the first
        password provided in the authentication stack.

    try_first_pass
        Specifies that pam_ldap should first try the first
        password provided in the authentication stack, and
        then prompt the user for their LDAP password if
        authentication fails.

and also the inclusion of the "pam_deny" entry as the last in the auth
stack...

Also, I assume your system is properly configured to talk to the LDAP
server?

Kevin
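To make the difference concrete, here is an added example (not code from the thread or from PAM itself) that evaluates the poster's vsftpd auth stack and the suggested replacement under PAM's simple control-flag semantics; the pam_ldap outcome is simulated rather than taken from a real LDAP server, and the stack definitions are copied from the two configurations quoted in this thread.

```python
# Added example, not from the thread: a toy evaluator for PAM's simple
# control flags (required / requisite / sufficient / optional).
# Module outcomes are supplied by hand; no real PAM module or LDAP server is involved.

PAM_SUCCESS, PAM_AUTH_ERR = "success", "auth_err"

def parse_stack(text, group="auth"):
    """Return [(control, module), ...] for one management group."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        # skip blanks, comments, other groups and bracketed controls (out of scope here)
        if len(parts) < 3 or parts[0] != group or parts[1].startswith("["):
            continue
        stack.append((parts[1], parts[2]))
    return stack

def run_stack(stack, results):
    """Evaluate with libpam's simple-control semantics.
    results maps module name -> outcome; unlisted modules succeed."""
    failed = False
    for control, module in stack:
        ok = results.get(module, PAM_SUCCESS) == PAM_SUCCESS
        if control == "required" and not ok:
            failed = True               # remembered; later modules still run
        elif control == "requisite" and not ok:
            return PAM_AUTH_ERR         # fail immediately
        elif control == "sufficient" and ok and not failed:
            return PAM_SUCCESS          # short-circuit success
        # a failing 'sufficient' and any 'optional' result are ignored here
    return PAM_AUTH_ERR if failed else PAM_SUCCESS

# The poster's auth stack and the suggested replacement, copied from the thread.
POSTED_AUTH = """
auth required   pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth sufficient pam_ldap.so use_first_pass
auth required   pam_shells.so
auth required   pam_nologin.so
"""
SUGGESTED_AUTH = """
auth required   pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required   pam_shells.so
auth sufficient pam_ldap.so try_first_pass
auth required   pam_deny.so
"""

def auth_result(config, ldap_accepts):
    """Auth-group outcome when pam_ldap accepts or rejects the password."""
    results = {"pam_deny.so": PAM_AUTH_ERR,
               "pam_ldap.so": PAM_SUCCESS if ldap_accepts else PAM_AUTH_ERR}
    return run_stack(parse_stack(config), results)
```

With the posted stack, a rejected pam_ldap result is simply ignored (it is only "sufficient") and the remaining "required" modules all pass, so the stack succeeds without any module having verified a password; the trailing pam_deny in the suggested stack is what turns that case into a failure.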

-----Original Message-----
From: rhelv5-list-bounces@(protected)
[mailto:rhelv5-list-bounces@(protected)
Engineer)
Sent: Monday, March 10, 2008 8:24 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: RE: [rhelv5-list] VSFTPd and LDAP


Hi Sam

I've been working on this but have not made much progress.

The following vsftpd PAM config lets me in, regardless of the password.
If I uncomment the 'auth include system-auth' line then no password will
let me in.

I'm trying for something in the middle i.e. the correct password will
let me in :)

#%PAM-1.0
session   optional   pam_keyinit.so   force revoke
auth     required   pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth     sufficient  pam_ldap.so use_first_pass
auth     required   pam_shells.so
auth     required   pam_nologin.so
#auth     include   system-auth
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account   include    system-auth
password  required   pam_cracklib.so
password  sufficient  pam_ldap.so use_authtok
session   include    system-auth
session   required   pam_loginuid.so

The following line gets logged in /var/log/secure:
Mar 11 12:15:29 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user rhost=localhost.localdomain user=user

Any ideas?

CC

________________________________

 From: rhelv5-list-bounces@(protected)
[mailto:rhelv5-list-bounces@(protected)
 Sent: Thursday, 6 March 2008 8:49 AM
 To: Red Hat Enterprise Linux 5 (Tikanga) discussion
mailing-list; Red Hat Enterprise Linux 5 (Tikanga) discussion
mailing-list
 Subject: RE: [rhelv5-list] VSFTPd and LDAP
 
 

> We've got a server running ProFTPd that uses an OpenLDAP server
> for authentication. I want to migrate this over to EL5 and VSFTPd.
> I've googled and found many references to getting VSFTPd to work
> with LDAP via PAM but the problem is that the system itself *must
> not* use LDAP for non-FTP logins.

I don't see why this is a problem. If you modify /etc/pam.d/vsftpd
to allow LDAP logins, but don't touch system-auth, then your system
can be not using PAM, while vsftpd happily is.

I do this for lots of services... (but not vsftpd)

--
Sam




_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
