Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) authentication from within Proftpd is provided via the mod_ldap module, which is not compiled in by default. For information on compiling in additional modules go back and read the chapter on installing Proftpd.

As of version 1.2 most of the annoying bugs have been removed and the code is of suitable quality to provide a stable authentication backend. The module became part of the distribution as of version 1.1.

What is LDAP

LDAP is a distributed, hierarchical directory service access protocol which is used to access repositories of users and other network- related entities. Because LDAP is often not tightly integrated with the host operating system, information such as users may need to be kept both in LDAP and in an operating system supported nameservice such as NIS. By using LDAP as the the primary means of resolving these entities, these redundancy issues are minimized and the scalability of LDAP can be exploited. (By comparison, NIS services based on flat files do not have the scalability or extensibility of LDAP or X.500.)

The object classes and attributes defined below are suitable for representing the aforementioned entities in a form compatible with LDAP and X.500 directory services.

Example 8-6. A typical configuration fragment

LDAPServer                      "localhost"
LDAPPrefix                      "dc=horde,dc=net"
LDAPDN                          "cn=thedn,dc=horde,dc=net"
LDAPDNPass                      "ldap_dnpass"
LDAPNegativeCache       on
	    

Ldap notes

I try to compile Proftpd 1.2.0pre9 with the ldap support. According to info on the homepage of the ldap module, the mod_ldap.c is in the /modules directory and I run configure with the --with-modules=mod_ldap but make always complains about missing lber.h and ldap.h (which are found in the OpenLDAP package). Does that means that I have to compile (or copy some files from?) OpenLDAP on the computer? My aim is to use a remote LDAP server, not a locally installed one (and I don't want, if possible, to install a LDAP server on this machine). How can I do? Sorry if my question seems a bit simple to the "gurus"! :-)

mon avis you don't need to install a full ldap server on your system,= but you need to have a set of ldap library (openldap, netscape...) and the corres= ponding include headers. I recommend you to install the openldap and build the li= braries only.

That's correct. For OpenLDAP, you can build the client header files, libraries, and utilities _only_ by saying: ./configure --disable-slapd --disable-slurpd when you build OpenLDAP. =C0 mon avis you don't need to install a full ldap server on your system,= but you need to have a set of ldap library (openldap, netscape...) and the corres= ponding include headers. I recommend you to install the openldap and build the li= braries only.

I try to compile Proftpd 1.2.0pre9 with the ldap support. According to info on the homepage of the ldap module, the mod_ldap.c is in the /modules directory and I run configure with the --with-modules=mod_ldap but make always complains about missing lber.h and ldap.h (which are found in the OpenLDAP package). Does that means that I have to compile (or copy some files from?) OpenLDAP on the computer? My aim is to use a remote LDAP server, not a locally installed one (and I don't want, if possible, to install a LDAP server on this machine). How can I do? Sorry if my question seems a bit simple to the "gurus"! :-) I've a proftpd authenticating users against a ldap server. The users are not unix users, then I can't use the normal quotta system. Does have proftpd an internal system to limit the size of a directory?? How can I control the size of each user directory?? thanks,

On Wed, Jan 12, 2000 at 11:05:15AM +0100, Juli=E1n Romero wrote: > I've a proftpd authenticating users against a ldap server. > The users are not unix users, then I can't use the normal quotta system. Hmmmm - considering that I've not dealt with the mod_ldap stuff this may well be a silly question. Does each of your users have a unique UID on the system ? Or are you using DefaultRoot and a single UID for all users ? If you've got a unique UID for each user then you *can* still use the quota system as it actually uses UIDs for the work - the user name to UID map is performed by the quota commands. That said, the quota commands often accept UIDs in the place of usernames. It has to be said that the standard quota stuff (at least under Solaris) is painful to use in automatic systems - its often easier to dig into the quota system and code your own programs to control the quota system than use the system provided ones.

Thanks to Jim, i succeeded in linking mod-ldap with LDAP-C SDK librai= ries (-lpthread -lldapssl30 is a good way)... But now, when I try to run proftpd, I get an error message which says= : - Fatal: Group: Unknown group 'nogroup'. ...I tried to add "ftp-master", "nobody", "nogroup" entries to my LDA= P server...but nothing changes! Thanx for any help...Peter, could you send me part of your proftpd.co= nf, or ldif entries you had to add on your LDAP server?

here's my proftpd.conf (very basic one, i thought...) ------------------- # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "Serveur test" ServerType standalone DefaultServer on #PAMConfig ftp #AuthPAMAuthoritative off LDAPServer test.rouen.men.fr LDAPDNInfo xxxxxxxxxxxxxxx LDAPDoAuth on "ou=3D..." LDAPDoUIDLookups off LDAPDoGIDLookups off LDAPNegativeCache on Port 21 Umask 022 MaxInstances 30 User nobody Group nobody <Directory /*> AllowOverwrite on </Directory> <Anonymous ~> User ftp Group ftp UserAlias anonymous ftp MaxClients 10 DisplayLogin welcome.msg DisplayFirstChdir .message <Directory *> <Limit WRITE> DenyAll </Limit> </Directory> <Directory incoming> <Limit READ WRITE> DenyAll </Limit> <Limit STOR> AllowAll </Limit> </Directory> </Anonymous> --------------------- % % Thanks to Jim, i succeeded in linking mod-ldap with LDAP-C SDK librairies % (-lpthread -lldapssl30 is a good way)... % % But now, when I try to run proftpd, I get an error message which says: % - Fatal: Group: Unknown group 'nogroup'. % % ...I tried to add "ftp-master", "nobody", "nogroup" entries to my LDAP % server...but nothing changes! % % LDAPServer test.rouen.men.fr % LDAPDNInfo xxxxxxxxxxxxxxx % LDAPDoAuth on "ou=..." % LDAPDoUIDLookups off % LDAPDoGIDLookups off % LDAPNegativeCache on In theory, you can have the users referenced in your proftpd.conf User/Group config directives in the LDAP database. I really haven't done any testing with a situation like that, though, but it *should* work. I usually have my User/Group users listed in /etc/passwd and /etc/group and just use the LDAP directory for user authentication. If you choose to reference LDAP-only users/groups in your User/Group config directives, you'll need to set both LDAPDoAuth and LDAPDoGIDLookups to on.

I am trying to build mod_ldap module (2.5.2) with proftpd on Solaris 2.6. I use Netscape DirectoryServer API libldapssl30.so. When I do make with the package it says one error: cannot find "llber" library. I remember if use Netscape directory server API 3.0, we need not llber library. Where to get llber (which looks for openldap on linux)? Does any one succeed to use proftpd authenticate with ldap on Solaris ? DO you get the same compiling problem? When I do ./configure --with module=mdo_ldap, for some system check the answer is no, does that matter?

I have a problem in running Proftpd from command line. I configure it as default run by "inet" NOT standalone. I add few entries in proftpd.conf but when I run it, error message say Fatal: unknown configuration directive 'LDAPDNInfo', any first directive start with 'LDAP' get the same error. I searched the source code no place read in "proftpd.conf" file , what is wrong with my mod_ldap module? Please drop me few lines if you have any idea where this config file is read in and how it proftpd talk to Unix Solaris nation unix.pam.so 1 module and pam talk to mod_ldap? Atcuallt where is the mod_ldap lib installed? In other email group, I succeeded allow wu_ftp to talk to standard pam_ldap and nss_ldap module for ftp user to authenticate with a remote LDAP server. I know here Proftp has its native LDAP support. Can anyone help me describe the code architecture? I am new to proftp.

A quick question is that, you user login as uid and pass then search on the proconfigured base in mod_ldap.conf file which is static. But uid may not unique in a whole LDAP server, for example a ISP company providing service for many domains. The search base is root. How you avoid this problem? OR, if use login as uid@domain.com can you parse it into "uid" and "domain.com" then do the ldap search with dn in mod_ldap.conf plus "domian.com" as new search base? OR your ProFTP can prompt user for a "domain" in addition to "user:" "password"? Which way is easier to deal with this problem?

I have problems with authentication when using mod_ldap. I'm using Solaris2.6, Netscape Directory Server, 1.2.0pre10 and mod_ldap-2.5.2. ProFTPD is running standalone. When trying to login I get: ---------- 220 ProFTPD 1.2.0pre10 Server (ProFTPD) [hostname] Name (IP-address:user): profuser 421 Service not available, remote server has closed connection Login failed. ---------- The "profuser" is registered in the NDS and has the objectclass posixaccount. In the errorlog of the NDS it looks like bind is ok but what happens after that??? errorlog: ----------- [28/Feb/2000:15:28:28 +0100] - new connection on 44 [28/Feb/2000:15:28:28 +0100] - listening for connections on 0 [28/Feb/2000:15:28:28 +0100] - activity on 44r [28/Feb/2000:15:28:28 +0100] - read activity on 44 [28/Feb/2000:15:28:28 +0100] - add_pb [28/Feb/2000:15:28:28 +0100] - listening for connections on 0 [28/Feb/2000:15:28:28 +0100] - get_pb [28/Feb/2000:15:28:28 +0100] - do_bind [28/Feb/2000:15:28:28 +0100] - BIND dn="cn=Directory Manager" method=128 version=2 [28/Feb/2000:15:28:28 +0100] - => get_ldapmessage_controls [28/Feb/2000:15:28:28 +0100] - <= get_ldapmessage_controls no controls [28/Feb/2000:15:28:28 +0100] - do_bind: version 2 method 0x80 dn cn=Directory Manager [28/Feb/2000:15:28:28 +0100] - => slapi_pw_find value: "password" [28/Feb/2000:15:28:28 +0100] - <= slapi_pw_find matched "password" using scheme "clear" [28/Feb/2000:15:28:28 +0100] - => send_ldap_result 0:: [28/Feb/2000:15:28:28 +0100] - flush_ber() wrote 14 bytes to socket 44 [28/Feb/2000:15:28:28 +0100] - <= send_ldap_result [28/Feb/2000:15:28:28 +0100] - listener got signaled [28/Feb/2000:15:28:28 +0100] - listening for connections on 0 [28/Feb/2000:15:28:28 +0100] - activity on 44r [28/Feb/2000:15:28:28 +0100] - read activity on 44 [28/Feb/2000:15:28:28 +0100] - add_pb [28/Feb/2000:15:28:28 +0100] - listening for connections on 0 [28/Feb/2000:15:28:28 +0100] - get_pb [28/Feb/2000:15:28:28 +0100] - PR_Recv(2588624) 0 (EOF) [28/Feb/2000:15:28:28 +0100] - listener got signaled ----------- In proftpd.conf I have these values: ----------- LDAPServer localhost LDAPDNInfo "cn=Directory Manager" password LDAPDoAuth on "ou=users,ou=customers,o=organization" LDAPDoUIDLookups off LDAPDoGIDLookups off LDAPNegativeCache on LDAPHomedirOnDemand off LDAPDefaultAuthScheme clear ---------- Is there anyone who knows what happens here after the Bind??? I added the "allowedservices" attribute but it makes no difference. How is it used? Have you edited mod_ldap.c? Did you do something else to get it going?

---------------------------------- > What attribute is "allowedservices"? I don't have that attribute > in my Directory Server. Is it a standard attribute or something > you've created? > Something I added in each LDAP user definition Same problem I got. Verify that your user as the following attributes (LDAP definition): userpassword homedirectory allowedservices (set it to FTP) It's the minimum requirements. Joakim Br=E5n=E4s (QRA) wrote: > What attribute is "allowedservices"? I don't have that attribute > in my Directory Server. Is it a standard attribute or something > you've created? > Something I added in each LDAP user definition -- Laurent PIERRE T=E9l:01 47 33 82 84 Fax:01 47 33 76 98 E-mail: laurent.pierre@alcove.fr ** Alc=F4ve lib=E8re votre informatique... Web: http://www.alcove.fr **

Just a wild guess - what about escapeing the whitespace ? like : LDAPDNInfo cn=3DDirectory\ Manager,dc=3Ddatelec,dc=3Dcom [ ] > % I guess this new release had correctly fixed the solaris bugs. > % > % I can connect to proftpd without this "signal 11" error. Nice job ! > > Good, I'm glad to hear it. > > % But I have now another issue : > % > % My cn for my Netscape Directory server is : Directory Manager > % > % So my proftpd.conf file seems like : > % > % > LDAPServer ldap_shagga > % > LDAPDNinfo cn="Directory Manager",dc=datelec,dc=com [ ] > [misc. snippage] > % But I guess your module doesn't parse correctly the cn field cause in my ldap > % server logs I get this error : > % > % > [16/Feb/2000:12:47:20 +0100] conn=7371 op=0 BIND dn="cn="Directory" method=128 version=2 > > Config-file parsing is taken care of by proftpd; oops ... sorry :) > it basically splits config > file parameters on whitespace. I think that the quotes in the middle of the > paramter are confusing it. What happens if you try: > > LDAPDNInfo "cn=Directory Manager,dc=datelec,dc=com" [ ] I've tried : same error... So I've to change the name of my Cn...... Exact ?

I guess this new release had correctly fixed the solaris bugs. I can connect to proftpd without this "signal 11" error. Nice job ! But I have now another issue : My cn for my Netscape Directory server is : Directory Manager So my proftpd.conf file seems like : > LDAPServer ldap_shagga > LDAPDNinfo cn="Directory Manager",dc=datelec,dc=com micr0sc0n > LDAPDoAuth on "dc=People,dc=datelec,dc=com" > LDAPDoUIDLookups off > LDAPDoGIDLookups off > But I guess your module doesn't parse correctly the cn field cause in my ldap server logs I get this error : > [16/Feb/2000:12:47:20 +0100] conn=7371 fd=164 slot=164 connection from 192.168.120.164 to 192.168.120.160 > [16/Feb/2000:12:47:20 +0100] conn=7371 op=0 BIND dn="cn="Directory" method=128 version=2 > [16/Feb/2000:12:47:20 +0100] conn=7371 op=0 RESULT err=32 tag=97 nentries=0 etime=0 > [16/Feb/2000:12:47:20 +0100] conn=7371 op=-1 fd=164 closed - B1 > Normally that should be (like a good connection): > [16/Feb/2000:12:47:59 +0100] conn=7372 fd=164 slot=164 connection from 192.168.120.165 to 192.168.120.160 > [16/Feb/2000:12:47:59 +0100] conn=7372 op=0 BIND dn="cn=Directory Manager" method=128 version=2 > [16/Feb/2000:12:47:59 +0100] conn=7372 op=0 RESULT err=0 tag=97 nentries=0 etime=0 >

> I released mod_ldap v2.5.1 on Saturday. It adds support for authenticated > binds and also fixes all known bugs up until this point in time (most > notably the mod_ldap-segfaults-under-solaris bug). Authenticated binds > allows mod_ldap to support any password encryption scheme that your LDAP > server supports; it will bind to your LDAP server with the credentials > listed by LDAPDNInfo and fetch all user information except for userPassword. > It will then re-bind to the LDAP server as the FTP user who is attempting > to log in with the user-supplied password. If the bind succeeds, the user > is allowed access. http://horde.net/~jwm/software/mod_ldap/ > > I know that a bunch of people on the list are using mod_ldap, so I figured > it would be of enough interest to post here. If there's a more appropriate > place for this (or you'd rather I didn't announce new versions here), please > let me know.

% I guess this new release had correctly fixed the solaris bugs. % % I can connect to proftpd without this "signal 11" error. Nice job ! Good, I'm glad to hear it. % But I have now another issue : % % My cn for my Netscape Directory server is : Directory Manager % % So my proftpd.conf file seems like : % % > LDAPServer ldap_shagga % > LDAPDNinfo cn="Directory Manager",dc=datelec,dc=com [ ] [misc. snippage] % But I guess your module doesn't parse correctly the cn field cause in my ldap % server logs I get this error : % % > [16/Feb/2000:12:47:20 +0100] conn=7371 op=0 BIND dn="cn="Directory" method=128 version=2 Config-file parsing is taken care of by proftpd; it basically splits config file parameters on whitespace. I think that the quotes in the middle of the paramter are confusing it. What happens if you try: LDAPDNInfo "cn=Directory Manager,dc=datelec,dc=com" [ ]

I'm trying to use proftpd with the ldap module (v2.0). I've made a beautiful compilation of proftpd with some others modules (the problem is the same without quota and ratio) > shagga (root) /tmp/proftpd-1.2.0pre10 > ./proftpd -l > Compiled-in modules: > mod_core.c > mod_auth.c > mod_xfer.c > mod_site.c > mod_ls.c > mod_unixpw.c > mod_log.c > mod_pam.c > mod_ratio.c > mod_ldap.c > My configuration file is something like that : > ServerName "Internal FTP Server" > ServerType StandAlone > DefaultServer on > Port 21 > > User nobody > Group nogroup > > MaxInstances 30 > > TimeoutStalled 300 > > DisplayLogin welcome.msg > DisplayFirstChdir .message > > RootLogin on > > AuthPAMAuthoritative off > > LDAPServer ldap_shagga > LDAPDNinfo cn=admin,dc=datelec,dc=com password > LDAPDoAuth on "dc=People,dc=datelec,dc=com" > LDAPDoUIDLookups off > LDAPDoGIDLookups off > When I start proftpd ( proftpd -d 5 -n ) and i try to connect to the server, I get this message : > shagga - ProFTPD 1.2.0pre10 standalone mode STARTUP > shagga (snardone.datelec.ch[192.168.120.165]) - connected - local : 192.168.120.164:21 > shagga (snardone.datelec.ch[192.168.120.165]) - connected - remote : 192.168.120.165:3451 > shagga (snardone.datelec.ch[192.168.120.165]) - ProFTPD terminating (signal 11) > Not too much debug infos !! Other important point : when I sniff if something come out off my ftp server I can see : NOTHING ! I guess something is wrong in my configuration file (I'm really not a LDAP "guru"). Thanks in advance, Stephan

> Yes, I admit that mod_ldap needs some serious debugging info added; the next > release is pretty frozen right now, but definitely in the next release. > After mod_ldap is called to parse its config file entries, it logs a summary > of all its config paramters, if you run proftpd normally (letting it fork > and without debugging), do you see something like this in your syslogs? Can > you look in your LDAP server's logs to see if mod_ldap is querying the LDAP > database yet? Also, what operating system are you using? Even if I try to start proftpd normally I can't see anything additional debug. I also do not see any connections from proftpd to my ldap (netscape Directory 4.1). I'm running proftpd under Solaris 2.6 (Sun). > > > % Other important point : when I sniff if something come out off my ftp server I can see : NOTHING ! > % > % I guess something is wrong in my configuration file (I'm really not a LDAP "guru"). > % > % PS: that's may be due to the compilation with netscape SDK.... > > I compiled pre10 on this machine (Slack Linux 4), and mod_ldap works fine > with your config (without AuthPAMAuthoritative, I don't have access to a > PAMified machine). But I'd like to find out if you see the config-summary > syslogged anywhere before I'm lead to believe that it's an SDK problem. So, I'm now looking for an Sun solaris 2.6 binaries plus libraries (ldap and lber).... I am seeing the same thing as Stephan (signal 11, proftpd closes connection). My proftpd config is the same as well. I'm on a solaris 7 box that has PAM and I have tried the proftpd directive "AuthPAMAuthoritative" set to "on" and "off" with the same result. I have carried out John's instruction to Stephan (run proftpd in standalone mode without debugging and check syslog for mod_ldap config parsing entries. However, I do not see anything. What I do see logged when a ftp client connection is made is the following: /var/adm/messages <snip> Jan 27 07:35:08 thumbsuck proftpd[20813]: thumbsuck.mweb.co.za (net-61-51.mweb.c o.za[196.2.61.51]) - ProFTPD terminating (signal 11) Jan 27 07:35:08 thumbsuck proftpd[20813]: thumbsuck.mweb.co.za (net-61-51.mweb.c o.za[196.2.61.51]) - ProFTPD terminating (signal 11) Jan 27 07:36:51 thumbsuck proftpd[20816]: thumbsuck.mweb.co.za (localhost[127.0. 0.1]) - ProFTPD terminating (signal 11) Jan 27 07:36:51 thumbsuck proftpd[20816]: thumbsuck.mweb.co.za (localhost[127.0. 0.1]) - ProFTPD terminating (signal 11) <snip> Seems odd that proftpd is logging what appears to 2 duplicate lines for each client connection. Note that I tried from two different clients. I also do not see any connections from proftpd to my ldap (openldap). Hopefully this may assist in pinning down this problem? Paul Gamble. On Wed, Jan 26, 2000 at 08:25:48PM +0100, Stephan Nardone wrote: % % I'm trying to use proftpd with the ldap module (v2.0). % % I've made a beautiful compilation of proftpd with some others modules % (the problem is the same without quota and ratio) % % > shagga (root) /tmp/proftpd-1.2.0pre10 > ./proftpd -l % > Compiled-in modules: % > mod_core.c % > mod_auth.c % > mod_xfer.c % > mod_site.c % > mod_ls.c % > mod_unixpw.c % > mod_log.c % > mod_pam.c % > mod_ratio.c % > mod_ldap.c I believe you need something like MySQL or PostgreSQL to store persistent ratios across FTP sessions; mod_ldap doesn't support storing ratio information (yet, I'll have to look to see what's involved). % My configuration file is something like that : % [snip] % > LDAPServer ldap_shagga % > LDAPDNinfo cn=admin,dc=datelec,dc=com password % > LDAPDoAuth on "dc=People,dc=datelec,dc=com" % > LDAPDoUIDLookups off % > LDAPDoGIDLookups off This looks fine. % When I start proftpd ( proftpd -d 5 -n ) and i try to connect to the server, I get this message : % % % > shagga - ProFTPD 1.2.0pre10 standalone mode STARTUP % > shagga (snardone.datelec.ch[192.168.120.165]) - connected - local : 192.168.120.164:21 % > shagga (snardone.datelec.ch[192.168.120.165]) - connected - remote : 192.168.120.165:3451 % > shagga (snardone.datelec.ch[192.168.120.165]) - ProFTPD terminating (signal 11) % % Not too much debug infos !! Yes, I admit that mod_ldap needs some serious debugging info added; the next release is pretty frozen right now, but definitely in the next release. After mod_ldap is called to parse its config file entries, it logs a summary of all its config paramters, if you run proftpd normally (letting it fork and without debugging), do you see something like this in your syslogs? Can you look in your LDAP server's logs to see if mod_ldap is querying the LDAP database yet? Also, what operating system are you using? % Other important point : when I sniff if something come out off my ftp server I can see : NOTHING ! % % I guess something is wrong in my configuration file (I'm really not a LDAP "guru"). % % PS: that's may be due to the compilation with netscape SDK.... I compiled pre10 on this machine (Slack Linux 4), and mod_ldap works fine with your config (without AuthPAMAuthoritative, I don't have access to a PAMified machine). But I'd like to find out if you see the config-summary syslogged anywhere before I'm lead to believe that it's an SDK problem. On Thu, Jan 27, 2000 at 07:48:45AM +0200, Paul Gamble - MWeb wrote: > I am seeing the same thing as Stephan (signal 11, proftpd closes > connection). My proftpd config is the same as well. I'm on a solaris 7 box It may not help much, but its probably worth pointing out that signal number 11 is a segmentation violation (SIGSEGV, see /usr/include/sys/signal.h) which indicate that some code within ProFTPD is doing bad things to memory. -- On Wed, Jan 26, 2000 at 08:25:48PM +0100, Stephan Nardone wrote: % % I'm trying to use proftpd with the ldap module (v2.0). % % I've made a beautiful compilation of proftpd with some others modules % (the problem is the same without quota and ratio) % % > shagga (root) /tmp/proftpd-1.2.0pre10 > ./proftpd -l % > Compiled-in modules: % > mod_core.c % > mod_auth.c % > mod_xfer.c % > mod_site.c % > mod_ls.c % > mod_unixpw.c % > mod_log.c % > mod_pam.c % > mod_ratio.c % > mod_ldap.c I believe you need something like MySQL or PostgreSQL to store persistent ratios across FTP sessions; mod_ldap doesn't support storing ratio information (yet, I'll have to look to see what's involved). % My configuration file is something like that : % [snip] % > LDAPServer ldap_shagga % > LDAPDNinfo cn=admin,dc=datelec,dc=com password % > LDAPDoAuth on "dc=People,dc=datelec,dc=com" % > LDAPDoUIDLookups off % > LDAPDoGIDLookups off This looks fine. % When I start proftpd ( proftpd -d 5 -n ) and i try to connect to the server, I get this message : % % % > shagga - ProFTPD 1.2.0pre10 standalone mode STARTUP % > shagga (snardone.datelec.ch[192.168.120.165]) - connected - local : 192.168.120.164:21 % > shagga (snardone.datelec.ch[192.168.120.165]) - connected - remote : 192.168.120.165:3451 % > shagga (snardone.datelec.ch[192.168.120.165]) - ProFTPD terminating (signal 11) % % Not too much debug infos !! Yes, I admit that mod_ldap needs some serious debugging info added; the next release is pretty frozen right now, but definitely in the next release. After mod_ldap is called to parse its config file entries, it logs a summary of all its config paramters, if you run proftpd normally (letting it fork and without debugging), do you see something like this in your syslogs? Can you look in your LDAP server's logs to see if mod_ldap is querying the LDAP database yet? Also, what operating system are you using? % Other important point : when I sniff if something come out off my ftp server I can see : NOTHING ! % % I guess something is wrong in my configuration file (I'm really not a LDAP "guru"). % % PS: that's may be due to the compilation with netscape SDK.... I compiled pre10 on this machine (Slack Linux 4), and mod_ldap works fine with your config (without AuthPAMAuthoritative, I don't have access to a PAMified machine). But I'd like to find out if you see the config-summary syslogged anywhere before I'm lead to believe that it's an SDK problem. Hi all, I am trying to use Apache's mass virtual hosting features to create a mass virtual hosting server for web data. Trouble is, to upload their data, users need to use ftp to do it. I am looking for an ftp server daemon wchich will let me do the following: - authenticate username/password in LDAP - chroot access to their home directory - NO POSIX ACCOUNT NEEDED in the LDAP server (easier to maintain, more secure) Can proftpd (with LDAP patches) do this?

P On Thu, Dec 02, 1999 at 03:28:04PM +0100, Graham Leggett wrote: % I am trying to use Apache's mass virtual hosting features to create a % mass virtual hosting server for web data. Trouble is, to upload their % data, users need to use ftp to do it. % % I am looking for an ftp server daemon wchich will let me do the % following: % % - authenticate username/password in LDAP Sure, mod_ldap can do this. % - chroot access to their home directory This is a part of ProFTPD itself, and has no problems with mod_ldap as far as I can see. % - NO POSIX ACCOUNT NEEDED in the LDAP server (easier to maintain, more % secure) Currently, mod_ldap uses the posixAccount objectclass; if you really don't want to use it, you can modify this behavior, but it will require modification of the mod_ldap source to change the names of the attributes that the module is looking for from the LDAP database. I'm thinking of making this compile-time configurable in the next release of mod_ldap[1]; a couple other people have mentioned that they don't want to use the posixAccount objectclass. [1] mod_ldap v2.0 will be released any day now; I've got 95% of the docs done, just gotta get the web site updated. I'll think about adding a non-posixAccount objectclass to my todo for the next release. If anybody wants an advance copy of v2.0, please let me know.

% Ideally what I am looking for is something that can match the % VirtualDocumentRoot directive in the Apache mod_vhost_alias module. % % Here you define a template of some kind that tells Apache where to find % the document root directory based on the DNS name of the website. % % It would be great if ProFTPd could do this also, either getting the DNS % name from an attribute in LDAP, or by using the username+SomeDNSSuffix % to correspond.

Hm, that would be interesting. Maybe a config option to vary the LDAPPrefix based on the IP address the remote user connected to. I'll have to check it out.

% The reason why I don't want to use the posixAccount objectclass is % because I cannot seem to find any widely available LDAP editors that % allow me to edit an object using it. What editors have you looked at, and what objectclasses have they supported? I'm still considering making objectclass a compile-time option, I just need some other objectclasses to support. :-)

% In addition, the need for posix user and group ids is a pain, something % has to assign them, and ensure these numbers are unique. This is too % much work just for ftp.

mod_ldap 2.0 changes that; it's the first release that will let you run in a pure virtual environment (an "ftp toaster" kind of deal). You can assign a single default UID/GID in your proftpd.conf and also create home directories on demand (when the user logs in for the first time). (Thanks to Bert Vermeulen <bert@be.easynet.net> and Krzysztof Dabrowski <brush@pol.pl> for ideas/patches in this area.)

% > Hm, that would be interesting. Maybe a config option to vary the LDAPPrefix % > based on the IP address the remote user connected to. I'll have to check it % > out. % % The Apache mass virtual hosting places many sites under one IP address, % so determining the hostname this way won't work - but it will work in % the case everyone is given their own IP address.

Okay; I didn't consider that possibility. In that case, something like that for the FTP protocol in general won't work; there's no way to do virtual hosting without an IP address for each FTP virtual host. I've heard that there's been some draft work on changing this situation, I don't have any URLs handy, but I think that some have been posted to the list in the past.

Yup, it's at http://horde.net/~jwm/software/proftpd-ldap/. It works well for me, and I've had reports of v2.0 working well at other (some large) sites. Let me know how things go.

Why use LDAP over SQL?

> >- Because LDAP is a standard, SQL is not. > > Excuse me? I think you're misinformed here, as SQL is a standard. What > various companies have done with propietary "extensions" is another issue, > but you can always choose not to use them and stick with core. But still , > I think I understand what you're getting at: portability.

SQL thinks it's a standard, but I'm talking in practical terms. Each vendor seems to have it's own variation on syntax, as well as access libraries, otherwise you have to install and correctly configure ODBC, a real pain.

The lack of a standard SQL schema is also a problem. The way application A stores it's user information is usually completely different to the way that application B does it, because there is no "right" way of doing it. Assuming it's even possible, making application A and B share the same schema is usually lots of work. Yuck.

> I have been considering using LDAP, which is what prompted my inquiry in > the first place. Feedback I've gotten from a few people implementing it is > that it works great, but does not scale as well as SQL, is more resource > intensive, and that for large user bases (e.g. couple hundred thousand) is > much slower. But I've not yet delved into this thoroughly enough to make a > sound evaluation.

LDAP scales much better than SQL because of the way the database is designed. You can spread your data logically across multiple machines, allowing different people to have different access to data sets (such as the US people being able to edit their userids, and the Europe people being able to edit thier userids, but neither can edit the other's, if you want it like that), while at the same time keeping the tree looking like a single logical data set. You can also (as we do here) mirror your data across many LDAP servers, so if one server goes down it won't take out your applications.

> >- LDAP's replication, scalability and fault tolerance support is simpl= e > >to configure and use, SQL's is vendor specific and unnecessarily > >complicated. > > I have been considering using LDAP, which is what prompted my inquiry i= n > the first place. Feedback I've gotten from a few people implementing i= t is > that it works great, but does not scale as well as SQL, is more resourc= e > intensive, and that for large user bases (e.g. couple hundred thousand)= is > much slower. But I've not yet delved into this thoroughly enough to ma= ke a > sound evaluation.

I'm speaking for a commercial LDAP implementation, Netscape-iPlanet Direc= tory Server 4.11. It's fast like hell! If you use the personalisation features of my.netscape.com, you can see that's it fast. And my. netscape has over 20million users in their ldap servers and each user has around 400 attri= butes.

PcWeek measured on a 4 CPU NT box over 5000 authentication / second with = this LDAP server. As Paul Tavernier wrote it really uses cool caching, and it's one of the = most stabe product I've ever seen. But if you have a lot's of write operation LDAP is not about handling the= m very fast.

1. performance is better for read operations (what an authentication is) 2. price 3. easier to implement failover than with eg an Oracle.

Рейтинг@Mail.ru