
Re: using ldap with proftpd



Pierangelo Masarati wrote:
> 
> > It's now working but not as I wish :
> >
> > Prune wrote:
> > >
> > > Hi,
> > >
> > > I'm sorry to ask, but I can't find any doc about that..
> > >
> > > I've just installed the last proftpd server compiled with mod_ldap (vers
> > > 2.7.6)
> > > I add in the proftpd.conf :
> > >
> > > LDAPServer                      localhost
> > > LDAPAuthBinds                   on
> > > LDAPDNInfo                      dc=lecentre,dc=net
> > > #LDAPPrefix                     "dc=lecentre,dc=net"
> > > LDAPDoAuth                      on "dc=lecentre,dc=net"
> > >
> >
> > I changed the LDAPDNInfo line to :
> >
> > LDAPDNInfo            cn=manager, dc=lecentre, dc=net secret
> > (of course the pass is not the one I use :))
> >
> > It's now working. but this is not what I want.
> > isn't it possible to bind the user directly, without having to use the
> > manager account to do that ?
> >
> > Just for info, here are access granted to openldap in slapd.conf :
> >
> > access to dn=".*,ou=users,ou=lecentre.net,dc=lecentre,dc=net"
> >         by dn="cn=manager,dc=lecentre,dc=net" write
> >         by self write
> >         by anonymous auth
> >         by * none
> >
> > is this correct ?
> 
> I guess the auth code is doing a search with uid filter,
> so you must make uid searchable by anonymous if you wish
> to allow the app to authenticate without prior binding;
> use
> 
> access to dn=".*,ou=users,ou=lecentre.net,dc=lecentre,dc=net"
>         by dn="cn=manager,dc=lecentre,dc=net" write
>         by self write
>         by anonymous search
>         by * none
> 
> or add this rule BEFORE yours:
> 
> access to dn=".*,ou=users,ou=lecentre.net,dc=lecentre,dc=net" attrs=uid
>         by dn="cn=manager,dc=lecentre,dc=net" write
>         by self read
>         by anonymous search
> 
> (You shouldn't let self write all of its entry; you don't want
> let users change their uid or so!)
> 
> Pierangelo.

Thank you for the advice :)

I still have the same problem. As I can see in the ldap directive list,
I should normally just have to add:

LDAPDoAuth on "ou=users, ou=lecentre.net, dc=lecentre, dc=net"

Am I right when I guess that proftpd will try to bind "uid=stool,
ou=users, ou=lecentre.net, dc=lecentre, dc=net"?

In fact, it binds:

Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=0 BIND dn="" method=128
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=0 RESULT tag=97 err=0 text=
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=1 SRCH base="ou=users,ou=lecentre.net,dc=lecentre,dc=net" scope=2 filter="(&(uid=stool)(objectClass=posixAccount))"
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=2 SRCH base="ou=users,ou=lecentre.net,dc=lecentre,dc=net" scope=2 filter="(&(uid=stool)(objectClass=posixAccount))"
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=2 SEARCH RESULT tag=101 err=0 text=
Jul 14 15:09:57 diamond slapd[24529]: conn=13 op=3 UNBIND

So, why ?

Prune
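The slapd log in the message above shows an anonymous bind, the uid search and an unbind, but never a bind as the looked-up user. The following audit script, added here as an example (not part of the thread or of proftpd/OpenLDAP), groups slapd operations per connection and flags exactly that pattern, which is how one would confirm from the server side that mod_ldap never reached the user-bind step. The conn=13 lines are taken from the post; the conn=14 lines are constructed to show a completed authentication for contrast.

```python
import re
from collections import defaultdict

# Constructed sample log: conn=13 reproduces the lines from the post (joined);
# conn=14 is a made-up connection where the bind as the user does happen.
SAMPLE_LOG = """\
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=0 BIND dn="" method=128
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=0 RESULT tag=97 err=0 text=
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=1 SRCH base="ou=users,ou=lecentre.net,dc=lecentre,dc=net" scope=2 filter="(&(uid=stool)(objectClass=posixAccount))"
Jul 14 15:09:45 diamond slapd[24529]: conn=13 op=1 SEARCH RESULT tag=101 err=0 text=
Jul 14 15:09:57 diamond slapd[24529]: conn=13 op=3 UNBIND
Jul 14 15:10:02 diamond slapd[24529]: conn=14 op=0 BIND dn="" method=128
Jul 14 15:10:02 diamond slapd[24529]: conn=14 op=1 SRCH base="ou=users,ou=lecentre.net,dc=lecentre,dc=net" scope=2 filter="(&(uid=stool)(objectClass=posixAccount))"
Jul 14 15:10:02 diamond slapd[24529]: conn=14 op=2 BIND dn="uid=stool,ou=users,ou=lecentre.net,dc=lecentre,dc=net" method=128
Jul 14 15:10:02 diamond slapd[24529]: conn=14 op=2 RESULT tag=97 err=0 text=
Jul 14 15:10:05 diamond slapd[24529]: conn=14 op=3 UNBIND
"""

# Matches the connection id, operation number and operation kind of a slapd line.
LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|UNBIND|RESULT|SEARCH RESULT)(.*)')


def audit_connections(log_text):
    """Return one finding per connection that bound anonymously, searched for a
    uid, and then never bound as a real DN (the symptom seen in the post)."""
    conns = defaultdict(lambda: {"binds": [], "uids": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, _op, kind, rest = m.groups()
        rec = conns[conn]
        if kind == "BIND":
            # An empty dn="" is an anonymous bind.
            dn = re.search(r'dn="([^"]*)"', rest)
            rec["binds"].append(dn.group(1) if dn else "")
        elif kind == "SRCH":
            uid = re.search(r'\(uid=([^)]*)\)', rest)
            if uid:
                rec["uids"].append(uid.group(1))
    findings = []
    for conn, rec in sorted(conns.items(), key=lambda kv: int(kv[0])):
        anon_bind = "" in rec["binds"]
        user_bind = any(dn for dn in rec["binds"])  # any non-empty bind DN
        if anon_bind and rec["uids"] and not user_bind:
            findings.append({"conn": conn, "uids": rec["uids"]})
    return findings


if __name__ == "__main__":
    for f in audit_connections(SAMPLE_LOG):
        print(f"conn={f['conn']}: looked up uid(s) {f['uids']} but never bound as the user")
```

With the sample above only conn=13 is reported; a search that returns no entry (for instance because anonymous may not search uid under the ACL) leaves mod_ldap with no DN to bind, which is the situation the thread is discussing.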