
Re: PAM LDAP FTP (OT ??)



On Wed, 2003-02-05 at 15:35, Federico Edelman wrote:

> I'm setting up ftp (proftpd) to authenticate through PAM on Debian Linux.
> I'm installing:
> - openldap
> - pam-ldap
> - proftpd
> - ssh
> - libnss-ldap
> 
> My /etc/pam.d/ftp:
> 
> --- snip snip ---
> #%PAM-1.0
> auth		sufficient		pam_ldap.so
> auth		required		pam_listfile.so item=user sense=deny file=/etc/ftpuser onerr=succeed
> auth		required		pam_unix.so	shadow nullok use_first_pass
> account	sufficient		pam_ldap.so
> account	required		pam_unix.so
> session	sufficient		pam_ldap.so
> session	required		pam_unix.so
> --- snip snip ---
> 
> The ssh authentication works fine, but the ftp doesn't.

Hmmm ... I've fiddled about all morning and some of the afternoon trying
to emulate your and Brian K. Jones' experiences. It's all grist to the
mill and I need them anyway :-)

Me: RH 7.2+++++, pam_ldap/nss_ldap, Openldap 2.1.12 / Berkeley 4.1.25,
Cyrus 2.1.10 SASL (latter has nothing to do with the below), Openssl
0.9.7.

wu-ftpd 2.6.2, openssh-3.5p1, both self-compiled with PAM support.

To cut things short, both wu-ftpd and openssh work for purely
Openldap-based (i.e. not /etc/passwd/shadow) users, as well as Unix
users.

What I found:

ftpd has to be called by xinetd (probably inetd in your case), otherwise
it doesn't work. OTOH, sshd has to run as a standalone system daemon,
otherwise it doesn't work; for me it is started from /etc/rc.d/init.d.

My /etc/pam.d/ftp (PADL's):

#%PAM-1.0
auth       required	/lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required	/lib/security/pam_shells.so
auth       sufficient	/lib/security/pam_ldap.so
auth       required	/lib/security/pam_pwdb.so shadow nullok
account    sufficient	/lib/security/pam_ldap.so
account    required	/lib/security/pam_pwdb.so
#session    sufficient	/lib/security/pam_ldap.so
session    required	/lib/security/pam_pwdb.so

My /etc/pam.d/sshd, Red Hat standard:

#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_limits.so
session    optional     /lib/security/pam_console.so

*** Notice: no pam_ldap stuff in the latter? *** If I use PADL's file,
with pam_ldap stuff, it doesn't work!

Hope this helps,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
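
One consequence of the different module order in the two /etc/pam.d/ftp files quoted in this thread can be checked offline. The Python below is an added example, not code from the thread or from PADL: it applies the Linux-PAM control-flag rules (required, requisite, sufficient, optional) to the two "auth" sections and to a constructed host, where the users (alice, bob, root), their passwords, the deny-file contents and /etc/shells are all made up for the demonstration and the module behaviours are modelled by hand. With `auth sufficient pam_ldap.so` placed before the pam_listfile deny rule, an LDAP user who is listed in the deny file still gets PAM_SUCCESS, because a sufficient module that succeeds ends the stack before the deny rule is consulted; with pam_listfile first, the same user is refused.

```python
"""Offline evaluator for Linux-PAM 'auth' stacks (added example, not from the thread
or from PADL). Control flags follow Linux-PAM; module behaviour, users, passwords
and file contents are constructed so the two /etc/pam.d/ftp orderings can be
compared without an LDAP server."""
from collections import namedtuple

SUCCESS, AUTH_ERR, PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"
Rule = namedtuple("Rule", "mtype control module args")  # module is the basename


def parse_pam(text):
    """Parse pam.d-style lines; comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            mtype, control, module, *args = line.split()
            rules.append(Rule(mtype, control, module.rsplit("/", 1)[-1], tuple(args)))
    return rules


def run_stack(rules, mtype, outcome):
    """Walk one management group; outcome(rule) returns the module status.
    required remembers the first failure and continues; requisite fails at once;
    sufficient returns PAM_SUCCESS unless a required module already failed
    (its own failure is ignored); optional never decides the result."""
    sticky, ran = None, False
    for rule in (r for r in rules if r.mtype == mtype):
        ran, res = True, outcome(rule)
        if rule.control == "required":
            if res != SUCCESS and sticky is None:
                sticky = res
        elif rule.control == "requisite":
            if res != SUCCESS:
                return sticky or res
        elif rule.control == "sufficient":
            if res == SUCCESS and sticky is None:
                return SUCCESS
        elif rule.control != "optional":
            raise ValueError(f"unknown control flag {rule.control!r}")
    return (sticky or SUCCESS) if ran else PERM_DENIED


class Host:
    """Constructed stand-in for the modules the two ftp stacks use."""
    def __init__(self, ldap, passwd, deny_files, shells):
        self.ldap = ldap              # {user: (password, loginShell)}
        self.passwd = passwd          # {user: (password, shell)} from /etc/passwd
        self.deny_files = deny_files  # {path: {user, ...}}; absent path = unreadable
        self.shells = shells          # contents of /etc/shells

    def outcome(self, user, password):
        def run(rule):
            opts = dict(a.split("=", 1) for a in rule.args if "=" in a)
            if rule.module == "pam_listfile.so":
                listed = self.deny_files.get(opts["file"])
                if listed is None:  # file unreadable: onerr= decides
                    return SUCCESS if opts.get("onerr") == "succeed" else AUTH_ERR
                deny = opts.get("sense", "allow") == "deny"
                return AUTH_ERR if (user in listed) == deny else SUCCESS
            if rule.module == "pam_shells.so":
                entry = self.passwd.get(user) or self.ldap.get(user)
                return SUCCESS if entry and entry[1] in self.shells else AUTH_ERR
            if rule.module == "pam_ldap.so":
                entry = self.ldap.get(user)
                return SUCCESS if entry and entry[0] == password else AUTH_ERR
            if rule.module in ("pam_unix.so", "pam_pwdb.so"):
                entry = self.passwd.get(user)  # use_first_pass only affects prompting
                return SUCCESS if entry and entry[0] == password else AUTH_ERR
            raise ValueError(f"module {rule.module} not modelled")
        return run


# The 'auth' sections of the two /etc/pam.d/ftp files in the thread, wraps joined.
SUFFICIENT_FIRST = """
auth sufficient pam_ldap.so
auth required   pam_listfile.so item=user sense=deny file=/etc/ftpuser onerr=succeed
auth required   pam_unix.so shadow nullok use_first_pass
"""
PADL_ORDER = """
auth required   /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required   /lib/security/pam_shells.so
auth sufficient /lib/security/pam_ldap.so
auth required   /lib/security/pam_pwdb.so shadow nullok
"""


def build_host():
    """Constructed data: alice exists only in LDAP and is in the ftp deny file."""
    return Host(
        ldap={"alice": ("s3cret", "/bin/bash"), "bob": ("hunter2", "/bin/bash")},
        passwd={"root": ("toor", "/bin/bash")},
        deny_files={"/etc/ftpuser": {"alice", "root"}, "/etc/ftpusers": {"alice", "root"}},
        shells={"/bin/sh", "/bin/bash"},
    )


def ftp_auth(stack, user, password, host=None):
    """Result of the 'auth' group of `stack` for one login attempt."""
    return run_stack(parse_pam(stack), "auth", (host or build_host()).outcome(user, password))
```

`ftp_auth(SUFFICIENT_FIRST, "alice", "s3cret")` returns PAM_SUCCESS while `ftp_auth(PADL_ORDER, "alice", "s3cret")` returns PAM_AUTH_ERR; a user not in the deny file authenticates under both orders, and a wrong password fails under both. Only the auth group is modelled, and `onerr=succeed` is honoured as written: if the deny file cannot be read, pam_listfile reports success, so a missing /etc/ftpusers silently disables the deny list in either ordering.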