Re: PAM LDAP FTP (OT ??)
Wed, 2003-02-05 at 15:35, Federico Edelman wrote:
> I'm setting up ftp (proftpd) authenticate thru PAM on Linux Debian.
> I'm installing:
> - openldap
> - pam-ldap
> - proftpd
> - ssh
> - libnss-ldap
>
> My /etc/pam.d/ftp:
>
> --- snip snip ---
> #%PAM-1.0
> auth sufficient pam_ldap.so
> auth required pam_listfile.so item=user sense=deny file=/etc/ftpuser onerr=succeed
> auth required pam_unix.so shadow nullok use_first_pass
> account sufficient pam_ldap.so
> account required pam_unix.so
> session sufficient pam_ldap.so
> session required pam_unix.so
> --- snip snip ---
>
> The ssh authentication work fine, but the ftp doesn't work.
Hmmm ... I've fiddled about all morning and some of the afternoon trying
to emulate your and Brian K. Jones' experiences. It's all grist to the
mill and I need them anyway :-)
Me: RH 7.2+++++, pam_ldap/nss_ldap, Openldap 2.1.12 / Berkeley 4.1.25,
Cyrus 2.1.10 SASL (latter has nothing to do with the below), Openssl
0.9.7.
wu-ftpd 2.6.2, openssh-3.5p1, both self-compiled with PAM support.
To cut things short, both wu-ftpd and openssh work for purely
Openldap-based (i.e. not /etc/passwd/shadow) users, as well as Unix
users.
What I found:
ftpd has to be called by xinetd (probably inetd in your case), otherwise
it doesn't work. OTOH, sshd has to run as a standalone system daemon,
otherwise it doesn't work, started in /etc/rc.d/init.d for me.
My /etc/pam.d/ftp (PADL's):
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_shells.so
auth sufficient /lib/security/pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_pwdb.so
#session sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_pwdb.so
My /etc/pam.d/sshd, Red Hat standard:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_limits.so
session optional /lib/security/pam_console.so
*** Notice no pam_ldap stuff in the latter? ***. If I use PADL's file,
with pam_ldap stuff, it doesn't work!
Hope this helps,
Tony
--
Tony Earnshaw
When all's said and done ...
there's nothing left to say or do.
e-post: tonni@billy.demon.nl
www: http://www.billy.demon.nl
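As an added example (not part of the thread, and not PADL's, Tony's or Federico's code): a small Python simulation of Linux-PAM control-flag semantics applied to the two /etc/pam.d/ftp auth stacks quoted above. The module names and their order are taken from the two files; the deny list, the shell list and the user records are constructed for illustration, and password prompting (use_first_pass) is ignored. Running it shows what the ordering difference between the two files does: with `auth sufficient pam_ldap.so` listed first, a correct LDAP password ends the stack with success before pam_listfile ever runs, so an LDAP-only account that is listed in /etc/ftpusers is not refused; with pam_listfile and pam_shells ahead of pam_ldap, a listed account (or one with an invalid shell) is refused regardless of its LDAP password.

```python
"""Simulate Linux-PAM control-flag evaluation for two /etc/pam.d/ftp stacks.

Added example for the thread above. The module order comes from the posted
files; the deny list, shell list and users below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample data (assumption, not from the mail).
FTPUSERS_DENY = {"root", "backup"}        # /etc/ftpusers for pam_listfile sense=deny
VALID_SHELLS = {"/bin/sh", "/bin/bash"}   # /etc/shells for pam_shells


@dataclass
class User:
    name: str
    password_ok: bool   # did the supplied password match?
    in_ldap: bool       # has an OpenLDAP entry (pam_ldap can authenticate it)
    in_passwd: bool     # has an /etc/passwd + /etc/shadow entry
    shell: str = "/bin/sh"


# Federico's auth stack, in the order he posted it.
FTP_STACK_FEDERICO = [
    ("sufficient", "pam_ldap"),
    ("required",   "pam_listfile"),
    ("required",   "pam_unix"),
]

# PADL's auth stack as Tony posted it.
FTP_STACK_PADL = [
    ("required",   "pam_listfile"),
    ("required",   "pam_shells"),
    ("sufficient", "pam_ldap"),
    ("required",   "pam_pwdb"),
]


def module_result(module: str, user: User) -> bool:
    """Simplified outcome of one auth module for this user."""
    if module == "pam_ldap":
        return user.in_ldap and user.password_ok
    if module in ("pam_unix", "pam_pwdb"):
        return user.in_passwd and user.password_ok
    if module == "pam_listfile":      # item=user sense=deny: fail if listed
        return user.name not in FTPUSERS_DENY
    if module == "pam_shells":
        return user.shell in VALID_SHELLS
    raise ValueError(f"unknown module {module}")


def evaluate_auth(stack, user: User) -> bool:
    """Apply Linux-PAM control-flag semantics to an auth stack.

    required:   failure is remembered, the stack keeps running, result is failure
    requisite:  failure ends the stack immediately with failure
    sufficient: success ends the stack immediately with success unless an
                earlier required module already failed; failure is ignored
    optional:   ignored here (it only decides when nothing else does)
    """
    required_failed = False
    required_succeeded = False
    for flag, module in stack:
        ok = module_result(module, user)
        if flag == "requisite":
            if not ok:
                return False
            required_succeeded = True
        elif flag == "required":
            if ok:
                required_succeeded = True
            else:
                required_failed = True
        elif flag == "sufficient":
            if ok and not required_failed:
                return True          # short-circuit: later modules never run
        elif flag != "optional":
            raise ValueError(f"unknown control flag {flag}")
    # No sufficient module short-circuited; the required modules decide.
    return required_succeeded and not required_failed


def compare(user: User) -> dict:
    """Result of the same login attempt under both stacks."""
    return {
        "federico": evaluate_auth(FTP_STACK_FEDERICO, user),
        "padl": evaluate_auth(FTP_STACK_PADL, user),
    }


if __name__ == "__main__":
    for u in (
        User("alice",  password_ok=True,  in_ldap=True,  in_passwd=False),
        User("backup", password_ok=True,  in_ldap=True,  in_passwd=False),
        User("bob",    password_ok=True,  in_ldap=False, in_passwd=True),
        User("alice",  password_ok=False, in_ldap=True,  in_passwd=False),
        User("carol",  password_ok=True,  in_ldap=True,  in_passwd=False,
             shell="/bin/false"),
    ):
        print(f"{u.name:7} password_ok={u.password_ok!s:5} {compare(u)}")
```

The "backup" case is the one to look at: an LDAP-only account that sits in the deny list is accepted by the first stack and refused by the second, purely because of where `sufficient pam_ldap` sits relative to the `required` checks.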