[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Problems getting ProFTPD to play nice with OpenLDAP via TLS
I posted a similar message to the proftpd lists but I'm sending it here
in hopes someone here can help out as well.
First off, I can use the ldapsearch command on both the ldap server
itself and the ftp server to get data off of the ldap server via TLS.
ldap.conf is configured as such:
BASE o=ebitnetworks
URI ldaps://trek.tor1.ebit.ca
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
TLS_CACERT /usr/local/etc/openldap/cacert.pem
TLS_CERT /usr/local/etc/openldap/newcert.pem
TLS_KEY /usr/local/etc/openldap/newreq.pem
TLS_REQCERT demand
I have proftpd configured as such:
LDAPDoAuth on "o=people,o=ebitnetworks"
LDAPUseTLS on
When I was trying to get ldapsearch working with TLS, I needed to make
a .ldaprc file for the user executing the command. Proftpd passes auth
info to the ldap API in addition to what is in it's own config file.
That being said, do I need to create a .ldaprc for the user "nobody"
which is the user proftpd runs as?! :/
When I try to use proftpd with above mentioned configurations, I get
this openldap error:
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
TLS certificate verification: depth: 1, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks
inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=4, closing.
connection_closing: readying conn=4 sd=13 for close
connection_close: deferring conn=4 sd=13
do_unbind
connection_resched: attempting closing conn=4 sd=13
connection_close: conn=4 sd=13
TLS trace: SSL3 alert write:warning:close notify
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS certificate verification: depth: 1, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks
inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=13 for close
connection_close: deferring conn=5 sd=13
do_unbind
connection_resched: attempting closing conn=5 sd=13
connection_close: conn=5 sd=13
TLS trace: SSL3 alert write:warning:close notify
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
TLS certificate verification: depth: 1, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer:
/C=CA/ST=Ontario/L=Toronto/O=eBit Networks
Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks
inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=6, closing.
connection_closing: readying conn=6 sd=13 for close
connection_close: deferring conn=6 sd=13
do_unbind
connection_resched: attempting closing conn=6 sd=13
connection_close: conn=6 sd=13
TLS trace: SSL3 alert write:warning:close notify
and at the same time, proftpd is spitting this out:
su-2.05b# /usr/local/libexec/proftpd -c
/usr/local/etc/proftpd/proftpd.conf -d 9 -n
- parsing '/usr/local/etc/proftpd/proftpd.conf' configuration
- FS: using system open()
- FS: using system read()
- FS: using system read()
- dispatching auth request "getpwnam" to module mod_ldap
- dispatching auth request "getpwnam" to module mod_auth_file
- dispatching auth request "getpwnam" to module mod_auth_unix
- dispatching auth request "getgrnam" to module mod_ldap
- dispatching auth request "getgrnam" to module mod_auth_file
- dispatching auth request "getgrnam" to module mod_auth_unix
- <Directory />: adding section for resolved path '/'
- FS: using system read()
- FS: using system read()
- FS: using system close()
69.90.17.218 -
69.90.17.218 - Config for eBit Networks Inc. FTP Server:
69.90.17.218 - /
69.90.17.218 - AllowOverwrite
69.90.17.218 - Umask
69.90.17.218 - DefaultServer
69.90.17.218 - Umask
69.90.17.218 - UserID
69.90.17.218 - UserName
69.90.17.218 - GroupID
69.90.17.218 - GroupName
69.90.17.218 - LDAPDoAuth
69.90.17.218 - LDAPUseTLS
69.90.17.218 - dispatching auth request "getgroups" to module mod_ldap
69.90.17.218 - dispatching auth request "getgroups" to module
mod_auth_file
69.90.17.218 - dispatching auth request "getgroups" to module
mod_auth_unix
69.90.17.218 - SETUP PRIVS at main.c:2704
69.90.17.218 - ROOT PRIVS at main.c:1956
69.90.17.218 - RELINQUISH PRIVS at main.c:1962
69.90.17.218 - ROOT PRIVS at main.c:2323
69.90.17.218 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
69.90.17.218 - RELINQUISH PRIVS at main.c:2347
69.90.17.218 - ROOT PRIVS at inet.c:402
69.90.17.218 - RELINQUISH PRIVS at inet.c:417
69.90.17.218 - ROOT PRIVS at inet.c:452
69.90.17.218 - RELINQUISH PRIVS at inet.c:510
69.90.17.218 - ProFTPD 1.2.9 (stable) (built Thu May 6 14:00:06 EDT
2004) standalone mode STARTUP
69.90.17.218 - ROOT PRIVS at main.c:2171
69.90.17.218 - RELINQUISH PRIVS at main.c:2177
69.90.17.218 - FS: using system lstat()
69.90.17.218 - FS: using system lstat()
69.90.17.218 - ROOT PRIVS at main.c:1150
69.90.17.218 - RELINQUISH PRIVS at main.c:1154
69.90.17.218 - FS: using system lstat()
69.90.17.218 (vista.tht.net[216.126.88.2]) - performing ident lookup
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at inet.c:402
69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at
inet.c:417
69.90.17.218 (vista.tht.net[216.126.88.2]) - ident lookup returned
'jlixfeld'
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at main.c:977
69.90.17.218 (vista.tht.net[216.126.88.2]) - SETUP PRIVS at main.c:982
69.90.17.218 (vista.tht.net[216.126.88.2]) - performing module session
initializations
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at
mod_auth.c:130
69.90.17.218 (vista.tht.net[216.126.88.2]) - opening scoreboard
'/var/run/proftpd/proftpd.scoreboard'
69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at
mod_auth.c:150
69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - local :
69.90.17.218:21
69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - remote :
216.126.88.2:65499
69.90.17.218 (vista.tht.net[216.126.88.2]) - FTP session opened.
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'USER jlixfeld' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'USER jlixfeld' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'USER jlixfeld' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"endpwent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"endgrent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command
'USER jlixfeld' to mod_ratio
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command
'USER jlixfeld' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching LOG_CMD
command 'USER jlixfeld' to mod_log
69.90.17.218 - scrubbing scoreboard
69.90.17.218 - ROOT PRIVS at mod_core.c:194
69.90.17.218 - RELINQUISH PRIVS at mod_core.c:201
69.90.17.218 - ROOT PRIVS at mod_core.c:223
69.90.17.218 - RELINQUISH PRIVS at mod_core.c:251
69.90.17.218 - FS: using system lstat()
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'PASS (hidden)' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'PASS (hidden)' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'PASS (hidden)' to mod_wrap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD
command 'PASS (hidden)' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"endpwent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"endgrent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command
'PASS (hidden)' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getgroups" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getpwnam" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for
this connection.
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap:
pr_ldap_connect(): Starting TLS failed: Operations error
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getpwnam" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"getpwnam" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"gid_name" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"gid_name" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"gid_name" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"auth" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for
this connection.
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap:
pr_ldap_connect(): Starting TLS failed: Operations error
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request
"auth" to module mod_auth_pam
...
pam fails and mod_auth_unix eventually kicks in and auths me out of the
system passwd file.
Can anyone point me in the direction of where I may have possibly gone
wrong in my configs?
Thanks in advance.