[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problems getting ProFTPD to play nice with OpenLDAP via TLS



I posted a similar message to the proftpd lists but I'm sending it here in hopes someone here can help out as well.

First off, I can use the ldapsearch command on both the ldap server itself and the ftp server to get data off of the ldap server via TLS.

ldap.conf is configured as such:

BASE    o=ebitnetworks
URI     ldaps://trek.tor1.ebit.ca

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERT      /usr/local/etc/openldap/cacert.pem
TLS_CERT        /usr/local/etc/openldap/newcert.pem
TLS_KEY         /usr/local/etc/openldap/newreq.pem
TLS_REQCERT     demand

 I have proftpd configured as such:

LDAPDoAuth                      on "o=people,o=ebitnetworks"
LDAPUseTLS                      on

When I was trying to get ldapsearch working with TLS, I needed to make a .ldaprc file for the user executing the command. Proftpd passes auth info to the ldap API in addition to what is in it's own config file. That being said, do I need to create a .ldaprc for the user "nobody" which is the user proftpd runs as?! :/

When I try to use proftpd with above mentioned configurations, I get this openldap error:

connection_get(13): got connid=4
connection_read(13): checking for input on id=4
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=4
connection_read(13): checking for input on id=4
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=4, closing.
connection_closing: readying conn=4 sd=13 for close
connection_close: deferring conn=4 sd=13
do_unbind
connection_resched: attempting closing conn=4 sd=13
connection_close: conn=4 sd=13
TLS trace: SSL3 alert write:warning:close notify
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=5
connection_read(13): checking for input on id=5
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=5, closing.
connection_closing: readying conn=5 sd=13 for close
connection_close: deferring conn=5 sd=13
do_unbind
connection_resched: attempting closing conn=5 sd=13
connection_close: conn=5 sd=13
TLS trace: SSL3 alert write:warning:close notify
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
TLS certificate verification: depth: 1, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS certificate verification: depth: 0, err: 0, subject: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=eshara.ebit.ca/emailAddress=noc@ebit.ca, issuer: /C=CA/ST=Ontario/L=Toronto/O=eBit Networks Inc./CN=trek.tor1.ebit.ca/emailAddress=noc@ebit.ca
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
=> ldap_dn2bv(16)
<= ldap_dn2bv(email=noc@ebit.ca,cn=eshara.ebit.ca,o=ebit networks inc.,l=toronto,st=ontario,c=ca,16)=0
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 29 contents:
ber_get_next
ber_get_next on fd 13 failed errno=35 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
send_ldap_extended: err=1 oid= len=0
send_ldap_response: msgid=1 tag=120 err=1
ber_flush: 33 bytes to sd 13
connection_get(13): got connid=6
connection_read(13): checking for input on id=6
ber_get_next
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
TLS trace: SSL3 alert read:warning:close notify
ber_get_next on fd 13 failed errno=0 (Undefined error: 0)
connection_read(13): input error=-2 id=6, closing.
connection_closing: readying conn=6 sd=13 for close
connection_close: deferring conn=6 sd=13
do_unbind
connection_resched: attempting closing conn=6 sd=13
connection_close: conn=6 sd=13
TLS trace: SSL3 alert write:warning:close notify


and at the same time, proftpd is spitting this out:

su-2.05b# /usr/local/libexec/proftpd -c /usr/local/etc/proftpd/proftpd.conf -d 9 -n
- parsing '/usr/local/etc/proftpd/proftpd.conf' configuration
- FS: using system open()
- FS: using system read()
- FS: using system read()
- dispatching auth request "getpwnam" to module mod_ldap
- dispatching auth request "getpwnam" to module mod_auth_file
- dispatching auth request "getpwnam" to module mod_auth_unix
- dispatching auth request "getgrnam" to module mod_ldap
- dispatching auth request "getgrnam" to module mod_auth_file
- dispatching auth request "getgrnam" to module mod_auth_unix
- <Directory />: adding section for resolved path '/'
- FS: using system read()
- FS: using system read()
- FS: using system close()
69.90.17.218 -
69.90.17.218 - Config for eBit Networks Inc. FTP Server:
69.90.17.218 - /
69.90.17.218 - AllowOverwrite
69.90.17.218 - Umask
69.90.17.218 - DefaultServer
69.90.17.218 - Umask
69.90.17.218 - UserID
69.90.17.218 - UserName
69.90.17.218 - GroupID
69.90.17.218 - GroupName
69.90.17.218 - LDAPDoAuth
69.90.17.218 - LDAPUseTLS
69.90.17.218 - dispatching auth request "getgroups" to module mod_ldap
69.90.17.218 - dispatching auth request "getgroups" to module mod_auth_file
69.90.17.218 - dispatching auth request "getgroups" to module mod_auth_unix
69.90.17.218 - SETUP PRIVS at main.c:2704
69.90.17.218 - ROOT PRIVS at main.c:1956
69.90.17.218 - RELINQUISH PRIVS at main.c:1962
69.90.17.218 - ROOT PRIVS at main.c:2323
69.90.17.218 - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
69.90.17.218 - RELINQUISH PRIVS at main.c:2347
69.90.17.218 - ROOT PRIVS at inet.c:402
69.90.17.218 - RELINQUISH PRIVS at inet.c:417
69.90.17.218 - ROOT PRIVS at inet.c:452
69.90.17.218 - RELINQUISH PRIVS at inet.c:510
69.90.17.218 - ProFTPD 1.2.9 (stable) (built Thu May 6 14:00:06 EDT 2004) standalone mode STARTUP
69.90.17.218 - ROOT PRIVS at main.c:2171
69.90.17.218 - RELINQUISH PRIVS at main.c:2177
69.90.17.218 - FS: using system lstat()
69.90.17.218 - FS: using system lstat()
69.90.17.218 - ROOT PRIVS at main.c:1150
69.90.17.218 - RELINQUISH PRIVS at main.c:1154
69.90.17.218 - FS: using system lstat()
69.90.17.218 (vista.tht.net[216.126.88.2]) - performing ident lookup
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at inet.c:402
69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at inet.c:417
69.90.17.218 (vista.tht.net[216.126.88.2]) - ident lookup returned 'jlixfeld'
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at main.c:977
69.90.17.218 (vista.tht.net[216.126.88.2]) - SETUP PRIVS at main.c:982
69.90.17.218 (vista.tht.net[216.126.88.2]) - performing module session initializations
69.90.17.218 (vista.tht.net[216.126.88.2]) - ROOT PRIVS at mod_auth.c:130
69.90.17.218 (vista.tht.net[216.126.88.2]) - opening scoreboard '/var/run/proftpd/proftpd.scoreboard'
69.90.17.218 (vista.tht.net[216.126.88.2]) - RELINQUISH PRIVS at mod_auth.c:150
69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - local : 69.90.17.218:21
69.90.17.218 (vista.tht.net[216.126.88.2]) - connected - remote : 216.126.88.2:65499
69.90.17.218 (vista.tht.net[216.126.88.2]) - FTP session opened.
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'USER jlixfeld' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endpwent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endgrent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'USER jlixfeld' to mod_ratio
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'USER jlixfeld' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching LOG_CMD command 'USER jlixfeld' to mod_log
69.90.17.218 - scrubbing scoreboard
69.90.17.218 - ROOT PRIVS at mod_core.c:194
69.90.17.218 - RELINQUISH PRIVS at mod_core.c:201
69.90.17.218 - ROOT PRIVS at mod_core.c:223
69.90.17.218 - RELINQUISH PRIVS at mod_core.c:251
69.90.17.218 - FS: using system lstat()
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_core
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_wrap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching PRE_CMD command 'PASS (hidden)' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endpwent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "endgrent" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching CMD command 'PASS (hidden)' to mod_auth
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getgroups" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for this connection.
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: pr_ldap_connect(): Starting TLS failed: Operations error
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "getpwnam" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_auth_file
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "gid_name" to module mod_auth_unix
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "auth" to module mod_ldap
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: Starting TLS for this connection.
69.90.17.218 (vista.tht.net[216.126.88.2]) - mod_ldap: pr_ldap_connect(): Starting TLS failed: Operations error
69.90.17.218 (vista.tht.net[216.126.88.2]) - dispatching auth request "auth" to module mod_auth_pam
...
pam fails and mod_auth_unix eventually kicks in and auths me out of the system passwd file.


Can anyone point me in the direction of where I may have possibly gone wrong in my configs?

Thanks in advance.