Hi there,

I have a question. We have a vsftpd service running which authenticates
it's virtual users against an application level openldap database. No IPA
involved here. It works using pam_ldap. The virtual users are mapped to a
local user thru the "guest_user=<user>" directive in vsftpd.conf. As the
vsftpd service is running on a IPA client (RHEL6), I was kind of hoping
this "local user" would in fact be a IPA user. Nope. He must currently live
in /etc/passwd. This is, I suspect, because we have a different pam file
for vsftpd to be able to communicate with the application openldap, making
it impossible to also use IPA.

I there a way to have the vsftpd check (and use) with IPA for it's local
users and the application level openldap service for it's virtual users?

This is the pam file vsftpd came with originally:

session    optional     pam_keyinit.so    force revoke
auth       required pam_listfile.so item=user sense=deny
file=/etc/vsftpd/ftpusers onerr=succeed
auth       required pam_shells.so
auth       include password-auth
account    include password-auth
session    required     pam_loginuid.so
session    include password-auth

And this is the pam file we now use:

auth required /lib64/security/pam_ldap.so
account required /lib64/security/pam_ldap.so
session  required /lib64/security/pam_ldap.so
password required /lib64/security/pam_ldap.so

Thanks for any answer.


Freeipa-users mailing list

Reply via email to