I'd like to contribute what I've learnt today to this particular page.
As it is "locked", I am unsure how to contribute my information, so I'm
posting here in the hopes that someone with rights will update it.
Formatted in (pandoc compatible) Markdown for your ease.

# Configuring ProFTPD with OpenLDAP

I've found a set of working options for using ProFTPD with OpenLDAP
servers (instead of AD).

This configuration file can be modified and placed in
`/etc/proftpd/conf.d/galaxy.conf`.

Using the /conf.d/ directory, you can allow ProFTPd to serve both
local users (with PAM authentication) from the main configuration file
AND galaxy users on another port.

```
<VirtualHost xxx.yyy.zzz>
        RequireValidShell       off
        User                    galaxy
        Group                   galaxy
        Umask                   137 027
        AllowOverwrite          on

        # Ensure auth is LDAP
        AuthPAM                 off
        AuthOrder               mod_ldap.c

        # Serve this VirtualHost on port 4000
        Port                    4000

        # LDAP Bind information
        LDAPServer              ldaps://xxx.yyy.zzz/??sub
        LDAPUsers               "ou=People,dc=yyy,dc=zzz"  "(uid=%u)"
        LDAPAuthBinds           on

        # Force those numbers even if LDAP finds a valid UID/GID
        LDAPDefaultUID          1003
        LDAPDefaultGID          1003
        LDAPForceDefaultUID     on
        LDAPForceDefaultGID     on

        # Please generate home dir with user/group rwx permissions. Could probably be stricter
        CreateHome              on 770
        LDAPGenerateHomedir     on 770

        # Force this homedir even if LDAP said something different
        LDAPForceGeneratedHomedir               on
        LDAPGenerateHomedirPrefix               "/home/galaxy/galaxy/database/ftp/%u...@cpt.tamu.edu"

        # The username is already incorporated in the %u, use this or it will get appended again
        LDAPGenerateHomedirPrefixNoUsername     on

        TransferLog             /var/log/proftpd/xfer-galaxy.log

        # Cause every FTP user to be "jailed" (chrooted) into their home directory
        DefaultRoot             "/home/galaxy/galaxy/database/ftp/%u...@cpt.tamu.edu"
        # Allow users to resume interrupted uploads
        AllowStoreRestart       on
        # I set these as my passive ports because I run a very strict firewall. Change as needed
        PassivePorts            49152 50000
</VirtualHost>
```

Notably, this configuration allows a galaxy virtualhost to coexist with
the normal FTP capabilities provided by ProFTPd, so users can still
access their home directories AND galaxy users can upload to galaxy.
Authentication can of course be changed to suit one's needs.

# TLS Configuration

If you're running the galaxy FTP portion under a VirtualHost, as
described above, you'll notice that TLS directives placed in the main
proftpd.conf file do not apply to VirtualHosts. As such, you can add a
section like the following to every VirtualHost that needs to be secured:

```
<IfModule mod_tls.c>
        TLSEngine                       on
        TLSLog                          /var/log/proftpd/tls.galaxy.log
        # Your cert and private key
        TLSRSACertificateFile           /etc/ssl/certs/my.crt
        TLSRSACertificateKeyFile        /etc/ssl/private/my.key
        TLSCACertificateFile            /etc/ssl/certs/ca.bundle
        # I've found that this is required for FileZilla
        TLSOptions    NoCertRequest EnableDiags NoSessionReuseRequired
        # Most clients won't be sending certs
        TLSVerifyClient                 off
        TLSRequired                     on
</IfModule>
```

Cheers,
Eric

-- 
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
404-692-2048
e...@tamu.edu
rasche.e...@yandex.ru
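A small lint for the two points in the post above (the galaxy VirtualHost and the per-VirtualHost TLS block), added here as an example and not part of Eric's post or of ProFTPD itself: it parses the Apache-style config and flags a VirtualHost that lacks its own TLSEngine/TLSRequired, still has AuthPAM on, points LDAPServer at a non-ldaps URL, or has no DefaultRoot. The config strings and hostnames are constructed.

```python
import re
# Constructed sample mirroring the post's galaxy.conf; hostnames are placeholders.
SECURE_CONF = """
<VirtualHost xxx.yyy.zzz>
        AuthPAM                 off
        AuthOrder               mod_ldap.c
        Port                    4000
        LDAPServer              ldaps://xxx.yyy.zzz/??sub
        DefaultRoot             "/home/galaxy/galaxy/database/ftp/%u"
        PassivePorts            49152 50000
        <IfModule mod_tls.c>
                TLSEngine       on
                TLSRequired     on
        </IfModule>
</VirtualHost>
"""
# Same host minus its own mod_tls block, i.e. relying on main-server TLS directives.
WEAK_CONF = SECURE_CONF.split("        <IfModule")[0] + "</VirtualHost>\n"

def parse_vhosts(text):
    """Map VirtualHost name -> {directive: value}, lower-cased, nested <IfModule> folded in."""
    vhosts, name, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<VirtualHost\s+(\S+)>", line, re.I)
        if m:
            name, current = m.group(1), {}
        elif line.lower() == "</virtualhost>":
            vhosts[name], current = current, None
        elif current is not None and line and not line.startswith(("<", "#")):
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return vhosts

def lint_vhost(d):
    """Return findings for one parsed VirtualHost; an empty list means all checks passed."""
    findings = []
    if d.get("tlsengine") != "on" or d.get("tlsrequired") != "on":
        findings.append("TLS not enforced inside this VirtualHost")
    if d.get("authpam", "on") != "off":
        findings.append("AuthPAM not disabled: local accounts may authenticate here")
    if "ldapserver" in d and not d["ldapserver"].startswith("ldaps://"):
        findings.append("LDAPServer is not ldaps://: bind DN and passwords in the clear")
    if "defaultroot" not in d:
        findings.append("DefaultRoot missing: users are not chrooted")
    return findings

def lint(text):
    return {host: lint_vhost(d) for host, d in parse_vhosts(text).items()}
```

Run it over a real `/etc/proftpd/conf.d/*.conf` file's contents to confirm each VirtualHost carries its own TLS block rather than inheriting nothing from proftpd.conf.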