Hi Eric,

I've pasted the text into the
http://wiki.galaxyproject.org/Admin/Config/ProFTPd_with_AD page.  I used
the Apache syntax highlighter for the ProFTPd configuration file snippets,
which I'm pretty sure is not exactly right, but I'm guessing it's close
enough.

To unlock a page for editing you need to create an account, log in, and then
edit the page.  This is a big pain until your account becomes *vetted*.
Until then you have to answer Galaxy trivial pursuit questions on every
save.  We vet accounts on request, or once a month, whichever happens
sooner.

Thanks for contributing this,

Dave C




On Thu, Nov 14, 2013 at 1:03 PM, Eric Rasche <rasche.e...@yandex.ru> wrote:

> I'd like to contribute what I've learnt today to this particular page.
> As it is "locked", I am unsure how to contribute my information, so I'm
> posting here in the hopes that someone with rights will update it.
> Formatted in (pandoc compatible) Markdown for your ease.
>
> # Configuring ProFTPD with OpenLDAP
>
> I've found a set of working options for using ProFTPD with OpenLDAP
> servers (instead of AD).
>
> This configuration file can be modified and placed in
> `/etc/proftpd/conf.d/galaxy.conf`.
>
> Using the /conf.d/ directory, you can allow ProFTPd to serve both
> local users (with PAM authentication) in the main configuration file,
> AND galaxy users on another port.
>
> ```
> <VirtualHost xxx.yyy.zzz>
>         RequireValidShell       off
>         User                    galaxy
>         Group                   galaxy
>         Umask                   137 027
>         AllowOverwrite          on
>
>         # Ensure auth is LDAP
>         AuthPAM                 off
>         AuthOrder               mod_ldap.c
>
>         # Serve this VirtualHost on port 4000
>         Port                    4000
>
>         # LDAP Bind information
>         LDAPServer              ldaps://xxx.yyy.zzz/??sub
>         LDAPUsers               "ou=People,dc=yyy,dc=zzz"  "(uid=%u)"
>         LDAPAuthBinds           on
>
>         # Force those numbers even if LDAP finds a valid UID/GID
>         LDAPDefaultUID          1003
>         LDAPDefaultGID          1003
>         LDAPForceDefaultUID     on
>         LDAPForceDefaultGID     on
>
>         # Please generate home dir with user/group rwx permissions. Could probably be stricter
>         CreateHome              on 770
>         LDAPGenerateHomedir     on 770
>
>         # Force this homedir even if LDAP said something different
>         LDAPForceGeneratedHomedir               on
>         LDAPGenerateHomedirPrefix               "/home/galaxy/galaxy/database/ftp/%u...@cpt.tamu.edu"
>
>         # The username is already incorporated in the %u, use this or it will get appended again
>         LDAPGenerateHomedirPrefixNoUsername     on
>
>         TransferLog             /var/log/proftpd/xfer-galaxy.log
>
>         # Cause every FTP user to be "jailed" (chrooted) into their home directory
>         DefaultRoot             "/home/galaxy/galaxy/database/ftp/%u...@cpt.tamu.edu"
>         # Allow users to resume interrupted uploads
>         AllowStoreRestart       on
>         # I set these as my passive ports because I run a very strict firewall. Change as needed
>         PassivePorts            49152 50000
> </VirtualHost>
> ```
>
> Notably, this configuration allows a galaxy virtualhost to coexist with
> the normal FTP capabilities provided by ProFTPd, so users can still
> access their home directories AND galaxy users can upload to galaxy.
> Authentication can of course be changed to suit one's needs.
>
> # TLS Configuration
>
> If you're running the galaxy FTP portion under a VirtualHost, as
> described above, you'll notice that TLS directives placed in the main
> proftpd.conf file do not apply to VirtualHosts. As such, you can add a
> section that looks like this to every VirtualHost that needs to be secured:
>
> ```
> <IfModule mod_tls.c>
>         TLSEngine                       on
>         TLSLog                          /var/log/proftpd/tls.galaxy.log
>         # Your cert and private key
>         TLSRSACertificateFile           /etc/ssl/certs/my.crt
>         TLSRSACertificateKeyFile        /etc/ssl/private/my.key
>         TLSCACertificateFile            /etc/ssl/certs/ca.bundle
>         # I've found that this is required for FileZilla
>         TLSOptions    NoCertRequest EnableDiags NoSessionReuseRequired
>         # Most clients won't be sending certs
>         TLSVerifyClient                 off
>         TLSRequired                     on
> </IfModule>
> ```
>
>
> Cheers,
> Eric
>
> --
> Eric Rasche
> Programmer II
> Center for Phage Technology
> Texas A&M University
> College Station, TX 77843
> 404-692-2048
> e...@tamu.edu
> rasche.e...@yandex.ru
> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client.  To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
>   http://lists.bx.psu.edu/
>
> To search Galaxy mailing lists use the unified search at:
>   http://galaxyproject.org/search/mailinglists/
>

-- 
http://galaxyproject.org/
http://getgalaxy.org/
http://usegalaxy.org/
http://wiki.galaxyproject.org/
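As an added example (not code from the thread, from ProFTPD or from Galaxy), the following Python script parses a `<VirtualHost>` snippet in the shape of the two blocks quoted above and flags the points a reviewer would check before exposing the Galaxy FTP port: PAM disabled in favour of mod_ldap.c, an `ldaps://` LDAPServer (LDAPAuthBinds forwards the user's password to the directory), a DefaultRoot jail, home-directory modes that are not world- or group-writable (the "could probably be stricter" remark), a bounded PassivePorts range for the firewall, and TLSEngine/TLSRequired on so the TLS section is not forgotten on a per-vhost basis. The embedded config is constructed with placeholder hostnames, DNs and paths; the function names (`parse`, `effective`, `audit_vhost`, `audit`) and severity labels are my own and not part of any ProFTPD tooling.

```python
"""Audit a ProFTPD <VirtualHost> for the hardening points raised in the thread:
LDAP-only auth over ldaps://, a DefaultRoot chroot, home-directory modes that
are not writable by others, a bounded passive-port range and required TLS.
Added example; not part of ProFTPD or Galaxy."""
import shlex

# Constructed sample shaped like the thread's snippet; hostname, DN and the
# homedir path are placeholders, not values from the original post.
SAMPLE_CONF = """
<VirtualHost ftp.example.org>
        AuthPAM                 off
        AuthOrder               mod_ldap.c
        LDAPServer              ldaps://ldap.example.org/??sub
        LDAPUsers               "ou=People,dc=example,dc=org" "(uid=%u)"
        LDAPAuthBinds           on
        CreateHome              on 770
        LDAPGenerateHomedir     on 770
        DefaultRoot             "/srv/galaxy/ftp/%u"
        PassivePorts            49152 50000
        <IfModule mod_tls.c>
                TLSEngine       on
                TLSRequired     on
        </IfModule>
</VirtualHost>
"""


def parse(text):
    """Parse Apache-style config into {"directives": {name: [args]}, "blocks": [(tag, arg, node)]}."""
    root = {"directives": {}, "blocks": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):                  # closing tag: leave block
            stack.pop()
        elif line.startswith("<"):                 # opening tag: enter block
            tag, _, arg = line[1:-1].partition(" ")
            node = {"directives": {}, "blocks": []}
            stack[-1]["blocks"].append((tag.lower(), arg.strip(), node))
            stack.append(node)
        else:                                      # directive, shell-style args
            name, *args = shlex.split(line)
            stack[-1]["directives"][name.lower()] = args   # names are case-insensitive
    return root


def effective(node):
    """Flatten a block plus nested sub-blocks (e.g. <IfModule>) into one map."""
    merged = dict(node["directives"])
    for _, _, child in node["blocks"]:
        merged.update(effective(child))
    return merged


def audit_vhost(node):
    """Return (severity, message) findings for one <VirtualHost> node."""
    d, out = effective(node), []
    # PAM left on would let local system accounts log in on the Galaxy port.
    if d.get("authpam", ["on"])[0].lower() != "off":
        out.append(("high", "AuthPAM is not off"))
    if "mod_ldap.c" not in d.get("authorder", []):
        out.append(("high", "AuthOrder does not use mod_ldap.c"))
    # LDAPAuthBinds forwards the user's password to the directory: ldaps only.
    for url in d.get("ldapserver") or [""]:
        if not url.lower().startswith("ldaps://"):
            out.append(("high", f"LDAPServer {url!r} is not ldaps://"))
    # Without DefaultRoot an authenticated user can browse outside their tree.
    if not d.get("defaultroot"):
        out.append(("high", "DefaultRoot missing: users are not chrooted"))
    # Generated homes: world-write is a hole, group-write is the thread's
    # "could probably be stricter" point.
    for name in ("createhome", "ldapgeneratehomedir"):
        for mode in (int(a, 8) for a in d.get(name, [])[1:] if a.isdigit()):
            if mode & 0o002:
                out.append(("high", f"{name} mode {mode:o} is world-writable"))
            elif mode & 0o020:
                out.append(("low", f"{name} mode {mode:o} is group-writable"))
    # Passive range must be two ordered unprivileged ports for a firewall rule.
    p = d.get("passiveports", [])
    if not (len(p) == 2 and all(x.isdigit() for x in p)
            and 1024 <= int(p[0]) < int(p[1]) <= 65535):
        out.append(("medium", f"PassivePorts {p} is not a bounded range"))
    # TLS must be on and required, otherwise the LDAP password goes in clear.
    for name in ("tlsengine", "tlsrequired"):
        if d.get(name, ["off"])[0].lower() != "on":
            out.append(("high", f"{name} is not on"))
    return out


def audit(text):
    """Audit every <VirtualHost>; returns {vhost_arg: findings}."""
    return {arg: audit_vhost(node)
            for tag, arg, node in parse(text)["blocks"] if tag == "virtualhost"}


if __name__ == "__main__":
    for host, findings in audit(SAMPLE_CONF).items():
        print(host, *[f"  [{s}] {m}" for s, m in findings], sep="\n")
```

Run against the sample the only findings are the two `low` group-writable notes on `CreateHome`/`LDAPGenerateHomedir 770`; dropping the `s` from `ldaps://` or commenting out `TLSRequired` turns each into a `high`. The parser is deliberately small (no `Include`, no line continuations), so point it at a single `conf.d/` snippet rather than a full `proftpd.conf`, and still run `proftpd -t` for syntax.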