I haven't followed this whole thread, but hopefully I can offer some
help. On my system, the unmodified /etc/pam.d/vsftpd looks like this:

-------
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required pam_shells.so
auth       include  system-auth
account    include  system-auth
session    include  system-auth
session    required     pam_loginuid.so
-------

I think you want it to look more like this:

-------
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required pam_shells.so
auth        sufficient    pam_ldap.so try_first_pass
auth        required      pam_deny.so
account    include  system-auth
session    include  system-auth
session    required     pam_loginuid.so
-------


The key things are to use "try_first_pass" (or no option) rather
than "use_first_pass" (see below from 'man pam_ldap' for the
distinction):

       use_first_pass
              Specifies that pam_ldap should always use the first
              password provided in the authentication stack.

       try_first_pass
              Specifies that pam_ldap should first try the first
              password provided in the authentication stack, and
              then prompt the user for their LDAP password if
              authentication fails.

and also the inclusion of the "pam_deny" entry as the last in the auth
stack...

Also, I assume your system is properly configured to talk to the LDAP
server?

Kevin

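As an added illustration (not part of Kevin's mail), here is a small check
for the two points above: it parses the auth lines of a vsftpd PAM file and
flags a pam_ldap entry that uses use_first_pass, and an auth stack where
nothing after the 'sufficient' pam_ldap entry can reject a login. The two
sample stacks are constructed from the configs in this thread.

```python
import re

# Constructed sample, modelled on the stack from the thread that "lets me in
# regardless of the password": pam_ldap is 'sufficient' and nothing after it can deny.
BROKEN = """\
#%PAM-1.0
auth  required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth  sufficient  pam_ldap.so use_first_pass
auth  required    pam_shells.so
auth  required    pam_nologin.so
account include system-auth
"""

# Constructed sample of the corrected stack: try_first_pass, and pam_deny as the last auth entry.
FIXED = """\
#%PAM-1.0
auth  required    pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth  required    pam_shells.so
auth  sufficient  pam_ldap.so try_first_pass
auth  required    pam_deny.so
account include system-auth
"""

# type, control (bare word or [bracketed]), module, remaining args
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth_stack(text):
    """Return [(control, module, args)] for the 'auth' lines, ignoring comments."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == "auth":
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack

def audit_auth_stack(text):
    """Return findings for the two problems raised in the thread (empty list = looks sane)."""
    findings = []
    stack = parse_auth_stack(text)
    for control, module, args in stack:
        if module == "pam_ldap.so" and "use_first_pass" in args:
            findings.append("pam_ldap.so uses use_first_pass; try_first_pass re-prompts when the stacked password fails")
    # Everything after the last 'sufficient' entry must be able to reject on its own
    # (pam_deny, or an included stack that ends in one); otherwise a pam_ldap failure
    # leaves only modules like pam_shells/pam_nologin, which never check a password.
    suff = [i for i, (c, _, _) in enumerate(stack) if c == "sufficient"]
    if suff:
        tail = [m for c, m, _ in stack[suff[-1] + 1:] if c in ("required", "requisite", "include")]
        if not any(m in ("pam_deny.so", "system-auth") for m in tail):
            findings.append("no module after the sufficient entry can deny; add 'auth required pam_deny.so' last")
    return findings
```

Run it against /etc/pam.d/vsftpd by passing the file's contents to audit_auth_stack().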
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Coe, Colin C. (Unix
Engineer)
Sent: Monday, March 10, 2008 8:24 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: RE: [rhelv5-list] VSFTPd and LDAP


Hi Sam

I've been working on this but have not made much progress.

The following vsftpd PAM config lets me in, regardless of the password.
If I uncomment the 'auth include system-auth' line then no password will
let me in.

I'm trying for something in the middle i.e. the correct password will
let me in  :)

#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_shells.so
auth       required     pam_nologin.so
#auth       include     system-auth
account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]  pam_ldap.so
account    include      system-auth
password   required     pam_cracklib.so
password   sufficient   pam_ldap.so use_authtok
session    include      system-auth
session    required     pam_loginuid.so

The following line gets logged in /var/log/secure:
Mar 11 12:15:29 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user rhost=localhost.localdomain  user=user

Any ideas?

CC

________________________________

        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharpe, Sam J
        Sent: Thursday, 6 March 2008 8:49 AM
        To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list; Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
        Subject: RE: [rhelv5-list] VSFTPd and LDAP


        > We've got a server running ProFTPd that uses an OpenLDAP server
        > for authentication.  I want to migrate this over to EL5 and VSFTPd.
        > I've googled and found many references to getting VSFTPd to work
        > with LDAP via PAM but the problem is that the system itself *must
        > not* use LDAP for non-FTP logins.

        I don't see why this is a problem. If you modify /etc/pam.d/vsftpd
        to allow LDAP logins, but don't touch system-auth, then your system
        can be not using PAM, while vsftpd happily is.

        I do this for lots of services... (but not vsftpd)

        --
        Sam




_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list
