In the end I just enabled authentication via LDAP for everything, but the bizarre thing is that every time someone logs in successfully a message is logged in /var/log/secure:
Mar 12 15:41:06 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user rhost=localhost.localdomain user=user

When a wrong password is tried I get a pam_ldap invalid credentials message in /var/log/messages and the FTP session is not started.

CC

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Collins, Kevin [Beeline]
> Sent: Wednesday, 12 March 2008 12:55 AM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: RE: [rhelv5-list] VSFTPd and LDAP
>
> I haven't followed this whole thread, but hopefully I can offer some
> help. On my system, the unmodified /etc/pam.d/vsftpd looks like this:
>
> -------
> #%PAM-1.0
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth required pam_shells.so
> auth include system-auth
> account include system-auth
> session include system-auth
> session required pam_loginuid.so
> -------
>
> I think you want it to look more like this:
>
> -------
> #%PAM-1.0
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth required pam_shells.so
> auth sufficient pam_ldap.so try_first_pass
> auth required pam_deny.so
> account include system-auth
> session include system-auth
> session required pam_loginuid.so
> -------
>
> The key things being to use the "try_first_pass" (or no option) rather
> than "use_first_pass" (see below from 'man pam_ldap' for the
> distinction):
>
>     use_first_pass
>         Specifies that pam_ldap should always use the first
>         password provided in the authentication stack.
>
>     try_first_pass
>         Specifies that pam_ldap should first try the first
>         password provided in the authentication stack, and
>         then prompt the user for their LDAP password if
>         authentication fails.
>
> and also the inclusion of the "pam_deny" entry as the last in the auth
> stack...
>
> Also, I assume your system is properly configured to talk to the LDAP
> server?
>
> Kevin
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coe, Colin C. (Unix Engineer)
> Sent: Monday, March 10, 2008 8:24 PM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: RE: [rhelv5-list] VSFTPd and LDAP
>
> Hi Sam
>
> I've been working on this but have not made much progress.
>
> The following vsftpd PAM config lets me in, regardless of the password.
> If I uncomment the 'auth include system-auth' line then no password will
> let me in.
>
> I'm trying for something in the middle i.e. the correct password will
> let me in :)
>
> #%PAM-1.0
> session optional pam_keyinit.so force revoke
> auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_shells.so
> auth required pam_nologin.so
> #auth include system-auth
> account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
> account include system-auth
> password required pam_cracklib.so
> password sufficient pam_ldap.so use_authtok
> session include system-auth
> session required pam_loginuid.so
>
> The following line gets logged in /var/log/secure
> Mar 11 12:15:29 server vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=user rhost=localhost.localdomain user=user
>
> Any ideas?
>
> CC
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sharpe, Sam J
> Sent: Thursday, 6 March 2008 8:49 AM
> To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list; Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> Subject: RE: [rhelv5-list] VSFTPd and LDAP
>
> > We've got a server running ProFTPd that uses an OpenLDAP server
> > for authentication. I want to migrate this over to EL5 and VSFTPd.
> > I've googled and found many references to getting VSFTPd to work
> > with LDAP via PAM but the problem is that the system itself *must
> > not* use LDAP for non-FTP logins.
>
> I don't see why this is a problem. If you modify /etc/pam.d/vsftpd
> to allow LDAP logins, but don't touch system-auth, then your system
> can be not using PAM, while vsftpd happily is.
>
> I do this for lots of services... (but not vsftpd)
>
> --
> Sam
>
> NOTICE: This email and any attachments are confidential.
> They may contain legally privileged information or
> copyright material. You must not read, copy, use or
> disclose them without authorisation. If you are not an
> intended recipient, please contact us at once by return
> email and then delete both messages and all attachments.
>
> _______________________________________________
> rhelv5-list mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/rhelv5-list
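The whole thread turns on how Linux-PAM walks an `auth` stack: why Colin's stack admitted any password, why Kevin's `sufficient pam_ldap.so` followed by `required pam_deny.so` does not, and why a stack that includes system-auth logs a pam_unix failure even on a successful LDAP login. The simulator below is an added example, not code from the mailing list and not Linux-PAM's own dispatcher. It parses the quoted vsftpd stacks and applies the pam.conf(5) semantics for required, requisite, sufficient, optional and include. Assumptions: the stand-in `SYSTEM_AUTH` stack is constructed to mirror the authconfig layout (pam_unix tried before pam_ldap), the per-module outcomes in `LDAP_OK`, `LDAP_BAD` and `IN_FTPUSERS` are constructed for an LDAP-only user with no local shadow entry, and bracketed `[value=action ...]` controls are not modelled.

```python
"""
Linux-PAM-style walk over an `auth` stack, used to compare the vsftpd stacks
quoted in this thread.  Added example: not the list's code and not Linux-PAM's
dispatcher.  Module outcomes and the stand-in system-auth are constructed.

Control flags, following pam.conf(5):
  required   - failure is remembered, the stack keeps running
  requisite  - failure ends the stack immediately
  sufficient - success with no earlier required failure ends the stack with
               success; a failure is ignored
  optional   - success counts, failure is ignored
  include    - splice in the same stack type from another named file
"""

# Stand-in for /etc/pam.d/system-auth (assumption: authconfig-style layout,
# pam_unix before pam_ldap).  Constructed, not copied from any host.
SYSTEM_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
INCLUDES = {"system-auth": SYSTEM_AUTH}

# The three vsftpd stacks from the thread (auth lines; other types are skipped).
COLIN_STACK = """\
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth sufficient pam_ldap.so use_first_pass
auth required pam_shells.so
auth required pam_nologin.so
#auth include system-auth
"""
UNMODIFIED_STACK = """\
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth include system-auth
"""
KEVIN_STACK = """\
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth required pam_shells.so
auth sufficient pam_ldap.so try_first_pass
auth required pam_deny.so
"""

# Constructed outcomes (True = PAM_SUCCESS) for an LDAP-only user: no entry in
# /etc/shadow, so pam_unix always fails.
LDAP_OK = {"pam_listfile.so": True, "pam_shells.so": True, "pam_nologin.so": True,
           "pam_env.so": True, "pam_unix.so": False, "pam_succeed_if.so": True,
           "pam_ldap.so": True}
LDAP_BAD = dict(LDAP_OK, **{"pam_ldap.so": False})         # wrong LDAP password
IN_FTPUSERS = dict(LDAP_OK, **{"pam_listfile.so": False})  # user listed in ftpusers


def parse_stack(text, stack_type="auth", includes=INCLUDES):
    """Return [(control, module, args)] for one stack type, resolving include."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != stack_type:
            continue
        control, module, args = parts[1], parts[2], parts[3:]
        if control == "include":
            entries.extend(parse_stack(includes[module], stack_type, includes))
        elif control in ("required", "requisite", "sufficient", "optional"):
            entries.append((control, module, args))
        else:
            raise ValueError(f"control field not modelled: {control}")
    return entries


def run_stack(entries, outcomes):
    """Walk the stack; return (granted, trace). pam_deny/pam_permit are fixed."""
    impression = None   # None = undecided, True = positive, False = negative
    trace = []
    for control, module, _args in entries:
        ok = {"pam_deny.so": False, "pam_permit.so": True}.get(module)
        if ok is None:
            ok = outcomes[module]
        trace.append(f"{control:<10} {module:<18} -> {'success' if ok else 'fail'}")
        if control == "sufficient":
            if ok:
                if impression is None:
                    impression = True
                break                   # stack ends; an earlier failure still wins
        elif ok:
            if impression is None:
                impression = True       # first decisive result is positive
        elif control != "optional":
            impression = False          # remembered failure
            if control == "requisite":
                break
    granted = impression is True
    trace.append("=> " + ("access granted" if granted else "access denied"))
    return granted, trace


def evaluate(stack_text, outcomes):
    return run_stack(parse_stack(stack_text), outcomes)


if __name__ == "__main__":
    for title, stack, outcomes in [
            ("Colin's stack, wrong password", COLIN_STACK, LDAP_BAD),
            ("Kevin's stack, wrong password", KEVIN_STACK, LDAP_BAD),
            ("Kevin's stack, user in ftpusers", KEVIN_STACK, IN_FTPUSERS),
            ("unmodified stack, correct LDAP password", UNMODIFIED_STACK, LDAP_OK)]:
        print(f"--- {title}")
        print("\n".join(evaluate(stack, outcomes)[1]))
```

Running it shows Colin's stack granting access on a wrong password because the three `required` modules all succeed and the failed `sufficient pam_ldap.so` is ignored, which is exactly the "no prior required module has failed" rule working in reverse; Kevin's trailing `pam_deny.so` closes that hole, and a user in ftpusers is refused even when LDAP accepts the password, because the remembered `required` failure outranks the later `sufficient` success. The last trace has pam_unix failing before pam_ldap succeeds, which is the pattern that produces a pam_unix "authentication failure" line in /var/log/secure on every successful LDAP login.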
