On Wed, 2008-03-12 at 15:44 +0900, Coe, Colin C. (Unix Engineer) wrote:
> In the end I just enabled authentication via LDAP for everything
Now you've done that, it should be simple to take your /etc/pam.d/vsftpd and /etc/pam.d/system-auth files and merge them into one (replace the references to "<service> include system-auth" in vsftpd with the relevant "<service>" lines from system-auth, and save that file as vsftpd). Then, turn off LDAP authentication (by commenting out the lines in system-auth). You should end up with a system that uses LDAP for vsftpd but not for anything else.

> but the bizarre thing is every time someone logs in successfully a message is
> logged in /var/log/secure
>
> Mar 12 15:41:06 server vsftpd: pam_unix(vsftpd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ftp ruser=user
> rhost=localhost.localdomain user=user

That says that the vsftpd user fails the pam_unix test in the PAM configs. It's not surprising if they are only in LDAP, and indeed I get the same behaviour. I believe you can configure it to not print the warnings, but I'm not sure exactly which PAM module option controls this.

--
Sam

> When a wrong password is tried I get a pam_ldap invalid credentials
> message in /var/log/messages and the FTP session is not started.
>
> CC
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Collins, Kevin [Beeline]
> > Sent: Wednesday, 12 March 2008 12:55 AM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> > I haven't followed this whole thread, but hopefully I can offer some
> > help.
> > On my system, the unmodified /etc/pam.d/vsftpd looks like this:
> >
> > -------
> > #%PAM-1.0
> > session    optional     pam_keyinit.so force revoke
> > auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth       required     pam_shells.so
> > auth       include      system-auth
> > account    include      system-auth
> > session    include      system-auth
> > session    required     pam_loginuid.so
> > -------
> >
> > I think you want it to look more like this:
> >
> > -------
> > #%PAM-1.0
> > session    optional     pam_keyinit.so force revoke
> > auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth       required     pam_shells.so
> > auth       sufficient   pam_ldap.so try_first_pass
> > auth       required     pam_deny.so
> > account    include      system-auth
> > session    include      system-auth
> > session    required     pam_loginuid.so
> > -------
> >
> > The key things being to use the "try_first_pass" (or no option) rather
> > than "use_first_pass" (see below from 'man pam_ldap' for the
> > distinction):
> >
> >     use_first_pass
> >         Specifies that pam_ldap should always use the first
> >         password provided in the authentication stack.
> >
> >     try_first_pass
> >         Specifies that pam_ldap should first try the first
> >         password provided in the authentication stack, and
> >         then prompt the user for their LDAP password if
> >         authentication fails.
> >
> > and also the inclusion of the "pam_deny" entry as the last in the auth
> > stack...
> >
> > Also, I assume your system is properly configured to talk to the LDAP
> > server?
> >
> > Kevin
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Coe, Colin C. (Unix Engineer)
> > Sent: Monday, March 10, 2008 8:24 PM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> > Hi Sam
> >
> > I've been working on this but have not made much progress.
> >
> > The following vsftpd PAM config lets me in, regardless of the password.
> > If I uncomment the 'auth include system-auth' line then no password will
> > let me in.
> >
> > I'm trying for something in the middle i.e. the correct password will
> > let me in :)
> >
> > #%PAM-1.0
> > session    optional     pam_keyinit.so force revoke
> > auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> > auth       sufficient   pam_ldap.so use_first_pass
> > auth       required     pam_shells.so
> > auth       required     pam_nologin.so
> > #auth      include      system-auth
> > account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
> > account    include      system-auth
> > password   required     pam_cracklib.so
> > password   sufficient   pam_ldap.so use_authtok
> > session    include      system-auth
> > session    required     pam_loginuid.so
> >
> > The following line gets logged in /var/log/secure
> > Mar 11 12:15:29 server vsftpd: pam_unix(vsftpd:auth): authentication
> > failure; logname= uid=0 euid=0 tty=ftp ruser=user
> > rhost=localhost.localdomain user=user
> >
> > Any ideas?
> >
> > CC
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Sharpe, Sam J
> > Sent: Thursday, 6 March 2008 8:49 AM
> > To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list; Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> > Subject: RE: [rhelv5-list] VSFTPd and LDAP
> >
> > > We've got a server running ProFTPd that uses an OpenLDAP server
> > > for authentication. I want to migrate this over to EL5 and VSFTPd.
> > > I've googled and found many references to getting VSFTPd to work
> > > with LDAP via PAM but the problem is that the system itself *must
> > > not* use LDAP for non-FTP logins.
> >
> > I don't see why this is a problem.
> > If you modify /etc/pam.d/vsftpd to allow LDAP logins, but don't touch
> > system-auth, then your system can be not using PAM, while vsftpd happily is.
> >
> > I do this for lots of services... (but not vsftpd)
> >
> > --
> > Sam
> >
> > NOTICE: This email and any attachments are confidential.
> > They may contain legally privileged information or
> > copyright material. You must not read, copy, use or
> > disclose them without authorisation. If you are not an
> > intended recipient, please contact us at once by return
> > email and then delete both messages and all attachments.
> >
> > _______________________________________________
> > rhelv5-list mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/rhelv5-list
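The thread turns on three things: how libpam walks an `auth` stack (why Colin's file with `sufficient pam_ldap.so` and no trailing `pam_deny.so` admits anyone whose LDAP bind fails, and why Kevin's version does not), and Sam's advice to write the `include system-auth` lines out into the vsftpd file so system-auth can be stripped of LDAP. The script below is an added example, not code from the mailing-list thread or from any of its authors. It re-implements a simplified form of libpam's dispatch for the four keyword controls (bracketed controls are parsed but not evaluated), splices `include` lines the way libpam does, and runs the two posted vsftpd stacks against constructed per-module verdicts for a user who exists only in LDAP (so `pam_unix` fails, which is the `/var/log/secure` line Colin sees). `SYSTEM_AUTH` is a constructed, typical RHEL 5 file, not one from the thread.

```python
"""Simplified walk of a Linux-PAM 'auth' stack, plus Sam's 'merge the include'.

Added example, not from the rhelv5-list thread.  COLIN and KEVIN are the
vsftpd stacks posted there; SYSTEM_AUTH and the module verdicts are constructed.
"""

COLIN = """\
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_shells.so
auth       required     pam_nologin.so
#auth      include      system-auth
account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
"""

KEVIN = """\
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       sufficient   pam_ldap.so try_first_pass
auth       required     pam_deny.so
account    include      system-auth
session    include      system-auth
session    required     pam_loginuid.so
"""

SYSTEM_AUTH = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
session    required     pam_limits.so
session    required     pam_unix.so
"""

FILES = {"vsftpd-colin": COLIN, "vsftpd-kevin": KEVIN, "system-auth": SYSTEM_AUTH}

# Constructed verdicts for a user that exists only in LDAP: pam_unix fails (the
# line Colin sees in /var/log/secure).  pam_deny.so is deliberately absent; an
# unknown module counts as a failure in run_auth().
RIGHT_PW = {"pam_listfile.so": True, "pam_shells.so": True, "pam_nologin.so": True,
            "pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True}
WRONG_PW = dict(RIGHT_PW, **{"pam_ldap.so": False})


def parse(text):
    """(type, control, module, args) per line; a bracketed control stays one string."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[1].startswith("["):                      # [success=ok default=bad ...]
            end = next(i for i, t in enumerate(tok) if t.endswith("]"))
            tok = [tok[0], " ".join(tok[1:end + 1]), *tok[end + 1:]]
        entries.append((tok[0], tok[1], tok[2], tok[3:]))
    return entries


def expand(files, name, mtype):
    """The stack libpam sees for one type: 'include' lines spliced in recursively."""
    out = []
    for t, control, module, args in parse(files[name]):
        if t == mtype:
            out.extend(expand(files, module, mtype) if control == "include"
                       else [(t, control, module, args)])
    return out


def merge(files, name):
    """Sam's advice: a service file with every 'include system-auth' written out."""
    return "".join(" ".join([t, c, m, *a]) + "\n"
                   for t in ("auth", "account", "password", "session")
                   for _, c, m, a in expand(files, name, t))


def run_auth(stack, verdicts):
    """Simplified libpam dispatch for required/requisite/sufficient/optional.
    Returns ('success' | 'fail', list of modules actually consulted)."""
    trace, positive, failed = [], False, False
    for _, control, module, _ in stack:
        ok = verdicts.get(module, False)
        trace.append(f"{module}:{'ok' if ok else 'FAIL'}")
        if control == "sufficient":
            if ok and not failed:           # short-circuit: later modules never run
                return "success", trace     # (a failed sufficient module is ignored)
        elif control in ("required", "requisite"):
            if ok:
                positive = True
            elif control == "requisite":    # die: fail right here
                return "fail", trace
            else:
                failed = True               # bad: remember it, but keep walking
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError(f"control not simulated: {control}")
    # No required/requisite failure and at least one counted success -> success.
    return ("fail" if failed or not positive else "success"), trace


if __name__ == "__main__":
    for name in ("vsftpd-colin", "vsftpd-kevin"):
        stack = expand(FILES, name, "auth")
        for label, v in (("wrong password", WRONG_PW), ("right password", RIGHT_PW)):
            print(f"{name:13} {label}: {run_auth(stack, v)}")
    print(merge(FILES, "vsftpd-kevin"))
```

With the wrong password, Colin's stack reports success: the failed `sufficient pam_ldap.so` is simply ignored, and the remaining `required` modules (`pam_listfile`, `pam_shells`, `pam_nologin`) check shells and deny-lists, not passwords, so nothing in the stack ever says no. Kevin's stack ends in `required pam_deny.so`, which is only reached when `pam_ldap` did not short-circuit, so the same wrong password now fails while a correct one succeeds after three modules. `merge()` is Sam's final step: the output is a vsftpd file with no `include` lines left, so system-auth can afterwards lose its LDAP entries without touching FTP.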
