-
-
Notifications
You must be signed in to change notification settings - Fork 188
/
README.LDAP
283 lines (186 loc) · 10.2 KB
/
README.LDAP
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
If you never heard about LDAP before, *DON'T* enable LDAP support in
Pure-FTPd. LDAP is useless if you don't have to manage many shared accounts.
But well... if you want to learn about LDAP anyway, here's a good starting
point: http://www.openldap.org/
------------------------ LDAP SUPPORT ------------------------
Pure-FTPd has a built-in support for LDAP directories. When LDAP is
enabled, all account info is fetched from a central LDAP directory.
To compile the server with LDAP support, you first have to build and install
OpenLDAP. OpenLDAP is freely available from http://www.openldap.org/ and
binary packages are included in many major distributions. But if you choose
a binary form, don't forget to also install the development packages if they
are available separately.
Then, configure Pure-FTPd with --with-ldap and your favorite extra gadgets:
./configure --with-ldap --with-everything
If your LDAP libraries are installed in a special path, you can specify it
like this:
./configure --with-ldap=/usr/local/openldap
In this example, headers (ldap.h and lber.h files) will be searched in
/usr/local/openldap/include, while related libraries will be searched in
/usr/local/openldap/lib .
Then, install the server as usual:
make install
------------------------ LDAP CONFIGURATION FILE ------------------------
Before running the server, you have to create a configuration file. Why a
configuration file instead of simple command-line options? you may ask.
Because for security reasons, you may want to hide how to connect to your
LDAP server. And as command-line options can be discovered by local users
(with 'ps auxwww' for instance), it's more secure to use a configuration
file for sensitive data. Keep the file only readable by root (chmod 600) .
Here's a sample configuration file:
LDAPServer ldap.c9x.org
LDAPPort 389
LDAPBaseDN cn=Users,dc=c9x,dc=org
LDAPBindDN cn=Manager,dc=c9x,dc=org
LDAPBindPW r00tPaSsw0rD
LDAPDefaultUID 500
LDAPForceDefaultUID False
LDAPDefaultGID 100
LDAPForceDefaultGID False
Well... the keywords should be self-explanatory, but here we go for some
details anyway:
- LDAPScheme is the scheme (aka protocol) to connect with to the LDAP server.
It defaults to 'ldap'. To connect to a server listening on TLS port, set it
to 'ldaps' (and change the port below). To connect to a server listening on
a Unix domain socket, set it to 'ldapi'
- LDAPServer is the LDAP server name (hey!) . It defaults to 'localhost'.
If the 'ldapi' scheme is in use, this field should be set to the
*URL-encoded* path of the server socket. For example,
'/var/run/ldap.sock' becomes '%2Fvar%2Frun%2Fldap.sock'.
- LDAPPort is the connection port. It defaults to 389, the standard port.
Port value should be changed for 'ldaps' connection (the TLS port for an
LDAP server is usually 636).
- LDAPBaseDN is the search starting point for users accounts. Your tree must
have posixAccount objects under that node.
- LDAPBindDN is the DN we should bind the server for simple authentication.
If you don't need authentication (ie. anonymous users can browse that part
of the LDAP directory), just remove that line.
- LDAPBindPW is the plaintext password to bind the previous DN. The
configuration file should be only readable by root if you are using
LDAPBindDN/LDAPBindPW.
- LDAPDefaultUID and LDAPDefaultGID are default values for objects without
any entry for them.
- LDAPForceDefaultUID and LDAPForceDefaultGID - These options both default to
`False`. Any value other than `True` (case insensitive) is also treated as
`False`. When set these options cause the respective uid or gid value returned
by the LDAP server for a username to be ignored and instead use the value set
by `LDAPDefaultUID` or `LDAPDefaultGID`. If the appropriate `LDAPDefaultXID`
option is not set, these options have no effect.
This is useful for allowing users to authenticate against LDAP but access or
create content with common a set of ownership/permissions. It also provides a
measure of security in that it prevents pure-ftpd processes from being created
with arbitrary uid/gids that may conflict with local accounts.
- LDAPFilter is the filter to use in order to find the object to authenticate
against. The special sequence \L is replaced with the login of the user. The
default filter is (&(objectClass=posixAccount)(uid=\L)) .
- LDAPHomeDir is the attribute to get the home directory ('homeDirectory' by
default) .
- LDAPVersion is the protocol version to use. Version 3 is recommended and
needed with OpenLDAP servers. It is the default.
- LDAPUseTLS can be True or False. True means that the server should use TLS
to connect to the LDAP server over ldap protocol. This property has no effect
when ldaps protocol is used, as the connection is inherently secured with TLS.
This was introduced in pure-ftpd 1.0.37.
- LDAPAuthMethod can be BIND (experimental, but default if there is no
LDAPBindDN) or PASSWORD (default if a LDAPBindDN is set). The former tries
to authenticate users by binding, thus allowing to use an unprivileged LDAP
account. The later requires a privileged LDAP accounts and the FTP server
itself checks against the userPassword attribute.
In fact, the only mandatory keyword is LDAPBaseDN. Other keywords are
optional and defaults are ok for local testing.
Save the configuration file anywhere. Let's say /etc/pureftpd-ldap.conf .
Then, you have to run the pure-ftpd command with '-l ldap:' (it's an 'ell'
not a 'one') followed by the path of that configuration file. Here's an
example:
pure-ftpd -l ldap:/etc/pureftpd-ldap.conf -B
You can mix different authentication methods. For instance, if you want to
use system (/etc/passwd) accounts when an account is not found in a LDAP
directory, use -l ldap:/etc/pureftpd-ldap.conf -l unix
------------------------ THE LDAP SCHEMA ------------------------
Pure-FTPd uses the standard 'posixAccount' class to locate accounts. With
OpenLDAP, that class is defined in the 'nis' schema.
FTP login names should match 'uid' attributes of 'posixAccount' instances.
When a user logs in as 'joe', the following filter is used to locate Joe's
account:
(&(objectClass=posixAccount)(uid=joe))
Here's a sample entry in LDIF format:
dn: cn=Joe,dc=rtchat,dc=com
objectClass: posixAccount
cn: Joe
uid: joe
uidNumber: 500
gidNumber: 100
homeDirectory: /home/joe
userPassword: {scrypt}$7$C6..../....YzvCLmJDYJpH76BxlZB9fCpCEj2AbGQHoLiG9I/VRO1$/enQ.o1BNtmxjxNc/8hbZq8W0JAqR5YpufJXGAdzmf3
'userPassword' is the password hashed with the system 'crypt' function,
SCRYPT or ARGON2.
Please note that a login can only contains common characters: A...Z, a...z,
0...9, -, ., _, space, :, @ and ' . For paranoia purposes, other characters
are forbidden.
If you don't want to use posixAccount objects, you can edit src/log_ldap.h
to customize attribute names.
----------- EXTENDED LDAP SCHEMA (QUOTAS, THROTTLING, RATIOS) ----------
To enable quotas, download/upload rate throttling and/or download/upload
ratios, an extended LDAP schema is needed. This modified schema also allows
you to completely enable and disable users' FTP access by simply changing
the "FTPStatus" field in their LDAP entry.
Simply copy the included pureftpd.schema file to your OpenLDAP schema
directory (/usr/local/etc/openldap/schema in this example) and add the
appropriate line to your slapd.conf, like so:
include /usr/local/etc/openldap/pureftpd.schema
This schema defines a new objectClass, PureFTPdUser, which contains the
*OPTIONAL* status, quota, throttling and ratio fields as in the example
below:
dn: uid=Ichiro,dc=gmo,dc=jp
objectClass: PureFTPdUser
objectClass: posixAccount
cn: Ichiro
uid: Ichiro
uidNumber: 888
gidNumber: 888
homeDirectory: /home/ichiro
userPassword: {crypt}$1$w58NLo5z$NHhr6GzSPw0qxaxs3PAaK/
FTPStatus: enabled
FTPQuotaFiles: 50
FTPQuotaMBytes: 10
FTPDownloadBandwidth: 50
FTPUploadBandwidth: 50
FTPDownloadRatio: 5
FTPUploadRatio: 1
The example is mostly self-explanatory. FTPQuotaMBytes is the quota size in
megabytes. FTPDownloadBandwidth and FTPUploadBandwidth are in KB/sec.
FTPStatus should be either "enabled" or "disabled". If the FTPStatus field
exists and is set to anything except "enabled", the user will not be
permitted to log in. If the FTPStatus field does not exist, the user *WILL*
be allowed to log in as normal, to allow LDAP users without the PureFTPdUser
objectClass.
There are also optional FTPuid and FTPgid attributes. If present, they will
override uidNumber and gidNumber values, so that you can have different
uid/gid mapping for FTP and for other services.
Please note that all of the FTP* LDAP fields are optional for the
PureFTPdUser objectClass. You can have a user with just FTPQuotaFiles and
FTPQuotaMBytes set, for example, if you only wish to enforce a quota, but
not throttle the user's bandwidth or enforce ratios.
Of course, you must make sure to enable the features you wish to use at
compile time (--with-quotas, --with-throttling, --with-ratios) .
------------------------ ANONYMOUS USERS ------------------------
If you want to accept anonymous users on your FTP server, you don't need to
have any 'ftp' user in the LDAP directory. But you need to have a system
'ftp' account on the FTP server.
------------------------ ROOT USERS ------------------------
If an LDAP user entry has a root (0) uidNumber and/or gidNumber, Pure-FTPd
will refuse to log them in.
Without this preventive restriction, if your LDAP server ever gets
compromised, the attacker could also easily compromise the FTP server.
------------------------ ARGON2 ------------------------
Password hashed with argon2i and argon2id can be used, provided that pure-ftpd
was linked to libsodium.
They are expected to be provided as a string, as returned by the
crypto_pwhash_str() function or by its bindings.
------------------------ SCRYPT ------------------------
Password hashed with scrypt can be used, provided that pure-ftpd was linked to
libsodium.
They are expected to be provided in escrypt format, as returned by the
crypto_pwhash_scryptsalsa208sha256_str() function or by its bindings.
For example, the string $7$C6..../....YzvCLmJDYJpH76BxlZB9fCpCEj2AbGQHoLiG9I/VRO1$/enQ.o1BNtmxjxNc/8hbZq8W0JAqR5YpufJXGAdzmf3
would verify the password "test".