Pudgecon's Blog

A (Javascript & RoR) Hacker

Install OpenLDAP and ProFTPD on Ubuntu 12.04


Implementing ProFTPD LDAP authentication against OpenLDAP on Ubuntu 12.04

System environment

  • Operating system: Ubuntu Server 12.04

Install OpenLDAP

Installing OpenLDAP on Ubuntu is straightforward:

$ sudo apt-get install slapd ldap-utils

For detailed usage, see the official Ubuntu OpenLDAP documentation.

Configure the organizational structure

  • Add a new base DN, using dc=example,dc=com as the example:
(backend.ldif)
# Load dynamic backend modules
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: back_hdb.la

# Database settings
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
# Placeholder root password; in practice use the {SSHA} output of slappasswd
olcRootPW: password
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcDbCheckpoint: 512 30
# ACLs are evaluated in order: only the admin DN may read/write userPassword,
# anonymous clients may only use it to authenticate, users may change their own
olcAccess: to attrs=userPassword by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
  • Add the new groups and users:
(organization.ldif)
# Create top-level object in domain
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example
dc: example
description: Comtech LDAP Configuration

# Admin user (same DN and password as olcRootDN/olcRootPW in backend.ldif)
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: password

dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=bill,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bill
sn: Chu
givenName: Bill
cn: Bill Chu
displayName: Bill Chu
uidNumber: 1000
gidNumber: 10000
# Placeholder; slapd stores this value as given, so prefer a slappasswd hash
userPassword: password
gecos: Bill Chu
loginShell: /bin/bash
homeDirectory: /home/bill
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: bill.chu@example.com
l: Cardiff
o: Comtech
title: System Administrator
initials: BC

# The RDN value must be present in the entry, so the DN and cn must agree
dn: cn=comtech,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: comtech
gidNumber: 10000

This adds one administrator, admin, and one user, bill.

  • Import them with the following commands:

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f backend.ldif
$ sudo ldapadd -x -D cn=admin,dc=example,dc=com -W -f organization.ldif
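Before running ldapadd it is worth linting the LDIF for the mistakes slapd rejects at add time (an RDN value missing from the entry, as in a group entry whose DN says cn=example but whose cn is comtech, or an empty attribute value) and for cleartext userPassword values. The following is an added example, not code from the original post; it assumes plain LDIF without folded or base64 lines and works on any file of this shape, not only organization.ldif.

```python
# Added example, not from the original post: a pre-flight linter for plain LDIF files
# such as organization.ldif above (assumes unfolded, non-base64 lines).

def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) entries from LDIF text."""
    entries, attrs = [], None
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not line:                          # a blank line ends the current entry
            attrs = None
        elif name == "dn":
            attrs = {}
            entries.append((value, attrs))
        elif attrs is not None:
            attrs.setdefault(name, []).append(value)
    return entries

def lint_ldif(text):
    """Return problem strings; an empty list means slapd should accept every entry."""
    problems = []
    for dn, attrs in parse_ldif(text):
        rdn_attr, _, rdn_val = dn.split(",", 1)[0].partition("=")
        # slapd rejects an add whose RDN value is absent from the entry (naming violation)
        if rdn_val.lower() not in [v.lower() for v in attrs.get(rdn_attr.strip().lower(), [])]:
            problems.append(f"{dn}: naming attribute {rdn_attr}={rdn_val} not present in entry")
        for name, values in attrs.items():
            if "" in values:                  # e.g. 'postalAddress:' with nothing after it
                problems.append(f"{dn}: empty value for {name}")
        # slapd stores userPassword exactly as given; '{SSHA}...' from slappasswd is a hash
        if any(not v.startswith("{") for v in attrs.get("userpassword", [])):
            problems.append(f"{dn}: userPassword is cleartext; use slappasswd output instead")
    return problems

# Constructed sample reproducing the group-entry mistake in the original organization.ldif
SAMPLE_LDIF = """\
dn: uid=bill,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
uid: bill
userPassword: password
postalAddress:

dn: cn=example,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: comtech
gidNumber: 10000
"""
```

Run `lint_ldif(open("organization.ldif").read())` and fix every reported line before importing; an empty list is the goal.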

Install ProFTPD

$ sudo apt-get install proftpd-mod-ldap

This deb package contains the compiled LDAP module (mod_ldap).

Configure ProFTPD

  • Edit /etc/proftpd/proftpd.conf

Uncomment the following lines:

DefaultRoot       ~
RequireValidShell off

Include /etc/proftpd/ldap.conf
  • Edit /etc/proftpd/modules.conf

Uncomment the following line to load the LDAP module:

LoadModule mod_ldap.c
  • Edit /etc/proftpd/ldap.conf

This configuration file is the most important one:

(ldap.conf)
<IfModule mod_ldap.c>
LDAPServer ldap://localhost/??sub
# The bind DN and password must match olcRootDN/olcRootPW in backend.ldif
LDAPBindDN "cn=admin,dc=example,dc=com" "password"
LDAPUsers ou=users,dc=example,dc=com (uid=%u)

LDAPForceDefaultGID on
LDAPForceDefaultUID on

# proftpd uid & gid
# $ id proftpd
LDAPDefaultGID 65534
LDAPDefaultUID 107

# Home directory for LDAP users: /home/ftp is used as the login home directory.
# Note: create /home/ftp beforehand and give it the correct ownership:
LDAPGenerateHomedir on
# $ sudo mkdir /home/ftp
# $ sudo chown proftpd:nogroup /home/ftp
LDAPGenerateHomedirPrefix /home/ftp
LDAPForceGeneratedHomedir on
# Create a per-user directory under the prefix; if set to on, all users share the same directory
LDAPGenerateHomedirPrefixNoUsername off
# Create the home directory if it does not exist
CreateHome on
</IfModule>

The LDAPDefaultUID and LDAPDefaultGID values are the uid and gid of the proftpd user, which you can look up with:

$ grep proftpd /etc/passwd
  • Create the FTP directory

With the configuration above, we need to create the FTP directory under /home and give it the appropriate ownership:

$ sudo mkdir /home/ftp
$ sudo chown proftpd:nogroup /home/ftp
  • Restart the ProFTPD service:
$ sudo service proftpd restart

References:

If you have questions, please leave a comment; corrections are welcome.
