This is a short howto (hopefully) providing enough information to install Proftpd and use LDAP as the user database.
I have become obsessed with LDAP – at least for the time being. It seems to be the answer to my redundancy and distribution plans.
A production server is in the process of being converted (migrated actually) to have a single SSO LDAP structure.
A virtualization host crash (thank you Linode) forced me to move a couple of sites onto this new fancy LDAP server. Shortly after, a user prompted me about the lack of FTP on the new webhost.
Now the shoe needs to fit.
Installing the required packages
This is the easy part.
# apt-get install proftpd-mod-ldap
The LDAP module depends on the proftpd server package, so this is really the only thing you need to install.
Requirements for the LDAP server
The LDAP module for Proftpd is hard coded to look up only users with objectClass: posixAccount, which in my opinion is less intuitive than having a dedicated schema for proftpd.
An example .ldif is shown below. I have added objectClass: domain, which is unnecessary.
The uidNumber and gidNumber map to the uid and gid on the system: 115 is the proftpd user and 65534 is the group nobody. From an FTP client the owner will appear as domain.tld, or whatever you specify as uid.
version: 1
dn: dc=domain.tld,ou=webhosting,dc=example,dc=com
objectClass: domain
objectClass: top
objectClass: posixAccount
cn: domain.tld
dc: domain.tld
gidNumber: 65534
homeDirectory: /var/www/domain.tld/www
uid: domain.tld
uidNumber: 115
loginShell: /bin/false
userPassword::
Configuring the authentication
First you need to edit /etc/proftpd/ldap.conf to match your LDAP setup. Something like this is appropriate.
<IfModule mod_ldap.c>
  LDAPServer ldap://example.com/??sub
  LDAPDNInfo "cn=proftpd,dc=example,dc=com" "password"
  LDAPDoAuth on "ou=webhosting,dc=example,dc=com"
</IfModule>
Notice the ??sub at the end of the LDAP URL. This is very important, as it specifies the search scope; without it users below the base DN are not found. The LDAPSearchScope configuration parameter is apparently ignored.
Again, a sour comment: the bind should have been done as the user logging in, not as a dedicated user. Admin is a bad choice – create a dedicated user. Besides, /etc/proftpd/ldap.conf is world readable!
Next you have to tell proftpd to load the module by uncommenting the line that loads mod_ldap. Then uncomment the line in /etc/proftpd/proftpd.conf that loads the LDAP configuration.
While editing proftpd.conf you should also lift the RequireValidShell restriction (or give the user a valid loginShell attribute; the example above uses /bin/false). If you do not do this, you will not be able to log in.
Now is the time to take a look at the standard proftpd configuration and make sure that anonymous login is disabled, and likewise login by /etc/passwd users.
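To tie the checks from this howto together (the ??sub scope, a non-admin bind DN, a non-world-readable ldap.conf, RequireValidShell lifted, no anonymous block), here is a small lint script added as an example; it is not part of the original post or of the proftpd project. It writes constructed sample copies of ldap.conf and proftpd.conf under /tmp so it runs without touching /etc (the /tmp paths, the check names and the ldap_lookup_cmd helper are my own assumptions); point LDAP_CONF and PROFTPD_CONF at the real files to check a live host. The posixAccount/uid search filter in ldap_lookup_cmd is an assumption based on the objectClass the text says mod_ldap looks for.

```shell
#!/bin/sh
# Added example (not from the original howto): lint for a ProFTPD + mod_ldap
# setup. Sample config paths are assumptions; override them for a real host.
LDAP_CONF="${LDAP_CONF:-/tmp/proftpd-lint/ldap.conf}"
PROFTPD_CONF="${PROFTPD_CONF:-/tmp/proftpd-lint/proftpd.conf}"

# Constructed samples: ldap.conf as on the page (world-readable, like the
# default the text complains about) and a proftpd.conf with an <Anonymous>
# block still present.
write_samples() {
    mkdir -p "$(dirname "$LDAP_CONF")" "$(dirname "$PROFTPD_CONF")"
    cat > "$LDAP_CONF" <<'EOF'
<IfModule mod_ldap.c>
  LDAPServer ldap://example.com/??sub
  LDAPDNInfo "cn=proftpd,dc=example,dc=com" "password"
  LDAPDoAuth on "ou=webhosting,dc=example,dc=com"
</IfModule>
EOF
    chmod 644 "$LDAP_CONF"
    cat > "$PROFTPD_CONF" <<'EOF'
RequireValidShell off
<Anonymous ~ftp>
  User ftp
</Anonymous>
EOF
}

# ldap.conf holds the bind password: "other" must have no access at all.
check_ldap_conf_perms() {
    other=$(ls -ld "$LDAP_CONF" | cut -c8-10)
    [ "$other" = "---" ]
}

# Mitigation for the check above: keep the owner, drop world access.
fix_ldap_conf_perms() {
    chmod 640 "$LDAP_CONF"
}

# The LDAPServer URL must carry the ??sub scope (LDAPSearchScope is ignored).
check_search_scope() {
    grep -Eq '^[[:space:]]*LDAPServer[[:space:]]+ldaps?://[^[:space:]]*\?\?sub' "$LDAP_CONF"
}

# The bind DN should be a dedicated account, not the directory admin.
check_bind_dn_not_admin() {
    ! grep -Eiq '^[[:space:]]*LDAPDNInfo[[:space:]]+"cn=admin,' "$LDAP_CONF"
}

# Users with loginShell /bin/false can only log in if RequireValidShell is off.
check_valid_shell() {
    grep -Eiq '^[[:space:]]*RequireValidShell[[:space:]]+off' "$PROFTPD_CONF"
}

# No active <Anonymous> block may remain in proftpd.conf.
check_no_anonymous() {
    ! grep -Eq '^[[:space:]]*<Anonymous' "$PROFTPD_CONF"
}

# Print an ldapsearch command that repeats the module's lookup for one user
# with the same bind DN, base and sub scope, for debugging a failed login
# outside proftpd (-W prompts for the bind password instead of echoing it).
ldap_lookup_cmd() {
    user="$1"
    server=$(sed -n 's|^[[:space:]]*LDAPServer[[:space:]]*\(ldaps\{0,1\}://[^/]*\).*|\1|p' "$LDAP_CONF")
    bind_dn=$(sed -n 's|^[[:space:]]*LDAPDNInfo[[:space:]]*"\([^"]*\)".*|\1|p' "$LDAP_CONF")
    base_dn=$(sed -n 's|^[[:space:]]*LDAPDoAuth[[:space:]]*on[[:space:]]*"\([^"]*\)".*|\1|p' "$LDAP_CONF")
    printf 'ldapsearch -x -H %s -D "%s" -W -b "%s" -s sub "(&(objectClass=posixAccount)(uid=%s))"\n' \
        "$server" "$bind_dn" "$base_dn" "$user"
}

# Run every check; the return value is the number of failed checks.
lint() {
    failures=0
    for check in check_ldap_conf_perms check_search_scope check_bind_dn_not_admin \
                 check_valid_shell check_no_anonymous; do
        if "$check"; then echo "ok    $check"; else echo "FAIL  $check"; failures=$((failures + 1)); fi
    done
    return "$failures"
}

# "sh ldap_lint.sh --run" writes the samples and lints them; sourcing the file
# only defines the functions.
if [ "${1:-}" = "--run" ]; then
    write_samples
    lint
fi
```

On the constructed samples the lint reports two failures (the world-readable ldap.conf and the anonymous block); after fix_ldap_conf_perms only the anonymous block remains to be removed by hand.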