LinuxQuestions.org


PhillipHuang 09-25-2006 08:10 AM

vsftpd using Ldap+pam authentication issue
 
Hi, all

Maybe my words will be a little long, please be patient. Thanks.

I want to use ldap+pam to authenticate the http and vsftpd services. The LDAP server (192.168.123.33) is OpenLDAP on the common port 389.

The server (192.168.123.68) that supplies http and vsftpd has CentOS 4.3 (final) installed, and I configured the following files:

# grep -v "#" /etc/ldap.conf
base dc=plasmon,dc=sit
uri ldap://192.168.123.33:389
binddn cn=root,dc=plasmon,dc=sit
bindpw phillip
bind_timelimit 300
idle_timelimit 300
timelimit 300
ssl off

# cat /etc/pam.d/login
auth sufficient pam_ldap.so
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

Here, I could control the http service with ldap authentication as well. I configured "vsftpd" as follows:

# cat /etc/pam.d/vsftpd
auth sufficient pam_ldap.so
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account sufficient pam_ldap.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

Then, on a 3rd machine named "192.168.123.32", I tried to log in to this ftp server:
# ftp 192.168.123.32
It always gives these error messages:
530 Login incorrect.
Login failed.

I've tried many ways to modify this "vsftpd" file, but failed.
Finally, I copied the "login" file to "vsftpd" without any changes. As you can see:

# cat /etc/pam.d/vsftpd
auth sufficient pam_ldap.so
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

and then tried to log on to the ftp server again. How surprised I was: the ldap users could be authenticated and logged on successfully.
Although I was confused, I modified "vsftpd" again, deleting the two lines that contain "pam_ldap.so":


# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so


Tried to log on to ftp again. The result is so amazing: the ldap user could still log on to the ftp.

Does pam_ldap.so not work? How does it work with the vsftpd authentication process? Why, in my last test, was I still able to log in to ftp even without pam_ldap.so?

By the way, every time after modifying "vsftpd", I restarted the "vsftpd" service to make sure the modification could take effect.

Please help me. Any suggestion appreciated.

Thanks and regards,
Phillip
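An added example (not code from the post, nor from pam_ldap or vsftpd): a small Python simulator of Linux-PAM control-flag semantics that replays the "auth" stack of the first /etc/pam.d/vsftpd above. It shows that with "auth sufficient pam_ldap.so" placed first, a user whose LDAP bind succeeds is accepted before the /etc/ftpusers deny list (pam_listfile) or pam_shells is ever consulted; the per-module results and the reordered stack are constructed for comparison and are assumptions, not anything the poster tried.

```python
# Added example (not the poster's code): a minimal Linux-PAM control-flag
# simulator, replaying the "auth" stack of the poster's first /etc/pam.d/vsftpd.
VSFTPD_AS_POSTED = """\
auth sufficient pam_ldap.so
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
"""
# Same modules with pam_ldap moved below the /etc/ftpusers deny list
# (a reordering constructed here for comparison, not from the post).
VSFTPD_REORDERED = """\
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_ldap.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
"""

def parse_stack(text, group):
    """Return [(control, module)] for lines of `group`; '#' lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == group:
            entries.append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries

def run_stack(entries, results):
    """Evaluate a stack; results maps module -> True (PAM_SUCCESS) / False.
    Unknown modules count as failure. Returns (outcome, modules consulted)."""
    consulted, failed = [], False
    for control, module in entries:
        ok = results.get(module, False)
        consulted.append(module)
        if control == "requisite" and not ok:
            return False, consulted        # fail immediately
        if control == "required" and not ok:
            failed = True                  # remember failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, consulted         # short-circuit: rest never runs
    return not failed, consulted           # "optional" modules don't matter

# Constructed scenario: LDAP bind succeeds for a user who is listed in
# /etc/ftpusers (pam_listfile denies) and has no local passwd/shadow entry.
LDAP_USER_IN_FTPUSERS = {"pam_ldap.so": True, "pam_listfile.so": False,
                         "pam_pwdb.so": False, "pam_shells.so": True}

def auth_as_posted():
    return run_stack(parse_stack(VSFTPD_AS_POSTED, "auth"), LDAP_USER_IN_FTPUSERS)

def auth_reordered():
    return run_stack(parse_stack(VSFTPD_REORDERED, "auth"), LDAP_USER_IN_FTPUSERS)
```

As posted, the stack returns success after consulting only pam_ldap.so; with the deny list ahead of the sufficient line, the required failure is remembered and the login is refused.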

PhillipHuang 09-26-2006 10:43 PM

Fixed this issue by myself.
I compiled the latest source code of "pam_ldap" and used the newly built "pam_ldap.so" instead of the old one located in "/lib/security"; everything is ok now.

The old "pam_ldap.so" was created from rpm packages, so I suggest you'd better use the tarball for pam_ldap.

