vsftpd using LDAP+PAM authentication issue
Hi, all
Maybe my words will be a little long, please have some patience. Thanks. I want to use LDAP+PAM to authenticate the http and vsftpd services. The LDAP server (192.168.123.33) is OpenLDAP on the common port 389. The server (192.168.123.68) that supplies http and vsftpd has CentOS 4.3 (final) installed, and I configured the following files:

# grep -v "#" /etc/ldap.conf
base dc=plasmon,dc=sit
uri ldap://192.168.123.33:389
binddn cn=root,dc=plasmon,dc=sit
bindpw phillip
bind_timelimit 300
idle_timelimit 300
timelimit 300
ssl off

# cat /etc/pam.d/login
auth sufficient pam_ldap.so
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

Here, I could control the http service with LDAP authentication as well. I configured "vsftpd" as follows:

# cat /etc/pam.d/vsftpd
auth sufficient pam_ldap.so
#%PAM-1.0
auth required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_shells.so
account sufficient pam_ldap.so
account required /lib/security/pam_pwdb.so
session required /lib/security/pam_pwdb.so

Then, on a third machine named "192.168.123.32", I log in to this ftp server:

# ftp 192.168.123.32

It always gives such error messages:

530 Login incorrect.
Login failed.

I've tried many ways of modifying this "vsftpd" file, but failed. Finally, I copied the "login" file to "vsftpd" without any changes.

As you can see:

# cat /etc/pam.d/vsftpd
auth sufficient pam_ldap.so
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account sufficient pam_ldap.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

Then I tried to log on to the ftp server again, and how surprised I was: the LDAP users could be authenticated and log on successfully. Although I was confused, I modified "vsftpd" again and deleted the two lines containing "pam_ldap.so":

# cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so

I tried to log on to ftp again. The result is so amazing: the LDAP user still could log on to the ftp. Does pam_ldap.so not work? How could it work with the vsftpd authentication process? Why could my last test still log in to ftp even without pam_ldap.so? By the way, after every modification of "vsftpd", I restarted the "vsftpd" service to make sure the modification could take effect. Please help me. Any suggestion appreciated.

Thanks and regards,
Phillip
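As an added example (not part of the thread, and not the poster's own files), the Python script below resolves the effective PAM stack for one service by following `pam_stack.so service=...` includes, the CentOS 4 mechanism the posted files rely on, and then simulates the simple control-flag rules (required, requisite, sufficient, optional) against a set of per-module outcomes. The sample `pam.d` files are constructed for the example and modelled on the ones posted; `system-auth` is a hypothetical authconfig-style file with pam_ldap.so enabled, which is what the included `pam_stack.so service=system-auth` line pulls into the vsftpd stack. The simulation also shows the cost of placing `auth sufficient pam_ldap.so` ahead of the required entries: once it succeeds, the remaining required modules, pam_nologin.so among them, are never consulted for LDAP users.

```python
"""Added example: resolve and simulate a PAM auth stack (not from the thread).

Follows pam_stack.so service=... includes and applies the simple control-flag
rules to per-module outcomes, so you can see which module admitted a user.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample files modelled on the thread's posts; system-auth is a
# hypothetical authconfig-style stack with LDAP enabled.
PAM_D: Dict[str, str] = {
    # vsftpd as in the last test: no pam_ldap.so line of its own.
    "vsftpd": """\
#%PAM-1.0
auth     required   pam_securetty.so
auth     required   pam_stack.so service=system-auth
auth     required   pam_nologin.so
""",
    # vsftpd as in the copied "login" file: pam_ldap.so first and sufficient.
    "vsftpd-ldap-first": """\
#%PAM-1.0
auth     sufficient pam_ldap.so
auth     required   pam_securetty.so
auth     required   pam_stack.so service=system-auth
auth     required   pam_nologin.so
""",
    "system-auth": """\
#%PAM-1.0
auth     required   /lib/security/$ISA/pam_env.so
auth     sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth     sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth     required   /lib/security/$ISA/pam_deny.so
""",
}

# type, control (keyword or [bracketed]), module path, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_file(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse 'type control module [args...]' lines; comments and blanks dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        mtype, control, module, args = m.groups()
        # Keep the basename so /lib/security/$ISA/pam_ldap.so equals pam_ldap.so.
        entries.append((mtype, control, module.rsplit("/", 1)[-1], args.split()))
    return entries


def _stack_target(args: List[str]) -> str:
    return next(a.split("=", 1)[1] for a in args if a.startswith("service="))


def effective_modules(service: str, mtype: str, depth: int = 0) -> List[Tuple[str, str]]:
    """Flatten one module type, expanding pam_stack.so includes."""
    if depth > 8:
        raise RuntimeError("pam_stack.so include loop")
    out = []
    for t, control, module, args in parse_pam_file(PAM_D[service]):
        if t != mtype:
            continue
        if module == "pam_stack.so":
            out.extend(effective_modules(_stack_target(args), mtype, depth + 1))
        else:
            out.append((control, module))
    return out


def simulate(service: str, mtype: str, outcomes: Dict[str, bool], depth: int = 0) -> bool:
    """Evaluate the stack against per-module outcomes (True = PAM_SUCCESS).

    Modules absent from `outcomes` are assumed to succeed; pam_deny.so always
    fails.  A pam_stack.so entry is evaluated as a nested stack and its result
    is then subject to that entry's own control flag.
    """
    if depth > 8:
        raise RuntimeError("pam_stack.so include loop")
    failed = False  # set once a 'required' module has failed
    for t, control, module, args in parse_pam_file(PAM_D[service]):
        if t != mtype:
            continue
        if module == "pam_stack.so":
            ok = simulate(_stack_target(args), mtype, outcomes, depth + 1)
        elif module == "pam_deny.so":
            ok = False
        else:
            ok = outcomes.get(module, True)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite" and not ok:
            return False
        elif control == "sufficient" and ok and not failed:
            return True  # short-circuit: later modules in this stack never run
        elif control not in ("required", "requisite", "sufficient", "optional"):
            raise ValueError(f"control {control!r} not modelled here")
    return not failed


if __name__ == "__main__":
    ldap_user = {"pam_unix.so": False, "pam_ldap.so": True}
    print("auth stack for vsftpd:", effective_modules("vsftpd", "auth"))
    print("LDAP user, vsftpd:", simulate("vsftpd", "auth", ldap_user))
    nologin = dict(ldap_user, **{"pam_nologin.so": False})
    print("LDAP user with /etc/nologin, ldap-first:", simulate("vsftpd-ldap-first", "auth", nologin))
```

Running the script with the constructed files admits the LDAP user through the plain `vsftpd` stack even though that file names no pam_ldap.so, because the included `system-auth` does; with `/etc/nologin` in place the plain stack refuses the user while the ldap-first stack still admits them.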
Fixed this issue by myself.
Compile the latest source code of "pam_ldap", and use the created "pam_ldap.so" to replace the old one located in "/lib/security"; everything is OK now. The old "pam_ldap.so" was created from RPM packages, so I suggest you'd better use the tarball to use pam_ldap.