Hello,
I have a problem configuring ProFTP to use LDAP over SSL (i.e. ldaps on port 636).
In short:
- ProFTP without TLS (TLSEngine off) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
- ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
- ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES NOT authenticate with LDAP with SSL (LDAPUseTLS on; LDAPServer 1.2.3.4:636)
If I look in the logs I see that the ProFTP Server connects to the LDAP server on the correct port, the LDAP server accepts the connection but the TLS fails!
In principle, for me it is obvious, because in the ProFTP configuration I do give the path to the FTP-SSL certificates and keys but I do not input any path for the LDAP-SSL certificates and keys, i.e. in my opinion it cannot work like this.
So my question is how to make it work? As I have said, in my opinion the key point is to be able to set the path where the ProFTP server finds the certificates for the LDAP server.
I do not find any hint whatsoever on the net.
The steps I have done:
LDAP Server:
- The LDAP Server IP (say) 1.2.3.4
- The LDAP Server listens to port 636 (ldaps) and port (ldap).
- I have created a certificate for the LDAP server (slapd.pem, slapd.key)
- The LDAP server itself is fully functioning on both ldap and ldaps (for example ldaps with apache ok)
ProFTP Server:
- The ProFTP Server IP (say) 5.6.7.8
- I have created a certificate for the ProFTP server (ftp2.pem, ftp2.key)
- I have copied locally the certificates of the LDAP server (slapd.pem, slapd.key)
This is the ProFTP configuration (mod_tls and mod_ldap parts)
Code:
<IfModule mod_tls.c>
TLSEngine on
TLSLog /ftp2/logs/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /ftp2/conf/ssl_certs/ftp2.pem
TLSRSACertificateKeyFile /ftp2/conf/ssl_certs/ftp2.key
TLSCACertificateFile /ftp2/conf/ssl_certs/ftp2.pem
TLSVerifyClient off
TLSRequired on
TLSRenegotiate required off
</IfModule>
<IfModule mod_ldap.c>
#LDAPServer 1.2.3.4:389
LDAPUseTLS on
LDAPServer 1.2.3.4:636
LDAPDoAuth on "ou=bbb,dc=aaa,dc=de" "(&(uid=%v)(objectclass=posixAccount))"
LDAPDNInfo "uid=1234,dc=aaa,dc=de" root
## Require that an incoming user can successfully bind to the LDAPServer.
LDAPAuthBinds on
LDAPDoUIDLookups on "ou=bbb,dc=aaa,dc=de"
LDAPSearchScope subtree
</IfModule>
Both LDAP server and ProFTP (proftp-ldap) server are:
Code:
Linux version 2.6.18-6-amd64 (Debian 2.6.18.dfsg.1-18etch1) (waldi@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Sun Feb 10 17:50:19 UTC 2008
OpenLDAP server (slapd)
Code:
dpkg -l | grep slapd
ii slapd 2.3.30-5+etch1
I have used the ProFTP with precompiled LDAP (proftp-ldap)
Code:
dpkg -l | grep proftp
ii proftpd 1.3.0-19 Versatile, virtual-hosting FTP daemon
ii proftpd-ldap 1.3.0-19 Versatile, virtual-hosting FTP daemon
Error in /var/log/syslog from slapd
Code:
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: listen=9, new connection on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: added 19r (active) listener=(nil)
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 ACCEPT from IP=5.6.7.8:42564 (IP=0.0.0.0:636)
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=8 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=9 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on:
May 27 10:54:05 ftp1test slapd[7323]: 19r
May 27 10:54:05 ftp1test slapd[7323]:
May 27 10:54:05 ftp1test slapd[7323]: daemon: read activity on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: removing 19
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 closed (TLS negotiation failure)
Please help, I need to close up a project and this is crucial.
Thanks.
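
Added example, not part of the original post: a small Python script that pairs each slapd ACCEPT line with its "closed (TLS negotiation failure)" line by conn= id, so failed handshakes can be counted per client IP and listener port. The sample lines are copied from the syslog excerpt above; the function names are hypothetical, and only IPv4 peers in this log format are handled.

```python
import re
from collections import Counter

# Log lines copied from the slapd syslog excerpt in the post above.
SAMPLE_LOG = """\
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 ACCEPT from IP=5.6.7.8:42564 (IP=0.0.0.0:636)
May 27 10:54:05 ftp1test slapd[7323]: daemon: read activity on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: removing 19
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 closed (TLS negotiation failure)
"""

# Assumption: IPv4 peers only (slapd writes IPv6 peers in a bracketed form).
ACCEPT_RE = re.compile(
    r"conn=(?P<conn>\d+) fd=\d+ ACCEPT from IP=(?P<src>[^:\s]+):\d+ "
    r"\(IP=[^:\s]+:(?P<dport>\d+)\)"
)
CLOSED_RE = re.compile(r"conn=(?P<conn>\d+) fd=\d+ closed(?: \((?P<reason>[^)]*)\))?")


def tls_failures(log_text):
    """Return one dict per connection slapd closed with a TLS negotiation failure."""
    accepted = {}  # conn id -> (client IP, listener port)
    failures = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            accepted[m["conn"]] = (m["src"], int(m["dport"]))
            continue
        m = CLOSED_RE.search(line)
        if m:
            # The ACCEPT line may be missing (log rotation); keep the record anyway.
            src, port = accepted.pop(m["conn"], (None, None))
            if m["reason"] == "TLS negotiation failure":
                failures.append(
                    {"conn": int(m["conn"]), "client": src, "listener_port": port}
                )
    return failures


def failures_by_client(log_text):
    """Count TLS negotiation failures per (client IP, listener port)."""
    return Counter((f["client"], f["listener_port"]) for f in tls_failures(log_text))


if __name__ == "__main__":
    for (client, port), n in failures_by_client(SAMPLE_LOG).items():
        print(f"{client} -> port {port}: {n} TLS negotiation failure(s)")
```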