ftp: local and LDAP users authentication / PAM module
Hi,
we have a CentOS 6.2 64-bit machine where we have configured an FTP server. On the FTP server machine, users are authenticated by using LDAP. We have some users that are local. Now we want some LDAP users and some local users to be authenticated for FTP. LDAP users are getting authenticated for FTP but local users are not. It accepts the username but then fails with "530 Login incorrect. Login failed.". vsftpd in pam.d is as below:
#########################################
cat vsftpd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_ldap.so nullok try_first_pass
auth       include      password-auth
account    required     pam_nologin.so
account    sufficient   pam_ldap.so
account    include      password-auth
password   sufficient   pam_ldap.so nullok try_first_pass use_authtok
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    sufficient   pam_ldap.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
############################################################
How can both kinds of users (LDAP and local) be authenticated for FTP?
Note: allowed users are already added in the users_list file for FTP authentication.
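The stack above chains LDAP and local authentication through PAM's control flags: a `sufficient` module that succeeds ends the group right there, while one that fails is simply skipped, so a local user's "Login incorrect" has to come from a module further down, inside the included password-auth file, or from the account group. Reading that effective order by hand across `include` files is error-prone, so the script below (an added example, not part of this thread or of vsftpd) flattens a service's stack for one management group by following `include` and `substack` lines. The sample pam.d directory it builds is constructed: the vsftpd file mirrors the auth and account lines posted above, and the password-auth file is an approximation of what authconfig generates on CentOS 6 with LDAP enabled, not a copy of the poster's real file. Point it at the real `/etc/pam.d` to see the order vsftpd actually evaluates, and read the matching failure in `/var/log/secure`, which names the module that rejected the login.

```shell
#!/bin/bash
# Added example (not from the thread): print the effective PAM stack for one
# service and management group, following "include"/"substack" directives, so the
# module order that vsftpd really evaluates can be read top to bottom.
# Usage: pam_expand /etc/pam.d vsftpd auth

pam_expand() {
    local dir="$1" service="$2" group="$3" depth="${4:-0}"
    local file="$dir/$service" mtype control module args rest
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    [ "$depth" -lt 8 ] || { echo "include nesting too deep at $service" >&2; return 1; }
    # Drop comments and blank lines; each remaining line is: type control module [args]
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r mtype control module args; do
        [ "$mtype" = "$group" ] || continue
        case "$control" in
            \[*\]) ;;   # bracketed control without spaces is already complete
            \[*)        # bracketed control such as [default=bad success=ok ...] spans fields
                rest="$module${args:+ $args}"
                control="$control ${rest%%]*}]"
                rest="${rest#*]}"; rest="${rest# }"
                module="${rest%% *}"
                args="${rest#"$module"}"; args="${args# }"
                ;;
        esac
        case "$control" in
            include|substack)
                pam_expand "$dir" "$module" "$group" $((depth + 1))
                ;;
            *)
                # Columns: file the line came from, control flag, module, module arguments
                printf '%s\t%s\t%s\t%s\n' "$service" "$control" "$module" "$args"
                ;;
        esac
    done
}

# 1-based position of the first line using a module in the expanded stack, 0 if absent.
pam_position() {
    local dir="$1" service="$2" group="$3" module="$4"
    pam_expand "$dir" "$service" "$group" |
        awk -F '\t' -v m="$module" 'BEGIN { p = 0 } $3 == m && p == 0 { p = NR } END { print p }'
}

# Constructed sample pam.d directory: a vsftpd stack like the one posted in the thread
# and a password-auth file approximating an authconfig-generated CentOS 6 file with LDAP.
make_sample_pamd() {
    local d
    d=$(mktemp -d) || return 1
    cat > "$d/vsftpd" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       sufficient   pam_ldap.so nullok try_first_pass
auth       include      password-auth
account    required     pam_nologin.so
account    sufficient   pam_ldap.so
account    include      password-auth
EOF
    cat > "$d/password-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so
EOF
    echo "$d"
}

# Demo: show the effective auth and account stacks for the sample vsftpd service.
sample_dir=$(make_sample_pamd)
for g in auth account; do
    printf '== %s ==\n' "$g"
    pam_expand "$sample_dir" vsftpd "$g"
done
rm -rf "$sample_dir"
```

In the sample, the auth group reaches `pam_unix.so` as the fourth module, after the `sufficient pam_ldap.so` line, which is the fall-through a local user relies on; if the real output for your service shows `pam_deny.so`, a `requisite` module, or a `pam_listfile.so`/`pam_shells.so` line ahead of `pam_unix.so`, that is where to look first.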
My strong recommendation for you is ... make everything LDAP, nothing local, if you are using LDAP at all.
The "local user" could easily become an unknown, unseen, and therefore unmanageable back door to a corporate system that is relying on centrally-managed LDAP authorization/authentication. "Out of sight = out of mind." Use LDAP to authenticate everything, including local logins to the machines. If you / your company has (wisely ...) chosen to "centrally manage everything," then there should be nothing that is *not* centrally-managed; nor should there be any capacity to do so. :rolleyes: (Sounds a bit strong and harsh there ... oh well, not intended as such ... just my :twocents: )
Thanks for the reply, but somehow we have to keep that user local. It will be very helpful if something else is also suggested.