LinuxQuestions.org


pankajd 01-02-2014 06:16 AM

ftp : local and LDAP users authentication / PAM module
 
Hi,

We have a CentOS 6.2 64-bit machine where we have configured an FTP server. On the FTP server machine, users are authenticated by using LDAP. We have some users that are local. Now we want some LDAP users and some local users to be authenticated for FTP. LDAP users are getting authenticated for FTP but local users are not. It accepts the username but then fails with "530 Login incorrect. Login failed.".
vsftpd in pam.d is as below :

#########################################
cat vsftpd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_ldap.so nullok try_first_pass
auth include password-auth
account required pam_nologin.so
account sufficient pam_ldap.so
account include password-auth
password sufficient pam_ldap.so nullok try_first_pass use_authtok
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session sufficient pam_ldap.so
session optional pam_keyinit.so force revoke
session include password-auth
############################################################
How can both users (LDAP and local) be authenticated for FTP?
Note: allowed users are already added in the users_list file for FTP authentication.
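The outcome of a stack like the one above depends on how the control flags combine, so here is an added example (not code from the thread, vsftpd or Linux-PAM) that simulates the `required`, `requisite`, `sufficient` and `include` rules over the quoted `vsftpd` stack. The `password-auth` file inside it is a constructed minimal stand-in, and the per-module outcomes are supplied as assumptions rather than real authentication, which lets you check whether the PAM auth and account phases themselves would reject a local user.

```python
# Added example: simulate PAM control flags for the vsftpd stack from the
# thread. password-auth is a constructed stand-in, not the distribution file.
PAM_FILES = {
    "vsftpd": """
auth required pam_sepermit.so
auth sufficient pam_ldap.so nullok try_first_pass
auth include password-auth
account required pam_nologin.so
account sufficient pam_ldap.so
account include password-auth
""",
    "password-auth": """
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
""",
}

def load_stack(name, phase):
    """Flatten one phase (auth/account) of a PAM file, expanding include lines."""
    stack = []
    for line in PAM_FILES[name].splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ptype, control, module, *args = line.split()
        if ptype != phase:
            continue
        if control == "include":
            stack.extend(load_stack(module, phase))   # module is the file name
        else:
            stack.append((control, module, args))
    return stack

def run_stack(stack, outcomes):
    """Return True if the stack grants access. outcomes maps module name ->
    bool (True = module succeeds); modules not listed are treated as failing."""
    failed = False
    for control, module, _args in stack:
        ok = outcomes.get(module, False)
        if control == "required" and not ok:
            failed = True                 # keep going, but final result is failure
        elif control == "requisite" and not ok:
            return False                  # stop immediately
        elif control == "sufficient" and ok and not failed:
            return True                   # short-circuit success
    return not failed

def check_login(outcomes, service="vsftpd"):
    """A login needs both the auth and the account phase to pass."""
    return all(run_stack(load_stack(service, p), outcomes) for p in ("auth", "account"))
```

For a local user (assumed uid >= 500, so pam_succeed_if succeeds) the LDAP failure is ignored because pam_ldap is `sufficient`, and the included pam_unix line decides, so a 530 in that case points at something other than these two PAM phases.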

sundialsvcs 01-02-2014 09:21 AM

My strong recommendation for you is ... make everything LDAP, nothing local, if you are using LDAP at all.

The "local user" could easily become an unknown, unseen, and therefore unmanageable back door to a corporate system that is relying on centrally-managed LDAP authorization/authentication. "Out of sight = out of mind." Use LDAP to authenticate everything, including local logins to the machines. If you / your-company has (wisely ...) chosen to "centrally manage everything," then there should be nothing that is *not* centrally-managed; nor should there be any capacity to do so.

(Sounds a bit strong and harsh there ... oh well, not intended as such ... just my two cents.)

pankajd 01-02-2014 10:39 PM

Thanks for the reply, but somehow we have to keep that user local. It will be very helpful if something else is also suggested.
