LinuxQuestions.org > Forums > Linux Forums > Linux - Software
Old 01-02-2014, 06:16 AM   #1
pankajd
Member
 
Registered: Oct 2008
Posts: 54

Rep: Reputation: 15
ftp : local and LDAP users authentication / PAM module


Hi,

We have a CentOS 6.2 64-bit machine where we have configured an FTP server. On the FTP server machine, users are authenticated by using LDAP. We have some users that are local. Now we want some LDAP users and some local users to be authenticated for FTP. LDAP users are getting authenticated for FTP but local users are not. It accepts the username but then fails with "530 Login incorrect. Login failed.".
vsftpd in pam.d is as below :

#########################################
cat vsftpd
#%PAM-1.0
auth required pam_sepermit.so
auth sufficient pam_ldap.so nullok try_first_pass
auth include password-auth
account required pam_nologin.so
account sufficient pam_ldap.so
account include password-auth
password sufficient pam_ldap.so nullok try_first_pass use_authtok
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session sufficient pam_ldap.so
session optional pam_keyinit.so force revoke
session include password-auth
############################################################
How can both kinds of users (LDAP and local) be authenticated for FTP?
Note: the allowed users are already added in the users_list file for FTP authentication.
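The outcome of the stack above depends on how libpam treats the `required` and `sufficient` flags when `pam_ldap.so` and `pam_unix.so` (pulled in via `include password-auth`) disagree about a user. The following is an added example, not code from the thread: a small simulator of the `auth` phase that expands the `include`, walks the rules with the simplified control-flag semantics, and prints which module actually decided for a given user. The contents of `password-auth` are a constructed stand-in for what authconfig writes on CentOS 6 with LDAP enabled, and the per-module outcomes (an LDAP-only user unknown to `pam_unix.so`, a local user unknown to `pam_ldap.so`) are constructed inputs, not results from the poster's system. It also shows what happens if the LDAP lookup were `required` instead of `sufficient`, which is the classic way local users get locked out.

```python
"""Added example: trace how Linux-PAM walks an 'auth' stack (simplified model)."""

# Assumed simplified model of the control flags required, requisite,
# sufficient, optional and include.  Real libpam also understands the
# [value=action] syntax and many distinct return codes; here every module
# simply returns True (PAM_SUCCESS) or False (failure) for the user under test.

# The 'auth' lines of the /etc/pam.d/vsftpd file posted in the thread.
VSFTPD_AUTH = """\
auth required pam_sepermit.so
auth sufficient pam_ldap.so nullok try_first_pass
auth include password-auth
"""

# Constructed stand-in for the 'auth' lines of /etc/pam.d/password-auth as
# authconfig typically writes them on CentOS 6 with LDAP enabled (an
# assumption for this example; the thread does not show the real file).
PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

STACKS = {"vsftpd": VSFTPD_AUTH, "password-auth": PASSWORD_AUTH}

# Modules whose verdict never depends on the user.
FIXED_RESULTS = {"pam_deny.so": False, "pam_permit.so": True}


def parse_stack(text, facility="auth"):
    """Return a list of (control, module, args) for one facility's lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == facility:
            rules.append((parts[1], parts[2], parts[3:]))
    return rules


def flatten(name, facility="auth"):
    """Expand 'include' directives into a single flat list of rules."""
    flat = []
    for control, module, args in parse_stack(STACKS[name], facility):
        if control == "include":
            flat.extend(flatten(module, facility))
        else:
            flat.append((control, module, args))
    return flat


def with_control(rules, module, control):
    """Copy of `rules` with the first occurrence of `module` given a new flag."""
    out, done = [], False
    for ctl, mod, args in rules:
        out.append((control if mod == module and not done else ctl, mod, args))
        done = done or mod == module
    return out


def evaluate(rules, results):
    """Walk the stack as libpam does (simplified); `results` maps module name
    to bool for the user under test, unlisted modules are assumed to succeed.
    Returns (authenticated, trace) with trace = [(module, control, result)]."""
    verdicts = {**FIXED_RESULTS, **results}
    impression = None          # None = nothing decided yet, else True/False
    trace = []
    for control, module, _args in rules:
        ok = verdicts.get(module, True)
        trace.append((module, control, ok))
        if control in ("required", "requisite"):
            if not ok:
                if control == "requisite":
                    return False, trace     # requisite aborts immediately
                impression = False          # required: remembered, stack goes on
            elif impression is None:
                impression = True
        elif control == "sufficient":
            if ok and impression is not False:
                return True, trace          # short-circuit success
            # a failing 'sufficient' module is simply skipped
        # 'optional' is ignored in this simplified model
    return impression is True, trace


if __name__ == "__main__":
    posted = flatten("vsftpd")
    strict = with_control(posted, "pam_ldap.so", "required")
    # Constructed outcomes: LDAP-only user unknown to pam_unix, local user unknown to pam_ldap.
    for label, rules, outcome in [
        ("LDAP user, posted stack", posted, {"pam_unix.so": False}),
        ("local user, posted stack", posted, {"pam_ldap.so": False}),
        ("local user, pam_ldap 'required'", strict, {"pam_ldap.so": False}),
    ]:
        ok, trace = evaluate(rules, outcome)
        print(f"{label}: {'AUTH OK' if ok else 'AUTH FAIL'}")
        for module, control, res in trace:
            print(f"  {control:<10} {module:<22} {'ok' if res else 'FAIL'}")
```

With the posted flags, a local user's `auth` phase is expected to end successfully at `pam_unix.so` even though `pam_ldap.so` fails first, so a `530` for local users points at something this trace does not cover: the `account` or `session` phases, the real contents of `password-auth`, or a `pam_ldap.so` result other than "user unknown". Comparing this expected trace against the module messages in `/var/log/secure` for one failed local login narrows that down quickly.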
 
Old 01-02-2014, 09:21 AM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,610
Blog Entries: 4

Rep: Reputation: 3905
My strong recommendation for you is ... make everything LDAP, nothing local, if you are using LDAP at all.

The "local user" could easily become an unknown, unseen, and therefore unmanageable back door to a corporate system that is relying on centrally-managed LDAP authorization/authentication. "Out of sight = out of mind." Use LDAP to authenticate everything, including local logins to the machines. If you or your company has (wisely ...) chosen to "centrally manage everything," then there should be nothing that is not centrally-managed; nor should there be any capacity to do so.

(Sounds a bit strong and harsh there ... oh well, not intended as such ... just my )

Last edited by sundialsvcs; 01-02-2014 at 09:22 AM.
 
Old 01-02-2014, 10:39 PM   #3
pankajd
Member
 
Registered: Oct 2008
Posts: 54

Original Poster
Rep: Reputation: 15
Thanks for the reply, but somehow we have to keep that user local. It will be very helpful if something else is also suggested.
 
All times are GMT -5.