Debian + ProFTPD + LDAP Incorrect Password Issue

debianftpldapproftpd

I have the LDAP configuration configured for ProFTPD and I have modified the modules.conf file to include the LDAP module. However, every time I login with FileZilla I get 530 Login Incorrect. It does this for all users except those whose passwords are defined locally as well as in LDAP. The exact same setup works fine on my CentOS server and I've already tried re-installing it after purging the configuration files.

Best Answer

Do you have the appropriate /etc/pam.d file for proftpd to tell it to use LDAP?

The directory /usr/share/doc/libpam-ldap/examples/pam.d/ has examples. Normally you can just copy them all over to /etc/pam.d/

However on squeeze you have to change all occurances of "pam_unix_" to "pam_unix" because all /lib/security/pam_unix_ files are gone and it now is just /lib/security/pam_unix.so. If you don't make these changes and log out you can't log back in, neither log in through the console or anything. You'll have to boot a rescue CD and change them that way.

So, for example in /usr/share/doc/libpam-ldap/examples/pam.d/ssh change:

auth       required     /lib/security/pam_unix_auth.so try_first_pass
account    required     /lib/security/pam_unix_acct.so
session    required     /lib/security/pam_unix_session.so

to:

auth       required     /lib/security/pam_unix.so try_first_pass
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so

The file for ftp (/usr/share/doc/libpam-ldap/examples/pam.d/ftp) looks like this:

#%PAM-1.0
auth       required /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required /lib/security/pam_shells.so
auth       sufficient   /lib/security/pam_ldap.so
auth       required /lib/security/pam_pwdb.so shadow nullok
account    sufficient   /lib/security/pam_ldap.so
account    required /lib/security/pam_pwdb.so
#session   sufficient   /lib/security/pam_ldap.so
session    required /lib/security/pam_pwdb.so

Related Solutions

Ldap – Mapping User and Group Ownership through LDAP

I was overthinking this. No need to use pam_ldap and sssd. According to the sssd and CentOS lists, generally one uses one or the other.

In the end, I recreated a system from my VM template and used authconfig, which edits the appropriate system files.

authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap.mydomain.edu --ldapbasedn="dc=mydomain,dc=com" --update

The only weakness in authconfig is that it doesn't cleanly disable options you use it to enable. So it is far from safe to experiment with since you can easily host your system.

Ldap – issue with master and slave ldap configuration

It looks like you're attempting to use slapd.conf and slurpd.

slapd.conf is depriciated and you ought to be using slapd.d.

However, your main problem is that you're trying to use slurpd, which was completely removed in OpenLDAP 2.4. You should instead setup a syncrepl provider on your master server, and a syncrepl consumer on your "slave" (replica) server.

Best Answer

Related Solutions

Ldap – Mapping User and Group Ownership through LDAP

Ldap – issue with master and slave ldap configuration

Related Topic