mod_ldap
This module is contained in the mod_ldap.c
file for ProFTPD 1.2.x/1.3.x, and is not compiled by default. Installation instructions
are discussed here.
The most current version of mod_ldap
is distributed with the
ProFTPD source code.
Please contact John Morrissey <jwm at horde.net> with any questions, concerns, or suggestions regarding this module.
<VirtualHost>
, <Global>
The LDAPAliasDereference
directive configures how aliases are
handled. The possible values have the following behaviors:
Never dereference aliases
Always dereference aliases
Dereference aliases only when searching
Dereference aliases only when locating the base object for the search
The default is "never", e.g.:
<IfModule mod_ldap.c> LDAPAliasDeference never </IfModule>
<VirtualHost>
, <Global>
The LDAPAttr
directive is used to map, or to associate, a standard
attribute name to a non-standard attribute name. If, for example, your
LDAP directory schema used different names for some of the attributes used
by mod_ldap
, you would use this directive to tell
mod_ldap
what new attribute names to use.
The following LDAP attributes can be renamed in this manner:
uid
uidNumber
gidNumber
homeDirectory
userPassword
loginShell
cn
memberUid
ftpQuota
<VirtualHost>
, <Global>
By default, the DN specified by the
LDAPBindDN
will be used to bind to the
LDAP server to obtain user information, including the userPassword
attribute. If LDAPAuthBinds
is set to on, the DN
specified by LDAPDNInfo
will be used to fetch all user information
except the userPassword
attribute. Then, the
mod_ldap
module will bind to the LDAP server as the user who is
logging in via FTP with the user-supplied password. If this bind succeeds,
the user is considered authenticated and is allowed to log in. This method of
LDAP authentication has the added benefit of supporting any password encryption
scheme that your LDAP server supports.
In versions of mod_ldap
up to 2.7.6, the default for
LDAPAuthBinds
was off. After mod_ldap
2.8,
the default value for LDAPAuthBinds
is on.
<VirtualHost>
, <Global>
The LDAPBindDN
directive configures the DN and the
password that mod_ldap
will use when binding to the LDAP
directory. If this configuration directive is missing, then anonymous binds
are used.
The default is:
<IfModule mod_ldap.c> # Use anonymous binds LDAPBindDN "" "" </IfModule>
See also: LDAPServer
<VirtualHost>
, <Global>
The LDAPDefaultAuthScheme
directive specifies the authentication
scheme used for passwords which have no "{hashname}" prefix in the LDAP
directory. For example, if you are:
userPassword mypassin your directory, you would want to set
LDAPDefaultAuthScheme
to clear.
The default value is crypt.
<VirtualHost>
, <Global>
The LDAPDefaultGID
directive sets the default GID to be used
for users when no gidNumber
attribute is found for that user.
This directive is useful primarily in virtual user environments common in
large-scale ISPs and hosting organizations. If a user does not have an LDAP
gidNumber
attribute, the LDAPDefaultGID
is used.
This allows one to have a large number of users in an LDAP directory without
gidNumber
attributes; setting this configuration directive will
automatically assign those users a single GID.
See also: LDAPDefaultUID
<VirtualHost>
, <Global>
The LDAPDefaultQuota
directive configures a default-quota
to use if a user does not have an ftpQuota
attribute. This
parameter is formatted the same way as the ftpQuota
LDAP attribute.
<VirtualHost>
, <Global>
The LDAPDefaultUID
directive sets the default UID to be used
for users when no uidNumber
attribute is found for that user.
This directive is useful primarily in virtual user environments common in
large-scale ISPs and hosting organizations. If a user does not have an LDAP
uidNumber
attribute, the LDAPDefaultGID
is used.
This allows one to have a large number of users in an LDAP directory without
uidNumber
attributes; setting this configuration directive will
automatically assign those users a single UID.
See also: LDAPDefaultGID
DoAuth
By default, the search filter template used is:
(&(uid=%v)(objectclass=posixAccount))The uid for the the search filter is taken from the
LDAPAttr
directive. Search filter templates are only supported
in versions of mod_ldap
2.7 and later.
See also: LDAPAttr
<VirtualHost>
, <Global>
Even when a LDAPDefaultGID
is
configured, the mod_ldap
module will allow individual users to
have gidNumber
attributes that will override this default GID.
With LDAPForceDefaultGID
directive configured to be on,
all LDAP-authenticated users are given the default GID; GIDs may not be
overridden by gidNumber
attributes.
Even when a LDAPDefaultUID
is
configured, the mod_ldap
module will allow individual users to
have uidNumber
attributes that will override this default UID.
With LDAPForceDefaultUID
directive configured to be on,
all LDAP-authenticated users are given the default UID; UIDs may not be
overridden by uidNumber
attributes.
<VirtualHost>
, <Global>
See also: LDAPGenerateHomedir
, LDAPGenerateHomedirPrefix
, LDAPGenerateHomedirPrefixNoUsername
<VirtualHost>
, <Global>
<VirtualHost>
, <Global>
<VirtualHost>
, <Global>
<VirtualHost>
, <Global>
The LDAPGroups
directive activates LDAP GID-to-name lookups for
directory listings. The first parameter to this directive is the LDAP
base DN to use for GID-to-name lookups. The second through fourth
optional parameters are templates to be used for the search filter;
%v
will be replaced with the GID that is being looked up.
By default, the CN filter template look like this:
(&(LDAPAttr_cn=%v)(objectclass=posixGroup))The
gidNumber
filter template is:
(&(LDAPAttr_gidNumber=%v)(objectclass=posixGroup))and the
memberUid
filter template used is:
(&(LDAPAttr_memberUid=%v)(objectclass=posixGroup))
Note that filter templates are only supported in mod_ldap
version 2.8.3 and later.
The attribute names used in the default search filters are taken from the
LDAPAttr
directive.
<VirtualHost>
, <Global>
The LDAPLog
directive is used to specify a log file for
mod_ldap
's reporting on a per-server basis. The file
parameter given must be the full path to the file to use for logging.
Note that this path must not be to a world-writable directory and,
unless AllowLogSymlinks
is explicitly set to on
(generally a bad idea), the path must not be a symbolic link.
<VirtualHost>
, <Global>
The LDAPProtocolVersion
directive configures the version of
the LDAP protocol that mod_ldap
will use when talking to the
LDAP servers. The default protocol version used is 3.
<VirtualHost>
, <Global>
The LDAPQueryTimeout
directive configures the timeout value,
in seconds, that will be used for LDAP directory queries. The default timeout
value is determined by your LDAP API.
<VirtualHost>
, <Global>
The LDAPSearchScope
directive is used to set the scope used for
LDAP searches. The default setting, subtree, searches for all entries
in the tree from the current level down. Setting this directive to
onelevel searches only one level deep in the LDAP tree.
<VirtualHost>
, <Global>
The LDAPServer
directive allows you to to specify the hostname(s)
and port(s) of the LDAP server(s) to use for LDAP authentication. If no
LDAPServer
configuration directive is present, the default LDAP
servers specified by your LDAP library will be used.
To specify multiple LDAP servers, enclose the entire list of servers in quotation marks. For example:
LDAPServer "host1:port1 host2:port2"
Note that to use LDAPS (LDAP over SSL), use the url format, e.g.:
LDAPServer ldaps://host1:port1 ldaps://host2:port2Alternatively, you can use the
LDAPUseTLS
directive, e.g.:
LDAPServer ldap://host1:port1 ldap://host2:port2 LDAPUseTLS onto tell
mod_ldap
to use LDAP's STARTTLS mechanism.
<VirtualHost>
, <Global>
The LDAPUsers
directive activates LDAP UID-to-name lookups
for directory listings. The first parameter to this directive is the LDAP
base DN to use for UID-to-name lookups. The optional second parameter
is a template to be used for the search filter for the username; %v
will be replaced with the UID that is being looked up. Similarly, an optional
third parameter is also a template, to be used for the search filter for
the UID.
By default, the name search filter template looks like this:
(&(uid=%v)(objectclass=posixAccount))and the UID search filter template looks like this:
(&(LDAPAttr_uidNumber=%v)(objectclass=posixGroup))The uidNumber attribute name used in the search filter comes from the
LDAPAttr
directive.
Note that filter templates are only supported in mod_ldap
version 2.7 and later.
<VirtualHost>
, <Global>
The LDAPUseTLS
directive configures whether mod_ldap
will use SSL/TLS via STARTTLS to protect the connections made to the configured LDAP servers.
By default, the mod_ldap
module connects to the LDAP server via
non-encrypted connections. Enabling this option causes mod_ldap
to use an encrypted (TLS/SSL) connection to the LDAP server. If a secure
connection to the LDAP server fails, mod_ldap
will not
authenticate users; mod_ldap
will not fall back to an
unsecure connection.
./configure --with-modules=mod_ldap make make installYou may need to specify the location of the OpenLDAP header and library files in your
configure command, e.g.:
./configure --with-modules=mod_ldap \
--with-includes=/usr/local/openldap/include \
--with-libraries=/usr/local/openldap/lib
Usage
One mod_ldap
user submitted the following configuration for
allowing mod_ldap
to communicate to a Windows Active Directory
server. Note that this configuration has not been tested; if it works for
you (or not), please let us know:
<IfModule mod_ldap.c>
LDAPServer ldaps://dc.example.org:3268
LDAPUseTLS on
LDAPAuthBinds on
LDAPBindDN "cn=SRV_ACC_SVN_AUTH,ou=special accounts,ou=Sales,dc=example,dc=org" ******************
LDAPUsers ou=Users,ou=Sales,dc=example,dc=org "(&(sAMAccountName=%u)(objectclass=user)(memberOf=cn=Linux Admins,ou=Groups,ou=Sales,dc=example,DC=org))"
LDAPSearchScope subtree
# Assign default IDs
LDAPDefaultUID 106
LDAPDefaultGID 65534
# Create the home directory
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /home
# Use different attribute names where necessary
LDAPAttr uid sAMAccountName
LDAPAttr gidNumber primaryGroupID
</IfModule>
Logging
The mod_ldap
module supports trace logging, via the module-specific log channels:
- ldap
- ldap.library
Thus for trace logging, to aid in debugging, you would use the following in
your proftpd.conf
:
TraceLog /path/to/ftpd/trace.log
Trace ldap:20
This trace logging can generate large files; it is intended for debugging use
only, and should be removed from any production configuration.
© Copyright 2013-2015 TJ Saunders
All Rights Reserved