Configure LDAP-authenticated vsftpd for Fedora and CentOS

Source: Internet
Author: User
Our company's internal software R&D department has no proper way to release software builds to the testing department. Because the IT department is rather limited, it is not easy to get IT to build a complex continuous integration system, so we had to use an FTP server to release the builds to be tested. The R&D department currently has an internal server. I applied to IT for a Fedora 14 VMware virtual server; the vsftpd service has been installed on it. The company intranet also has a ready-made LDAP authentication server, but its configuration is very simple.

Now we need to configure vsftpd on this Fedora machine so that users can log on with their Windows domain accounts and so that different directories can carry different permissions. I don't know much about LDAP authentication. I only know that during my previous internship, Intel used Microsoft's integrated collaboration system for internal office work, which was very nice to use; in our company several attempts have been made to replace the Notes mail client with Thunderbird, and to make contact management easier the LDAP server was successfully added as the contact address book.

Now we need vsftpd to use this for authentication, and I had no clue, so I first searched the Internet. The general result was that 70% of the search results do not match the title and are useless; the remaining 20% are basically help posts by authors who ran into strange errors during their attempts and could not get authentication to work, so the configurations they posted have no reference value; the last 10% were written by authors who were quite confident and, without any explanation, directly posted the contents of their configuration files for the services to be configured. The worst thing is that these configurations were basically all done on Ubuntu, and they cannot simply be reused on Fedora --#

Adding the keyword fedora to the search made the results even worse. Everyone says that the configuration on Fedora does not work, and that one careless step leaves the system unable to log on...... Good grief, how horrible. Looking back on it: it's a virtual machine, so I went ahead and experimented following the Ubuntu steps. The consequences were really serious. After half a day of FTP authentication failures, the network dropped once, and when I tried to log on again, damn it, all authentication for local accounts was rejected. Sorry, this is a drama......

Fortunately, it was a virtual machine. I went to IT to open the VMware console and checked the log with my own account. I found the cause: because I had read an online post, I configured nsswitch while setting up authentication. Even without knowing what it is, I configured it. Later it turned out that this thing was the culprit: the purpose of that configuration is to use LDAP authentication for local accounts, but the LDAP configuration for local accounts had not been written yet. This was a tragedy. Just as I had psychologically prepared myself to reinstall the virtual machine, I suddenly found a previously opened ssh connection that had never completed a successful login but had not said it could not connect either, and which I had ignored. It had tried LDAP authentication, then tried the authentication methods specified in the respective configuration files, and finally failed over to the local passwd file for authentication, so I successfully logged on to the system and changed the wrong configurations...... A false alarm.

In order not to lose the wiki on the server, I had to install a CentOS virtual machine myself first. After repeated attempts, I filtered the configurations from the Internet one by one, continuously turning configuration items on and off and deleting useless configuration, and finally obtained a configuration method that passes authentication with the minimum modification of the default configuration after the system is installed. If any error occurs, look for the failure records in files such as /var/log/messages, /var/log/secure and so on. If logon authentication fails, it is usually recorded in the secure file. If the logon operation itself fails, you can check messages, /var/log/vsftpd, or whatever other log file your FTP server is configured to use.

The configuration method is as follows.

First of all, the vsftpd server can use a third-party authentication plug-in in place of its built-in mechanism. Here the PAM module is used, so vsftpd must be configured to use PAM authentication.

Second, because PAM authentication is a plug-in mechanism, it provides third-party authentication for many programs, so it has one configuration file per program that calls PAM to initiate authentication, and each program's file specifies the subsequent authentication methods that the PAM plug-ins should use for that program's needs. Here, the PAM configuration for vsftpd must be set to LDAP, which means that when the vsftpd server initiates authentication, PAM should take the account information passed in by the FTP server and authenticate it against LDAP.

Third, as far as I know, the LDAP authentication configuration is unique on the system. That means that no matter which program needs to perform LDAP authentication on the system, only one configuration, and therefore one LDAP server, can be specified; I am not sure whether different LDAP servers can be specified for different services. After the LDAP server configuration is specified here, the LDAP authentication initiated by PAM goes to LDAP, and the related software queries the authentication information on the LDAP server (openldap is used here).

The following configuration was verified on: Fedora 14 and above, CentOS 6.0 and above.

1. Install the software components required for the configuration

Install vsftpd and pam_ldap.so on top of a minimal installation, or select the corresponding components when installing the system:

Base System -> Directory Client -> pam_ldap
Servers -> Ftp Server
2. Disable the firewall to simplify configuration

After the installation is complete, enter the system. For convenience, first disable the firewall. After the configuration is complete, adjust the firewall configuration as needed and then start the firewall again.

service iptables stop    # effective immediately
chkconfig iptables off   # keep it off after reboot
3. Disable SELinux to simplify configuration

If SELinux is installed and you are not familiar with its configuration, we recommend disabling it. To do so, modify the contents of the /etc/selinux/config file:

SELINUX=disabled   # effective after restart
4. Configure the LDAP authentication parameters of PAM

Configure PAM's LDAP authentication by modifying the /etc/pam_ldap.conf file and setting the following parameters:

host 10.0.1.1
base cn=users,dc=server,dc=embedway,dc=com
binddn cn=ldap,cn=users,dc=server,dc=embedway,dc=com
bindpw 123456@E
pam_login_attribute sAMAccountName
5. Configure the vsftpd service to use PAM

Set the PAM authentication configuration of vsftpd by modifying /etc/pam.d/vsftpd and adding the following two lines:

auth    sufficient pam_ldap.so   # keep this as the first 'auth' item
account sufficient pam_ldap.so   # keep this as the first 'account' item
6. Configure the vsftpd service

Set vsftpd to enable guest users for LDAP authentication. Add the following content at the bottom of the /etc/vsftpd.conf file (if this is not a newly installed system, you may need to modify other options as appropriate).

This assumes that your default vsftpd configuration file already contains pam_service_name=vsftpd.

guest_enable=YES
guest_username=ftp
7. Start the FTP service

Run the following commands to start the FTP server:

service vsftpd start   # effective immediately
chkconfig vsftpd on    # autostart after system boot

That completes the configuration ~
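The following audit script is an added example, not part of the original post: it re-reads the files edited in steps 4 to 6 and checks the points the steps depend on (pam_ldap.so first in both PAM stacks, all pam_ldap.conf parameters present, the vsftpd options in place) plus two things a defender wants to know: that pam_ldap.conf, which stores bindpw in clear text, is readable only by root, and that nsswitch.conf does not list ldap for local accounts, the misconfiguration that locked the author out. The root directory argument is an assumption for testing against a scratch copy; pass / for the live system.

```shell
#!/bin/sh
# Added example: audits the vsftpd/PAM/LDAP files under the root given as $1.
# Prints one line per problem and returns the number of problems found.
check_vsftpd_ldap_config() {
    root=${1:-/}; problems=0
    pamd="$root/etc/pam.d/vsftpd"
    ldapconf="$root/etc/pam_ldap.conf"
    vsconf="$root/etc/vsftpd.conf"
    nss="$root/etc/nsswitch.conf"

    # Step 5: pam_ldap.so must be the FIRST auth and FIRST account entry;
    # an earlier 'required pam_unix.so' line would reject LDAP-only users.
    for type in auth account; do
        first=$(awk -v t="$type" '$1==t {print $2, $3; exit}' "$pamd" 2>/dev/null)
        [ "$first" = "sufficient pam_ldap.so" ] || {
            echo "$pamd: first '$type' line is not 'sufficient pam_ldap.so'"
            problems=$((problems+1)); }
    done

    # Step 4: every parameter present, and the file unreadable to others,
    # because bindpw is stored in clear text.
    for key in host base binddn bindpw pam_login_attribute; do
        grep -q "^$key " "$ldapconf" 2>/dev/null || {
            echo "$ldapconf: missing '$key'"; problems=$((problems+1)); }
    done
    perm=$(stat -c %a "$ldapconf" 2>/dev/null)
    case "$perm" in
        600|400) ;;
        *) echo "$ldapconf: mode is ${perm:-absent}, expected 600 (bindpw is clear text)"
           problems=$((problems+1)) ;;
    esac

    # Step 6: vsftpd must use the PAM service above and the guest mapping.
    for opt in pam_service_name=vsftpd guest_enable=YES guest_username=ftp; do
        grep -q "^$opt$" "$vsconf" 2>/dev/null || {
            echo "$vsconf: missing '$opt'"; problems=$((problems+1)); }
    done

    # The lockout described earlier: 'ldap' in the nsswitch passwd/shadow/group
    # lines makes LOCAL logins depend on LDAP, which this setup does not need.
    if grep -Eq '^(passwd|shadow|group):.*[[:space:]]ldap([[:space:]]|$)' "$nss" 2>/dev/null; then
        echo "$nss: ldap listed for passwd/shadow/group; local logins now depend on LDAP"
        problems=$((problems+1))
    fi
    return $problems
}
```

Run it as root after step 7; a non-zero exit status is the number of findings, each printed on its own line.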

For more information about Fedora, see the Fedora topics page: http://www.linuxidc.com/topicnews.aspx?Tid=5
