Anonymous_User

LUM for VSFTPD

I am an administrator on a 100-computer/8-server Novell network. We are
trying to implement our first OES Linux server with eDirectory and NSS
running FTP services.

We installed OES Linux and joined our existing test tree. vsftpd is loaded
and working when connecting with local Linux user accounts (root, admin,
etc.). We are hung up on using PAM -> LUM -> eDirectory for user
authentication. Ultimately we would like to use an eDirectory user for all
incoming FTP connections (all outside clients share the same account for
simplicity) and [more importantly] have the FTP directory/account home
directory on an NSS volume.

From iManager, we configured LUM properly (per instructions from Novell)
and converted our eDirectory users to LUM users (LUM-enabled them).
iManager reports back “successful”. We configured LDAP properly, and LUM
enabled all available PAM-aware services in iManager. We have the following
vsftpd PAM file in the /etc/pam.d directory. Again, local users can log in
through FTP, put files, etc. eDirectory users that I KNOW are LUM-enabled
cannot authenticate: "incorrect password", and nothing in the VSFTPD.log file.


Questions:

• What are we missing?
• iManager only lets you enable “FTP” services for use with LUM. Does this
cover all FTP programs, or would I specifically have to enable the vsftpd
program somehow?
• What about the PAM user name variable in my vsftpd.conf file (see below –
I don’t understand this at all – does PAM query LDAP, and if so, how do I
configure the authentication)?

write_enable=YES
dirmessage_enable=YES
local_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
anonymous_enable=NO
local_umask=000



Any clues would be greatly appreciated.


Anonymous_User

Re: LUM for VSFTPD

tbaumann@planningcenter.com,

vsftpd works here just out of the box. I had to set it up after realizing
that LUM doesn't support PureFTPd, which I was using previously.
My config file looks pretty much the same, except I have the umask set to
022, chroot the users, and I have a different banner 😉

Do you launch vsftpd in standalone mode or through xinetd? I have it started
through xinetd.

Uwe

Anonymous_User

Re: LUM for VSFTPD

> Questions:
>
> • What are we missing?


Does getent passwd return the names of your eDirectory users? If not,
then they either aren't LUM-enabled or you don't have PAM/NSS set up
correctly.

Did you go to the individual server and run the YaST2 Linux User
Management module? This will set up PAM to use pam_nam (which does the
eDirectory authentication). Once that's done, vsftpd should work out of
the box, as it just sees eDirectory users as normal Linux users, just as
if they were in /etc/passwd.

> • IManager only lets you enable “FTP” services for use with LUM. Does this
> cover all FTP programs, or would I specifically have to enable the VSFTPD
> program somehow?


Not sure what you're talking about here. In any event, you shouldn't
have to enable it if your PAM config (/etc/pam.d) is correct. My guess
is that the FTP section is to add schema and extended attributes to
users for FTP programs that natively use LDAP. When you go through PAM,
this isn't an issue however.

> • What about the PAM user name variable in my vsftpd.conf file (see below –
> I don’t understand this at all – does PAM query LDAP, and if so, how do I
> configure the authentication)?
>
> write_enable=YES
> dirmessage_enable=YES
> local_enable=YES
> xferlog_enable=YES
> connect_from_port_20=YES
> pam_service_name=vsftpd
> anonymous_enable=NO
> local_umask=000


Looks fine to me. pam_service_name tells PAM which config to run in
/etc/pam.d. Generally you only change this if you're running multiple
vsftpd's on the same machine with different authentication requirements.


--
Justin Grote
Network Architect
JWG Networks
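The checks the reply above walks through (does NSS resolve the user, does the PAM stack named by pam_service_name actually exist and route through the LUM module, and is the posted vsftpd.conf sane) can be scripted. The following is an added example, not code from the thread or from Novell/OES: it assumes the LUM PAM module file is called pam_nam.so, that vsftpd's compiled-in default service name is "ftp" when pam_service_name is unset, and it builds its own sample vsftpd.conf and PAM stack in a temporary directory so it runs offline. Run it as root on the OES host with the real paths (/etc/vsftpd.conf, /etc/pam.d) substituted for the constructed ones.

```shell
#!/bin/sh
# Added diagnostic for "local users log in, eDirectory users get 'incorrect
# password'" on a vsftpd host using PAM -> LUM -> eDirectory. Example code,
# not from the original post. Assumptions: the LUM PAM module is pam_nam.so,
# and vsftpd falls back to the PAM service "ftp" when pam_service_name is unset.

# Read the last uncommented value of KEY from a vsftpd.conf-style file.
vsftpd_conf_get() {  # usage: vsftpd_conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# PAM service vsftpd will ask for. If pam_service_name is missing, vsftpd
# uses "ftp", so a carefully written /etc/pam.d/vsftpd would never be read.
vsftpd_pam_service() {  # usage: vsftpd_pam_service FILE
    svc=$(vsftpd_conf_get "$1" pam_service_name)
    printf '%s\n' "${svc:-ftp}"
}

# Does the PAM stack for SERVICE have an auth line that loads MODULE?
# Returns 0 = yes, 1 = stack exists but lacks it, 2 = stack file missing.
pam_auth_uses_module() {  # usage: pam_auth_uses_module PAMDIR SERVICE MODULE
    [ -r "$1/$2" ] || return 2
    grep -Eq "^[[:space:]]*auth[[:space:]].*$3" "$1/$2"
}

# The reply's first question: is the account visible through NSS at all?
user_resolves() {  # usage: user_resolves NAME
    getent passwd "$1" >/dev/null 2>&1
}

# Print findings to stderr and the number of findings to stdout.
audit_vsftpd_conf() {  # usage: audit_vsftpd_conf CONF PAMDIR
    n=0
    svc=$(vsftpd_pam_service "$1")
    pam_auth_uses_module "$2" "$svc" pam_nam.so && rc=0 || rc=$?
    case $rc in
        1) echo "WARN: $2/$svc has no auth line for pam_nam.so; eDirectory users cannot authenticate" >&2
           n=$((n+1)) ;;
        2) echo "WARN: $2/$svc is missing; vsftpd will fall through to the PAM 'other' stack" >&2
           n=$((n+1)) ;;
    esac
    case $(vsftpd_conf_get "$1" local_umask) in
        0|00|000) echo "WARN: local_umask=000 makes every upload world-writable; use 022 (or 077)" >&2
                  n=$((n+1)) ;;
    esac
    if [ "$(vsftpd_conf_get "$1" chroot_local_user)" != YES ]; then
        echo "NOTE: chroot_local_user is not YES; a shared FTP account can browse outside its home" >&2
        n=$((n+1))
    fi
    echo "$n"
}

# Constructed sample: the original post's vsftpd.conf plus a PAM stack that
# only knows local accounts (what the "local users work, LUM users fail" host looks like).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/vsftpd.conf" <<'EOF'
write_enable=YES
dirmessage_enable=YES
local_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
anonymous_enable=NO
local_umask=000
EOF
mkdir -p "$DEMO/pam.d"
cat > "$DEMO/pam.d/vsftpd" <<'EOF'
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF

echo "PAM service vsftpd will use: $(vsftpd_pam_service "$DEMO/vsftpd.conf")"
findings=$(audit_vsftpd_conf "$DEMO/vsftpd.conf" "$DEMO/pam.d")
echo "findings: $findings"
```

On a real host, replace the constructed paths with /etc/vsftpd.conf and /etc/pam.d, then run `user_resolves <edir-user>`; if that fails, stop there, because vsftpd never gets past NSS and no PAM setting will help. If it succeeds and the audit still reports the missing pam_nam.so line, the service file named by pam_service_name is the one to fix.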