Anonymous_User Absent Member.
10564 views

getting ldap, pure-ftpd and apache2 working together on OES2

My goal is to allow a LUM-enabled user to ftp files to their home directory
public_html and make that available as a website on the OES2/linux server.

I think that my first hurdle is to correct some problem with ldap. When I
try to login with ftp, I get this:


ftp> user .gan.empire.bc
331 User .gan.empire.bc OK. Password required
Password:
530 Authentication failed, sorry
Login failed.


The /var/log/messages shows:

Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [.gan.empire.bc]


Where do I start?


0 Likes
24 Replies
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

I've followed suggestions to edit the /etc/pam.d/pure-ftpd

I still appear to have an ldap problem preventing login - but the error
message has changed:

Jul 23 13:15:02 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
172.16.4.80
Jul 23 13:15:09 empire /usr/sbin/namcd[4306]: findUserWithoutUIDAndGID:
Return code from the search: [32]
Jul 23 13:15:09 empire pure-ftpd: PAM_NAM: User gan.empire.bc unknown to the
authentication module
Jul 23 13:15:09 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan.empire.bc]
Jul 23 13:27:05 empire /usr/sbin/namcd[4306]: findUserWithoutUIDAndGID:
Return code from the search: [32]
Jul 23 13:27:05 empire pure-ftpd: PAM_NAM: User .gan.empire.bc unknown to
the authentication module
Jul 23 13:27:05 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [.gan.empire.bc]
Jul 23 13:27:20 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
ldapssl_init
Jul 23 13:27:20 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
trying to connect to the alternative LDAP server
Jul 23 13:27:20 empire pure-ftpd: _nds_ldap_init: Unable to get list of
alternative LDAP servers from the config file, error [2]
Jul 23 13:27:20 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
failed
Jul 23 13:27:20 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
Jul 23 13:27:20 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
return ldap handle
Jul 23 13:27:20 empire pure-ftpd: PAM_NAM : NDS Login failed
Jul 23 13:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan]


Maybe I should take this question to the linux.web-services forum?


0 Likes
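Added example (not part of any post in this thread): a small Python triage script for the two failure signatures in the logs above, the directory search returning LDAP result 32 (noSuchObject) and pam_nam failing in ldapssl_init before it has an LDAP connection. The sample log is constructed from lines quoted in this thread, including their mail-style wrapping; the cause labels and diagnosis strings are this example's own naming and reading of the messages, not pam_nam or pure-ftpd output.

```python
import re

# Constructed sample, modelled on the /var/log/messages excerpts quoted in
# this thread (long lines are wrapped the way the posts wrapped them).
SAMPLE_LOG = """\
Jul 23 13:27:05 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
172.16.4.80
Jul 23 13:27:05 empire /usr/sbin/namcd[4306]: findUserWithoutUIDAndGID:
Return code from the search: [32]
Jul 23 13:27:05 empire pure-ftpd: PAM_NAM: User .gan.empire.bc unknown to
the authentication module
Jul 23 13:27:05 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [.gan.empire.bc]
Jul 23 13:27:20 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
ldapssl_init
Jul 23 13:27:20 empire pure-ftpd: _nds_ldap_init: Unable to get list of
alternative LDAP servers from the config file, error [2]
Jul 23 13:27:20 empire pure-ftpd: PAM_NAM : NDS Login failed
Jul 23 13:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan]
Jul 23 13:50:29 linuxAMD64 pure-ftpd: (?@192.168.1.100) [INFO] New
connection from 192.168.1.100
Jul 23 13:50:29 linuxAMD64 pure-ftpd: pam_ldap_init(): ldap handle is
NULL from ldapssl_init
Jul 23 13:50:29 linuxAMD64 pure-ftpd: (?@192.168.1.100) [INFO] dave is
now logged in
"""

# A syslog record starts with "Mon DD HH:MM:SS "; anything else is a wrapped tail.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Message fragment -> cause label (labels are this example's own naming).
CAUSES = [
    (re.compile(r"Return code from the search: \[32\]"), "no_such_object"),
    (re.compile(r"ldap_search_s No such object"), "no_such_object"),
    (re.compile(r"ldap handle is NULL from ldapssl_init"), "ldap_ssl_init_failed"),
    (re.compile(r"Unable to get list of alternative LDAP servers"),
     "no_alternative_ldap_server"),
    (re.compile(r"unknown to the authentication module"), "user_unknown_to_pam_nam"),
]
FAILED = re.compile(r"Authentication failed for user \[([^\]]*)\]")
LOGGED_IN = re.compile(r"\[INFO\] (\S+) is now logged in")


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def diagnose(causes, logged_in):
    """Turn the causes seen during one attempt into a one-line reading."""
    if logged_in and causes:
        return ("accepted although pam_nam logged errors in the same attempt: "
                "check which method in the authentication chain accepted it")
    if "ldap_ssl_init_failed" in causes:
        return ("pam_nam could not initialise its LDAP connection (ldapssl_init): "
                "a connection/TLS setup problem, not a bad login name")
    if "no_such_object" in causes:
        return ("directory search returned no entry for this login name "
                "(LDAP result 32, noSuchObject): check the name form used")
    if logged_in:
        return "ok"
    return "rejected with no backend error logged"


def triage(text):
    """Return one dict per login attempt, with the causes logged before it."""
    attempts, causes = [], []
    for rec in unwrap(text):
        for pattern, label in CAUSES:
            if pattern.search(rec) and label not in causes:
                causes.append(label)
        failed, ok = FAILED.search(rec), LOGGED_IN.search(rec)
        if failed or ok:
            attempts.append({
                "time": rec[:15],
                "user": (failed or ok).group(1),
                "outcome": "failed" if failed else "logged_in",
                "causes": causes,
                "diagnosis": diagnose(causes, bool(ok)),
            })
            causes = []  # the next attempt starts with a clean slate
    return attempts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f'{a["time"]} {a["user"]:<16} {a["outcome"]:<10} {a["diagnosis"]}')
```

Run it against a saved copy of /var/log/messages by passing the file's text to `triage()`; an attempt that is accepted while pam_nam is erroring is worth a closer look, because the directory did not make that decision.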
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
> My goal is to allow a LUM-enabled user to ftp files to their home directory
> public_html and make that available as a website on the OES2/linux server.
>
> I think that my first hurdle is to correct some problem with ldap. When I
> try to login with ftp, I get this:
>
>
> ftp> user .gan.empire.bc
> 331 User .gan.empire.bc OK. Password required
> Password:
> 530 Authentication failed, sorry
> Login failed.
>
>
> The /var/log/messages shows:
>
> Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
> Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [.gan.empire.bc]
>
>
> Where do I start?
>
>


Try this for starters...


Pure FTP

A few things ...
1) LUM enable your users.
2) Go to YAST and in the System Section run System Services and ENABLE
the Pure FTP server
3) Test the server for anonymous login -- if that works...
4) Go to the following link...
http://forums.novell.com/novell-product-support-forums/suse-linux-enterprise-server-sles/sles-configure-administer/280149-pureftp-oes2.html

5) go to the /etc/pam.d dir and look for the pureFTP config file
6) comment out the current stuff (# char in first position)
7) Enter the following lines instead as per the above link

auth sufficient pam_nam.so
account sufficient pam_nam.so
password sufficient pam_nam.so
session optional pam_nam.so

8) restart the server -- you can use system services to switch it on and
off if you are lazy like me -- or the
restart pure-ftpd command as follows -- rcpure-ftpd restart.

That summarizes advice I have found and it works for my login. I have
not tested the others yet and checked for LUM enable users. But I will
shortly


--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Thanks for the suggestion Will R.

I think that change has brought me closer to an answer. But I still can't
login - perhaps I've got something wrong with my LDAP config?

Here's the /var/log/messages for my most recent attempt:



Jul 23 15:43:16 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
172.16.4.80
Jul 23 15:43:23 empire /usr/sbin/namcd[4306]: findUserWithoutUIDAndGID:
Return code from the search: [32]
Jul 23 15:43:23 empire pure-ftpd: PAM_NAM: User .gan.empire.bc unknown to
the authentication module
Jul 23 15:43:23 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [.gan.empire.bc]





"WillR" <willrLESSthe@SPAMMMpmccl.com> wrote in message
news:8LLhk.10943$g35.1155@kovat.provo.novell.com...
> Gregg Nicholas wrote:
> > My goal is to allow a LUM-enabled user to ftp files to their home directory
> > public_html and make that available as a website on the OES2/linux server.
> >
> > I think that my first hurdle is to correct some problem with ldap. When I
> > try to login with ftp, I get this:
> >
> >
> > ftp> user .gan.empire.bc
> > 331 User .gan.empire.bc OK. Password required
> > Password:
> > 530 Authentication failed, sorry
> > Login failed.
> >
> >
> > The /var/log/messages shows:
> >
> > Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
> > Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> > failed for user [.gan.empire.bc]
> >
> >
> > Where do I start?
> >
> >

>
> Try this for starters...
>
>
> Pure FTP
>
> A few things ...
> 1) LUM enable your users.
> 2) Go to YAST and in the System Section run System Services and ENABLE
> the Pure FTP server
> 3) Test the server for anonymous login -- if that works...
> 4) Go to the following link...
> http://forums.novell.com/novell-product-support-forums/suse-linux-enterprise-server-sles/sles-configure-administer/280149-pureftp-oes2.html
>
> 5) go to the /etc/pam.d dir and look for the pureFTP config file
> 6) comment out the current stuff (# char in first position)
> 7) Enter the following lines instead as per the above link
>
> auth sufficient pam_nam.so
> account sufficient pam_nam.so
> password sufficient pam_nam.so
> session optional pam_nam.so
>
> 8) restart the server -- you can use system services to switch it on and
> off if you are lazy like me -- or the
> restart pure-ftpd command as follows -- rcpure-ftpd restart.
>
> That summarizes advice I have found and it works for my login. I have
> not tested the others yet and checked for LUM enable users. But I will
> shortly
>
>
> --
> Will R
> PMC Consulting



0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Hi Will R,

after further testing, I realized that I need to use the common name - not
the fully qualified user name. Still looks like I have something wrong with
LDAP, but perhaps these error messages will be more enlightening:

I've still got something wrong...


empire:/etc/pam.d # id gan
uid=619(GAN) gid=610(LUM-Group) groups=610(LUM-Group)


Jul 23 15:50:21 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
ldapssl_init
Jul 23 15:50:21 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
trying to connect to the alternative LDAP server
Jul 23 15:50:21 empire pure-ftpd: _nds_ldap_init: Unable to get list of
alternative LDAP servers from the config file, error [2]
Jul 23 15:50:21 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
failed
Jul 23 15:50:21 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
Jul 23 15:50:21 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
return ldap handle
Jul 23 15:50:21 empire pure-ftpd: PAM_NAM : NDS Login failed
Jul 23 15:50:21 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan]



0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
> Thanks for the suggestion Will R.
>
> I think that change has brought me closer to an answer. But I still can't
> login - perhaps I've got something wrong with my LDAP config?
>
> Here's the /var/log/messages for my most recent attempt:
>
>
>
> Jul 23 15:43:16 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
> 172.16.4.80
> Jul 23 15:43:23 empire /usr/sbin/namcd[4306]: findUserWithoutUIDAndGID:
> Return code from the search: [32]
> Jul 23 15:43:23 empire pure-ftpd: PAM_NAM: User .gan.empire.bc unknown to
> the authentication module
> Jul 23 15:43:23 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [.gan.empire.bc]
>


********************************************************
Jul 23 12:01:52 linuxAMD64 syslog-ng[2496]: STATS: dropped 0
Jul 23 13:01:53 linuxAMD64 syslog-ng[2496]: STATS: dropped 0
Jul 23 13:50:29 linuxAMD64 pure-ftpd: (?@192.168.1.100) [INFO] New
connection from 192.168.1.100
Jul 23 13:50:29 linuxAMD64 pure-ftpd: pam_ldap_init(): ldap handle is
NULL from ldapssl_init
Jul 23 13:50:29 linuxAMD64 pure-ftpd: _nds_ldap_init: pam_ldap_init()
failed, trying to connect to the alternative LDAP server
Jul 23 13:50:29 linuxAMD64 pure-ftpd: _nds_ldap_init: Unable to get list
of alternative LDAP servers from the config file, error [2]
Jul 23 13:50:29 linuxAMD64 pure-ftpd:
PAM_NAM:_nds_loginUser():_nds_ldap_init failed
Jul 23 13:50:29 linuxAMD64 pure-ftpd: ldapmapstatus():pam_get_data() failed
Jul 23 13:50:29 linuxAMD64 pure-ftpd: PAM_NAM:_nds_clear_and_exit()
could not return ldap handle
Jul 23 13:50:29 linuxAMD64 pure-ftpd: (?@192.168.1.100) [INFO] dave is
now logged in
Jul 23 19:50:29 linuxAMD64 pure-ftpd: (dave@192.168.1.100) [INFO] Can't
change directory to /home/dave: No such file or directory

****************************************************************************

What is interesting is that it does find the proper home directory -- I
just checked.

Now I did notice the "." in front of the name. Why is that?


Here is the CONF file -- with some changes I made today -- marked...

------------------------------------


############################################################
# #
# Configuration file for pure-ftpd wrappers #
# #
############################################################

# If you want to run Pure-FTPd with this configuration
# instead of command-line options, please run the
# following command :
#
# /usr/sbin/pure-config.pl /usr/etc/pure-ftpd.conf
#
# Please don't forget to have a look at documentation at
# http://www.pureftpd.org/documentation.shtml for a complete list of
# options.

# Cage in every user in his home directory
# changed to no by dwr july 23 2008

ChrootEveryone no



# If the previous option is set to "no", members of the following group
# won't be caged. Others will be. If you don't want chroot()ing anyone,
# just comment out ChrootEveryone and TrustedGID.


# TrustedGID 100



# Turn on compatibility hacks for broken clients

BrokenClientsCompatibility no



# Maximum number of simultaneous users

MaxClientsNumber 10



# Fork in background

Daemonize yes



# Maximum number of sim clients with the same IP address

MaxClientsPerIP 3



# If you want to log all client commands, set this to "yes".
# This directive can be duplicated to also log server responses.

VerboseLog no


# Allow dot-files
AllowDotFiles yes


# List dot-files even when the client doesn't send "-a".

DisplayDotFiles yes



# Don't allow authenticated users - have a public anonymous FTP only.
# Changed next
AnonymousOnly no



# Disallow anonymous connections. Only allow authenticated users.
# Changed next dwr 01/06/2008
NoAnonymous no



# Syslog facility (auth, authpriv, daemon, ftp, security, user, local*)
# The default facility is "ftp". "none" disables logging.

SyslogFacility ftp



# Display fortune cookies

# FortunesFile /usr/share/fortune/zippy



# Don't resolve host names in log files. Logs are less verbose, but
# it uses less bandwidth. Set this to "yes" on very busy servers or
# if you don't have a working DNS.

DontResolve yes



# Maximum idle time in minutes (default = 15 minutes)

MaxIdleTime 15



# LDAP configuration file (see README.LDAP)

# LDAPConfigFile /etc/pure-ftpd/pureftpd-ldap.conf



# MySQL configuration file (see README.MySQL)

# MySQLConfigFile /etc/pure-ftpd/pureftpd-mysql.conf


# Postgres configuration file (see README.PGSQL)

# PGSQLConfigFile /etc/pure-ftpd/pureftpd-pgsql.conf


# PureDB user database (see README.Virtual-Users)

# PureDB /etc/pure-ftpd/pureftpd.pdb


# Path to pure-authd socket (see README.Authentication-Modules)

# ExtAuth /var/run/ftpd.sock



# If you want to enable PAM authentication, uncomment the following line

PAMAuthentication yes



# If you want simple Unix (/etc/passwd) authentication, uncomment this

UnixAuthentication yes



# Please note that LDAPConfigFile, MySQLConfigFile, PAMAuthentication and
# UnixAuthentication can be used only once, but they can be combined
# together. For instance, if you use MySQLConfigFile, then UnixAuthentication,
# the SQL server will be asked. If the SQL authentication fails because the
# user wasn't found, another try will be done with /etc/passwd and
# /etc/shadow. If the SQL authentication fails because the password was wrong,
# the authentication chain stops here. Authentication methods are chained in
# the order they are given.



# 'ls' recursion limits. The first argument is the maximum number of
# files to be displayed. The second one is the max subdirectories depth

LimitRecursion 2000 8



# Are anonymous users allowed to create new directories ?

AnonymousCanCreateDirs no



# If the system is more loaded than the following value,
# anonymous users aren't allowed to download.

MaxLoad 4



# Port range for passive connections replies. - for firewalling.

# PassivePortRange 30000 50000



# Force an IP address in PASV/EPSV/SPSV replies. - for NAT.
# Symbolic host names are also accepted for gateways with dynamic IP
# addresses.

# ForcePassiveIP 192.168.0.1



# Upload/download ratio for anonymous users.

# AnonymousRatio 1 10



# Upload/download ratio for all users.
# This directive supersedes the previous one.

# UserRatio 1 10



# Disallow downloading of files owned by "ftp", ie.
# files that were uploaded but not validated by a local admin.

AntiWarez yes



# IP address/port to listen to (default=all IP and port 21).

# Bind 127.0.0.1,21



# Maximum bandwidth for anonymous users in KB/s

# AnonymousBandwidth 8



# Maximum bandwidth for *all* users (including anonymous) in KB/s
# Use AnonymousBandwidth *or* UserBandwidth, both makes no sense.

# UserBandwidth 8



# File creation mask. <umask for files>:<umask for dirs> .
# 177:077 if you feel paranoid.

Umask 177:077



# Minimum UID for an authenticated user to log in.

MinUID 40



# Allow FXP transfers for authenticated users.

AllowUserFXP no



# Allow anonymous FXP for anonymous and non-anonymous users.

AllowAnonymousFXP no



# Users can't delete/write files beginning with a dot ('.')
# even if they own them. If TrustedGID is enabled, this group
# will have access to dot-files, though.

ProhibitDotFilesWrite yes



# Prohibit *reading* of files beginning with a dot (.history, .ssh...)

ProhibitDotFilesRead no



# Never overwrite files. When a file whose name already exists is uploaded,
# it gets automatically renamed to file.1, file.2, file.3, ...
# changed to no till I turn on hardlinks for nss volumes...
# see web-services forum -- use pure for kwd.

AutoRename no



# Disallow anonymous users to upload new files (no = upload is allowed)

AnonymousCantUpload yes



# Only connections to this specific IP address are allowed to be
# non-anonymous. You can use this directive to open several public IPs for
# anonymous FTP, and keep a private firewalled IP for remote administration.
# You can also only allow a non-routable local IP (like 10.x.x.x) to
# authenticate, and keep a public anon-only FTP server on another IP.

#TrustedIP 10.1.1.1



# If you want to add the PID to every logged line, uncomment the following
# line.

#LogPID yes



# Create an additional log file with transfers logged in an Apache-like format :
# fw.c9x.org - jedi [13/Dec/1975:19:36:39] "GET /ftp/linux.tar.bz2" 200 21809338
# This log file can then be processed by www traffic analyzers.

# AltLog clf:/var/log/pureftpd.log



# Create an additional log file with transfers logged in a format optimized
# for statistic reports.

# AltLog stats:/var/log/pureftpd.log



# Create an additional log file with transfers logged in the standard W3C
# format (compatible with most commercial log analyzers)

# AltLog w3c:/var/log/pureftpd.log



# Disallow the CHMOD command. Users can't change perms of their files.

#NoChmod yes



# Allow users to resume and upload files, but *NOT* to delete them.

#KeepAllFiles yes



# Automatically create home directories if they are missing

#CreateHomeDir yes



# Enable virtual quotas. The first number is the max number of files.
# The second number is the max size of megabytes.
# So 1000:10 limits every user to 1000 files and 10 Mb.

#Quota 1000:10



# If your pure-ftpd has been compiled with standalone support, you can change
# the location of the pid file. The default is /var/run/pure-ftpd.pid

#PIDFile /var/run/pure-ftpd.pid



# If your pure-ftpd has been compiled with pure-uploadscript support,
# this will make pure-ftpd write info about new uploads to
# /var/run/pure-ftpd.upload.pipe so pure-uploadscript can read it and
# spawn a script to handle the upload.

#CallUploadScript yes



# This option is useful with servers where anonymous upload is
# allowed. As /var/ftp is in /var, it save some space and protect
# the log files. When the partition is more that X percent full,
# new uploads are disallowed.

MaxDiskUsage 99



# Set to 'yes' if you don't want your users to rename files.

NoRename yes



# Be 'customer proof' : workaround against common customer mistakes like
# 'chmod 0 public_html', that are valid, but that could cause ignorant
# customers to lock their files, and then keep your technical support busy
# with silly issues. If you're sure all your users have some basic Unix
# knowledge, this feature is useless. If you're a hosting service, enable it.

CustomerProof yes



# Per-user concurrency limits. It will only work if the FTP server has
# been compiled with --with-peruserlimits (and this is the case on
# most binary distributions) .
# The format is : <max sessions per user>:<max anonymous sessions>
# For instance, 3:20 means that the same authenticated user can have 3 active
# sessions max. And there are 20 anonymous sessions max.

# PerUserLimits 3:20



# When a file is uploaded and there is already a previous version of the file
# with the same name, the old file will neither get removed nor truncated.
# Upload will take place in a temporary file and once the upload is complete,
# the switch to the new version will be atomic. For instance, when a large PHP
# script is being uploaded, the web server will still serve the old version and
# immediately switch to the new one as soon as the full file will have been
# transferred. This option is incompatible with virtual quotas.

# NoTruncate yes



# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
# including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

# TLS 1



# Listen only to IPv4 addresses in standalone mode (ie. disable IPv6)
# By default, both IPv4 and IPv6 are enabled.

# IPV4Only yes



# Listen only to IPv6 addresses in standalone mode (ie. disable IPv4)
# By default, both IPv4 and IPv6 are enabled.

# IPV6Only yes


-------------------------------------




>
>
>
>
> "WillR" <willrLESSthe@SPAMMMpmccl.com> wrote in message
> news:8LLhk.10943$g35.1155@kovat.provo.novell.com...
>> Gregg Nicholas wrote:
>>> My goal is to allow a LUM-enabled user to ftp files to their home directory
>>> public_html and make that available as a website on the OES2/linux server.
>>>
>>> I think that my first hurdle is to correct some problem with ldap. When I
>>> try to login with ftp, I get this:
>>>
>>>
>>> ftp> user .gan.empire.bc
>>> 331 User .gan.empire.bc OK. Password required
>>> Password:
>>> 530 Authentication failed, sorry
>>> Login failed.
>>>
>>>
>>> The /var/log/messages shows:
>>>
>>> Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
>>> Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
>>> failed for user [.gan.empire.bc]
>>>
>>>
>>> Where do I start?
>>>
>>>

>> Try this for starters...
>>
>>
>> Pure FTP
>>
>> A few things ...
>> 1) LUM enable your users.
>> 2) Go to YAST and in the System Section run System Services and ENABLE
>> the Pure FTP server
>> 3) Test the server for anonymous login -- if that works...
>> 4) Go to the following link...
>> http://forums.novell.com/novell-product-support-forums/suse-linux-enterprise-server-sles/sles-configure-administer/280149-pureftp-oes2.html
>>
>> 5) go to the /etc/pam.d dir and look for the pureFTP config file
>> 6) comment out the current stuff (# char in first position)
>> 7) Enter the following lines instead as per the above link
>>
>> auth sufficient pam_nam.so
>> account sufficient pam_nam.so
>> password sufficient pam_nam.so
>> session optional pam_nam.so
>>
>> 8) restart the server -- you can use system services to switch it on and
>> off if you are lazy like me -- or the
>> restart pure-ftpd command as follows -- rcpure-ftpd restart.
>>
>> That summarizes advice I have found and it works for my login. I have
>> not tested the others yet and checked for LUM enable users. But I will
>> shortly
>>
>>
>> --
>> Will R
>> PMC Consulting

>
>



--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg:

One more thing -- I think you have to be logged in as the user you are
testing -- think of the authentication method...



Gregg Nicholas wrote:
> Hi Will R,
>
> after further testing, I realized that I need to use the common name - not
> the fully qualified user name. Still looks like I have something wrong with
> LDAP, but perhaps these error messages will be more enlightening:
>
> I've still got something wrong...
>
>
> empire:/etc/pam.d # id gan
> uid=619(GAN) gid=610(LUM-Group) groups=610(LUM-Group)
>
>
> Jul 23 15:50:21 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
> ldapssl_init
> Jul 23 15:50:21 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
> trying to connect to the alternative LDAP server
> Jul 23 15:50:21 empire pure-ftpd: _nds_ldap_init: Unable to get list of
> alternative LDAP servers from the config file, error [2]
> Jul 23 15:50:21 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
> failed
> Jul 23 15:50:21 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
> Jul 23 15:50:21 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
> return ldap handle
> Jul 23 15:50:21 empire pure-ftpd: PAM_NAM : NDS Login failed
> Jul 23 15:50:21 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [gan]
>
>
>



--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

I changed my pure-ftpd.conf to match yours. Still can't authenticate to my
nds user object. I still think I've got something wrong with my ldap
config. Doesn't seem to make sense that the client workstation would
already need to be logged into Netware as the intended ftp user - isn't that
what the username/password ftp login is for?

.....Gregg

C:\>ftp 192.168.5.4
Connected to 192.168.5.4.
220-Welcome to Pure-FTPd.
220-You are user number 1 of 10 allowed.
220 You will be disconnected after 15 minutes of inactivity.
User (192.168.5.4:(none)): gan
331 User gan OK. Password required
Password:
530 Authentication failed, sorry
Login failed.
ftp>

Jul 23 16:46:56 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
172.16.4.80
Jul 23 16:46:58 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
ldapssl_init
Jul 23 16:46:58 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
trying to connect to the alternative LDAP server
Jul 23 16:46:58 empire pure-ftpd: _nds_ldap_init: Unable to get list of
alternative LDAP servers from the config file, error [2]
Jul 23 16:46:58 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
failed
Jul 23 16:46:58 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
Jul 23 16:46:58 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
return ldap handle
Jul 23 16:46:58 empire pure-ftpd: PAM_NAM : NDS Login failed
Jul 23 16:46:58 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan]



0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
> I changed my pure-ftpd.conf to match yours. Still can't authenticate to my
> nds user object. I still think I've got something wrong with my ldap
> config. Doesn't seem to make sense that the client workstation would
> already need to be logged into Netware as the intended ftp user - isn't that
> what the username/password ftp login is for?
>
> ....Gregg
>
> C:\>ftp 192.168.5.4
> Connected to 192.168.5.4.
> 220-Welcome to Pure-FTPd.
> 220-You are user number 1 of 10 allowed.
> 220 You will be disconnected after 15 minutes of inactivity.
> User (192.168.5.4:(none)): gan
> 331 User gan OK. Password required
> Password:
> 530 Authentication failed, sorry
> Login failed.
> ftp>
>
> Jul 23 16:46:56 empire pure-ftpd: (?@172.16.4.80) [INFO] New connection from
> 172.16.4.80
> Jul 23 16:46:58 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
> ldapssl_init
> Jul 23 16:46:58 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
> trying to connect to the alternative LDAP server
> Jul 23 16:46:58 empire pure-ftpd: _nds_ldap_init: Unable to get list of
> alternative LDAP servers from the config file, error [2]
> Jul 23 16:46:58 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
> failed
> Jul 23 16:46:58 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
> Jul 23 16:46:58 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
> return ldap handle
> Jul 23 16:46:58 empire pure-ftpd: PAM_NAM : NDS Login failed
> Jul 23 16:46:58 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [gan]
>
>
>


I was thinking of authentication. Ours works with only /user/pass -- for
at least one user. 🙂

My user name is working -- others on our system are not. Not sure of
what the issue is.

We have anonymous authentication working. SO that is ok.

That is the same error I am getting for some of my users. I want to
solve this as well. This has to be a user configuration issue -- not an
LDAP issue.

Later today I will work on it.


--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
> My goal is to allow a LUM-enabled user to ftp files to their home directory
> public_html and make that available as a website on the OES2/linux server.
>
> I think that my first hurdle is to correct some problem with ldap. When I
> try to login with ftp, I get this:
>
>
> ftp> user .gan.empire.bc
> 331 User .gan.empire.bc OK. Password required
> Password:
> 530 Authentication failed, sorry
> Login failed.
>
>
> The /var/log/messages shows:
>
> Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
> Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [.gan.empire.bc]
>
>
> Where do I start?
>
>



Found this as well in a previous post ...
http://www.novell.com/coolsolutions/appnote/14511.html


--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

> Found this as well in a previous post ...
> http://www.novell.com/coolsolutions/appnote/14511.html
>


That appnote isn't very clear. Normally, I'm very fond of the way that
linux gives us multiple options and choices on how to configure things - but
I think we need some focus here. Since we're not dealing with generic
linux, we're trying to integrate with eDirectory user objects, there should
be clear instructions on how to configure PAM for basic functions like ftp
and ssh.

Some of the files mentioned in that appnote don't even exist on OES2. I'm
afraid that it is over 3 years old and doesn't apply anymore.

when I perform an 'id' command on the user object, it seems fine:
# id gan
uid=619(GAN) gid=610(LUM-Group) groups=610(LUM-Group)

however, ftp login attempts fail.

/var/log/messages gives me some hints about the problem, but I don't know
how to fix it.

Jul 30 10:08:03 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
ldapssl_init
Jul 30 10:08:03 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
trying to connect to the alternative LDAP server
Jul 30 10:08:03 empire pure-ftpd: _nds_ldap_init: Unable to get list of
alternative LDAP servers from the config file, error [2]
Jul 30 10:08:03 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
failed
Jul 30 10:08:03 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
Jul 30 10:08:03 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
return ldap handle
Jul 30 10:08:03 empire pure-ftpd: PAM_NAM : NDS Login failed
Jul 30 10:08:03 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
failed for user [gan]


Guess I'll try posting my questions in the web-services group.
.....Gregg


0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
>> Found this as well in a previous post ...
>> http://www.novell.com/coolsolutions/appnote/14511.html
>>

>
> That appnote isn't very clear. Normally, I'm very fond of the way that
> linux gives us multiple options and choices on how to configure things - but
> I think we need some focus here. Since we're not dealing with generic
> linux, we're trying to integrate with eDirectory user objects, there should
> be clear instructions on how to configure PAM for basic functions like ftp
> and ssh.
>
> Some of the files mentioned in that appnote don't even exist on OES2. I'm
> afraid that it is over 3 years old and doesn't apply anymore.
>
> when I perform an 'id' command on the user object, it seems fine:
> # id gan
> uid=619(GAN) gid=610(LUM-Group) groups=610(LUM-Group)
>
> however, ftp login attempts fail.
>
> /var/log/messages gives me some hints about the problem, but I don't know
> how to fix it.
>
> Jul 30 10:08:03 empire pure-ftpd: pam_ldap_init(): ldap handle is NULL from
> ldapssl_init
> Jul 30 10:08:03 empire pure-ftpd: _nds_ldap_init: pam_ldap_init() failed,
> trying to connect to the alternative LDAP server
> Jul 30 10:08:03 empire pure-ftpd: _nds_ldap_init: Unable to get list of
> alternative LDAP servers from the config file, error [2]
> Jul 30 10:08:03 empire pure-ftpd: PAM_NAM:_nds_loginUser():_nds_ldap_init
> failed
> Jul 30 10:08:03 empire pure-ftpd: ldapmapstatus():pam_get_data() failed
> Jul 30 10:08:03 empire pure-ftpd: PAM_NAM:_nds_clear_and_exit() could not
> return ldap handle
> Jul 30 10:08:03 empire pure-ftpd: PAM_NAM : NDS Login failed
> Jul 30 10:08:03 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [gan]
>
>
> Guess I'll try posting my questions in the web-services group.
> ....Gregg
>
>


My sentiments exactly.

I am still struggling with this issue as well.

Admin and my login works -- others don't. Pretty frustrating.


--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

Gregg Nicholas wrote:
> My goal is to allow a LUM-enabled user to ftp files to their home directory
> public_html and make that available as a website on the OES2/linux server.
>
> I think that my first hurdle is to correct some problem with ldap. When I
> try to login with ftp, I get this:
>
>
> ftp> user .gan.empire.bc
> 331 User .gan.empire.bc OK. Password required
> Password:
> 530 Authentication failed, sorry
> Login failed.
>
>
> The /var/log/messages shows:
>
> Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
> Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> failed for user [.gan.empire.bc]
>
>
> Where do I start?
>
>



Did you see this note? See workaround...

http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3737378&sliceId=1&docTypeID=DT_TID_1_1&dialogID=48515951&stateId=0%200%2048519542


--
Will R
PMC Consulting
0 Likes
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

WillR wrote:
> Gregg Nicholas wrote:
>> My goal is to allow a LUM-enabled user to ftp files to their home directory
>> public_html and make that available as a website on the OES2/linux server.
>>
>> I think that my first hurdle is to correct some problem with ldap. When I
>> try to login with ftp, I get this:
>>
>>
>> ftp> user .gan.empire.bc
>> 331 User .gan.empire.bc OK. Password required
>> Password:
>> 530 Authentication failed, sorry
>> Login failed.
>>
>>
>> The /var/log/messages shows:
>>
>> Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
>> Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
>> failed for user [.gan.empire.bc]
>>
>>
>> Where do I start?
>>
>>

>
>
> Did you see this note? See workaround...
>
> http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3737378&sliceId=1&docTypeID=DT_TID_1_1&dialogID=48515951&stateId=0%200%2048519542
>
>
>


Should have just copied the note...


Linux User Management (LUM) is installed and configured on the server

Sshd and pure-ftpd services are configured to use LUM (pam_nam.so) in the /etc/pam.d directory

/etc/pure-ftpd/pure-ftpd.conf is configured to allow users to authenticate by commenting out the anonymousonly option.

LUM is configured to use persistent cache - /etc/nam.conf contains enable-persistent-cache=YES

LUM enabled users are able to authenticate to the server

LUM enabled users fail to authenticate to pure-ftpd service

LUM enabled users are able to authenticate to pure-ftpd service after they have authenticated to sshd until LUM's namcd refreshes cache




--
Will R
PMC Consulting
0 Likes
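
The conditions listed in the technote above can be checked mechanically before touching any settings. The script below is an added example, not part of the thread or of Novell's tooling: the file paths and option names come from the technote, while the function names, the output keys and the sample files are made up here, and it assumes pure-ftpd.conf uses "Key value" lines.

```shell
#!/bin/sh
# Added example, not Novell's tooling: check the technote's conditions against
# the config files under ROOT ("" means the live system).

# Active (non-comment, non-blank) lines of a file, leading blanks stripped.
active_lines() {
    [ -r "$1" ] || return 0
    sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"
}

# lum_ftp_audit ROOT: prints one key=value finding per line.
lum_ftp_audit() {
    root=${1:-}
    # Does pure-ftpd's PAM stack go through LUM (pam_nam.so)?
    pam_nam=no
    if active_lines "$root/etc/pam.d/pure-ftpd" | grep 'pam_nam\.so' >/dev/null; then
        pam_nam=yes
    fi
    # Is AnonymousOnly still active? Assumes "Key value" lines; a commented-out
    # line or any value other than "yes" counts as off.
    anon=$(active_lines "$root/etc/pure-ftpd/pure-ftpd.conf" |
        awk 'tolower($1) == "anonymousonly" { v = tolower($2) } END { if (v == "yes") print "yes"; else print "no" }')
    # Persistent cache setting in nam.conf, upper-cased; "unset" if absent.
    cache=$(active_lines "$root/etc/nam.conf" |
        sed -n 's/^enable-persistent-cache[[:space:]]*=[[:space:]]*//p' |
        tail -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')
    cache=${cache:-unset}
    # All three together are the configuration the technote lists.
    match=no
    if [ "$pam_nam" = yes ] && [ "$anon" = no ] && [ "$cache" = YES ]; then
        match=yes
    fi
    printf 'pam_nam=%s\nanonymous_only=%s\npersistent_cache=%s\ntechnote_match=%s\n' \
        "$pam_nam" "$anon" "$cache" "$match"
}

# Constructed sample tree (not the poster's real files), then the audit on it.
lum_ftp_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/pam.d" "$d/etc/pure-ftpd"
    printf 'auth required pam_nam.so\naccount required pam_nam.so\n' >"$d/etc/pam.d/pure-ftpd"
    printf '# AnonymousOnly yes\nPAMAuthentication yes\n' >"$d/etc/pure-ftpd/pure-ftpd.conf"
    printf 'enable-persistent-cache=YES\n' >"$d/etc/nam.conf"
    lum_ftp_audit "$d"
    rm -rf "$d"
}

lum_ftp_demo
```

A `technote_match=yes` result only says the configuration matches the one the technote lists; on the live system, call `lum_ftp_audit ""` as root so the files are readable.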
Anonymous_User Absent Member.

Re: getting ldap, pure-ftpd and apache2 working together on OES2

As I was reading the technote, I didn't think that it would help. My LUM
enabled users could login to Netware - but couldn't authenticate to the
server using ssh or ftp.

Tried suggested fix anyway (disabling persistent cache).

*** IT WORKED! ***

Thank You.

..... ssh still doesn't work, but I'll worry about that some other day. My
next step is to get apache2 working for <home>\public-html

I'd like to thank you again for helping me with this problem.
.....Gregg


"WillR" <willrLESSthe@SPAMMMpmccl.com> wrote in message
news:Xm5kk.13122$g35.1538@kovat.provo.novell.com...
> Gregg Nicholas wrote:
> > My goal is to allow a LUM-enabled user to ftp files to their home directory
> > public_html and make that available as a website on the OES2/linux server.
> >
> > I think that my first hurdle is to correct some problem with ldap. When I
> > try to login with ftp, I get this:
> >
> >
> > ftp> user .gan.empire.bc
> > 331 User .gan.empire.bc OK. Password required
> > Password:
> > 530 Authentication failed, sorry
> > Login failed.
> >
> >
> > The /var/log/messages shows:
> >
> > Jul 22 15:27:20 empire pure-ftpd: pam_ldap: ldap_search_s No such object
> > Jul 22 15:27:20 empire pure-ftpd: (?@172.16.4.80) [WARNING] Authentication
> > failed for user [.gan.empire.bc]
> >
> >
> > Where do I start?
> >
> >
>
>
> Did you see this note? See workaround...
>
> http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3737378&sliceId=1&docTypeID=DT_TID_1_1&dialogID=48515951&stateId=0%200%2048519542
>
>
> --
> Will R
> PMC Consulting



0 Likes