
pure-ftpd home directory issue

I'm having an issue with pure-ftpd on an OES 11 SP1 server. Server is current with patches. Version of pure-ftp is: novell-pure-ftpd Version 1.1.0-5.55

I have LUM enabled users and need to allow them to ftp to the server. They are able to log in just fine, but they are always sent to the Linux home, not to their eDir home directory. I've done an LDAP search and it does show both the homeDirectory and ndsHomeDirectory. What they are getting is the homeDirectory. The ndsHomeDirectory is on an NSS volume on the same server. The problem is the same when connecting by IP address or by URL.

I've used the instructions from TID 3503915 and I think I have it set correctly. If I'm reading that correctly I need the following set:

remote_server yes
EnableRemoteHomeDirectory yes

And that is supposed to be what sends the user to their ndsHomeDirectory.

When someone logs in I get the following in the /var/log/messages file:

Sep 30 14:37:51 uval12 pure-ftpd: (?@xx.xx.xx.xx) [INFO] New connection from xx.xx.xx.xx
Sep 30 14:37:53 uval12 pure-ftpd: (?@xx.xx.xx.xx) [DEBUG] Command [user] [Gomer]
Sep 30 14:37:55 uval12 pure-ftpd: (?@xx.xx.xx.xx) [DEBUG] Command [pass] [<*>]
Sep 30 14:37:55 uval12 pure-ftpd: (?@xx.xx.xx.xx) [DEBUG] UserFDNfromUID: User FDN: cn=Gomer,o=Staff, UID: 612
Sep 30 14:37:55 uval12 pure-ftpd: (?@xx.xx.xx.xx) [DEBUG] nwlogin -u cn=Gomer.o=Staff uid 612 context Staff
Sep 30 14:37:56 uval12 pure-ftpd: (?@xx.xx.xx.xx) [DEBUG] Reloading remote server information
Sep 30 14:37:56 uval12 pure-ftpd: (?@xx.xx.xx.xx) [ERROR] Failed to perform LDAP search to get the list of remote servers accessible. Error: Can't contact LDAP server <-1>
Sep 30 14:37:56 uval12 pure-ftpd: (?@xx.xx.xx.xx) [INFO] Gomer is now logged in
Sep 30 14:37:56 uval12 pure-ftpd: (Gomer@xx.xx.xx.xx) [DEBUG] Command [syst] []
Sep 30 14:37:56 uval12 pure-ftpd: (Gomer@xx.xx.xx.xx) [DEBUG] Command [feat] []
Sep 30 14:37:56 uval12 pure-ftpd: (Gomer@xx.xx.xx.xx) [DEBUG] Command [pwd] []
Sep 30 14:37:58 uval12 pure-ftpd: (Gomer@xx.xx.xx.xx) [DEBUG] Command [epsv] []
Sep 30 14:37:58 uval12 pure-ftpd: (Gomer@xx.xx.xx.xx) [DEBUG] Command []


The login from an openSUSE console:

220-Welcome to Pure-FTPd.
220-You are user number 1 of 500 allowed.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (xx.xx.xx.xx:chuck): Gomer
331 User Gomer OK. Password required
Password:
230-User Gomer has group access to: everyone
230-This server supports FXP transfers
230 OK. Current directory is /home/Gomer
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>


Even though in the pure-ftpd.conf file I have "CreateHomeDir no", it automatically creates /home/Gomer.

I've tried this with different users and the directory issue is consistent. id <username> works as expected and ssh works as expected other than putting Gomer in /home/Gomer instead of his ndsHomeDir. With the ftp or ssh logins the user can change directory to the ndsHomeDirectory and has correct rights there. I'm using LDAP for other applications and not having issues with it. I can do LDAP searches either with or without SSL with no issues. Pure-ftp is set to use SSL (edir_ldap_port 636).

I've tried searches on the LDAP error in the messages log but haven't come up with anything helpful yet.


Re: pure-ftpd home directory issue

I have found a temporary fix. Maybe this was in the docs and I missed it but it seems to be working.

I added the line:

LDAPHomeDirectory ndsHomeDirectory

to the /etc/pure-ftp/pure-ftpd.conf file as the last line. I found the syntax in /usr/share/doc/packages/pure-ftp/pureftpd-ldap.conf.

I still get the "Failed to perform LDAP search to get the list of remote servers accessible." error in /var/log/messages, but it does seem to be working as expected.

I don't consider this fixed, just band-aided until I figure out the real issue.


Re: pure-ftpd home directory issue

chuckbuhler;2285336 wrote:
> I have found a temporary fix. Maybe this was in the docs and I missed it but it seems to be working.
>
> I added the line:
>
> LDAPHomeDirectory ndsHomeDirectory
>
> to the /etc/pure-ftp/pure-ftpd.conf file as the last line. I found the syntax in /usr/share/doc/packages/pure-ftp/pureftpd-ldap.conf.
>
> I still get the "Failed to perform LDAP search to get the list of remote servers accessible." error in /var/log/messages, but it does seem to be working as expected.
>
> I don't consider this fixed, just band-aided until I figure out the real issue.


This did not work. I had edited the HomeDirectory attribute on my test user (Gomer) and forgot that I had done that. Saw it work once and thought I had it. Tested a couple more users and it really isn't working.


Re: pure-ftpd home directory issue

This is certainly an unusual case -- I have only seen one other like it. I think we have to focus on this error and take it rather literally:

Sep 30 14:37:56 uval12 pure-ftpd: (?@xx.xx.xx.xx) [ERROR] Failed to perform LDAP search to get the list of remote servers accessible. Error: Can't contact LDAP server <-1>

Even though you have done other ldap queries that worked, there can still be reasons why some would work and others would fail. For example, Novell FTP uses secure ldap (SSL), and maybe some of your comparison tests are using unsecure ldap. Or those other "working" ldap queries may be directed to a different host name or ip address. In the case I saw, secure ldap queries (executed at the OES server where FTP server was running) directed toward the name "localhost" were working fine, but the same queries to an actual IP address of the same machine (whether 127.0.0.1 or its actual bound network address) were failing. Thus the ldap server was only partially functional, and causing FTP to receive the "Can't Contact LDAP server" error.

To determine what IP address it will use, novell-oes-pure-ftpd uses the command:

/opt/novell/eDirectory/bin/ndsconfig get n4u.server.interfaces | grep n4u.server.interfaces | sed s/[a-zA-Z0-9.]*=//g | sed s/@[a-zA-Z0-9,.]*//g

Execute that command manually at the system which hosts Novell FTP, and see what address it comes up with. Then, if you want to do comparison ldap test queries, do them from the OES server where FTP Server runs, and direct them toward that address, and make sure they are using SSL (sldap instead of ldap). You may want to use "ldapsearch" command so you can control all those things manually (see "man ldapsearch" for switches). Do those kind of queries work?

In the case I saw, there was a problem with the eDir SSL cert used by secure ldap server, and it would only respond when the query used the name "localhost", otherwise the query failed. I fixed that in iManager, Certificate Server, Repair Default Certificates. I marked "force replacement" as part of that. After it repaired the certificates, I then did a "rcndsd restart". Then ldap was working more completely, and ftp stopped getting the error, and was able to identify the user's edir Home Directory.

And just as some side notes about other things that came up in this thread:

>I found the syntax in /usr/share/doc/packages/pure-ftp/pureftpd-ldap.conf.

Pure-ftpd itself (as it exists in Linux before OES enhances it) has some understanding of ldap and can be directed to talk to ldap. However, those "original" pure-ftpd methods WILL NOT be applicable to OES's methods of using eDir, LUM, and LDAP to get work done. In fact, activating pure-ftpd's "original" ldap features could interfere with proper functionality of OES FTP and its access of eDir / LUM. So, the bottom line is that I'd recommend people never set their OES FTP configuration to have a "LDAPConfigFile" setting, nor to rely on any methods described in pureftpd-ldap.conf or in pure-ftpd's "README.LDAP". Those should be considered off-limits for use of OES FTP.

>Version of pure-ftp is: novell-pure-ftpd Version 1.1.0-5.55

Just FYI, that version number is not from pure-ftpd or novell-oes-pure-ftpd. I'm guessing that came from novell-pure-ftpd-config, which is a package used for altering the configuration, during the install/setup process for OES's "Novell FTP" pattern.
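The following POSIX sh helper is an added example, not code from this thread or from Novell/Micro Focus, that ties together the two checks discussed so far: it scans /var/log/messages lines in the layout the question shows for logins that were granted after the "Failed to perform LDAP search" error (the sessions that silently land in the Linux /home directory), and it applies the ndsconfig/grep/sed pipeline from the reply above to recover the address pure-ftpd will use, then probes secure LDAP on port 636 (the edir_ldap_port value from the question) at both localhost and that address with ldapsearch, which is the comparison the reply recommends. The function names, the ldapsearch options used (-x, -H, -b, -s from OpenLDAP's ldapsearch), the assumed ndsconfig output shape `n4u.server.interfaces=ADDR@PORT`, the script filename, and the sample log lines are this example's own assumptions and constructed data.

```shell
#!/bin/sh
# Added diagnostic helper for the symptom in this thread; not part of the
# forum posts nor of Novell/Micro Focus OES FTP. Function names, sample data
# and the assumed ndsconfig output format are this example's assumptions.

# Constructed sample log lines in the layout /var/log/messages shows above
# (documentation-range addresses, not real hosts; one record per line).
SAMPLE_LOG=$(cat <<'EOF'
Sep 30 14:37:55 uval12 pure-ftpd: (?@192.0.2.50) [DEBUG] Command [user] [Gomer]
Sep 30 14:37:56 uval12 pure-ftpd: (?@192.0.2.50) [ERROR] Failed to perform LDAP search to get the list of remote servers accessible. Error: Can't contact LDAP server <-1>
Sep 30 14:37:56 uval12 pure-ftpd: (?@192.0.2.50) [INFO] Gomer is now logged in
Sep 30 14:40:02 uval12 pure-ftpd: (?@192.0.2.51) [INFO] Betty is now logged in
EOF
)

# Read pure-ftpd log lines on stdin and print "user client-ip" for every
# login granted after the remote-server LDAP lookup failed for that client.
# Those are the sessions that fell back to the Linux homeDirectory.
flag_fallback_logins() {
    awk '
        /\[ERROR\] Failed to perform LDAP search/ { failed[$6] = 1 }
        /is now logged in/ && failed[$6] {
            ip = $6
            sub(/^\(\?@/, "", ip)      # "(?@192.0.2.50)" -> "192.0.2.50)"
            sub(/\)$/, "", ip)         # -> "192.0.2.50"
            print $8, ip
            failed[$6] = 0
        }'
}

# Read "ndsconfig get n4u.server.interfaces" output on stdin and apply the
# exact pipeline quoted in the reply (sed expressions quoted here so the
# shell does not try to expand the bracket expressions as globs).
ftp_ldap_address() {
    grep n4u.server.interfaces \
        | sed 's/[a-zA-Z0-9.]*=//g' \
        | sed 's/@[a-zA-Z0-9,.]*//g'
}

# Probe the secure LDAP port the way OES FTP would (ldaps, not plain ldap).
# Returns ldapsearch's exit status, or 2 if ldapsearch is not installed.
probe_ldaps() {
    host=$1
    port=${2:-636}   # edir_ldap_port value from the question
    command -v ldapsearch >/dev/null 2>&1 || {
        echo "ldapsearch not installed" >&2
        return 2
    }
    # Anonymous base-level search of the root DSE; stderr is captured so the
    # failure text can be compared with what pure-ftpd logs.
    err=$(ldapsearch -x -H "ldaps://$host:$port" -b '' -s base '(objectClass=*)' 2>&1 >/dev/null)
    rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "ldaps://$host:$port OK"
    else
        echo "ldaps://$host:$port FAILED (rc=$rc): $err"
        case $err in
            *"Can't contact LDAP server"*)
                echo "  -> same error pure-ftpd logs; check the certificate bound to this address" ;;
        esac
    fi
    return "$rc"
}

main() {
    echo "== logins granted although the remote-server lookup failed:"
    flag_fallback_logins < /var/log/messages
    addr=$(/opt/novell/eDirectory/bin/ndsconfig get n4u.server.interfaces | ftp_ldap_address)
    echo "== address pure-ftpd will use: $addr"
    # Compare localhost with the bound address: the reply describes a
    # certificate that only answered for "localhost".
    for h in localhost "$addr"; do
        probe_ldaps "$h" 636 || true
    done
}

# Run the live checks only when invoked as: sh ftp_ldap_check.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as root on the OES server that hosts Novell FTP; the log scan and the address extraction need no network, and the two ldaps probes should either both succeed or show which of the two names the certificate actually answers for.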

Re: pure-ftpd home directory issue

/opt/novell/eDirectory/bin/ndsconfig get n4u.server.interfaces | grep n4u.server.interfaces | sed s/[a-zA-Z0-9.]*=//g | sed s/@[a-zA-Z0-9,.]*//g returns the correct ip address of the server.

Using ldapsearch on the server itself I do get errors when I use SSL for the search. I had been checking with an LDAP browser running on my workstation that must fall back on ldap if sldap doesn't work.

The error I get is ldap_result: Can't contact LDAP server (-1)

Looks like it's an LDAP issue for sure.

I did "Repair Default Certificates" and that didn't make a difference.

I'm off to work on LDAP and get that fixed.

Thanks for your input. It looks like I've found where to look for the problem.


Re: pure-ftpd home directory issue

I'm not an LDAP expert, but I would at least recommend going to iManager, LDAP, LDAP Options, View LDAP Servers, select this server, go to the 'Connections' tab. The following settings might be pertinent:

certificate is usually SSL CertificateDNS
require tls for all operations is usually not checked
Enable and require mutual authentication is usually not checked
bind restrictions is usually "none" <-- this one I would be most suspicious of, if it is set another way.