Setting up ProFTPd with OpenLDAP Authentication on Debian Wheezy

ProFTPD server with OpenLDAP auth for users.

Software

Software used in this article:

  1. Debian Wheezy
  2. ProFTPD 1.3.4a
  3. OpenLDAP 2.4.31

Before We Begin

You may want to check this article for how to set up OpenLDAP.

We’ll use a passive FTP mode to connect from outside (NAT).

We’ll use DefaultServer on with no additional VirtualHosts.

Installation

Install proftpd (choose standalone version):

# apt-get install proftpd proftpd-mod-ldap
[...]
Run proftpd: standalone
[...]

Configuration

Optional, but highly recommended: familiarise yourself with ProFTPd Configuration Directive List.

We’ll create a new directory for FTP uploads with the sticky bit set (mode 1777), so that other users cannot remove or rename a file in the directory unless they own the file or the directory:

# mkdir -m 1777 /data/ftp

Double-check permissions:

# ls -ld /data/ftp/
drwxrwxrwt 2 root root 4096 Oct 24 18:49 /data/ftp/

Navigate to the proftpd installation directory:

# cd /etc/proftpd

Back up the default configuration file first:

# cp ./proftpd.conf ./proftpd.conf.$(date +%F)

Open /etc/proftpd/modules.conf and uncomment the following line:

LoadModule mod_ldap.c

proftpd.conf

Here’s our proftpd.conf configuration:

# cat ./proftpd.conf

#######################################################################
# Server Config                                                       #
#######################################################################

Include			/etc/proftpd/modules.conf

ServerName		"Private FTP Server"
ServerType		standalone
ServerAdmin		[email protected]
DefaultServer		on
AccessGrantMsg		"User %u logged in."

AuthOrder		mod_ldap.c

UseReverseDNS		off
RequireValidShell       off

DefaultAddress          localhost
Port			21
PassivePorts            64000 65000

User			proftpd
Group			nogroup

ScoreboardFile		/var/run/proftpd.score

MaxInstances		20

# for passive FTP mode
MasqueradeAddress	54.X.Y.Z

MultilineRFC2228	on
ShowSymlinks		off
UseIPv6			off
DefaultTransferMode	binary

WtmpLog                 off
TransferLog		/var/log/proftpd/xferlog
SystemLog		/var/log/proftpd/proftpd.log

#######################################################################
# Global Config                                                       #
#######################################################################

<Global>
 RootLogin		off
 AuthPAM                off
 DefaultRoot		/data/ftp

 ServerIdent		on "Private FTP Server"
 IdentLookups		off

 DeferWelcome           off
 DisplayLogin		/etc/proftpd/welcome.msg

 TimeoutLogin		120
 TimeoutNoTransfer	300
 TimeoutStalled		3600
 TimeoutIdle		600

 MaxClients 		5 "Sorry, ftp server has reached its maximum user limit (%m)"
 MaxClientsPerUser 	5 "Sorry, no more than %m connections per user."
 
 MaxStoreFileSize       *
 MaxRetrieveFileSize    *

 MaxLoginAttempts	3
 DenyFilter		\*.*/

 Umask			022 
 AllowOverwrite		on
 AllowOverride		off

 AllowRetrieveRestart	on
 AllowStoreRestart	on

 RequireValidShell	off
</Global>

<IfModule mod_delay.c>
 DelayEngine on
</IfModule>

<Limit SITE_CHMOD>
 DenyAll
</Limit>

<IfModule mod_ldap.c>
 LDAPServer localhost
 LDAPBindDN cn=Guest,dc=top passwd
 LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)
</IfModule>
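The configuration above pins down a handful of settings that the rest of the setup depends on: only mod_ldap answers logins (AuthOrder, AuthPAM off), users are jailed into /data/ftp (DefaultRoot), passive mode behind NAT gets a fixed port range and the public address (PassivePorts, MasqueradeAddress), SITE CHMOD is denied, and the LDAP bind password sits in the file. The following script is an added example, not part of the article or of ProFTPD itself: it parses a constructed copy of the relevant directives, flags any of those settings that are missing or weakened, and checks that the file is not readable by "other" after the chmod 0640 step below. The check names, messages and severities are this script's own assumptions.

```python
"""Added example (not from the article): audit the security-relevant directives
of a proftpd.conf such as the one above. CONFIG is a constructed copy of the
article's relevant lines; the checks are this script's own assumptions."""
import os
import re
import stat
from collections import defaultdict

CONFIG = """\
Include /etc/proftpd/modules.conf
ServerType standalone
DefaultServer on
AuthOrder mod_ldap.c
RequireValidShell off
Port 21
PassivePorts 64000 65000
User proftpd
Group nogroup
# for passive FTP mode
MasqueradeAddress 54.X.Y.Z
<Global>
 RootLogin off
 AuthPAM off
 DefaultRoot /data/ftp
 MaxLoginAttempts 3
</Global>
<Limit SITE_CHMOD>
 DenyAll
</Limit>
<IfModule mod_ldap.c>
 LDAPServer localhost
 LDAPBindDN cn=Guest,dc=top passwd
 LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)
</IfModule>
"""


def parse(text):
    """Map each block ('' for the top level, 'Global', 'Limit SITE_CHMOD', ...)
    to {directive: [args]}. Arguments are split on whitespace, which is enough
    for the directives audited here (quoted messages are not inspected)."""
    tree = defaultdict(dict)
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)([^>]+)>$", line)
        if tag:
            if tag.group(1):
                stack.pop()
            else:
                stack.append(tag.group(2).strip())
            continue
        name, _, rest = line.partition(" ")
        tree[stack[-1] if stack else ""][name] = rest.split()
    return tree


def audit(tree):
    """Return a list of (severity, message). 'warn' means a setting the article
    relies on is missing or weakened; 'info' is something to keep in mind."""
    top, glob = tree.get("", {}), tree.get("Global", {})
    ldap = tree.get("IfModule mod_ldap.c", {})
    out = []
    # Only mod_ldap answers logins; AuthPAM off keeps local system accounts out.
    if top.get("AuthOrder") != ["mod_ldap.c"]:
        out.append(("warn", "AuthOrder should be exactly mod_ldap.c"))
    if glob.get("AuthPAM", ["on"])[0].lower() != "off":
        out.append(("warn", "AuthPAM should be off when mod_ldap is the only auth source"))
    if glob.get("RootLogin", ["off"])[0].lower() != "off":
        out.append(("warn", "RootLogin must be off"))
    # Users are jailed into the upload directory.
    if "DefaultRoot" not in glob:
        out.append(("warn", "DefaultRoot missing: users can browse the whole filesystem"))
    # Passive mode behind NAT needs a fixed port range and the public address.
    ports = top.get("PassivePorts", [])
    if (len(ports) != 2 or not all(p.isdigit() for p in ports)
            or not 1024 <= int(ports[0]) < int(ports[1]) <= 65535):
        out.append(("warn", "PassivePorts should be '<low> <high>' above 1023"))
    if "MasqueradeAddress" not in top:
        out.append(("warn", "MasqueradeAddress missing: passive replies will carry the private IP"))
    # The daemon drops to an unprivileged account after binding port 21.
    if top.get("User", ["root"])[0] == "root":
        out.append(("warn", "User should be an unprivileged account"))
    # SITE CHMOD is denied so clients cannot loosen permissions on uploads.
    if "DenyAll" not in tree.get("Limit SITE_CHMOD", {}):
        out.append(("warn", "SITE CHMOD is not denied"))
    # LDAP lookup wiring, plus a reminder that the bind password lives in the file.
    if "%u" not in " ".join(ldap.get("LDAPUsers", [])):
        out.append(("warn", "LDAPUsers filter must contain %u for the login name"))
    if len(ldap.get("LDAPBindDN", [])) >= 2:
        out.append(("info", "LDAPBindDN carries a password: keep proftpd.conf mode 0640"))
    return out


def config_is_private(path):
    """True when the file is not readable by 'other' (what chmod 0640 gives)."""
    return not os.stat(path).st_mode & stat.S_IROTH


if __name__ == "__main__":
    for sev, msg in audit(parse(CONFIG)):
        print(f"{sev}: {msg}")
```

Run against the article's configuration the audit reports only the informational note about the bind password; drop DefaultRoot or turn AuthPAM back on and the corresponding warnings appear. To audit a live file, read /etc/proftpd/proftpd.conf into `parse()` instead of CONFIG and pass the path to `config_is_private()`.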

Restart ProFTPd Daemon

Prevent the ProFTPD configuration file, which contains the LDAP bind password, from being world-readable:

# chmod 0640 /etc/proftpd/proftpd.conf

And restart the service:

# service proftpd restart


9 thoughts on “Setting up ProFTPd with OpenLDAP Authentication on Debian Wheezy”

  1. Hello. I’ve ridden a proftp server on a virtual machine and the LDAP server is in another virtual machine. My goal is that from the virtual machine proftp server or another machine on the same network they can enter the realm proft stored LDAP users machine (obviously these two machines are on the same network). How do I configure proftp server for this to work? NOTE: The LDAP machine is properly configured.
    Please answer.
    Thank you very much and I hope for your answer.

    • If I get it right, you have two standalone servers on a same subnet, one hosting ProFTPD and another one hosting OpenLDAP. If so, you can easily configure ProFTPD to authenticate users against the “remote” OpenLDAP server. Similar lines in the proftpd.conf should do the job:

      LDAPServer 10.1.1.1
      LDAPBindDN cn=Guest,dc=top passwd
      LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)

      Please note that I’m using my configuration as an example above. I assume that 10.1.1.1 is your remote OpenLDAP server. You need to change the LDAPBindDN and LDAPUsers directives according to your configuration.

  2. In case you know Spanish, reply to me in this language. I translated the previous comment into English for you. Greetings and many thanks.

  3. Thank you very much for answering, I’m desperate :(. I’ll try what you tell me to see if I get it, because I’m too saturated, but I will not stop until I get it.

    I have another question: once everything is configured as you say, how do I try to log in with a user from the LDAP server from a client on the same network? Because when I try, it does not connect me with the LDAP server or the FTP server.

    Thank you very much again.

    • Is your LDAP server configured to allow incoming connections? Can you telnet from the FTP server to the LDAP port 389? Can you post your LDAP log?

  4. Hello, It does not work on Debian Jessie, proftpd 1.3.5 and OpenLDAP 2.4.40. I have one server with OpenLDAP and Samba and it is working properly. I am trying to configure another server to authenticate proftpd users against OpenLDAP. I followed your steps, editing ldap.conf, modules.conf and including both files in proftpd.conf. The login attempt fails and the log messages indicate that no such user was found.
