Setting up ProFTPd with OpenLDAP Authentication on Debian

ProFTPD server with OpenLDAP auth for users.

Software

Software used in this article:

  1. Debian Wheezy
  2. ProFTPD 1.3.4a
  3. OpenLDAP 2.4.31

Before We Begin

You may want to check this article for how to set up OpenLDAP.

We’ll use a passive FTP mode to connect from outside (NAT).

We’ll use DefaultServer on with no additional VirtualHosts.

Installation

Install proftpd (choose standalone version):

# apt-get install proftpd proftpd-mod-ldap
[...]
Run proftpd: standalone
[...]

Configuration

We’ll create a new directory for FTP uploads with the sticky bit set (mode 1777), so that other users cannot remove or rename a file in the directory unless they own the file or the directory:

# mkdir -m 1777 /data/ftp

Double-check permissions:

# ls -ld /data/ftp/
drwxrwxrwt 2 root root 4096 Oct 24 18:49 /data/ftp/

Navigate to the proftpd installation directory:

# cd /etc/proftpd

Back up the default configuration file first:

# cp ./proftpd.conf ./proftpd.conf.$(date +%F)

Open /etc/proftpd/modules.conf and uncomment the following line:

LoadModule mod_ldap.c

proftpd.conf

Here’s our proftpd.conf configuration:

# cat ./proftpd.conf

#######################################################################
# Server Config                                                       #
#######################################################################

Include			/etc/proftpd/modules.conf

ServerName		"Private FTP Server"
ServerType		standalone
ServerAdmin		[email protected]
DefaultServer		on
AccessGrantMsg		"User %u logged in."

AuthOrder		mod_ldap.c

UseReverseDNS		off
RequireValidShell       off

DefaultAddress          localhost
Port			21
PassivePorts            64000 65000

User			proftpd
Group			nogroup

ScoreboardFile		/var/run/proftpd.score

MaxInstances		20

# for passive FTP mode
MasqueradeAddress	54.X.Y.Z

MultilineRFC2228	on
ShowSymlinks		off
UseIPv6			off
DefaultTransferMode	binary

WtmpLog                 off
TransferLog		/var/log/proftpd/xferlog
SystemLog		/var/log/proftpd/proftpd.log

#######################################################################
# Global Config                                                       #
#######################################################################

<Global>
 RootLogin		off
 AuthPAM                off
 DefaultRoot		/data/ftp

 ServerIdent		on "Private FTP Server"
 IdentLookups		off

 DeferWelcome           off
 DisplayLogin		/etc/proftpd/welcome.msg

 TimeoutLogin		120
 TimeoutNoTransfer	300
 TimeoutStalled		3600
 TimeoutIdle		600

 MaxClients 		5 "Sorry, ftp server has reached its maximum user limit (%m)"
 MaxClientsPerUser 	5 "Sorry, no more than %m connections per user."
 
 MaxStoreFileSize       *
 MaxRetrieveFileSize    *

 MaxLoginAttempts	3
 DenyFilter		\*.*/

 Umask			022 
 AllowOverwrite		on
 AllowOverride		off

 AllowRetrieveRestart	on
 AllowStoreRestart	on

 RequireValidShell	off
</Global>

<IfModule mod_delay.c>
 DelayEngine on
</IfModule>

<Limit SITE_CHMOD>
 DenyAll
</Limit>

<IfModule mod_ldap.c>
 LDAPServer localhost
 LDAPBindDN cn=Guest,dc=top passwd
 LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)
</IfModule>

Restart ProFTPd Daemon

Prevent the ProFTPD configuration file from being world-readable, since it contains the LDAP bind password:

# chmod 0640  /etc/proftpd/proftpd.conf

And restart the service:

# service proftpd restart
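As an added example that is not part of the original article, here is a small Python check that parses a proftpd.conf in the format shown above and flags the settings this article relies on (RootLogin, DefaultRoot, AuthOrder, PassivePorts with MasqueradeAddress, and a password on LDAPBindDN). The embedded config is a constructed excerpt of the one above, and the checks and their wording are my own, not ProFTPD's.

```python
# Constructed excerpt modelled on the proftpd.conf shown in this article (not a real server's file).
SAMPLE_CONF = """\
ServerType\tstandalone
AuthOrder\tmod_ldap.c
RequireValidShell off
PassivePorts 64000 65000
# for passive FTP mode
MasqueradeAddress\t54.X.Y.Z
<Global>
 RootLogin\t\toff
 DefaultRoot\t/data/ftp
</Global>
<IfModule mod_ldap.c>
 LDAPServer localhost
 LDAPBindDN cn=Guest,dc=top passwd
 LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)
</IfModule>
"""

def parse_conf(text):
    """Flatten a proftpd.conf into {directive: value}; names are lower-cased because ProFTPD
    ignores case. Directives inside <Global>/<IfModule> are treated as server-wide, so the
    section tags themselves are simply skipped (a simplification of ProFTPD's real parser)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives

def audit(text):
    """Return findings for the settings this article relies on; an empty list means all checks pass."""
    d = parse_conf(text)
    findings = []
    if d.get("rootlogin", "off").lower() != "off":
        findings.append("RootLogin must be off")
    if "defaultroot" not in d:
        findings.append("DefaultRoot missing: users are not confined to the upload directory")
    if d.get("authorder") != "mod_ldap.c":
        findings.append("AuthOrder should be mod_ldap.c so only LDAP is consulted")
    if "passiveports" in d and "masqueradeaddress" not in d:
        findings.append("PassivePorts set without MasqueradeAddress: passive mode behind NAT will fail")
    if "ldapbinddn" in d and len(d["ldapbinddn"].split()) < 2:
        findings.append("LDAPBindDN has no bind password")
    return findings

# The same config with two settings weakened, to show the checks firing.
WEAK_CONF = SAMPLE_CONF.replace("RootLogin\t\toff", "RootLogin on").replace("MasqueradeAddress\t54.X.Y.Z\n", "")
```

Running `audit()` on the article's config returns no findings, while the weakened copy reports the RootLogin and MasqueradeAddress problems.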


13 thoughts on “Setting up ProFTPd with OpenLDAP Authentication on Debian”

  1. Hello. I’ve set up a proftp server on a virtual machine, and the LDAP server is in another virtual machine. My goal is that, from the proftp server virtual machine or another machine on the same network, users can enter the proftp realm with the users stored on the LDAP machine (obviously these two machines are on the same network). How do I configure the proftp server for this to work? NOTE: The LDAP machine is properly configured.
    Please answer.
    Thank you very much, and I hope for your answer.

    • If I get it right, you have two standalone servers on a same subnet, one hosting ProFTPD and another one hosting OpenLDAP. If so, you can easily configure ProFTPD to authenticate users against the “remote” OpenLDAP server. Similar lines in the proftpd.conf should do the job:

      LDAPServer 10.1.1.1
      LDAPBindDN cn=Guest,dc=top passwd
      LDAPUsers ou=Users,dc=lisenet.com,dc=top (uid=%u)

      Please note that I’m using my configuration as an example above. I assume that 10.1.1.1 is your remote OpenLDAP server. You need to change the LDAPBindDN and LDAPUsers directives according to your configuration.

  2. Thank you very much for answering, I’m desperate :(. I’ll try what you tell me to see if I get it, because I’m too saturated, but I will not stop until I get it.

    I have another question: when I configure everything as you say, Tomas, how do I try to log in with a user from the LDAP server from a client on the same network? Because when I try, I cannot connect to the ldap server or the ftp server.

    Thank you very much again.

    • Is your LDAP server configured to allow incoming connections? Can you telnet from the FTP server to the LDAP port 389? Can you post your LDAP log?

  3. Hello, It does not work on Debian Jessie, proftpd 1.3.5 and OpenLDAP 2.4.40. I have one server with OpenLDAP and Samba and it is working properly. I am trying to configure another server to authenticate proftpd users against OpenLDAP. I followed your steps, editing ldap.conf, modules.conf and including both files in proftpd.conf. The login attempt fails and the log messages indicate that no such user was found.

  4. Hello thank you for your reply
    What I am trying to do is how to do an integration between openldap and ftp

    • Integration can be achieved by using the mod_ldap module. The article shows a way to configure ProFTPd with OpenLDAP.

    • “Integration can be achieved by using a mod_ldap module.”

      Could you help me with that? Maybe you have some tutorial or something?
      After configuration, filezilla shows me the error: Login incorrect (but when I try to connect by sftp – port 22 – everything is okay), so something is wrong with the ftp connection (port 21). Have you got any idea? If it’s possible, please send me an email. Thank you for your answer.

    • This very blog post is actually a tutorial on how to configure ProFTPD with OpenLDAP by using the mod_ldap module. Take a look at the proftpd.conf config.

  5. I think that I did everything that I should do.
    But when I’m trying to connect by filezilla (and winscp) I see in the proftpd logs:

    2017-05-09 10:36:58,924 sen proftpd[18813] 192.xxx.xxx.xxx (192.x.x.x[192.x.x.x]): FTP session opened.
    2017-05-09 10:36:58,927 sen proftpd[18813] 192.x.x.x (192.x.x.x[192.x.x.x]): USER cctv: no such user found from 192.x.x.x [192.x.x.x] to ::ffff:192.x.x.x:21
    2017-05-09 10:36:58,930 sen proftpd[18813] 192.x.x.x(192.x.x.x[192.x.x.x]): FTP session closed.

    The user is correct (I tried a few users); I can log in using sftp (as user cctv and others).
    The home folder for user cctv exists.
