mod_ldap v2.0
=============

mod_ldap is a module that allows proftpd to do user authentication and
name/UID lookups against an LDAP database.

**Please note:** some of the basic configuration directives have changed in
version 2.0 of mod_ldap; please read the Changes section of this file
carefully to find out what you will need to update in your proftpd.conf.

Sections:

1. How do I set up mod_ldap?
2. Changes in v2.0
3. To-Do
4. Thanks
5. Author

============================
1. How do I set up mod_ldap?
============================

Currently, mod_ldap has only been heavily tested with recent versions of
OpenLDAP-stable, but has been reported to work with Netscape Directory
Server without any modification.

1. Add the following schema to your slapd.oc.conf (if it's not already
   there) and restart slapd:

   objectclass posixAccount
       requires
           objectclass,
           cn,
           uid,
           uidNumber,
           gidNumber,
           homeDirectory
       allows
           userPassword,
           loginShell,
           gecos,
           description

2. Create an ldif file and add it to your LDAP server by saying:

   ldapadd -D your-root-dn -w your-root-dn-password < ldif-file

   (Giving the password with -w puts it in the process list where other
   users can see it; -W makes ldapadd prompt for it instead.)

   A sample ldif is included here:

   dn: cn=John Morrissey, dc=horde, dc=net
   cn: John Morrissey
   uid: jwmsax
   uidNumber: 2000
   gidNumber: 100
   homeDirectory: /home/jwm
   userPassword: {crypt}SosPSqZVHbI5Y
   loginShell: /bin/bash

3. Read up on the LDAP config-file directives in doc/Configuration.html.
   At bare minimum, you'll need to have LDAPServer, LDAPDNInfo, and
   LDAPDoAuth configuration directives in your proftpd.conf. A sample set
   of LDAP configuration directives is included here:

   LDAPServer   localhost
   LDAPDNInfo   cn=your-dn,dc=horde,dc=net dnpass
   LDAPDoAuth   on "dc=users,dc=horde,dc=net"

   Note that LDAPDNInfo carries the bind DN's password in the clear, so
   proftpd.conf should be readable only by root.

==================
2. Changes in v2.0
==================

Please check the web site for previous changelogs.
* Config file syntax revamped:

      LDAPServer            localhost
      LDAPDNInfo            cn=your-dn,dc=horde,dc=net dnpass
      LDAPQueryTimeout      5
      LDAPDoAuth            on "dc=users,dc=horde,dc=net"
      LDAPDoUIDLookups      on "dc=users,dc=horde,dc=net"
      LDAPDoGIDLookups      on "dc=groups,dc=horde,dc=net"
      LDAPDefaultUID        35000
      LDAPDefaultGID        1000
      LDAPNegativeCache     on
      LDAPHomedirOnDemand   on
      LDAPDefaultAuthScheme clear

* Configurable LDAP query timeout [Peter Deacon]
* Cleartext password "encryption" scheme ("{clear}mypass"). This stores the
  password itself in the directory, so anyone who can read the userPassword
  attribute has the password.
* UID-to-name and GID-to-name lookups in directory listings
* Separate prefixes for user and group lookups
* Can turn on/off UID-to-name and GID-to-name lookups independently
* Default [UG]IDs. Say you want to have a web-toaster type of deal, with all
  users having the same [UG]IDs. Just don't put [ug]idNumber attrs in your
  LDAP database for those users, and set these configuration directives.
  Any user that doesn't have a [UG]ID in the LDAP database will have that
  info filled in with the default [UG]ID.
* mod_ldap is now able to function in a pure virtual-user environment;
  please note, however, that the loginShell LDAP attr still must be a valid
  shell. You can turn this check off by saying

      RequireValidShell off

  in your proftpd.conf
* allowedServices attr: (I broke with objectclass here, couldn't find
  something that seemed to fit this.) This attribute contains a
  comma-delimited list of services to allow this particular user. The
  string "FTP" corresponds to FTP service. If no allowedServices attr is
  present, all services will be allowed.
* You can have alternate LDAP servers; just specify
  LDAPServer "host1 host2"; [Peter Deacon]
* LDAPHomedirOnDemand to automatically create home directories in a
  virtual-user environment. [patch: Bert Vermeulen]
* LDAPDefaultAuthScheme to select the authentication scheme to use when no
  {prefix} is present in a user's userPassword LDAP attr.
  [patch: Bert Vermeulen]
* Virtual hosting support may or may not work okay; theoretically, I think
  adding LDAP configuration directives to a virtual-host block will work,
  but this hasn't been tested.

New Tested Platforms:

* Solaris 2.6 with Netscape Directory Server and the Mozilla LDAP C SDK,
  available at http://www.mozilla.org/directory/csdk.html. [Peter Fabian]
* Solaris 7 with gcc 2.95.1 and OpenLDAP 1.2.7 [Ralf Kruedewagen]

Please check the web site for the complete list of tested platforms.

=======
3. ToDo
=======

* Support for alternate password hash algorithms, such as SHA1. I'm looking
  at how qmail-ldap does this; it looks like they just "borrowed" the SHA1
  source file from OpenBSD. Authenticated binds would also take care of
  this, as then any encryption scheme supported by your LDAP server would
  be usable.
* Different log levels in mod_ldap to log varying debug info
* Config file directive to not even look up [ug]id attrs if we're using a
  default [ug]id

Peter Deacon's ideas:

* authenticated binds (also Peter Fabian)
* perror()-like error reporting to improve error messages
* shadowAccount objectclass stuff - inactive, expiration, etc.

=========
4. Thanks
=========

* James for a copy of his LDAP module that he
* Krzysztof Dabrowski for some big virtual-user ideas
* Peter Deacon for ideas
* Peter Fabian for ideas and a tested platform
* Ralf Kruedewagen for a tested platform
* Scott Murphy for a trouble report
* Bert Vermeulen for patches

=========
5. Author
=========

John Morrissey, , http://horde.net/~jwm/software/proftpd-ldap

Feedback is much appreciated. If you're using mod_ldap successfully, or
you're having problems getting mod_ldap up and running at your site, or
even have some code improvements or ideas for development, please let me
know!
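Appendix: a preflight check for LDIF entries. This is an added example, not
code from mod_ldap or from its author; it parses an LDIF fragment and applies
the rules documented in sections 1 and 2 above (required posixAccount
attributes, LDAPDefaultUID/LDAPDefaultGID fill-in when [ug]idNumber is
absent, the comma-delimited allowedServices list, {scheme} prefixes on
userPassword with LDAPDefaultAuthScheme as the fallback, and the
RequireValidShell check), so you can see which entries mod_ldap would reject
or fill with defaults before loading them. Assumptions: the LDIF entries are
constructed for the example, the `valid_shells` tuple stands in for
/etc/shells, and the allowedServices match on the exact string "FTP" as the
Changes section states.

```python
"""Preflight check for mod_ldap user entries (added example; not mod_ldap code).

Applies the rules the mod_ldap v2.0 README documents to LDIF entries.
The LDIF below is constructed for this example.
"""
import base64
import re

# Attributes the posixAccount schema requires, besides the [ug]idNumber pair,
# which LDAPDefaultUID/LDAPDefaultGID can stand in for.
REQUIRED = ("cn", "uid", "homeDirectory")

SAMPLE_LDIF = """\
dn: cn=John Morrissey, dc=horde, dc=net
cn: John Morrissey
uid: jwmsax
uidNumber: 2000
gidNumber: 100
homeDirectory: /home/jwm
userPassword: {crypt}SosPSqZVHbI5Y
loginShell: /bin/bash

dn: cn=web1, dc=users, dc=horde, dc=net
cn: web1
uid: web1
homeDirectory: /home/web1
userPassword: secret
allowedServices: WWW, FTP

dn: cn=web2, dc=users, dc=horde, dc=net
cn: web2
uid: web2
homeDirectory: /home/web2
userPassword:: e2NsZWFyfXNlY3JldA==
allowedServices: WWW

dn: cn=broken, dc=users, dc=horde, dc=net
cn: broken
uid: broken
userPassword: {crypt}SosPSqZVHbI5Y
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]} dicts.

    Handles 'attr: value', 'attr:: base64' and folded continuation lines
    (a leading space) of plain values; entries are separated by blank lines.
    """
    entries, current, last_attr = [], {}, None
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip()
        if value.startswith(":"):  # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def resolve_user(entry, default_uid=None, default_gid=None, default_scheme="crypt",
                 require_valid_shell=True, valid_shells=("/bin/sh", "/bin/bash")):
    """Apply the README's rules to one parsed entry.

    default_uid/default_gid mirror LDAPDefaultUID/LDAPDefaultGID, default_scheme
    mirrors LDAPDefaultAuthScheme, require_valid_shell mirrors RequireValidShell
    and valid_shells (an assumption) stands in for /etc/shells.  Returns the user
    record, or raises ValueError for an entry mod_ldap would have to reject.
    """
    missing = [a for a in REQUIRED if a not in entry]
    if missing:
        raise ValueError("missing required attribute(s): " + ", ".join(missing))
    user = {"uid": entry["uid"][0], "home": entry["homeDirectory"][0]}

    # The default [UG]ID is used only when the attribute is absent from the entry.
    for attr, default in (("uidNumber", default_uid), ("gidNumber", default_gid)):
        if attr in entry:
            user[attr] = int(entry[attr][0])
        elif default is not None:
            user[attr] = default
        else:
            raise ValueError("no %s attribute and no default configured" % attr)

    # "{scheme}value" selects the scheme; no prefix falls back to the default scheme.
    pw = entry.get("userPassword", [""])[0]
    m = re.match(r"\{(\w+)\}(.*)", pw)
    if m:
        user["scheme"], user["password"] = m.group(1).lower(), m.group(2)
    else:
        user["scheme"], user["password"] = default_scheme, pw
    # A cleartext scheme means the directory itself holds the password: flag it.
    user["cleartext"] = user["scheme"] == "clear"

    # allowedServices is comma-delimited; an absent attribute allows everything.
    services = entry.get("allowedServices")
    user["ftp_allowed"] = services is None or "FTP" in [
        s.strip() for s in services[0].split(",")]

    # loginShell must be a real shell unless RequireValidShell is off.
    user["shell"] = entry.get("loginShell", [None])[0]
    if require_valid_shell and user["shell"] not in valid_shells:
        raise ValueError("loginShell %r is not a valid shell; fix the entry or set "
                         "RequireValidShell off" % user["shell"])
    return user


def preflight(ldif_text, **config):
    """Resolve every entry; returns (accepted records, [(dn, reason)] rejected)."""
    accepted, rejected = [], []
    for entry in parse_ldif(ldif_text):
        try:
            accepted.append(resolve_user(entry, **config))
        except ValueError as err:
            rejected.append((entry.get("dn", ["?"])[0], str(err)))
    return accepted, rejected


if __name__ == "__main__":
    # The virtual-user setup from the Changes section: defaults on, shell check off.
    ok, bad = preflight(SAMPLE_LDIF, default_uid=35000, default_gid=1000,
                        default_scheme="clear", require_valid_shell=False)
    for user in ok:
        print("OK ", user)
    for dn, reason in bad:
        print("BAD", dn, "->", reason)
```

Run it once with the defaults you intend to put in proftpd.conf and once with
the bare-minimum configuration from step 3: the second run shows which entries
only work because of LDAPDefaultUID/LDAPDefaultGID or RequireValidShell off,
and the `cleartext` flag shows which passwords are stored unhashed.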