
Debian 11 + ProFTPd and LDAPS

Server Fault user
Asked on 2023-05-23 13:14:30
1 answer, 26 views, 0 followers, 0 votes

I am trying to authenticate FTP users against Active Directory using LDAPS over SSL (port 636).

I managed to get it working with plain LDAP on port 389, and now I want to add some security!

The OS is Debian 11 x64, fully up to date.

ProFTPd version:

```console
# dpkg -l | grep proftpd
ii  proftpd-core                   1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - binaries
ii  proftpd-mod-crypto             1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - TLS/SSL/SFTP modules
ii  proftpd-mod-ldap               1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - LDAP module
```

Here is the ldap.conf file:

```apacheconf
<IfModule mod_ldap.c>
    LDAPServer                ldaps://x.x.x.x/??sub
    LDAPAuthBinds             on
    LDAPSearchScope           subtree
    LDAPBindDN                "CN=myuser,CN=Users,DC=domain,DC=local" "password"
    LDAPUsers                 "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))"
    LDAPGenerateHomedir       on 0775
    CreateHome                on 0755
    LDAPGenerateHomedirPrefix /home/ftphome
    LDAPDefaultUID            1111
    LDAPDefaultGID            1111
    LDAPAttr                  uid sAMAccountName
    LDAPAttr                  gidNumber primaryGroupID
    LDAPLog                   /var/log/proftpd/ldap.log
</IfModule>
```

When it runs as a service (as proftpd/nogroup), authentication does not work:

```text
2023-05-23 14:54:19,616 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,618 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,619 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,620 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,629 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
2023-05-23 14:54:19,631 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,638 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
```

I tried debug mode ('proftpd -n -d 10'), and there it works:

```text
2023-05-23 14:56:51,051 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,053 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,054 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,055 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,065 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,195 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
```

I don't understand why it works fine in debug mode; of course I need it to work in service mode! I tried running the service as root/root (which is bad!) and that didn't work either.

Thanks for your help, because I'm really stuck.


1 Answer

Server Fault user

Accepted answer

Posted on 2023-05-26 08:11:10

I couldn't find a way to get LDAP over SSL working, but I managed to get LDAP over TLS working. Not what I wanted, but better than an insecure connection!

```apacheconf
<IfModule mod_ldap.c>
    LDAPServer                ldap://x.x.x.x/??sub ssl-verify:off
    LDAPUseTLS                on
    LDAPTLSRequireCert        off
    LDAPAuthBinds             on
    LDAPSearchScope           subtree
    LDAPBindDN                "CN=myuser,CN=Users,DC=domain,DC=local" "password"
    LDAPUsers                 "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,OU=domain,DC=domain,DC=local))"
    LDAPGenerateHomedir       on 0775
    CreateHome                on 0755
    LDAPGenerateHomedirPrefix /home/domain
    LDAPDefaultUID            1111
    LDAPDefaultGID            1111
    LDAPAttr                  uid sAMAccountName
    LDAPAttr                  gidNumber primaryGroupID
    LDAPLog                   /var/log/proftpd/ldap.log
</IfModule>
```
Votes: 0
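Both configs in this thread put the AD bind password and every FTP user's password on the wire to the domain controller, so the transport settings decide whether a host that can answer for x.x.x.x gets to read them. The answer's `ssl-verify:off` plus `LDAPTLSRequireCert off` makes the StartTLS session accept any certificate, and the question's LDAPS config gives no verification or CA option at all, leaving that policy to the OpenLDAP client library. The following audit, an added example that is not code from the question, the answer or the ProFTPD project, parses an `<IfModule mod_ldap.c>` block and reports those weaknesses; it is run here over the two configs from the thread and over a hardened variant. The hardened sample assumes the `ssl-ca:` URL option as documented for mod_ldap in ProFTPD 1.3.7, a hostname `dc1.domain.local` and a CA file path `/etc/proftpd/ad-ca.pem`; the informational messages assume that with no `ssl-` option mod_ldap defers to `TLS_REQCERT`/`TLS_CACERT` in `/etc/ldap/ldap.conf`, which the unprivileged proftpd session process must be able to read (a root `proftpd -n -d 10` run does not exercise that).

```python
"""Audit ProFTPD mod_ldap transport settings for the weaknesses seen in this thread.

Added example, not code from the question, the answer or the ProFTPD project.
It reads the <IfModule mod_ldap.c> block, inspects the LDAPServer URL options
(ssl-verify:, ssl-ca:), LDAPUseTLS and LDAPTLSRequireCert, and reports what a
man-in-the-middle between proftpd and the domain controller could obtain.
Sample configs are constructed from the thread; the hardened one assumes the
ssl-ca: URL option of ProFTPD 1.3.7 mod_ldap and hypothetical host/CA names.
"""
import re
from urllib.parse import urlsplit

# The question's config: LDAPS, but no explicit verification or CA options.
ORIGINAL_CONF = """\
<IfModule mod_ldap.c>
    LDAPServer    ldaps://x.x.x.x/??sub
    LDAPAuthBinds on
    LDAPBindDN    "CN=myuser,CN=Users,DC=domain,DC=local" "password"
</IfModule>
"""

# The accepted answer's config: StartTLS with certificate checks switched off.
WEAK_CONF = """\
<IfModule mod_ldap.c>
    LDAPServer          ldap://x.x.x.x/??sub ssl-verify:off
    LDAPUseTLS          on
    LDAPTLSRequireCert  off
    LDAPAuthBinds       on
    LDAPBindDN          "CN=myuser,CN=Users,DC=domain,DC=local" "password"
</IfModule>
"""

# Hardened variant (assumed hostname and CA path): LDAPS by name so the
# certificate can match, the AD issuing CA pinned, verification required.
HARDENED_CONF = """\
<IfModule mod_ldap.c>
    LDAPServer    ldaps://dc1.domain.local/??sub ssl-ca:/etc/proftpd/ad-ca.pem ssl-verify:on
    LDAPAuthBinds on
    LDAPBindDN    "CN=myuser,CN=Users,DC=domain,DC=local" "password"
</IfModule>
"""


def parse_mod_ldap(text):
    """Return {directive: [[arg, ...], ...]} for lines inside <IfModule mod_ldap.c>."""
    m = re.search(r"<IfModule mod_ldap\.c>(.*?)</IfModule>", text, re.S)
    body = m.group(1) if m else text
    directives = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, *rest = line.split(None, 1)
        # Keep quoted arguments (bind DN, password, filter) as single tokens.
        args = re.findall(r'"[^"]*"|\S+', rest[0]) if rest else []
        directives.setdefault(name, []).append(args)
    return directives


def audit(text):
    """Return [(severity, message), ...]; HIGH means credentials are exposed to a MITM."""
    d = parse_mod_ldap(text)
    findings = []
    use_tls = any(a and a[0].lower() == "on" for a in d.get("LDAPUseTLS", []))
    for args in d.get("LDAPServer", []):
        opts = dict(a.split(":", 1) for a in args if a.startswith("ssl-"))
        for url in (a for a in args if "://" in a):
            scheme = urlsplit(url).scheme.lower()
            if scheme == "ldap" and not use_tls:
                findings.append(("HIGH", f"{url}: cleartext LDAP, the bind DN password "
                                 "and every user's password cross the wire unencrypted"))
                continue
            if opts.get("ssl-verify", "").lower() == "off":
                findings.append(("HIGH", f"{url}: ssl-verify:off accepts any certificate, "
                                 "so a spoofed DC can harvest the bind and user credentials"))
            elif "ssl-verify" not in opts:
                findings.append(("INFO", f"{url}: no ssl-verify option; validation falls back "
                                 "to TLS_REQCERT/TLS_CACERT in /etc/ldap/ldap.conf"))
            if "ssl-ca" not in opts:
                findings.append(("INFO", f"{url}: no ssl-ca option; the CA file named in "
                                 "/etc/ldap/ldap.conf must be readable by the unprivileged "
                                 "proftpd user, which a root debug run does not prove"))
    for args in d.get("LDAPTLSRequireCert", []):
        if args and args[0].lower() == "off":
            findings.append(("HIGH", "LDAPTLSRequireCert off: an invalid or untrusted "
                             "server certificate is accepted"))
    return findings


def worst(findings):
    """0 = nothing to fix, 1 = informational only, 2 = at least one HIGH finding."""
    rank = {"INFO": 1, "HIGH": 2}
    return max((rank[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    samples = (("question", ORIGINAL_CONF), ("answer", WEAK_CONF), ("hardened", HARDENED_CONF))
    for label, conf in samples:
        print(f"== {label}: worst={worst(audit(conf))}")
        for sev, msg in audit(conf):
            print(f"  [{sev}] {msg}")
```

Run it against the real `/etc/proftpd/ldap.conf` by passing the file contents to `audit()`; anything rated HIGH means the AD service account's password is recoverable by whoever can intercept or impersonate the domain controller on the path from the FTP server.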
Original page content provided by Server Fault. Translation supported by Tencent Cloud Xiaowei's IT-domain engine.
Original link:

https://serverfault.com/questions/1131741
