ProFTPD module mod_ldap



This module is contained in the mod_ldap.c file for ProFTPD 1.2.x/1.3.x, and is not compiled by default. Installation instructions are discussed here.

The most current version of mod_ldap is distributed with the ProFTPD source code.

Author

Please contact John Morrissey <jwm at horde.net> with any questions, concerns, or suggestions regarding this module.

Directives


LDAPAliasDereference

Syntax: LDAPAliasDereference never|always|search|find
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPAliasDereference directive configures how aliases are handled. The possible values have the following behaviors:

The default is "never", e.g.:

  <IfModule mod_ldap.c>
    LDAPAliasDereference never
  </IfModule>


LDAPAttr

Syntax: LDAPAttr old-attr-name new-attr-name
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPAttr directive is used to map, or to associate, a standard attribute name to a non-standard attribute name. If, for example, your LDAP directory schema used different names for some of the attributes used by mod_ldap, you would use this directive to tell mod_ldap what new attribute names to use.

The following LDAP attributes can be renamed in this manner:


LDAPAuthBinds

Syntax: LDAPAuthBinds on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

By default, the DN specified by the LDAPDNInfo will be used to bind to the LDAP server to obtain user information, including the userPassword attribute. If LDAPAuthBinds is set to on, the DN specified by LDAPDNInfo will be used to fetch all user information except the userPassword attribute. Then, the mod_ldap module will bind to the LDAP server as the user who is logging in via FTP with the user-supplied password. If this bind succeeds, the user is considered authenticated and is allowed to log in. This method of LDAP authentication has the added benefit of supporting any password encryption scheme that your LDAP server supports.

In versions of mod_ldap up to 2.7.6, the default for LDAPAuthBinds was off. After mod_ldap 2.8, the default value for LDAPAuthBinds is on.


LDAPDNInfo

Syntax: LDAPDNInfo dn password
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDNInfo directive configures the DN and the password that mod_ldap will use when binding to the LDAP directory. If this configuration directive is missing, then anonymous binds are used.

The default is:

  <IfModule mod_ldap.c>
    # Use anonymous binds
    LDAPDNInfo "" ""
  </IfModule>

See also: LDAPServer


LDAPDefaultAuthScheme

Syntax: LDAPDefaultAuthScheme crypt|clear
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDefaultAuthScheme directive specifies the authentication scheme used for passwords which have no "{hashname}" prefix in the LDAP directory. For example, if your directory stores values such as:

  userPassword mypass

you would want to set LDAPDefaultAuthScheme to clear.

The default value is crypt.
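As an added example (not mod_ldap's own code), the following shows how a "{hashname}" prefix is resolved, how a bare value falls back to LDAPDefaultAuthScheme, and why a bare "mypass" is rejected under the default crypt scheme but accepted under clear. The scheme names handled (clear, ssha, crypt) and the {SSHA} layout are assumptions taken from common OpenLDAP practice; the default scheme constant is constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the LDAPDefaultAuthScheme directive (documented default: crypt).
DEFAULT_AUTH_SCHEME = "crypt"

def split_scheme(stored, default_scheme=DEFAULT_AUTH_SCHEME):
    """Return (scheme, payload) for a userPassword value.

    A "{hashname}" prefix wins; a bare value gets the default scheme."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].lower(), stored[end + 1:]
    return default_scheme, stored

def ssha_digest(password, salt):
    """SHA-1 over password||salt with the salt appended ({SSHA} layout, assumed)."""
    return hashlib.sha1(password + salt).digest() + salt

def make_ssha(password, salt=None):
    """Produce a {SSHA} userPassword value; a fixed salt is only for tests."""
    salt = salt if salt is not None else os.urandom(8)
    return "{SSHA}" + base64.b64encode(ssha_digest(password.encode(), salt)).decode()

def verify_password(stored, supplied, default_scheme=DEFAULT_AUTH_SCHEME):
    """Check a supplied password against a userPassword value, constant-time."""
    scheme, payload = split_scheme(stored, default_scheme)
    if scheme == "clear":
        return hmac.compare_digest(payload.encode(), supplied.encode())
    if scheme == "ssha":
        raw = base64.b64decode(payload)
        return hmac.compare_digest(raw, ssha_digest(supplied.encode(), raw[20:]))
    if scheme == "crypt":
        # Traditional crypt(3): the stored value doubles as the salt.
        try:
            import crypt  # removed in Python 3.13; "cannot verify" means failure
            result = crypt.crypt(supplied, payload)
        except (ImportError, OSError):
            return False
        return result is not None and hmac.compare_digest(result, payload)
    return False  # unknown scheme: refuse rather than guess
```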


LDAPDefaultGID

Syntax: LDAPDefaultGID gid
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDefaultGID directive sets the default GID to be used for users when no gidNumber attribute is found for that user.

This directive is useful primarily in virtual user environments common in large-scale ISPs and hosting organizations. If a user does not have an LDAP gidNumber attribute, the LDAPDefaultGID is used. This allows one to have a large number of users in an LDAP directory without gidNumber attributes; setting this configuration directive will automatically assign those users a single GID.

See also: LDAPDefaultUID


LDAPDefaultUID

Syntax: LDAPDefaultUID uid
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDefaultUID directive sets the default UID to be used for users when no uidNumber attribute is found for that user.

This directive is useful primarily in virtual user environments common in large-scale ISPs and hosting organizations. If a user does not have an LDAP uidNumber attribute, the LDAPDefaultUID is used. This allows one to have a large number of users in an LDAP directory without uidNumber attributes; setting this configuration directive will automatically assign those users a single UID.

See also: LDAPDefaultGID


LDAPDoAuth

Syntax: LDAPDoAuth off|on base-dn search-filter-template
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDoAuth configuration directive activates LDAP authentication. The second parameter to this directive is the LDAP base DN to use for authentication. The third parameter is a template to be used for the search filter; %v will be replaced with the username that is being authenticated.

By default, the search filter template used is:

  (&(uid=%v)(objectclass=posixAccount))
The uid attribute name for the search filter is taken from the LDAPAttr directive. Search filter templates are only supported in versions of mod_ldap 2.7 and later.

See also: LDAPAttr


LDAPDoGIDLookups

Syntax: LDAPDoGIDLookups off|on base-dn cn-filter-template gid-number-filter-template member-uid-filter-template
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDoGIDLookups directive activates LDAP GID-to-name lookups for directory listings. The second parameter to this directive is the LDAP base DN to use for GID-to-name lookups. The third through fifth parameters are templates to be used for the search filter; %v will be replaced with the GID that is being looked up.

By default, the cn filter template looks like this:

  (&(LDAPAttr_cn=%v)(objectclass=posixGroup))

The gidNumber filter template is:

  (&(LDAPAttr_gidNumber=%v)(objectclass=posixGroup))

and the memberUid filter template is:

  (&(LDAPAttr_memberUid=%v)(objectclass=posixGroup))

Note that filter templates are only supported in mod_ldap version 2.8.3 and later.

The attribute names used in the default search filters are taken from the LDAPAttr directive.
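As an added example (not mod_ldap's own code), this shows how the LDAPAttr mapping and the %v substitution described under LDAPAttr, LDAPDoAuth and LDAPDoGIDLookups fit together. The LDAPAttr_<name> placeholder handling and the mapping table are constructed; the escaping of the substituted value follows RFC 4515 and is what any template expander should apply so that a username or ID cannot alter the structure of the resulting filter.

```python
import re

# Constructed LDAPAttr mapping, as if proftpd.conf contained:
#   LDAPAttr uid sAMAccountName
#   LDAPAttr gidNumber primaryGroupID
LDAP_ATTR = {"uid": "sAMAccountName", "gidNumber": "primaryGroupID"}

# Default templates quoted from the directive descriptions above.
DEFAULT_AUTH_FILTER = "(&(LDAPAttr_uid=%v)(objectclass=posixAccount))"
DEFAULT_GID_FILTER = "(&(LDAPAttr_gidNumber=%v)(objectclass=posixGroup))"

# RFC 4515 assertion-value escaping: these characters must not reach the
# filter unescaped, otherwise the substituted value could change its shape.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    """Escape a value before it is substituted into a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def resolve_attr(name):
    """Apply the LDAPAttr mapping; unmapped names are used unchanged."""
    return LDAP_ATTR.get(name, name)

def expand_template(template, value):
    """Replace LDAPAttr_<name> placeholders, then %v, in a filter template."""
    filt = re.sub(r"LDAPAttr_(\w+)", lambda m: resolve_attr(m.group(1)), template)
    return filt.replace("%v", escape_filter_value(value))
```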


LDAPDoQuotaLookups

Syntax: LDAPDoQuotaLookups off|on base-dn quota-filter-template default-quota
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDoQuotaLookups directive enables LDAP quota lookups. The second parameter of this directive is the LDAP base DN to use for quota limit search. The third parameter is a template to be used for the search filter; %v will be replaced with the username that is being authenticated.

By default, the search filter template is:

  (&(LDAPAttr_uid=%v)(objectclass=posixAccount))
The uid attribute name for the search filter is taken from the LDAPAttr directive. Note that search filter templates are only supported in mod_ldap version 2.7 and later.

If specified, the default-quota parameter indicates the quota limits to use if a user does not have an ftpQuota attribute. This parameter is formatted the same way as the ftpQuota LDAP attribute.


LDAPDoUIDLookups

Syntax: LDAPDoUIDLookups off|on base-dn uid-filter-template
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPDoUIDLookups directive activates LDAP UID-to-name lookups for directory listings. The second parameter to this directive is the LDAP base DN to use for UID-to-name lookups. The third parameter is a template to be used for the search filter; %v will be replaced with the UID that is being looked up.

By default, the search filter template looks like this:

  (&(LDAPAttr_uidNumber=%v)(objectclass=posixGroup))
The uidNumber attribute name used in the search filter comes from the LDAPAttr directive. Note that filter templates are only supported in mod_ldap version 2.7 and later.


LDAPForceDefaultGID

Syntax: LDAPForceDefaultGID on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

Even when a LDAPDefaultGID is configured, the mod_ldap module will allow individual users to have gidNumber attributes that will override this default GID. With LDAPForceDefaultGID directive configured to be on, all LDAP-authenticated users are given the default GID; GIDs may not be overridden by gidNumber attributes.


LDAPForceDefaultUID

Syntax: LDAPForceDefaultUID on|off
Default: None
Context: server config
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

Even when a LDAPDefaultUID is configured, the mod_ldap module will allow individual users to have uidNumber attributes that will override this default UID. With LDAPForceDefaultUID directive configured to be on, all LDAP-authenticated users are given the default UID; UIDs may not be overridden by uidNumber attributes.


LDAPForceGeneratedHomedir

Syntax: LDAPForceGeneratedHomedir off|on directory-mode
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

See also: LDAPGenerateHomedir, LDAPGenerateHomedirPrefix, LDAPGenerateHomedirPrefixNoUsername


LDAPGenerateHomedir

Syntax: LDAPGenerateHomedir on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later


LDAPGenerateHomedirPrefix

Syntax: LDAPGenerateHomedirPrefix prefix
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later


LDAPGenerateHomedirPrefixNoUsername

Syntax: LDAPGenerateHomedirPrefixNoUsername on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later


LDAPLog

Syntax: LDAPLog file|"none"
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.3.5rc4 and later

The LDAPLog directive is used to specify a log file for mod_ldap's reporting on a per-server basis. The file parameter given must be the full path to the file to use for logging.

Note that this path must not be to a world-writable directory and, unless AllowLogSymlinks is explicitly set to on (generally a bad idea), the path must not be a symbolic link.


LDAPNegativeCache

Syntax: LDAPNegativeCache on|off
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPNegativeCache directive specifies whether or not to cache negative responses from the LDAP server when using LDAP for UID/GID lookups. This option is useful if you also use, or are in transition from, another authentication system: if there are many users in your old authentication system that aren't in the LDAP database, there can be a significant delay when a directory listing is performed, as the UIDs not in the LDAP database are repeatedly looked up in an attempt to present usernames instead of UIDs in directory listings. With LDAPNegativeCache set to on, negative ("not found") responses from the LDAP server will be cached, and speed will improve on directory listings that contain many users not present in the LDAP database.
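As an added example (not mod_ldap's own code), the resolver below shows the effect LDAPNegativeCache has on a directory listing: with negative caching off, every file owned by a UID absent from LDAP costs another query; with it on, the "not found" answer is reused. The directory contents and the listing are constructed, and the class never expires entries, so it also illustrates the caveat that a user added to LDAP after a negative answer stays unresolved until the cache is cleared.

```python
class UidNameResolver:
    """UID-to-name lookups with optional negative caching (simplified model)."""

    def __init__(self, directory, negative_cache):
        self.directory = directory          # constructed {uidNumber: uid}
        self.negative_cache = negative_cache  # stands in for LDAPNegativeCache on|off
        self.positive = {}
        self.negative = set()
        self.queries = 0                    # LDAP round trips performed

    def _ldap_lookup(self, uid_number):
        """Stand-in for the LDAPDoUIDLookups search; None means 'not found'."""
        self.queries += 1
        return self.directory.get(uid_number)

    def name_for(self, uid_number):
        if uid_number in self.positive:
            return self.positive[uid_number]
        if self.negative_cache and uid_number in self.negative:
            return None
        name = self._ldap_lookup(uid_number)
        if name is None:
            if self.negative_cache:
                self.negative.add(uid_number)
        else:
            self.positive[uid_number] = name
        return name

    def list_owners(self, uid_numbers):
        """Owner column of a listing: username if known, else the numeric UID."""
        return [self.name_for(u) or str(u) for u in uid_numbers]
```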


LDAPProtocolVersion

Syntax: LDAPProtocolVersion 2|3
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPProtocolVersion directive configures the version of the LDAP protocol that mod_ldap will use when talking to the LDAP servers. The default protocol version used is 3.


LDAPQueryTimeout

Syntax: LDAPQueryTimeout secs
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPQueryTimeout directive configures the timeout value, in seconds, that will be used for LDAP directory queries. The default timeout value is determined by your LDAP API.


LDAPSearchScope

Syntax: LDAPSearchScope onelevel|subtree
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPSearchScope directive is used to set the scope used for LDAP searches. The default setting, subtree, searches for all entries in the tree from the current level down. Setting this directive to onelevel searches only one level deep in the LDAP tree.


LDAPServer

Syntax: LDAPServer "host1:port1 host2:port2"
Default: None
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPServer directive allows you to specify the hostname(s) and port(s) of the LDAP server(s) to use for LDAP authentication. If no LDAPServer configuration directive is present, the default LDAP servers specified by your LDAP library will be used.

To specify multiple LDAP servers, enclose the entire list of servers in quotation marks. For example:

  LDAPServer "host1:port1 host2:port2"


LDAPUseSSL

Syntax: LDAPUseSSL on|off
Default: off
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.3.1rc1 and later


LDAPUseTLS

Syntax: LDAPUseTLS on|off
Default: off
Context: server config, <VirtualHost>, <Global>
Module: mod_ldap
Compatibility: 1.2.7rc1 and later

The LDAPUseTLS directive configures whether mod_ldap will use SSL/TLS to protect the connections made to the configured LDAP servers.

By default, the mod_ldap module connects to the LDAP server via non-encrypted connections. Enabling this option causes mod_ldap to use an encrypted (TLS/SSL) connection to the LDAP server. If a secure connection to the LDAP server fails, mod_ldap will not authenticate users; mod_ldap will not fall back to an insecure connection.



Usage



Installation

Follow the normal steps for using third-party modules in proftpd:

  ./configure --with-modules=mod_ldap
  make
  make install

You may need to specify the location of the OpenLDAP header and library files in your configure command, e.g.:

  ./configure --with-modules=mod_ldap \
    --with-includes=/usr/local/openldap/include \
    --with-libraries=/usr/local/openldap/lib



Usage

One mod_ldap user submitted the following configuration for allowing mod_ldap to communicate to a Windows Active Directory server. Note that this configuration has not been tested; if it works for you (or not), please let us know:

  <IfModule mod_ldap.c>
    LDAPServer dc.example.org:3268
    LDAPUseTLS on
    LDAPAuthBinds on
    LDAPDNInfo "cn=SRV_ACC_SVN_AUTH,ou=special accounts,ou=Sales,dc=example,dc=org" ******************

    LDAPDoAuth on ou=Users,ou=Sales,dc=example,dc=org "(&(sAMAccountName=%u)(objectclass=user)(memberOf=cn=Linux Admins,ou=Groups,ou=Sales,dc=example,DC=org))"
    LDAPSearchScope subtree

    # Assign default IDs
    LDAPDefaultUID 106
    LDAPDefaultGID 65534

    # Create the home directory
    LDAPGenerateHomedir on
    LDAPGenerateHomedirPrefix /home

    # Use different attribute names where necessary
    LDAPAttr uid sAMAccountName
    LDAPAttr gidNumber primaryGroupID

  </IfModule>



Author: $Author: castaglia $
Last Updated: $Date: 2014/01/21 22:11:45 $


© Copyright 2013-2014 TJ Saunders
All Rights Reserved