I'm trying to authenticate my FTP users from Active Directory using LDAPS over SSL (port 636).
I managed to get it working using simple LDAP on port 389 and now I would like to increase security!
OS is Debian 11 x64 up to date
ProFTPD version:
# dpkg -l | grep proftpd
ii proftpd-core 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - binaries
ii proftpd-mod-crypto 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - TLS/SSL/SFTP modules
ii proftpd-mod-ldap 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - LDAP module
Here's the ldap.conf file:
<IfModule mod_ldap.c>
LDAPServer ldaps://x.x.x.x/??sub
LDAPAuthBinds on
LDAPSearchScope subtree
LDAPBindDN "CN=myuser,CN=Users,DC=domain,DC=local" "password"
LDAPUsers "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))"
LDAPGenerateHomedir on 0775
CreateHome on 0755
LDAPGenerateHomedirPrefix /home/ftphome
LDAPDefaultUID 1111
LDAPDefaultGID 1111
LDAPAttr uid sAMAccountName
LDAPAttr gidNumber primaryGroupID
LDAPLog /var/log/proftpd/ldap.log
</IfModule>
When the service is running (as proftpd/nogroup), authentication does not work:
2023-05-23 14:54:19,616 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,618 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,619 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,620 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,629 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
2023-05-23 14:54:19,631 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,638 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
I tried debug mode ('proftpd -n -d 10') and it works:
2023-05-23 14:56:51,051 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,053 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,054 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,055 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,065 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,195 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
I don't understand why it runs OK in debug mode, and of course I need it to run in service mode!
I tried running the service as root/root (which is bad!) and it doesn't work either.
Thanks for any help, because I'm really stuck.
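The following diagnostic is an added example, not code from the post above or from the ProFTPD project. It is built on one fact about the error shown: libldap reports "Can't contact LDAP server" (LDAP_SERVER_DOWN) for an ldaps:// URL whenever the TLS handshake fails, not only when the TCP connection fails, and the TLS settings it uses come from the OpenLDAP client configuration (/etc/ldap/ldap.conf on Debian, plus ~/.ldaprc of the invoking user), not from proftpd.conf. Since the same bind succeeds from a root shell in debug mode, the useful comparison is to perform the same bind as the service user, with an empty environment, and to look at the TLS layer directly. The host name, bind DN, CA path and service user below are placeholders/assumptions to be replaced.

```sh
#!/bin/sh
# Added diagnostic for "Can't contact LDAP server" on ldaps:// binds.
# Assumptions: Debian OpenLDAP client config at /etc/ldap/ldap.conf,
# service user "proftpd", ldapsearch and openssl installed. The LDAP host
# and bind DN passed to diagnose() are placeholders.

# Extract a directive's value (e.g. TLS_CACERT, TLS_REQCERT) from an
# OpenLDAP-style ldap.conf. Keywords are case-insensitive; '#' lines are
# comments; the value is everything after the first whitespace run.
# Prints nothing if the directive is absent.
ldapconf_get() {
    conf="$1"; key="$2"
    awk -v key="$key" '
        $0 !~ /^[[:space:]]*#/ && toupper($1) == toupper(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$conf"
}

# Is a file readable as the given (unprivileged) user? ProFTPD session
# processes drop to that user, so a CA bundle readable only by root works
# in a root debug run and fails in the daemon. Needs root to switch user.
readable_as() {
    user="$1"; path="$2"
    runuser -u "$user" -- test -r "$path"
}

# Run the three checks that separate transport/TLS problems from
# credential problems. Usage: diagnose dc01.domain.local 'CN=myuser,...'
diagnose() {
    host="$1"; binddn="$2"; user="${3:-proftpd}"
    conf=/etc/ldap/ldap.conf
    cacert=$(ldapconf_get "$conf" TLS_CACERT)
    reqcert=$(ldapconf_get "$conf" TLS_REQCERT)
    echo "TLS_CACERT=${cacert:-<unset>}  TLS_REQCERT=${reqcert:-<unset; libldap defaults to demand>}"

    if [ -n "$cacert" ]; then
        if readable_as "$user" "$cacert"; then
            echo "CA file readable as $user: yes"
        else
            echo "CA file readable as $user: NO (root debug run would still succeed)"
        fi
        set -- -CAfile "$cacert"
    else
        set --
    fi

    # 1. Raw TLS handshake and chain verification, independent of libldap.
    #    A verify error here is the same failure mod_ldap hides behind
    #    "Can't contact LDAP server".
    echo "--- openssl s_client ---"
    openssl s_client -connect "$host:636" -servername "$host" "$@" \
        -verify_return_error </dev/null

    # 2. The bind the daemon performs, as the service user, with the
    #    daemon-like empty environment (no HOME, so no ~/.ldaprc).
    #    -d 1 makes libldap print the TLS error text on stderr.
    echo "--- ldapsearch as $user ---"
    runuser -u "$user" -- env -i PATH=/usr/bin:/bin \
        ldapsearch -x -d 1 -H "ldaps://$host/" -D "$binddn" -W \
        -b "" -s base -LLL namingContexts
}

# Only run the network checks when explicitly asked:
#   sh ldaps-diag.sh diagnose dc01.domain.local 'CN=myuser,CN=Users,DC=domain,DC=local'
if [ "${1:-}" = "diagnose" ]; then
    shift
    diagnose "$@"
fi
```

If step 1 fails chain verification, or step 2 fails only as the service user, the fix is in the trust configuration (point TLS_CACERT at the AD CA certificate and make that file world-readable; a public CA certificate is not a secret), not in proftpd.conf. Resist the common workaround of setting TLS_REQCERT never: it turns off server certificate verification, and the LDAPS bind then sends the LDAPBindDN password to whoever answers on port 636, which is no better than the plaintext port 389 setup being replaced.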