Michael-John Turner on Fri, 3 Dec 1999 23:18:33 +0200



Re: GLUG: LDAP enabled FTP - ?


On Fri, Dec 03, 1999 at 10:03:47AM +0100, Graham Leggett wrote:
> PAM still requires Posix accounts, which creates an extra administrative
> burden on us to make sure our LDAP database has user accounts with
> proper posix user and group numbers, etc. A real huge pain in the ass,
> just for ftp. In addition to this it becomes a real burden making sure
> the system is configured not to give any more than ftp access to anyone
> who might poison the LDAP database. It's very easy to misconfigure
> enormous security holes into the system and be oblivious to their
> presence.

(Strictly speaking) PAM doesn't require Posix accounts on the box - I have
Cyrus authing via PAM and it auths users from a text file with
username:passwd pairs (using pam_pwdfile). None of the mail users have
accounts on the machine.  If one uses the (default) pam_unix module, which
interfaces to NSS, one would need a Posix account.

I had another quick look through the ProFTPD docs and it appears that what
you can probably do is configure it to auth via PAM and have all the users
logging in share one Posix uid/gid. Alternatively, instead of using PAM and
LDAP, extract usernames and passwords from the LDAP server and dump those
into a text file for ProFTPD to use with its AuthUserFile and AuthGroupFile
options. I don't know how this affects the chroot, though.

-mj
-- 
Michael-John Turner          | http://www.edr.uct.ac.za/~mj/
mj@xxxxxxxxxxxxxxxxxxxxx     | Linux @ UCT -> http://www.leg.uct.ac.za/
mj@xxxxxxxxxx, mj@xxxxxxxxxx | PGP key via mail, WWW or finger @phantom
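One way to carry out the second option MJ describes (dump LDAP users into ProFTPD's AuthUserFile/AuthGroupFile, everyone sharing a single unprivileged uid/gid), as an added example that is code from neither this thread nor ProFTPD: it reads a constructed LDIF export, keeps only entries whose userPassword is a {CRYPT} hash (the form a passwd(5)-style AuthUserFile can check) and whose uid is a plain name, and emits the two files' lines. The shared uid/gid, home directory and shell are assumed values, and the hashes in the sample are placeholders.

```python
import re

# Constructed sample LDIF export; the hashes are placeholders, not real credentials.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
userPassword: {CRYPT}$1$Zz8qK2yq$placeholderhash000000

dn: uid=bob,ou=people,dc=example,dc=org
uid: bob
userPassword: {SSHA}placeholderbase64==

dn: uid=ev:il,ou=people,dc=example,dc=org
uid: ev:il
userPassword: {CRYPT}$1$Zz8qK2yq$placeholderhash000001
"""

FTP_UID, FTP_GID = 2000, 2000          # one shared, unprivileged uid/gid (assumed)
FTP_HOME, FTP_SHELL = "/srv/ftp", "/bin/false"   # assumed; shell denies logins
SAFE_NAME = re.compile(r"^[a-z][a-z0-9._-]{0,31}$")

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def to_auth_files(entries):
    """Return (AuthUserFile lines, AuthGroupFile line, rejected uids)."""
    users, rejected = [], []
    for e in entries:
        name = e.get("uid", [""])[0]
        pw = e.get("userpassword", [""])[0]
        # Only crypt(3) hashes are usable; a name or hash containing ':' could
        # inject extra passwd fields from a poisoned directory entry, so drop it.
        hash_ = pw[len("{CRYPT}"):] if pw.startswith("{CRYPT}") else ""
        if not SAFE_NAME.match(name) or not hash_ or ":" in hash_:
            rejected.append(name)
            continue
        users.append(f"{name}:{hash_}:{FTP_UID}:{FTP_GID}:{name}:{FTP_HOME}/{name}:{FTP_SHELL}")
    group = f"ftpusers:x:{FTP_GID}:{','.join(u.split(':')[0] for u in users)}"
    return users, group, rejected
```

Rejected names are returned rather than silently dropped so the export can be audited against the directory.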