<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 11/03/2013 02:12 AM, Fred van Zwieten wrote:
<blockquote
cite="mid:CALVifsZNh4a-__d3hNh3BxY3ao8BkFZR8Huh29EtYiGm_zXtzw@mail.gmail.com"
type="cite">
<div dir="ltr">Hi there,
<div><br>
</div>
<div>I have a question. We have a vsftpd service running which
authenticates its virtual users against an application level
openldap database. No IPA involved here. It works using
pam_ldap. The virtual users are mapped to a local user through
the "guest_user=&lt;user&gt;" directive in vsftpd.conf. As the
vsftpd service is running on an IPA client (RHEL6), I was kind
of hoping this "local user" would in fact be an IPA user. Nope.
He must currently live in /etc/passwd. This is, I suspect,
because we have a different pam file for vsftpd to be able to
communicate with the application openldap, making it
impossible to also use IPA.</div>
<div><br>
</div>
<div>Is there a way to have the vsftpd check (and use) with IPA
for its local users and the application level openldap
service for its virtual users?</div>
<div><br>
</div>
<div>This is the pam file vsftpd came with originally:</div>
<div><br>
</div>
<pre>#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
# Deny the accounts listed in /etc/vsftpd/ftpusers; onerr=succeed lets the
# login continue if the list cannot be read
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
# Require a login shell that is listed in /etc/shells
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
# Set the audit loginuid for the session
session    required     pam_loginuid.so
session    include      password-auth
</pre>
<div><br>
</div>
<div><br>
</div>
<div>And this is the pam file we now use:</div>
<div><br>
</div>
<pre>#%PAM-1.0
# Every phase goes to pam_ldap, i.e. the application OpenLDAP server
# named in pam_ldap's own configuration file
auth       required     /lib64/security/pam_ldap.so
account    required     /lib64/security/pam_ldap.so
session    required     /lib64/security/pam_ldap.so
password   required     /lib64/security/pam_ldap.so
</pre>
<div><br>
</div>
<div>Thanks for any answer.</div>
<div><br>
</div>
<div>Cheers,</div>
<div><br>
</div>
<div>Fred</div>
<div><br>
</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
If you configure SSSD with two domains, one IPA and another LDAP, and then
tell vsftpd to use pam_sss in the pam stack instead of pam_ldap, you
will be able to authenticate users coming from both sources.<br>
Effectively you need to take your pam_ldap configuration, translate
it into sssd.conf settings for the second domain (do not touch the
one that you already have, just add another one) and then switch the
pam config for vsftpd. This should result in what you are looking
for.<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
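<p>The translation Dmitri describes, as an added example that is not part of the original thread and not code from SSSD or vsftpd: it takes the key/value settings behind a pam_ldap stack, turns them into a second SSSD domain next to the untouched IPA domain, and produces the vsftpd PAM stack that calls pam_sss instead of pam_ldap. The two sample configuration files, the domain names <code>example.com</code> and <code>appldap</code>, and the key mapping table are constructed for this example.</p>

```python
"""Added example (not from the original thread, SSSD or vsftpd): build an
SSSD ldap domain from pam_ldap.conf settings and the matching vsftpd PAM
stack.  All sample configs and domain names are constructed assumptions."""
import configparser
import io

# Constructed sample of the pam_ldap.conf behind the current vsftpd stack.
SAMPLE_PAM_LDAP_CONF = """\
uri ldap://ldap.app.example.com/
base ou=ftpusers,dc=app,dc=example,dc=com
binddn cn=proxy,dc=app,dc=example,dc=com
bindpw s3cret
ssl start_tls
tls_cacertfile /etc/openldap/cacerts/app-ca.pem
pam_filter objectClass=posixAccount
"""

# Constructed sample of the sssd.conf an IPA client already has; the IPA
# domain section is left exactly as it is, only a second domain is added.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
cache_credentials = True
"""

# pam_ldap.conf key -> equivalent option of the SSSD ldap provider.
KEY_MAP = {
    "uri": "ldap_uri",
    "base": "ldap_search_base",
    "binddn": "ldap_default_bind_dn",
    "bindpw": "ldap_default_authtok",
    "tls_cacertfile": "ldap_tls_cacert",
}


def parse_pam_ldap_conf(text):
    """pam_ldap.conf is one 'key value' per line; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def pam_ldap_to_sssd_domain(settings):
    """Build the [domain/...] options for the application LDAP server."""
    domain = {
        "id_provider": "ldap",
        "auth_provider": "ldap",
        "chpass_provider": "ldap",
        "ldap_schema": "rfc2307",
        "cache_credentials": "False",  # do not keep FTP passwords offline
    }
    for key, option in KEY_MAP.items():
        if key in settings:
            domain[option] = settings[key]
    if "ldap_uri" not in domain and "host" in settings:  # legacy 'host' key
        domain["ldap_uri"] = ", ".join(
            "ldap://%s/" % h for h in settings["host"].split())
    if settings.get("ssl", "").lower() == "start_tls":
        domain["ldap_id_use_start_tls"] = "True"
    if settings.get("tls_checkpeer", "yes").lower() in ("no", "false"):
        domain["ldap_tls_reqcert"] = "allow"  # pam_ldap did not verify the peer
    if "pam_filter" in settings:
        # Closest equivalent: enforce the same filter in the account phase.
        domain["access_provider"] = "ldap"
        domain["ldap_access_filter"] = settings["pam_filter"]
    return domain


def add_ldap_domain(sssd_conf_text, domain_name, domain_options):
    """Append the domain to 'domains =' and add its section, leaving the
    existing IPA domain section unchanged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(sssd_conf_text)
    section = "domain/%s" % domain_name
    if cp.has_section(section):
        raise ValueError("domain %s already configured" % domain_name)
    existing = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    cp["sssd"]["domains"] = ", ".join(existing + [domain_name])
    cp[section] = domain_options
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


# /etc/pam.d/vsftpd with pam_sss in place of pam_ldap.  The ftpusers deny
# list and pam_loginuid come from the stock stack quoted in the thread;
# pam_shells is left out, assuming virtual accounts carry no login shell.
VSFTPD_PAM_SSS = """\
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_sss.so
account    required     pam_sss.so
password   required     pam_sss.so
session    required     pam_loginuid.so
session    optional     pam_sss.so
"""

if __name__ == "__main__":
    ldap_domain = pam_ldap_to_sssd_domain(parse_pam_ldap_conf(SAMPLE_PAM_LDAP_CONF))
    print(add_ldap_domain(SAMPLE_SSSD_CONF, "appldap", ldap_domain))
    print(VSFTPD_PAM_SSS)
```

<p>After writing the result to /etc/sssd/sssd.conf (root-owned, mode 0600, or SSSD refuses to start) and restarting sssd, check that both sources resolve through NSS before touching the PAM file: <code>getent passwd &lt;guest_user&gt;</code> should come back from the IPA domain and <code>getent passwd &lt;virtual user&gt;</code> from the new LDAP domain, since vsftpd looks up <code>guest_user</code> through NSS and not through PAM. An unqualified login name is tried against the domains in the order of the <code>domains =</code> line, so a name that exists in both directories is answered by the IPA domain first.</p>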
</body>
</html>