[Freeipa-users] vsftpd and IPA and openldap

Dmitri Pal dpal at redhat.com
Mon Nov 4 20:09:31 UTC 2013


On 11/03/2013 02:12 AM, Fred van Zwieten wrote:
> Hi there,
>
> I have a question. We have a vsftpd service running which
> authenticates its virtual users against an application-level openldap
> database. No IPA involved here. It works using pam_ldap. The virtual
> users are mapped to a local user through the "guest_user=<user>"
> directive in vsftpd.conf. As the vsftpd service is running on an IPA
> client (RHEL6), I was kind of hoping this "local user" would in fact
> be an IPA user. Nope. He must currently live in /etc/passwd. This is, I
> suspect, because we have a different pam file for vsftpd to be able to
> communicate with the application openldap, making it impossible to
> also use IPA.
>
> Is there a way to have vsftpd check (and use) IPA for its
> local users and the application-level openldap service for its
> virtual users?
>
> This is the pam file vsftpd came with originally:
>
> #%PAM-1.0
> session    optional     pam_keyinit.so    force revoke
> auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
> auth       required     pam_shells.so
> auth       include      password-auth
> account    include      password-auth
> session    required     pam_loginuid.so
> session    include      password-auth
>
>
> And this is the pam file we now use:
>
> #%PAM-1.0
> auth     required /lib64/security/pam_ldap.so
> account  required /lib64/security/pam_ldap.so
> session  required /lib64/security/pam_ldap.so
> password required /lib64/security/pam_ldap.so
>
> Thanks for any answer.
>
> Cheers,
>
> Fred
>
If you configure SSSD with two domains, one IPA and another LDAP, and then tell
vsftpd to use pam_sss in the pam stack instead of pam_ldap, you will be
able to authenticate users coming from both sources.
Effectively you need to take your pam_ldap configuration, translate it
into sssd.conf settings for the second domain (do not touch the one that
you already have, just add another one) and then switch the pam config
for vsftpd. This should result in what you are looking for.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
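The two-domain sssd.conf that the reply describes, as an added example that is not from the thread: the domain names, server hostnames, search base and CA path are assumed placeholders, and it assumes the virtual-user entries carry posixAccount attributes so that SSSD's LDAP provider can resolve them.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Domain order is also the lookup order for unqualified user names.
domains = ipa.example.test, ftpapp

[domain/ipa.example.test]
# The existing IPA client domain as ipa-client-install wrote it: left untouched.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = ipa.example.test
ipa_server = _srv_, ipa1.ipa.example.test
cache_credentials = True

[domain/ftpapp]
# Second domain: the application openldap that holds the vsftpd virtual users.
# Values are translated from the old pam_ldap settings (assumed placeholders here).
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.app.example.test
ldap_search_base = ou=vusers,dc=app,dc=example,dc=test
ldap_schema = rfc2307
# Pin the CA that signed the LDAP server certificate and require a valid chain;
# SSSD will not send a password in a simple bind over a non-TLS connection.
ldap_tls_cacert = /etc/openldap/cacerts/app-ca.pem
ldap_tls_reqcert = demand
# Entries must be resolvable as POSIX users (uid, uidNumber, gidNumber,
# homeDirectory), because pam_sss looks the user up through the id_provider.
ldap_user_object_class = posixAccount
# Virtual FTP accounts do not need offline logins; do not cache their hashes.
cache_credentials = False
```

In /etc/pam.d/vsftpd each `pam_ldap.so` line then becomes the same line with `pam_sss.so`; pam_sss tries the domains in the configured order, so a virtual user from the application LDAP and an IPA user authenticate through the same stack.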

