2016-05-19 06:51:20 -05:00
<!DOCTYPE html>
2015-08-06 22:56:15 -05:00
< html >
< head >
< meta http-equiv = "Content-Type" content = "text/html; charset=utf-8" / >
< title > Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS< / title >
< link rel = "stylesheet" type = "text/css" href = "./css/markdown.css" / >
< / head >
< body >
< div id = "navigation" >
2016-04-19 12:48:51 -05:00
< a href = "/index.html" target = "_blank" >
< img alt = "iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>
< span > iRedMail< / span >
< / a >
2016-02-29 02:15:19 -06:00
// < a href = "./index.html" > Document Index< / a > < / div > < h1 id = "install-pure-ftpd-with-openldap-backend-on-rhelcentos" > Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS< / h1 >
2015-08-06 22:56:15 -05:00
< div class = "toc" >
< ul >
< li > < a href = "#install-pure-ftpd-with-openldap-backend-on-rhelcentos" > Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS< / a > < ul >
< li > < a href = "#install-pure-ftpd" > Install Pure-FTPd< / a > < / li >
< li > < a href = "#use-a-proper-ldap-bind-dnpassword-to-query-accounts" > Use a proper LDAP bind dn/password to query accounts< / a > < / li >
< li > < a href = "#configure-the-ldap-setting-for-pureftpd" > Configure the LDAP setting for PureFTPD< / a > < / li >
< li > < a href = "#config-openldap" > Config OpenLDAP< / a > < / li >
< li > < a href = "#create-ftp-home-directory" > Create FTP Home Directory< / a > < / li >
< li > < a href = "#restart-openldap-and-pure-ftpd-service" > Restart OpenLDAP and Pure-FTPD Service< / a > < / li >
< li > < a href = "#add-ldap-ftp-attributes-and-values-for-new-user" > Add LDAP FTP attributes and values for new user< / a > < / li >
< li > < a href = "#configure-iptables" > Configure iptables< / a > < / li >
< li > < a href = "#testing" > Testing< / a > < / li >
< li > < a href = "#troubleshooting" > Troubleshooting< / a > < / li >
< / ul >
< / li >
< / ul >
< / div >
< h2 id = "install-pure-ftpd" > Install Pure-FTPd< / h2 >
< p > Install PureFTPD from EPEL yum repo:< / p >
< pre > < code > # yum install pure-ftpd
< / code > < / pre >
< h2 id = "use-a-proper-ldap-bind-dnpassword-to-query-accounts" > Use a proper LDAP bind dn/password to query accounts< / h2 >
2016-04-18 11:30:23 -05:00
< p > iRedMail generates a read-only LDAP bind dn < code > cn=vmail,dc=xxx,dc=xxx< / code > during
installation, so it's perfect to query user accounts with this dn.< / p >
< p > You can find the full dn and password in < code > /etc/postfix/ldap/catchall_maps.cf< / code > :< / p >
2015-08-06 22:56:15 -05:00
< pre > < code > # grep 'bind_' /etc/postfix/ldap/catchall_maps.cf
bind_dn = cn=vmail,dc=example,dc=com
bind_pw = InYTi8qGjamTb6Me2ESwbb6rxQUs5y
< / code > < / pre >
< h2 id = "configure-the-ldap-setting-for-pureftpd" > Configure the LDAP setting for PureFTPD< / h2 >
< ul >
2016-04-18 11:30:23 -05:00
< li > Open < code > /etc/pure-ftpd/pureftpd-ldap.conf< / code > and update parameters below:< / li >
2015-08-06 22:56:15 -05:00
< / ul >
2016-04-18 11:30:23 -05:00
< pre > < code > LDAPServer localhost
LDAPPort 389
LDAPBaseDN o=domains,dc=example,dc=com
LDAPBindDN cn=vmail,dc=example,dc=com
LDAPBindPW InYTi8qGjamTb6Me2ESwbb6rxQUs5y # cn=vmail password
LDAPDefaultUID 2000 # < - UID of `vmail` user.
LDAPDefaultGID 2000 # < - GID of `vmail` user.
LDAPFilter (& (objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled))
LDAPHomeDir FTPHomeDir # < - New LDAP attribute, we will add it later.
LDAPVersion 3
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< h2 id = "config-openldap" > Config OpenLDAP< / h2 >
< ul >
2016-04-18 11:30:23 -05:00
< li > Get the schema modified by iredmail, it adds a new attribute < code > FTPHomeDir< / code > to
store per-user FTP home directory. Default schema uses < code > homeDirectory< / code > .< / li >
2015-08-06 22:56:15 -05:00
< / ul >
< pre > < code > # wget https://bitbucket.org/zhb/iredmail/raw/default/extra/samples/pureftpd.schema
2016-04-18 11:30:23 -05:00
# mv pureftpd.schema /etc/openldap/schema/
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< ul >
2016-04-18 11:30:23 -05:00
< li > Update < code > /etc/openldap/slapd.conf< / code > , include < code > pureftpd.schema< / code > after < code > iredmail.schema< / code > :< / li >
2015-08-06 22:56:15 -05:00
< / ul >
< pre > < code > include /etc/openldap/schema/iredmail.schema
include /etc/openldap/schema/pureftpd.schema # < -- Add this line.
< / code > < / pre >
< ul >
< li > Open < code > /etc/openldap/slapd.conf< / code > , append required indexes for attributes
defined in < code > pureftpd.schema< / code > :< / li >
< / ul >
< pre > < code > # Indexes for Pure-FTPd LDAP attributes.
index FTPQuotaFiles,FTPQuotaMBytes eq,pres
index FTPUploadRatio,FTPDownloadRatio eq,pres
index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres
index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres
< / code > < / pre >
< h2 id = "create-ftp-home-directory" > Create FTP Home Directory< / h2 >
< p > We're going to store all FTP data under < code > /home/ftp/< / code > directory, so let's create
2016-04-18 11:30:23 -05:00
< code > /home/ftp/< / code > first, directory owner MUST be < code > root< / code > user.< / p >
2015-08-06 22:56:15 -05:00
< pre > < code > # mkdir /home/ftp/
# ls -dl /home/ftp
drwxr-xr-x 3 root root 4096 Jun 7 20:18 /home/ftp/
< / code > < / pre >
< h2 id = "restart-openldap-and-pure-ftpd-service" > Restart OpenLDAP and Pure-FTPD Service< / h2 >
2016-04-18 11:30:23 -05:00
< p > Restart Pure-FTPd and OpenLDAP services:< / p >
2015-08-06 22:56:15 -05:00
< pre > < code > # /etc/init.d/ldap restart
# /etc/init.d/pure-ftpd restart
# netstat -ntlp | grep pure-ftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2062/pure-ftpd (SERVER)
tcp 0 0 :::21 :::* LISTEN 2062/pure-ftpd (SERVER)
< / code > < / pre >
< h2 id = "add-ldap-ftp-attributes-and-values-for-new-user" > Add LDAP FTP attributes and values for new user< / h2 >
2016-04-18 11:30:23 -05:00
< p > With script shipped in iRedMail, you can quickly create NEW mail user which
has pureftpd service support.< / p >
2015-08-06 22:56:15 -05:00
< ul >
2016-04-18 11:30:23 -05:00
< li > Open file < code > tools/create_mail_user_OpenLDAP.sh< / code > under your iRedMail directory
(e.g. < code > /root/iRedMail-0.9.4/tools/create_mail_user_OpenLDAP.sh< / code > ), update
paraemters below with correct values:< / li >
2015-08-06 22:56:15 -05:00
< / ul >
2016-04-18 11:30:23 -05:00
< pre > < code > LDAP_SUFFIX=" dc=example,dc=com" # < - Change the LDAP suffix
BINDPW='passwd' # < - Password for the bind dn `cn=Manager,dc=example,dc=com`
PUREFTPD_INTEGRATION='YES' # < - Set to 'YES' to enable the pureftp inteegration
FTP_STORAGE_BASE_DIRECTORY='/home/ftp' # < - Change it to the ftp home directory
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< ul >
2016-04-18 11:30:23 -05:00
< li > Run the script to create a new user < code > user1@example.com< / code > . The default
password is same as user name (< code > user1< / code > ) by default.< / li >
2015-08-06 22:56:15 -05:00
< / ul >
< pre > < code > # bash create_mail_user_OpenLDAP.sh example.com user1
adding new entry " ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry " ou=Groups,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry " ou=Aliases,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry " mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
< / code > < / pre >
2016-04-18 11:30:23 -05:00
< p > You can now login to both webmail and FTP service as this user.< / p >
2015-08-06 22:56:15 -05:00
< h2 id = "configure-iptables" > Configure iptables< / h2 >
< p > iRedMail doesn't open port 20 and 21 by default, you must open them first.< / p >
< ul >
< li > Open < code > /etc/sysconfig/iptables< / code > and set correct values:< / li >
< / ul >
< pre > < code > -A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
< / code > < / pre >
< ul >
< li > Restart the iptables service< / li >
< / ul >
2016-04-18 11:30:23 -05:00
< pre > < code > # service iptables restart
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< h2 id = "testing" > Testing< / h2 >
2016-04-18 11:30:23 -05:00
< p > You can use windows FTP client or Linux ftp client (e.g. command line ftp
client < code > lftp< / code > or GUI client < a href = "https://filezilla-project.org" > < code > FileZilla< / code > < / a > ) for
testing.< / p >
< p > We use < code > lftp< / code > for testing below:< / p >
2015-08-06 22:56:15 -05:00
< pre > < code > $ lftp localhost
localhost:~> debug 4
localhost:~> login user1@example.com user1 # < -- input the username and password
user1@example.com@localhost:~> ls
---- Connecting to localhost (127.0.0.1) port 21
< --- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
< --- 220-You are user number 1 of 50 allowed.
< --- 220-Local time is now 16:25. Server port: 21.
< --- 220-IPv6 connections are also welcome on this server.
< --- 220 You will be disconnected after 15 minutes of inactivity.
< --- 211-Extensions supported:
< --- EPRT
< --- IDLE
< --- MDTM
< --- SIZE
< --- REST STREAM
< --- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
< --- MLSD
< --- ESTP
< --- PASV
< --- EPSV
< --- SPSV
< --- ESTA
< --- AUTH TLS
< --- PBSZ
< --- PROT
< --- UTF8
< --- 211 End.
< --- 500 This security scheme is not implemented
< --- 200 OK, UTF-8 enabled
< --- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
< --- 331 User user1@example.com OK. Password required
< --- 230-Your bandwidth usage is restricted
< --- 230-User user1@example.com has group access to: vmail
< --- 230-You must respect a 1:5 (UL/DL) ratio
< --- 230-OK. Current restricted directory is /
< --- 230-0 files used (0%) - authorized: 50 files
< --- 230 0 Kbytes used (0%) - authorized: 10240 Kb
< --- 257 " /" is your current location
< --- 227 Entering Passive Mode (127,0,0,1,32,58)
< --- 150 Accepted data connection
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 .
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 ..
-rw------- 1 500 vmail 0 Jun 10 16:16 .ftpquota
< / code > < / pre >
< h2 id = "troubleshooting" > Troubleshooting< / h2 >
< p > Enable verbose log in pure-ftpd< / p >
< ul >
< li > Open < code > /etc/pure-ftpd/pure-ftpd.conf< / code > and set correct values:< / li >
< / ul >
2016-04-18 11:30:23 -05:00
< pre > < code > VerboseLog yes # < -- change from no to yes
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< ul >
2016-04-18 11:30:23 -05:00
< li > Open < code > /etc/rsyslog.conf< / code > and set correct values:< / li >
2015-08-06 22:56:15 -05:00
< / ul >
< pre > < code > ftp.* -/var/log/pureftpd.log # < -- Add entry
< / code > < / pre >
< ul >
< li > Restart services< / li >
< / ul >
2016-04-18 11:30:23 -05:00
< pre > < code > # service pure-ftpd restart
# service rsyslog restart
2015-08-06 22:56:15 -05:00
< / code > < / pre >
< p > Monitor < code > /var/log/pureftpd.log< / code > for troubleshooting:< / p >
< pre > < code > # tail -0f /var/log/pureftpd.log
< / code > < / pre >
2016-05-19 06:51:20 -05:00
< p > If you need to debug OpenLDAP, please refer to another document: < a href = "./debug.openldap.html" > Debug OpenLDAP< / a > .< / p > < div class = "footer" >
< p style = "text-align: center; color: grey;" > All documents are available in < a href = "https://bitbucket.org/zhb/iredmail-docs/src" > BitBucket repository< / a > , and published under < a href = "http://creativecommons.org/licenses/by-nd/3.0/us/" target = "_blank" > Creative Commons< / a > license. You can < a href = "https://bitbucket.org/zhb/iredmail-docs/get/tip.tar.bz2" > download the latest version< / a > for offline reading. If you found something wrong, please do < a href = "http://www.iredmail.org/contact.html" > contact us< / a > to fix it.< / p >
< / div >
< script type = "text/javascript" >
2015-08-06 22:56:15 -05:00
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-3293801-21', 'auto');
ga('send', 'pageview');
< / script >
< / body > < / html >