6.7 KiB
6.7 KiB
Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS
[TOC]
Install Pure-FTPd
Install PureFTPD from EPEL yum repo:
# yum install pure-ftpd
Use a proper LDAP bind dn/password to query accounts
iRedMail generates a read-only LDAP bind dn cn=vmail,dc=xxx,dc=xxx during
installation, so it's perfect to query user accounts with this dn.
You can find the full dn and password in /etc/postfix/ldap/catchall_maps.cf:
# grep 'bind_' /etc/postfix/ldap/catchall_maps.cf
bind_dn = cn=vmail,dc=example,dc=com
bind_pw = InYTi8qGjamTb6Me2ESwbb6rxQUs5y
Configure the LDAP setting for PureFTPD
- Open
/etc/pure-ftpd/pureftpd-ldap.confand update parameters below:
LDAPServer localhost
LDAPPort 389
LDAPBaseDN o=domains,dc=example,dc=com
LDAPBindDN cn=vmail,dc=example,dc=com
LDAPBindPW InYTi8qGjamTb6Me2ESwbb6rxQUs5y # cn=vmail password
LDAPDefaultUID 2000 # <- UID of `vmail` user.
LDAPDefaultGID 2000 # <- GID of `vmail` user.
LDAPFilter (&(objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled))
LDAPHomeDir FTPHomeDir # <- New LDAP attribute, we will add it later.
LDAPVersion 3
Config OpenLDAP
- Get the schema modified by iredmail, it adds a new attribute
FTPHomeDirto store per-user FTP home directory. Default schema useshomeDirectory.
# wget https://bitbucket.org/zhb/iredmail/raw/0.9.9/extra/samples/pureftpd.schema
# mv pureftpd.schema /etc/openldap/schema/
- Update
/etc/openldap/slapd.conf, includepureftpd.schemaafteriredmail.schema:
include /etc/openldap/schema/iredmail.schema
include /etc/openldap/schema/pureftpd.schema # <-- Add this line.
- Open
/etc/openldap/slapd.conf, append required indexes for attributes defined inpureftpd.schema:
# Indexes for Pure-FTPd LDAP attributes.
index FTPQuotaFiles,FTPQuotaMBytes eq,pres
index FTPUploadRatio,FTPDownloadRatio eq,pres
index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres
index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres
Create FTP Home Directory
We're going to store all FTP data under /home/ftp/ directory, so let's create
/home/ftp/ first, directory owner MUST be root user.
# mkdir /home/ftp/
# ls -dl /home/ftp
drwxr-xr-x 3 root root 4096 Jun 7 20:18 /home/ftp/
Restart OpenLDAP and Pure-FTPD Service
Restart Pure-FTPd and OpenLDAP services:
# /etc/init.d/ldap restart
# /etc/init.d/pure-ftpd restart
# netstat -ntlp | grep pure-ftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2062/pure-ftpd (SERVER)
tcp 0 0 :::21 :::* LISTEN 2062/pure-ftpd (SERVER)
Add LDAP FTP attributes and values for new user
With script shipped in iRedMail, you can quickly create NEW mail user which has pureftpd service support.
- Open file
tools/create_mail_user_OpenLDAP.shunder your iRedMail directory (e.g./root/iRedMail-0.9.4/tools/create_mail_user_OpenLDAP.sh), update paraemters below with correct values:
LDAP_SUFFIX="dc=example,dc=com" # <- Change the LDAP suffix
BINDPW='passwd' # <- Password for the bind dn `cn=Manager,dc=example,dc=com`
PUREFTPD_INTEGRATION='YES' # <- Set to 'YES' to enable the pureftp inteegration
FTP_STORAGE_BASE_DIRECTORY='/home/ftp' # <- Change it to the ftp home directory
- Run the script to create a new user
user1@example.com. The default password is same as user name (user1) by default.
# bash create_mail_user_OpenLDAP.sh example.com user1
adding new entry "ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "ou=Groups,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "ou=Aliases,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
You can now login to both webmail and FTP service as this user.
Configure iptables
iRedMail doesn't open port 20 and 21 by default, you must open them first.
- Open
/etc/sysconfig/iptablesand set correct values:
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
- Restart the iptables service
# service iptables restart
Testing
You can use windows FTP client or Linux ftp client (e.g. command line ftp
client lftp or GUI client FileZilla) for
testing.
We use lftp for testing below:
$ lftp localhost
localhost:~> debug 4
localhost:~> login user1@example.com user1 # <-- input the username and password
user1@example.com@localhost:~> ls
---- Connecting to localhost (127.0.0.1) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 1 of 50 allowed.
<--- 220-Local time is now 16:25. Server port: 21.
<--- 220-IPv6 connections are also welcome on this server.
<--- 220 You will be disconnected after 15 minutes of inactivity.
<--- 211-Extensions supported:
<--- EPRT
<--- IDLE
<--- MDTM
<--- SIZE
<--- REST STREAM
<--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<--- MLSD
<--- ESTP
<--- PASV
<--- EPSV
<--- SPSV
<--- ESTA
<--- AUTH TLS
<--- PBSZ
<--- PROT
<--- UTF8
<--- 211 End.
<--- 500 This security scheme is not implemented
<--- 200 OK, UTF-8 enabled
<--- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
<--- 331 User user1@example.com OK. Password required
<--- 230-Your bandwidth usage is restricted
<--- 230-User user1@example.com has group access to: vmail
<--- 230-You must respect a 1:5 (UL/DL) ratio
<--- 230-OK. Current restricted directory is /
<--- 230-0 files used (0%) - authorized: 50 files
<--- 230 0 Kbytes used (0%) - authorized: 10240 Kb
<--- 257 "/" is your current location
<--- 227 Entering Passive Mode (127,0,0,1,32,58)
<--- 150 Accepted data connection
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 .
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 ..
-rw------- 1 500 vmail 0 Jun 10 16:16 .ftpquota
Troubleshooting
Enable verbose log in pure-ftpd
- Open
/etc/pure-ftpd/pure-ftpd.confand set correct values:
VerboseLog yes # <-- change from no to yes
- Open
/etc/rsyslog.confand set correct values:
ftp.* -/var/log/pureftpd.log # <-- Add entry
- Restart services
# service pure-ftpd restart
# service rsyslog restart
Monitor /var/log/pureftpd.log for troubleshooting:
# tail -0f /var/log/pureftpd.log
If you need to debug OpenLDAP, please refer to another document: Debug OpenLDAP.