iredmail-doc/html/pureftpd.openldap.centos.html

244 lines
11 KiB
HTML

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS</title>
<link rel="stylesheet" type="text/css" href="./css/markdown.css" />
</head>
<body>
<div id="navigation">
<a href="https://www.iredmail.org" target="_blank">
<img alt="iRedMail web site"
src="./images/logo-iredmail.png"
style="vertical-align: middle; height: 30px;"
/>&nbsp;
<span>iRedMail</span>
</a>
&nbsp;&nbsp;//&nbsp;&nbsp;<a href="./index.html">Document Index</a></div><h1 id="install-pure-ftpd-with-openldap-backend-on-rhelcentos">Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS</h1>
<div class="toc">
<ul>
<li><a href="#install-pure-ftpd-with-openldap-backend-on-rhelcentos">Install Pure-FTPd with OpenLDAP backend on RHEL/CentOS</a><ul>
<li><a href="#install-pure-ftpd">Install Pure-FTPd</a></li>
<li><a href="#use-a-proper-ldap-bind-dnpassword-to-query-accounts">Use a proper LDAP bind dn/password to query accounts</a></li>
<li><a href="#configure-the-ldap-setting-for-pureftpd">Configure the LDAP setting for PureFTPD</a></li>
<li><a href="#config-openldap">Config OpenLDAP</a></li>
<li><a href="#create-ftp-home-directory">Create FTP Home Directory</a></li>
<li><a href="#restart-openldap-and-pure-ftpd-service">Restart OpenLDAP and Pure-FTPD Service</a></li>
<li><a href="#add-ldap-ftp-attributes-and-values-for-new-user">Add LDAP FTP attributes and values for new user</a></li>
<li><a href="#configure-iptables">Configure iptables</a></li>
<li><a href="#testing">Testing</a></li>
<li><a href="#troubleshooting">Troubleshooting</a></li>
</ul>
</li>
</ul>
</div>
<h2 id="install-pure-ftpd">Install Pure-FTPd</h2>
<p>Install PureFTPD from EPEL yum repo:</p>
<pre><code># yum install pure-ftpd
</code></pre>
<h2 id="use-a-proper-ldap-bind-dnpassword-to-query-accounts">Use a proper LDAP bind dn/password to query accounts</h2>
<p>iRedMail generates a read-only LDAP bind dn <code>cn=vmail,dc=xxx,dc=xxx</code> during
installation, so it's perfect to query user accounts with this dn.</p>
<p>You can find the full dn and password in <code>/etc/postfix/ldap/catchall_maps.cf</code>:</p>
<pre><code># grep 'bind_' /etc/postfix/ldap/catchall_maps.cf
bind_dn = cn=vmail,dc=example,dc=com
bind_pw = InYTi8qGjamTb6Me2ESwbb6rxQUs5y
</code></pre>
<h2 id="configure-the-ldap-setting-for-pureftpd">Configure the LDAP setting for PureFTPD</h2>
<ul>
<li>Open <code>/etc/pure-ftpd/pureftpd-ldap.conf</code> and update parameters below:</li>
</ul>
<pre><code>LDAPServer localhost
LDAPPort 389
LDAPBaseDN o=domains,dc=example,dc=com
LDAPBindDN cn=vmail,dc=example,dc=com
LDAPBindPW InYTi8qGjamTb6Me2ESwbb6rxQUs5y # cn=vmail password
LDAPDefaultUID 2000 # &lt;- UID of `vmail` user.
LDAPDefaultGID 2000 # &lt;- GID of `vmail` user.
LDAPFilter (&amp;(objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled))
LDAPHomeDir FTPHomeDir # &lt;- New LDAP attribute, we will add it later.
LDAPVersion 3
</code></pre>
<h2 id="config-openldap">Config OpenLDAP</h2>
<ul>
<li>Get the schema modified by iredmail, it adds a new attribute <code>FTPHomeDir</code> to
store per-user FTP home directory. Default schema uses <code>homeDirectory</code>.</li>
</ul>
<pre><code># wget https://bitbucket.org/zhb/iredmail/raw/0.9.9/extra/samples/pureftpd.schema
# mv pureftpd.schema /etc/openldap/schema/
</code></pre>
<ul>
<li>Update <code>/etc/openldap/slapd.conf</code>, include <code>pureftpd.schema</code> after <code>iredmail.schema</code>:</li>
</ul>
<pre><code>include /etc/openldap/schema/iredmail.schema
include /etc/openldap/schema/pureftpd.schema # &lt;-- Add this line.
</code></pre>
<ul>
<li>Open <code>/etc/openldap/slapd.conf</code>, append required indexes for attributes
defined in <code>pureftpd.schema</code>:</li>
</ul>
<pre><code># Indexes for Pure-FTPd LDAP attributes.
index FTPQuotaFiles,FTPQuotaMBytes eq,pres
index FTPUploadRatio,FTPDownloadRatio eq,pres
index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres
index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres
</code></pre>
<h2 id="create-ftp-home-directory">Create FTP Home Directory</h2>
<p>We're going to store all FTP data under <code>/home/ftp/</code> directory, so let's create
<code>/home/ftp/</code> first, directory owner MUST be <code>root</code> user.</p>
<pre><code># mkdir /home/ftp/
# ls -dl /home/ftp
drwxr-xr-x 3 root root 4096 Jun 7 20:18 /home/ftp/
</code></pre>
<h2 id="restart-openldap-and-pure-ftpd-service">Restart OpenLDAP and Pure-FTPD Service</h2>
<p>Restart Pure-FTPd and OpenLDAP services:</p>
<pre><code># /etc/init.d/ldap restart
# /etc/init.d/pure-ftpd restart
# netstat -ntlp | grep pure-ftpd
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2062/pure-ftpd (SERVER)
tcp 0 0 :::21 :::* LISTEN 2062/pure-ftpd (SERVER)
</code></pre>
<h2 id="add-ldap-ftp-attributes-and-values-for-new-user">Add LDAP FTP attributes and values for new user</h2>
<p>With script shipped in iRedMail, you can quickly create NEW mail user which
has pureftpd service support.</p>
<ul>
<li>Open file <code>tools/create_mail_user_OpenLDAP.sh</code> under your iRedMail directory
(e.g. <code>/root/iRedMail-0.9.4/tools/create_mail_user_OpenLDAP.sh</code>), update
paraemters below with correct values:</li>
</ul>
<pre><code>LDAP_SUFFIX=&quot;dc=example,dc=com&quot; # &lt;- Change the LDAP suffix
BINDPW='passwd' # &lt;- Password for the bind dn `cn=Manager,dc=example,dc=com`
PUREFTPD_INTEGRATION='YES' # &lt;- Set to 'YES' to enable the pureftp inteegration
FTP_STORAGE_BASE_DIRECTORY='/home/ftp' # &lt;- Change it to the ftp home directory
</code></pre>
<ul>
<li>Run the script to create a new user <code>user1@example.com</code>. The default
password is same as user name (<code>user1</code>) by default.</li>
</ul>
<pre><code># bash create_mail_user_OpenLDAP.sh example.com user1
adding new entry &quot;ou=Users,domainName=example.com,o=domains,dc=example,dc=com&quot;
ldapadd: Already exists (68)
adding new entry &quot;ou=Groups,domainName=example.com,o=domains,dc=example,dc=com&quot;
ldapadd: Already exists (68)
adding new entry &quot;ou=Aliases,domainName=example.com,o=domains,dc=example,dc=com&quot;
ldapadd: Already exists (68)
adding new entry &quot;mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com&quot;
</code></pre>
<p>You can now login to both webmail and FTP service as this user.</p>
<h2 id="configure-iptables">Configure iptables</h2>
<p>iRedMail doesn't open port 20 and 21 by default, you must open them first.</p>
<ul>
<li>Open <code>/etc/sysconfig/iptables</code> and set correct values:</li>
</ul>
<pre><code>-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
</code></pre>
<ul>
<li>Restart the iptables service</li>
</ul>
<pre><code># service iptables restart
</code></pre>
<h2 id="testing">Testing</h2>
<p>You can use windows FTP client or Linux ftp client (e.g. command line ftp
client <code>lftp</code> or GUI client <a href="https://filezilla-project.org"><code>FileZilla</code></a>) for
testing.</p>
<p>We use <code>lftp</code> for testing below:</p>
<pre><code>$ lftp localhost
localhost:~&gt; debug 4
localhost:~&gt; login user1@example.com user1 # &lt;-- input the username and password
user1@example.com@localhost:~&gt; ls
---- Connecting to localhost (127.0.0.1) port 21
&lt;--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
&lt;--- 220-You are user number 1 of 50 allowed.
&lt;--- 220-Local time is now 16:25. Server port: 21.
&lt;--- 220-IPv6 connections are also welcome on this server.
&lt;--- 220 You will be disconnected after 15 minutes of inactivity.
&lt;--- 211-Extensions supported:
&lt;--- EPRT
&lt;--- IDLE
&lt;--- MDTM
&lt;--- SIZE
&lt;--- REST STREAM
&lt;--- MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
&lt;--- MLSD
&lt;--- ESTP
&lt;--- PASV
&lt;--- EPSV
&lt;--- SPSV
&lt;--- ESTA
&lt;--- AUTH TLS
&lt;--- PBSZ
&lt;--- PROT
&lt;--- UTF8
&lt;--- 211 End.
&lt;--- 500 This security scheme is not implemented
&lt;--- 200 OK, UTF-8 enabled
&lt;--- 200 MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
&lt;--- 331 User user1@example.com OK. Password required
&lt;--- 230-Your bandwidth usage is restricted
&lt;--- 230-User user1@example.com has group access to: vmail
&lt;--- 230-You must respect a 1:5 (UL/DL) ratio
&lt;--- 230-OK. Current restricted directory is /
&lt;--- 230-0 files used (0%) - authorized: 50 files
&lt;--- 230 0 Kbytes used (0%) - authorized: 10240 Kb
&lt;--- 257 &quot;/&quot; is your current location
&lt;--- 227 Entering Passive Mode (127,0,0,1,32,58)
&lt;--- 150 Accepted data connection
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 .
drwxr-xr-x 2 500 vmail 4096 Jun 10 16:16 ..
-rw------- 1 500 vmail 0 Jun 10 16:16 .ftpquota
</code></pre>
<h2 id="troubleshooting">Troubleshooting</h2>
<p>Enable verbose log in pure-ftpd</p>
<ul>
<li>Open <code>/etc/pure-ftpd/pure-ftpd.conf</code> and set correct values:</li>
</ul>
<pre><code>VerboseLog yes # &lt;-- change from no to yes
</code></pre>
<ul>
<li>Open <code>/etc/rsyslog.conf</code> and set correct values:</li>
</ul>
<pre><code>ftp.* -/var/log/pureftpd.log # &lt;-- Add entry
</code></pre>
<ul>
<li>Restart services</li>
</ul>
<pre><code># service pure-ftpd restart
# service rsyslog restart
</code></pre>
<p>Monitor <code>/var/log/pureftpd.log</code> for troubleshooting:</p>
<pre><code># tail -0f /var/log/pureftpd.log
</code></pre>
<p>If you need to debug OpenLDAP, please refer to another document: <a href="./debug.openldap.html">Debug OpenLDAP</a>.</p><div class="footer">
<p style="text-align: center; color: grey;">All documents are available in <a href="https://github.com/iredmail/docs/">BitBucket repository</a>, and published under <a href="http://creativecommons.org/licenses/by-nd/3.0/us/" target="_blank">Creative Commons</a> license. You can <a href="https://github.com/iredmail/docs/archive/master.zip">download the latest version</a> for offline reading. If you found something wrong, please do <a href="https://www.iredmail.org/contact.html">contact us</a> to fix it.</p>
</div>
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-3293801-21"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-3293801-21');
</script>
</body></html>