The main option for using an LDAP directory is the LDAPServer configuration option. If given, it specifies the hostname of the directory server, optionally followed by a port number separated by a colon. The program binds to the directory using LDAPBindDN (and LDAPBindPW) and retrieves the entries that have the object class given by LDAPObjectClass and are identified by the attribute named in LDAPIdentifier.
The LDAPBindDN and LDAPBindPW options define the distinguished name and credentials (password) needed to access the data in the directory service. LDAPBindDN may contain one %s; it is replaced with the user name. If UserAuthMagic is used, the special "authuser" and "authpass" are used, otherwise the normal "ftpuser" and "ftppass" from the USER and PASS FTP commands. If no LDAPBindDN is specified, an anonymous bind is used. Note that with a %s template the bind is performed with the name (and password) the FTP client supplied, so the proxy sees only what that directory user is permitted to read.
Additionally, the directory tree root must be specified using the LDAPBaseDN or LDAPAuthDN option. You can also set both options to different roots if your profile data is stored in a different tree than the authentication data. At least one of the two options is mandatory.
To gain more flexibility in user management, the user-dependent parts of the configuration can also be supplied from an LDAP directory. The program tries to retrieve the following configuration options from the tree root specified by the LDAPBaseDN option:
DestinationAddress, DestinationPort, DestinationTransferMode, DestinationMinPort, DestinationMaxPort, ActiveMinDataPort, ActiveMaxDataPort, PassiveMinDataPort, PassiveMaxDataPort, SameAddress, TimeOut, ValidCommands.
For example, if the configuration for user USERNAME is stored as uid=USERNAME,ou=FTPProxy,dc=domain,dc=top in the directory, the setup may be as follows:

    LDAPServer      ldap.domain.top:389
    LDAPBaseDN      ou=FTPProxy,dc=domain,dc=top
    LDAPIdentifier  uid

If a non-anonymous bind is needed to access the tree, LDAPBindDN can be set either to a specific user, e.g. "proxyuser":

    LDAPBindDN uid=proxyuser,ou=FTPProxy,dc=domain,dc=top

or to the user who wants to log in (the ftp-user or auth-user name, depending on UserAuthMagic):

    LDAPBindDN uid=%s,ou=FTPProxy,dc=domain,dc=top
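The following Python model of the per-user lookup described above is an added example; it is not code from the ftp-proxy and it does not talk to a directory. It shows the two places where the client-supplied user name ends up in an LDAP request: expanded into the LDAPBindDN template (a DN, escaped per RFC 4514) and into the search filter built from LDAPIdentifier and LDAPObjectClass (escaped per RFC 4515). Without that escaping a user name such as `*` or `jane,ou=admins` changes the meaning of the query. It assumes a directory entry is represented as a dict of attribute name to list of values, that the per-user options are stored under attributes with the same names as the configuration options, and uses the constructed object class name ftpProxyUser.

```python
"""Model of the per-user LDAP lookup (added example, not ftp-proxy code).

Assumptions: entries are dicts attr -> [values]; option attributes carry
the same names as the configuration options; ftpProxyUser is a made-up
object class used only for illustration.
"""

# User-dependent options the text lists as retrievable from the directory.
USER_OPTIONS = (
    "DestinationAddress", "DestinationPort", "DestinationTransferMode",
    "DestinationMinPort", "DestinationMaxPort", "ActiveMinDataPort",
    "ActiveMaxDataPort", "PassiveMinDataPort", "PassiveMaxDataPort",
    "SameAddress", "TimeOut", "ValidCommands",
)


def parse_server(spec, default_port=389):
    """LDAPServer is 'host' or 'host:port'; returns (host, port)."""
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, default_port
    return host, int(port)


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(template, username):
    """Expand the single %s allowed in LDAPBindDN with the escaped user name."""
    if template.count("%s") > 1:
        raise ValueError("LDAPBindDN may contain at most one %s")
    return template.replace("%s", escape_dn_value(username))


def search_filter(cfg, username):
    """Filter for the user's entry: LDAPIdentifier=user, AND-ed with the
    object class when LDAPObjectClass is configured."""
    parts = ["(%s=%s)" % (cfg["LDAPIdentifier"], escape_filter_value(username))]
    if cfg.get("LDAPObjectClass"):
        parts.insert(0, "(objectClass=%s)" % escape_filter_value(cfg["LDAPObjectClass"]))
    if len(parts) == 1:
        return parts[0]
    return "(&" + "".join(parts) + ")"


def user_options(entry):
    """Pick the user-dependent options out of one entry (first value wins)."""
    opts = {}
    for name in USER_OPTIONS:
        values = entry.get(name)
        if values:
            opts[name] = values[0]
    return opts


# Constructed configuration matching the example above.
SAMPLE_CFG = {
    "LDAPServer": "ldap.domain.top:389",
    "LDAPBaseDN": "ou=FTPProxy,dc=domain,dc=top",
    "LDAPIdentifier": "uid",
    "LDAPObjectClass": "ftpProxyUser",  # assumed name
    "LDAPBindDN": "uid=%s,ou=FTPProxy,dc=domain,dc=top",
}

# Constructed entry for uid=jane,ou=FTPProxy,dc=domain,dc=top.
SAMPLE_ENTRY = {
    "uid": ["jane"],
    "DestinationAddress": ["ftp.example.net"],
    "DestinationPort": ["21"],
    "ValidCommands": ["USER PASS RETR QUIT"],
}

if __name__ == "__main__":
    host, port = parse_server(SAMPLE_CFG["LDAPServer"])
    print("connect", host, port)
    print("bind as", bind_dn(SAMPLE_CFG["LDAPBindDN"], "jane"))
    print("search", SAMPLE_CFG["LDAPBaseDN"], search_filter(SAMPLE_CFG, "jane"))
    print("options", user_options(SAMPLE_ENTRY))
```

Running the module prints the connection target, the bind DN, the base DN plus filter the lookup would use, and the options extracted from the constructed entry.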
Since proxy-suite version 1.9 the ftp-proxy also supports LDAP-based user authentication. To activate it, set the UserAuthType configuration option to ldap and define the authentication tree root with the LDAPAuthDN configuration option. If no LDAPAuthDN option is set, LDAPBaseDN is used instead.
If you only want to check whether a user is allowed to use the ftp-proxy service, set the LDAPAuthOKFlag option to an attribute name and a value, separated by an equals sign. The program checks whether the given value is present in that attribute; the attribute may contain multiple values. Example:

    LDAPAuthOKFlag AllowedService=ftpProxy
Further, it is also possible to perform a password authentication using the LDAPAuthPWAttr and LDAPAuthPWType options. LDAPAuthPWAttr defines the name of the password attribute; a common name for this attribute is userPassword. LDAPAuthPWType defines the type of the password stored in the directory service. Supported password types are plain for plain-text passwords, crypt for passwords hashed with crypt(), and {crypt} for crypt()-hashed passwords prefixed with a {crypt} string (a scheme specification). The type may be followed by a single digit 0-9 giving the minimal allowed password length, e.g.

    LDAPAuthPWType plain

This definition means the directory contains plain-text passwords with the default minimal length of at least 5 characters. With plain, whatever identity the proxy binds as can read every user's password from the directory, so prefer one of the crypt types and restrict read access to the password attribute.
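The following Python code is an added example, not ftp-proxy code, of the two authentication checks described above: the LDAPAuthOKFlag test (value present in a possibly multi-valued attribute) and the LDAPAuthPWAttr/LDAPAuthPWType password check with the optional trailing digit for the minimal length. It assumes entries are dicts of attribute name to list of values, that the minimal length applies to the password the client supplied, and that the crypt types use the system crypt(3) through Python's crypt module (absent on Python 3.13 and later, in which case those two types cannot be checked here). The entry and passwords are constructed.

```python
"""LDAPAuthOKFlag and LDAPAuthPWType checks (added example, not ftp-proxy code).

Assumptions: entries are dicts attr -> [values]; the minimal length is
enforced on the supplied password; crypt/{crypt} values are crypt(3)
strings verified via Python's crypt module when it is available.
"""
import hmac

DEFAULT_MIN_LEN = 5          # default minimal length stated in the text
PW_TYPES = ("plain", "crypt", "{crypt}")


def parse_auth_ok_flag(spec):
    """LDAPAuthOKFlag is 'attribute=value'; returns (attribute, value)."""
    attr, sep, value = spec.partition("=")
    if not sep or not attr or not value:
        raise ValueError("LDAPAuthOKFlag must be attribute=value")
    return attr.strip(), value.strip()


def auth_ok_flag(entry, spec):
    """True when the configured value appears among the attribute's values."""
    attr, value = parse_auth_ok_flag(spec)
    return value in entry.get(attr, [])


def parse_pw_type(spec):
    """LDAPAuthPWType is plain|crypt|{crypt}, optionally followed by one
    digit 0-9 (minimal password length); returns (type, min_len)."""
    spec = spec.strip()
    min_len = DEFAULT_MIN_LEN
    if spec and spec[-1] in "0123456789":
        min_len = int(spec[-1])
        spec = spec[:-1]
    if spec not in PW_TYPES:
        raise ValueError("unsupported LDAPAuthPWType %r" % spec)
    return spec, min_len


def _crypt_matches(stored, candidate):
    """Compare a crypt(3) string against a candidate, constant-time."""
    try:
        import crypt  # removed in Python 3.13; assumption: present here
    except ImportError as exc:
        raise RuntimeError("crypt(3) comparison needs the crypt module") from exc
    return hmac.compare_digest(crypt.crypt(candidate, stored), stored)


def check_password(entry, pw_attr, pw_type_spec, candidate):
    """Verify candidate against the values of pw_attr using the configured type.
    Any matching value counts; nothing matches a too-short password."""
    pw_type, min_len = parse_pw_type(pw_type_spec)
    if len(candidate) < min_len:
        return False
    for stored in entry.get(pw_attr, []):
        if pw_type == "plain":
            if hmac.compare_digest(stored.encode(), candidate.encode()):
                return True
        elif pw_type == "crypt":
            if _crypt_matches(stored, candidate):
                return True
        else:  # "{crypt}": only values carrying that scheme prefix qualify
            if stored[:7].lower() != "{crypt}":
                continue
            if _crypt_matches(stored[7:], candidate):
                return True
    return False


# Constructed entry for uid=jane in the authentication tree.
SAMPLE_ENTRY = {
    "uid": ["jane"],
    "AllowedService": ["mail", "ftpProxy"],   # multi-valued flag attribute
    "userPassword": ["correct horse"],        # plain-text, for the plain type
}

if __name__ == "__main__":
    print("allowed:", auth_ok_flag(SAMPLE_ENTRY, "AllowedService=ftpProxy"))
    print("password ok:", check_password(SAMPLE_ENTRY, "userPassword", "plain", "correct horse"))
    print("type spec:", parse_pw_type("{crypt}8"))
```

For the {crypt} type the scheme prefix is matched case-insensitively and values with another prefix (for example {SSHA}) are skipped rather than compared, so a directory that mixes schemes never yields a false match against the wrong one.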