分享
 
 
 

ProFTPD+MySQL/OpenLDAP用户认证

王朝mysql·作者佚名  2008-05-18
窄屏简体版  字體: |||超大  

一、准备工作

下载ProFTPD : ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.7.tar.gz

下载 mod_sql : http://www.lastditcheffort.org/~aah/proftpd/mod_sql/

下载mod_ldap-2.8.10 : http://www.horde.net/~jwm/software/mod_ldap/

二、Proftpd + MySQL

tar xvzf proftpd-version.tar.gz

cd proftpd-version

./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql

make

make install

安装成功后,测试ProFTPD,启动ProFTPD

/usr/local/proftpd/sbin/in.proftpd

如果没有显示任何信息,ProFTPD启动成功。使用系统用户登录Ftp Server

[root@linux sbin]# ftp localhost

Connected to localhost (127.0.0.1).

220 ProFTPD 1.2.7 Server (ProFTPD Default Installation) [linux.xuser.net]

Name (localhost:root):usera

331 Password required for usera.

Password:

230 User usera logged in.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

ProFTPD测试成功,关闭ProFTPD

killall in.proftpd

编辑proftpd.conf文件

vi /usr/local/proftpd/etc/proftpd.conf

添加下面几行参数

<Global>

SQLConnectInfo ftpusers@localhost:3306 root chen

SQLAuthTypes Plaintext

SQLUserInfo users userid passwd uid gid homedir NULL

RequireValidShell off

SQLAuthenticate users groups usersetfast groupsetfast

</Global>

格式说明:

SQLConnectInfo 数据库@主机名:端口 用户 密码

SQLAuthTypes 密码类型(Plaintext明文密码,Crypt DES密码,Backend MySQL password()函数产生的密码)

SQLUserInfo [用户表] [用户名字段] [密码字段] [用户ID] [组ID] [用户目录] NULL

创建ftpusers.sql文件

[mysql@linux mysql]$ vi ftpusers.sql

-- MySQL dump 8.22

--

-- Host: localhost Database: proftpd

---------------------------------------------------------

-- Server version 3.23.52-max

--

-- Table structure for table 'groups'

--

CREATE TABLE groups (

groupname varchar(255) binary NOT NULL default '',

gid int(11) NOT NULL default '0',

members text NOT NULL,

PRIMARY KEY (groupname)

) TYPE=MyISAM;

--

-- Dumping data for table 'groups'

--

INSERT INTO groups VALUES ('nogroup',502,'FTP Group');

--

-- Table structure for table 'users'

--

CREATE TABLE users (

userid varchar(255) binary NOT NULL default '',

passwd varchar(255) binary NOT NULL default '',

uid int(11) default NULL,

gid int(11) default NULL,

homedir varchar(255) default NULL,

shell varchar(255) default NULL,

count int(11) default NULL,

used double(10,1) default '0.0',

quota double(10,1) default '10000000.0',

PRIMARY KEY (userid)

) TYPE=MyISAM;

--

-- Dumping data for table 'users'

--

INSERT INTO users VALUES ('chen','chen',500,500,'/home/samba','/bin/sh',0,0.0,10000000.0);

INSERT INTO users VALUES ('user2','123456',500,500,'/home/samba','/bin/bash',1,0.0,10000000.0);

INSERT INTO users VALUES ('user1','123456',NULL,NULL,'/u01',NULL,1,0.0,10000000.0);

创建数据库与表

[mysql@linux mysql]$ echo "create database ftpusers" | mysql -uroot -pchen

[mysql@linux mysql]$ mysql -uroot -pchen ftpusers < ftpusers.sql

[mysql@linux mysql]$

再次启动ProFTPD

/usr/local/proftpd/sbin/in.proftpd

这次使用MySQL用户登录Ftp Server

显示230 User xxxxx logged in. MySQL认证成功

三、Proftpd + OpenLDAP

tar xvzf proftpd-version.tar.gz

cd proftpd-version

./configure --prefix=/usr/local/proftpd --with-modules=mod_ldap

make

make install

# tar zxvf mod_ldap-2.8.10.tar.gz

将mod_ldap-2.8.10目录下的posixAccount-objectclass和posixGroup-objectclass

复制到OpenLDAP 的schema目录下:

# cp mod_ldap-2.8.10/posix* /etc/openldap/schema/

# vi /etc/openldap/slapd.conf

修改OpenLDAP的配置文件slapd.conf,将这两个文件包含到该文件中:

include /etc/openldap/schema/posixAccount-objectclass

include /etc/openldap/schema/posixGroup-objectclass

重新启动OpenLDAP:

# service ldap restart

Stopping slapd: [ OK ]

Starting slapd: [ OK ]

编辑proftpd.conf文件

vi /usr/local/proftpd/etc/proftpd.conf

添加下面几行参数

<Global>

LDAPServer localhost

LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass

LDAPDoAuth on "dc=users,dc=horde,dc=net"

</Global>

格式说明:

LDAPServer OpenLDAP服务器

LDAPDNInfo cn=你的-dn,dc=区域名,dc=区域名 dn密码

LDAPDoAuth on "dc=区域名,dc=区域名"

例子:

<Global>

LDAPServer localhost

LDAPDNInfo cn=manager,dc=xuser,dc=net secret

LDAPDoAuth on dc=xuser,dc=net

</Global>

根据自己需要修改mod_ldap-2.8.10目录中的group-ldif和user-ldif文件,并将条目添加到OpenLDAP中:

# ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f group-ldif

# ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f user-ldif

显示:adding new entry "cn=mygroup, dc=xuser, dc=net" 添加成功

使用ldapsearch查看记录

# ldapsearch -x -b "dc=xuser,dc=net"

启动ProFTPD:

/usr/local/proftpd/sbin/in.proftpd

使用OpenLDAP用户登录Ftp Server

显示230 User xxxxx logged in. OpenLDAP认证成功

例:

[root@linux mod_ldap-2.8.10]# cat group-ldif

dn: cn=mygroup, dc=xuser, dc=net

objectclass: posixGroup

cn: mygroup

gidNumber: 100

memberUid: user1

memberUid: user2

memberUid: user3

memberUid: user4

memberUid: ftpusersb

memberUid: usera

memberUid: jwm

memberUid: 100

[root@linux mod_ldap-2.8.10]# cat user-ldif

dn: uid=jwm, dc=xuser, dc=net

objectclass: posixAccount

cn: John Morrissey

uid: jwm

uidNumber: 2000

gidNumber: 100

homeDirectory: /home/chen

userPassword: {crypt}*

loginShell: /bin/bash

dn: uid=chen, dc=xuser, dc=net

objectclass: posixAccount

cn: chen

uid: chen

uidNumber: 2000

gidNumber: 100

homeDirectory: /home/chen

userPassword: {crypt}sa7XjjlytXZZ2

loginShell: /bin/bash

dn: cn=ftpuser1, dc=xuser, dc=net

objectclass: posixAccount

cn: ftpuser1

uid: ftpuser1

uidNumber: 2000

gidNumber: 100

homeDirectory: /home/chen

userPassword: {crypt}sa7XjjlytXZZ2

loginShell: /bin/bash

dn: uid=usera, dc=xuser, dc=net

objectclass: posixAccount

cn: usera

uid: usera

uidNumber: 2000

gidNumber: 100

homeDirectory: /tmp

userPassword:{crypt}sa7XjjlytXZZ2

loginShell: /bin/bash

dn: uid=ftpuserb, dc=xuser, dc=net

objectclass: posixAccount

cn: ftpuserb

uid: ftpuserb

uidNumber: 2000

gidNumber: 100

homeDirectory: /tmp

userPassword:{crypt}O2BooHEK9JI06

loginShell: /bin/bash

上面的用户密码是用crypt方式加密的密码,密码产生请看

使用PHP产生:

# cat des.php

<html>

<p>DES 密碼產生器</p>

<form method=post action=des.php>

<p>password:<input name=passwd type=text size=20></p>

<input type=submit value=submit>

</form>

<?

$enpw=crypt($passwd);

echo "password is: $enpw";

?>

使用perl产生:

perl -e 'print("userPassword: ".crypt("secret","salt")."

");'

产生的DES密码,同样也可以用于OpenLDAP的管理员密码

# vi /etc/openldap/slapd.conf

rootpw {crypt}ijFYNcSNctBYg

四、标准的配置文件

MySQL认证配置实例

[root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf

ServerName "ProFTPD Default Installation"

ServerType standalone

DefaultServer on

# Port 21 is the standard FTP port.

Port 21

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask 022

# We put our mod_sql directives in a <Global> block so they'll be

# inherited by the <Anonymous> block below, and any other <VirtualHost>

# blocks we may want to add. For a simple server these don't need to

# be in a <Global> block but it won't hurt anything.

<Global>

SQLConnectInfo ftpusers@localhost:3306 root chen

SQLAuthTypes Plaintext

SQLUserInfo users userid passwd uid gid homedir NULL

RequireValidShell off

SQLAuthenticate users groups usersetfast groupsetfast

</Global>

# To prevent DoS attacks, set the maximum number of child processes

# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works

# in standalone mode, in inetd mode you should use an inetd server

# that allows you to limit maximum number of processes per service

# (such as xinetd)

MaxInstances 30

# Set the normal user and group permissions for the server.

User nobody

Group nogroup

# Normally, we want files to be overwriteable.

<Directory /*>

AllowOverwrite on

</Directory>

# A basic anonymous configuration, no upload directories. If you

# don't want to support anonymous access, simply remove this

# <Anonymous ..> ... </Anonymous> block.

<Anonymous ~ftp>

User ftp

Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp"

UserAlias anonymous ftp

# Limit the maximum number of anonymous logins

MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed

# in each newly chdired directory.

DisplayLogin welcome.msg

DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot

<Limit WRITE>

DenyAll

</Limit>

</Anonymous>

OpenLDAP认证配置实例

[root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf

# This is a basic ProFTPD configuration file (rename it to

# 'proftpd.conf' for actual use. It establishes a single server

# and a single anonymous login. It assumes that you have a user/group

# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"

ServerType standalone

DefaultServer on

# Port 21 is the standard FTP port.

Port 21

# Umask 022 is a good standard umask to prevent new dirs and files

# from being group and world writable.

Umask 022

<Global>

LDAPDoAuth on dc=xuser,dc=net

LDAPServer localhost

LDAPDNInfo cn=manager,dc=xuser,dc=net secret

</Global>

# To prevent DoS attacks, set the maximum number of child processes

# to 30. If you need to allow more than 30 concurrent connections

# at once, simply increase this value. Note that this ONLY works

# in standalone mode, in inetd mode you should use an inetd server

# that allows you to limit maximum number of processes per service

# (such as xinetd).

MaxInstances 30

# Set the user and group under which the server will run.

User nobody

Group nogroup

# Normally, we want files to be overwriteable.

<Directory />

AllowOverwrite on

</Directory>

# A basic anonymous configuration, no upload directories.

<Anonymous ~ftp>

User ftp

Group ftp

# We want clients to be able to login with "anonymous" as well as "ftp"

UserAlias anonymous ftp

# Limit the maximum number of anonymous logins

MaxClients 10

# We want 'welcome.msg' displayed at login, and '.message' displayed

# in each newly chdired directory.

DisplayLogin welcome.msg

DisplayFirstChdir .message

# Limit WRITE everywhere in the anonymous chroot

<Limit WRITE>

DenyAll

</Limit>

</Anonymous>

# Include /usr/local/etc/mod_ldap.conf

OpenLDAP 配置文件

[root@linux root]# cat /etc/openldap/slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $

#

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include /etc/openldap/schema/core.schema

include /etc/openldap/schema/cosine.schema

include /etc/openldap/schema/inetorgperson.schema

include /etc/openldap/schema/nis.schema

include /etc/openldap/schema/redhat/rfc822-MailMember.schema

include /etc/openldap/schema/redhat/autofs.schema

include /etc/openldap/schema/redhat/kerberosobject.schema

include /etc/openldap/schema/chen

include /etc/openldap/schema/posixAccount-objectclass

include /etc/openldap/schema/posixGroup-objectclass

#include /etc/openldap/schema/qmail_schema

#include /etc/openldap/slapd.info.oc.conf

#include /etc/openldap/slapd.account.oc.conf

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral ldap://root.openldap.org

#pidfile //var/run/slapd.pid

#argsfile //var/run/slapd.args

# Create a replication log in /var/lib/ldap for use by slurpd.

#replogfile /var/lib/ldap/master-slapd.replog

# Load dynamic backend modules:

# modulepath /usr/sbin/openldap

# moduleload back_ldap.la

# moduleload back_ldbm.la

# moduleload back_passwd.la

# moduleload back_shell.la

# The next two lines allow use of TLS for connections using a dummy test

# certificate, but you should generate a proper certificate by changing to

# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on

# slapd.pem so that the ldap user or group can read it.

#TLSCertificateFile /usr/share/ssl/certs/slapd.pem

#TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

#################################

# ldbm database definitions

#################################

database ldbm

suffix "dc=xuser,dc=net"

rootdn "cn=Manager,dc=xuser,dc=net"

#rootdn "cn=Manager,dc=my-domain,dc=com"

#rootdn "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should

# be avoided. See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw secret

# rootpw secret

# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd/tools. Mode 700 recommended.

directory /var/lib/ldap

# Indices to maintain

index objectClass,uid,uidNumber,gidNumber,memberUid eq

index cn,mail,surname,givenname eq,subinitial

# Replicas to which we should propagate changes

#replica ldap-1.example.com:389 tls=yes

# bindmethod=sasl saslmech=GSSAPI

# authcId=host/ldap-master.example.com@EXAMPLE.COM

五、FAQ

Q:在本地ftp localhost输入用户名、密码回车后。等很久才进入FTP Server

A:ftp 127.0.0.1

Q:在远程服务器上ftp ip输入用户名、密码回车后。等很久才进入FTP Server

A:LDAPServer localhost 改为 LDAPServer 127.0.0.1

Q:[root@linux mod_ldap-2.8.10]# ftp 127.0.0.1

Connected to 127.0.0.1 (127.0.0.1).

500 FTP server shut down (going down at Tue Dec 17 19:00:00 2002) -- please try again later.

ftp>

A:rm –rf /etc/shutmsg

Q:登录Ftp Server 提示

530 Login incorrect.

Login failed.

我确认输入的用户、密码决对正确

A:在登录ProFTPD时加参数proftpd –d5 –n会输出调试信息。你可以在其中

找到答案。如果在调试信息中找到这一行no such user 'xxxx'

可能是与MySQL/OpenLDAP连接有问题。

Q:我在网上看见很多介绍如何安装ProFTPD文章,阅读大量的How to,按How to一步一步做,从来没有安装成功过。

A:网上很多文章,比较老,很多定义现以不在使用如:

SQLConnectInfo laftp@localhost 用户名 口令

SQLAuthTypes Plaintext Backend

SQLAuthoritative ON

SQLDefaultGID 1001

SQLDefaultUID 1001

SQLDoAuth ON

SQLDoGroupAuth ON

SQLGidField gid

SQLGroupGIDField gid

SQLGroupMembersField members

SQLGroupTable ftpgroup

SQLGroupnameField groupname

SQLHomedirField homedir

SQLMinUserUID 400

SQLMinUserGID 400

SQLPasswordField passwd

SQLUidField uid

SQLUserTable ftpuser

SQLUsernameField userid

SQLLoginCountField count

########################################################

LDAPServer "localhost"

LDAPPrefix "dc=horde,dc=net"

LDAPDN "cn=thedn,dc=horde,dc=net"

LDAPDNPass "ldap_dnpass"

LDAPNegativeCache on

主页地址:

http://www.9812.net

http://www.kdeopen.com

http://www.xaid.net

http://www.xuser.net

OICQ:13721218

ICQ:101888222

作者:Netkiller(陈景峰)

2002年12月17日星期二 第一版《ProFTPD + MySQL / OpenLDAP 用户认证》

如有问题E-Mail: netkiller@9812.net

声明:转载请保持此文档完整

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有