Problem: FTP/SSL access with an LDAP account

Hello everyone,

I will try to be as clear as possible in explaining my problem, because it is a bit complicated.

Small end-of-first-year engineering school project: get several virtualised Debian servers running under VMware vSphere (ESX Server).

Each group has a virtual server on which a Debian 5 Lenny distribution is installed. OpenVZ is installed on these servers to create two virtual servers. One group was tasked with setting up an LDAP server, which works without any problem; another a DNS server, which also works without problems; and I a secure FTP server, which also works without problems, but only locally!! and not via LDAP: the error returned is "Login incorrect". The connection was tested with FileZilla (local works) and on Debian with FTP-SSL; the same error is returned: it works locally but not via LDAP.

To retrace the installation of my FTP server, I installed:

  • VSFTPD as the FTP server
  • OpenSSL to generate an SSL certificate
  • LIBNSS-LDAP and LIBPAM-LDAP to connect to LDAP via PAM

Below are all of my configuration files.

My FTP server's address is 192.168.1.234 and the LDAP server's is 192.168.1.216.

All the addresses ping each other correctly, so there is no network configuration problem.

On my FTP server I can see the LDAP users correctly (via getent).

I removed many comment lines to shorten things a bit.

File /etc/vsftpd.conf

[code]# Example config file /etc/vsftpd.conf
#
# Run standalone? vsftpd can run either from an inetd or as a standalone
# daemon started from an initscript.
listen=YES
#
#listen_ipv6=YES
#
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#guest_enable=YES
#guest_username=virtual
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
#
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
#
# You may change the default value for timing out an idle session.
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#data_connection_timeout=120
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#nopriv_user=ftpsecure
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
#
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# You may fully customise the login banner string:
ftpd_banner=BIENVENUE SUR LE FTP SECURISE
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd.banned_emails
#
# You may restrict local users to their home directories
chroot_local_user=YES
#chroot_list_enable=YES
#chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
#
# Debian customization
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the ftp user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# Enable the SSL module.
ssl_enable=YES
#
# Location of the RSA certificate to use for SSL connections.
rsa_cert_file=/etc/vsftpd-ssl/vsftpd.pem
# Allow the following protocols:
ssl_tlsv1=YES
ssl_sslv3=YES
ssl_sslv2=YES
# Refuse the following protocol:
#ssl_sslv2=NO
# Force non-anonymous login exchanges over SSL.
force_local_logins_ssl=YES
# Force data transfers over SSL.
force_local_data_ssl=YES[/code]

File /etc/libnss-ldap.conf

[code]host 192.168.1.216

# The distinguished name of the search base.
base dc=csii1a,dc=***,dc=***,dc=fr

# Another way to specify your LDAP server is to provide an
uri ldap://ldap-g9.***.***.***.fr ldaps://ldap-g9.***.***.***.fr:636

# The LDAP version to use
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
rootbinddn cn=admin,dc=***,dc=***,dc=***,dc=fr

# The port.
# Optional: default is 389.
port 636

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
#  hard_open: reconnect to DSA with exponential backoff if
#             opening connection failed
#  hard_init: reconnect to DSA with exponential backoff if
#             initializing connection failed
#  hard:      alias for hard_open
#  soft:      return immediately on server failure
bind_policy soft

# Connection policy:
#  persist: DSA connections are kept open (default)
#  oneshot: DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged results
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
pam_filter objectclass=account

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minimum or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overridden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd        ou=People,dc=padl,dc=com?one
#nss_base_shadow        ou=People,dc=padl,dc=com?one
#nss_base_group         ou=Group,dc=padl,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
ssl off

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache[/code]

File /etc/nsswitch.conf

[code]# /etc/nsswitch.conf

passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis[/code]

And the last one, /etc/pam.d/vsftpd

[code]# Standard behaviour for ftpd(8).
auth    required        pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed

# Note: vsftpd handles anonymous logins on its own. Do not enable
# pam_ftp.so.

# Standard blurb.
#@include common-account
#@include common-session

#@include common-auth

account required pam_unix.so
account sufficient pam_ldap.so

session required pam_unix.so
session optional pam_ldap.so

auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass

password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so use_authtok[/code]

There you go; I deliberately put *** in the DC lines.

I have spent more than 10 hours searching without success; I suspect an error in the /etc/pam.d/vsftpd file, but I have not found anything.

Hoping someone can help me, I have to defend my project next Tuesday (25 May!!)

Thanks again to everyone
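Since the post points at /etc/pam.d/vsftpd, here is an added example (not the poster's code, not part of the thread) that models how Linux-PAM combines the results of a management group's modules under the `required`, `requisite`, `sufficient` and `optional` control flags, as documented in pam.conf(5). It parses the posted `auth` lines, plus an assumed alternative ordering labelled as such in the code, and evaluates both against constructed per-user module outcomes (a directory-only user has no local shadow entry, so pam_unix fails for it while pam_ldap succeeds). The module result tables are constructed for the demonstration, so the script runs offline without vsftpd or an LDAP server.

```python
"""Toy evaluator of Linux-PAM control flags (added example, not the poster's code)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str    # auth | account | session | password
    control: str  # required | requisite | sufficient | optional
    module: str   # e.g. pam_unix.so
    args: tuple   # module arguments, not interpreted by this model


def parse_pam_stack(text, group):
    """Parse pam.d-style lines and keep the rules of one management group.
    Comment and blank lines are skipped; @include lines are not expanded."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % raw)
        if fields[0] == group:
            rules.append(Rule(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return rules


def evaluate(stack, results):
    """Return True if the stack grants access.

    ``results`` maps a module name to True (PAM_SUCCESS) or False (failure)
    for the user under test; a module absent from the map is taken to fail
    (which is what pam_deny does). Simplified semantics from pam.conf(5):
      required   - failure is remembered, the rest of the stack still runs
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack with success, unless an earlier
                   required/requisite module already failed
      optional   - ignored unless it is the only kind of rule in the stack
    """
    failed = False
    only_optional = all(r.control == "optional" for r in stack)
    last_optional = False
    for rule in stack:
        ok = results.get(rule.module, False)
        if rule.control == "required":
            failed = failed or not ok
        elif rule.control == "requisite":
            if not ok:
                return False
        elif rule.control == "sufficient":
            if ok and not failed:
                return True
        elif rule.control == "optional":
            last_optional = ok
        else:
            raise ValueError("unknown control flag: " + rule.control)
    return last_optional if only_optional else not failed


# The auth lines as posted in the thread.
POSTED_VSFTPD_PAM = """
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
"""

# Assumed alternative ordering for comparison (not from the thread): both
# password backends are ``sufficient`` and pam_deny closes the stack.
ALTERNATIVE_VSFTPD_PAM = """
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""

# Constructed per-user module outcomes. A directory-only user has no entry in
# /etc/shadow, so pam_unix cannot verify the password and returns failure.
LDAP_ONLY_USER = {"pam_listfile.so": True, "pam_unix.so": False, "pam_ldap.so": True}
LOCAL_USER = {"pam_listfile.so": True, "pam_unix.so": True, "pam_ldap.so": False}
UNKNOWN_USER = {"pam_listfile.so": True, "pam_unix.so": False, "pam_ldap.so": False}


def auth_result(pam_text, user_results):
    """Evaluate the ``auth`` group of a pam.d file for one user's outcomes."""
    return evaluate(parse_pam_stack(pam_text, "auth"), user_results)


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_VSFTPD_PAM), ("alternative", ALTERNATIVE_VSFTPD_PAM)):
        for who, res in (("ldap-only", LDAP_ONLY_USER), ("local", LOCAL_USER), ("unknown", UNKNOWN_USER)):
            verdict = "granted" if auth_result(cfg, res) else "denied"
            print("%-11s %-9s -> %s" % (label, who, verdict))
```

With the posted ordering the model denies the directory-only user even though pam_ldap succeeds: `required pam_unix.so` has already recorded a failure, so the later `sufficient pam_ldap.so` success cannot short-circuit the stack, which is the "Login incorrect" pattern the post describes for LDAP accounts. The `account` and `session` groups are parsed by the same function but not modelled here, because what pam_unix returns for them depends on the NSS data the directory provides.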