
I am authenticating a ProFTPD (with mod_sftp) instance with an LDAP server. I want to have the following setup:

A chroot for all users to /home/ftp. (This works).

Now I would like to chroot specific LDAP groups to a different folder under /home/ftp. For example, users who are in the LDAP group "external" should only see /home/ftp/external and users not in that group should see /home/ftp.

All the uploaded files should belong to the same Linux user.

My ldap.conf is

<IfModule mod_ldap.c>
# LDAP server to query; the "??sub" URL suffix selects subtree scope
LDAPServer ldap://localhost:389/??sub

# Every LDAP user is mapped onto the same Linux uid/gid, so all
# uploaded files end up owned by one account
LDAPDefaultUID 2004
LDAPDefaultGID 2004
LDAPForceDefaultGID on
LDAPForceDefaultUID on

# Do not take the home directory from LDAP; build it from a fixed prefix
# without appending the username, so everyone gets /home/ftp
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /home/ftp
LDAPGenerateHomedirPrefixNoUsername on

CreateHome off

# Bind credentials (password is a placeholder) and the user search base/filter
LDAPBindDN "cn=admin,dc=example,dc=com" password
LDAPUsers ou=Users,DC=example,DC=com (uid=%u)
</IfModule>

and in my proftpd.conf I use:

DefaultRoot         /home/ftp

I actually don't have a clue how to proceed here or how to structure it... I may be able to slightly change the setup, and maybe create a small number of Linux users or a Linux group, but I am not really able to change the LDAP server (it is an Active Directory to which I don't have access), so preferably everything should be configurable in ProFTPD.

A bonus would be if the directory structure could be set up in the AD, though (maybe with the home directory?), so that I don't have to change the ProFTPD configuration for every "special" group.

Any advice would be deeply appreciated :)

Thanks!

Castaglia

1 Answer


ProFTPD's DefaultRoot directive can take an optional group expression, which says whether to apply the DefaultRoot to that user (based on their group membership), or not.

For example, you might use:

DefaultRoot /home/ftp/external external
DefaultRoot /home/ftp

The first DefaultRoot says to chroot users to /home/ftp/external if they are members of group "external". Otherwise, do nothing. The second/final DefaultRoot is the "catch all" rule, for chrooting all users to /home/ftp. First matching DefaultRoot directive found, in the order defined in the config file, wins.

Note that to have the group membership of your users also provided by mod_ldap, you may also need to use the LDAPGroups directive in your configuration.

Hope this helps!

Castaglia
  • This actually worked fine. I had some misconceptions about LDAP groups and how ProFTPD uses them (I thought it somehow mapped them to Linux groups, but it will only use LDAP users and groups), but it worked. I had to add `LDAPGroups ou=groups,ou=Users,DC=example,DC=com` in my LDAP config. – Stigr Vulferam May 09 '16 at 07:52
  • I need to come back to this: I am currently implementing this with an Active Directory. I have used the `LDAPGroups` statement, but it is not correctly pulling the GID lookup from the AD (because the AD does not have any GIDs in it). I am actually trying to wrap my head around how ProFTPd does the group lookup. Does ProFTPd download _all_ groups from the LDAP and then internally match the users and groups if virtual users are used? What is the `gid-number-filter-template` then for? – Stigr Vulferam Jul 01 '16 at 07:58
  • What AD schema are you using for your users/accounts? – Castaglia Jul 01 '16 at 15:01
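Putting the answer together with the question's mod_ldap settings, the following is an added example configuration (written for this page, not Castaglia's own or the ProFTPD project's) of the ordered DefaultRoot rules with group expressions, the LDAPGroups lookup the answer mentions, and a `<Directory>`/`<Limit>` block that keeps users outside the "external" group from entering that tree. The LDAPGroups base DN is the one the asker reported in the comments; the second group name "archive" and the hypothetical bind password are assumptions, and the filter templates are left at mod_ldap's defaults.

```apacheconf
# Added example for this page, not the answer's or the ProFTPD project's code.
# Assumptions: the "archive" group exists in LDAP; the bind password is a
# placeholder; LDAPGroups uses the default name/gid/member filter templates.

<IfModule mod_ldap.c>
  LDAPServer ldap://localhost:389/??sub
  LDAPBindDN "cn=admin,dc=example,dc=com" PLACEHOLDER_PASSWORD
  LDAPUsers  ou=Users,DC=example,DC=com (uid=%u)

  # Group membership must come from LDAP too, otherwise the DefaultRoot
  # group expressions below never match for these virtual users.
  LDAPGroups ou=groups,ou=Users,DC=example,DC=com

  # One Linux identity for every virtual user: all uploads share an owner.
  LDAPDefaultUID 2004
  LDAPDefaultGID 2004
  LDAPForceDefaultUID on
  LDAPForceDefaultGID on

  LDAPGenerateHomedir on
  LDAPGenerateHomedirPrefix /home/ftp
  LDAPGenerateHomedirPrefixNoUsername on
</IfModule>

CreateHome off

# First matching DefaultRoot wins, so order from most to least specific.
# A comma-separated expression is a logical AND; "!" negates a group.
# Members of both "external" and "archive" (assumed group): narrowest root.
DefaultRoot /home/ftp/external/archive external,archive

# Members of "external" who are not in "archive".
DefaultRoot /home/ftp/external external,!archive

# Catch-all for everyone else.
DefaultRoot /home/ftp

# Because every user runs as uid 2004, filesystem permissions cannot keep
# non-"external" users (chrooted to /home/ftp) out of /home/ftp/external;
# ProFTPD has to enforce that itself.
<Directory /home/ftp/external>
  <Limit ALL>
    AllowGroup external
    DenyAll
  </Limit>
</Directory>
```

The chroot targets (/home/ftp/external and /home/ftp/external/archive) must exist and be readable by uid 2004 before anyone logs in, since CreateHome is off. After editing, run `proftpd -t -c /etc/proftpd/proftpd.conf` to syntax-check the file, then log in as one member and one non-member of "external" and confirm with a directory listing that each lands in the expected root and that the non-member cannot change into the external tree.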