I am trying to authenticate my FTP users against Active Directory using LDAPS over SSL (port 636).
I managed to get it working with plain LDAP on port 389, and now I want to improve security!
The OS is Debian 11 x64, fully up to date.
ProFTPd version:
# dpkg -l | grep proftpd
ii proftpd-core 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - binaries
ii proftpd-mod-crypto 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - TLS/SSL/SFTP modules
ii proftpd-mod-ldap 1.3.7a+dfsg-12+deb11u2 amd64 Versatile, virtual-hosting FTP daemon - LDAP module
Here is the ldap.conf file:
<IfModule mod_ldap.c>
LDAPServer ldaps://x.x.x.x/??sub
LDAPAuthBinds on
LDAPSearchScope subtree
LDAPBindDN "CN=myuser,CN=Users,DC=domain,DC=local" "password"
LDAPUsers "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))"
LDAPGenerateHomedir on 0775
CreateHome on 0755
LDAPGenerateHomedirPrefix /home/ftphome
LDAPDefaultUID 1111
LDAPDefaultGID 1111
LDAPAttr uid sAMAccountName
LDAPAttr gidNumber primaryGroupID
LDAPLog /var/log/proftpd/ldap.log
</IfModule>
When it runs as a service (as proftpd/nogroup), authentication does not work:
2023-05-23 14:54:19,616 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,618 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,619 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,620 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,629 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
2023-05-23 14:54:19,631 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,638 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
I tried debug mode ('proftpd -n -d 10') and it works correctly:
2023-05-23 14:56:51,051 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,053 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,054 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,055 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,065 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,195 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
I don't understand why it works in debug mode; of course I need it to work in service mode! I tried running the service as root/root (which is bad!) but it doesn't work either.
Thanks for your help, because I am really stuck.
Answer 1
I couldn't find a way to get LDAP over SSL working, but I managed to get LDAP over TLS working. It's not what I wanted, but it's better than an insecure connection!
<IfModule mod_ldap.c>
LDAPServer ldap://x.x.x.x/??sub ssl-verify:off
LDAPUseTLS on
LDAPTLSRequireCert off
LDAPAuthBinds on
LDAPSearchScope subtree
LDAPBindDN "CN=myuser,CN=Users,DC=domain,DC=local" "password"
LDAPUsers "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,OU=domain,DC=domain,DC=local))"
LDAPGenerateHomedir on 0775
CreateHome on 0755
LDAPGenerateHomedirPrefix /home/domain
LDAPDefaultUID 1111
LDAPDefaultGID 1111
LDAPAttr uid sAMAccountName
LDAPAttr gidNumber primaryGroupID
LDAPLog /var/log/proftpd/ldap.log
</IfModule>
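As a defender's check added here (not code from the question or the answer), this Python script parses the mod_ldap block from the answer above and flags the settings that trade certificate verification for a working connection: with ssl-verify:off and LDAPTLSRequireCert off, the bind DN password is handed to whichever host answers as the directory. The assumed default (LDAPUseTLS off) and the finding texts are mine, not ProFTPD's.

```python
import re

# Constructed sample: the block posted in the answer above (placeholder host and credentials).
SAMPLE_CONF = """<IfModule mod_ldap.c>
LDAPServer ldap://x.x.x.x/??sub ssl-verify:off
LDAPUseTLS on
LDAPTLSRequireCert off
LDAPBindDN "CN=myuser,CN=Users,DC=domain,DC=local" "password"
</IfModule>
"""

def parse_directives(text):
    """Map each directive name to its argument list; quoted arguments stay whole."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":  # skip comments and <IfModule> tags
            continue
        parts = line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        args = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', rest)]
        conf.setdefault(parts[0], []).extend(args)
    return conf

def audit_ldap_transport(conf):
    """Return findings about how mod_ldap reaches the directory and protects the bind."""
    findings = []
    server_args = conf.get("LDAPServer", [])
    urls = [a for a in server_args if "://" in a]
    options = [a for a in server_args if "://" not in a]
    starttls = conf.get("LDAPUseTLS", ["off"])[0].lower() == "on"  # assumed default: off
    for url in urls:
        scheme = url.split("://", 1)[0].lower()
        if scheme == "ldap" and not starttls:
            findings.append(f"{url}: cleartext LDAP, bind and user passwords cross the wire unencrypted")
        elif scheme == "ldap":
            findings.append(f"{url}: STARTTLS on the ldap:// port, only as strong as the certificate checks")
    if "ssl-verify:off" in options:
        findings.append("ssl-verify:off: server certificate unchecked, a host impersonating the DC is accepted")
    if conf.get("LDAPTLSRequireCert", [""])[0].lower() == "off":
        findings.append("LDAPTLSRequireCert off: TLS continues without a valid certificate chain")
    if len(conf.get("LDAPBindDN", [])) > 1:
        findings.append("LDAPBindDN: static bind password in the config, keep the file readable by root only")
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_transport(parse_directives(SAMPLE_CONF)):
        print(finding)
```

Run against the question's original ldaps:// block, the only finding left is the static bind password, which is the contrast worth keeping in mind before accepting the answer's settings permanently.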