Debian 11 + ProFTPd 和 LDAPS

Debian 11 + ProFTPd 和 LDAPS

我正在尝试使用 LDAPS 通过 SSL(端口 636)从 Active Directory 对我的 FTP 用户进行身份验证。

我设法使用端口 389 上的简单 LDAP 使其工作,现在我想提高安全性!

操作系统是 Debian 11 x64 最新版本

ProFTPd 版本:

# dpkg -l | grep proftpd
ii  proftpd-core                   1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - binaries
ii  proftpd-mod-crypto             1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - TLS/SSL/SFTP modules
ii  proftpd-mod-ldap               1.3.7a+dfsg-12+deb11u2         amd64        Versatile, virtual-hosting FTP daemon - LDAP module

这是 ldap.conf 文件:

<IfModule mod_ldap.c>
    LDAPServer                ldaps://x.x.x.x/??sub
    LDAPAuthBinds             on
    LDAPSearchScope           subtree
    LDAPBindDN                "CN=myuser,CN=Users,DC=domain,DC=local" "password"
    LDAPUsers                 "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))"
    LDAPGenerateHomedir       on 0775
    CreateHome                on 0755
    LDAPGenerateHomedirPrefix /home/ftphome
    LDAPDefaultUID            1111
    LDAPDefaultGID            1111
    LDAPAttr                  uid sAMAccountName
    LDAPAttr                  gidNumber primaryGroupID
    LDAPLog                   /var/log/proftpd/ldap.log
</IfModule>

当服务正在运行时(以 proftpd/nogroup 身份运行),身份验证不起作用:

2023-05-23 14:54:19,616 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,618 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,619 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,620 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,629 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server
2023-05-23 14:54:19,631 mod_ldap/2.9.5[21336]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:54:19,632 mod_ldap/2.9.5[21336]: set LDAP protocol version to 3
2023-05-23 14:54:19,638 mod_ldap/2.9.5[21336]: bind as DN 'CN=myuser,CN=Users,DC=domain,DC=local' failed for 'ldaps://x.x.x.x/??sub': Can't contact LDAP server

我尝试了调试模式('proftpd -n -d 10')并且它正常工作:

2023-05-23 14:56:51,051 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,053 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,054 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,055 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,065 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,067 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,194 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,195 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,197 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: successfully bound as DN 'CN=myuser,CN=Users,DC=domain,DC=local' with password (see config) for 'ldaps://x.x.x.x/??sub'
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,207 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,323 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: attempting connection to URL ldaps://x.x.x.x:636/??sub
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set LDAP protocol version to 3
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set dereferencing to 0
2023-05-23 14:56:51,404 mod_ldap/2.9.5[21348]: set query timeout to 5 secs
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter DC=domain,DC=local from template DC=domain,DC=local and value ftpuser1
2023-05-23 14:56:51,414 mod_ldap/2.9.5[21348]: generated filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) from template (&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local)) and value ftpuser1
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: searched under base DN DC=domain,DC=local using filter (&(sAMAccountName=ftpuser1)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,DC=domain,DC=local))
2023-05-23 14:56:51,442 mod_ldap/2.9.5[21348]: fetching values for attribute sAMAccountName
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute uidNumber
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute uidNumber, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using LDAPDefaultUID 1111
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute primaryGroupID
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute homeDirectory
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute homeDirectory, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: using default homedir /home/domain/ftpuser1
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: fetching values for attribute loginShell
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: no values for attribute loginShell, trying defaults
2023-05-23 14:56:51,443 mod_ldap/2.9.5[21348]: found user ftpuser1, UID 1111, GID 513, homedir /home/domain/ftpuser1, shell

我不明白为什么它在调试模式下运行正常,当然我需要它在服务模式下运行!我尝试以 root/root 身份运行该服务(这很糟糕!)但它也不起作用。

谢谢你们的帮助,因为我真的陷入困境。

答案1

我找不到让 LDAP over SSL 工作的方法,但我设法让 LDAP over TLS 工作。这不是我想要的,但比不安全的连接要好!

<IfModule mod_ldap.c>
    LDAPServer                ldap://x.x.x.x/??sub ssl-verify:off
    LDAPUseTLS                on
    LDAPTLSRequireCert        off
    LDAPAuthBinds             on
    LDAPSearchScope           subtree
    LDAPBindDN                "CN=myuser,CN=Users,DC=domain,DC=local" "password"
    LDAPUsers                 "DC=domain,DC=local" "(&(sAMAccountName=%u)(objectclass=user)(memberOf=CN=FTP Users,CN=Users,OU=domain,DC=domain,DC=local))"
    LDAPGenerateHomedir       on 0775
    CreateHome                on 0755
    LDAPGenerateHomedirPrefix /home/domain
    LDAPDefaultUID            1111
    LDAPDefaultGID            1111
    LDAPAttr                  uid sAMAccountName
    LDAPAttr                  gidNumber primaryGroupID
    LDAPLog                   /var/log/proftpd/ldap.log
</IfModule>

相关内容