Controlled forward proxying possible?
Hello

I would like to know if it is possible to configure the SuSE FTP Proxy as a forward proxy with user authentication and user-based authorisation.

Specifically, I need an FTP proxy that a local user may log in to using credentials local to the proxy, from which she may either be automatically redirected to an FTP server (using credentials stored on the proxy, e.g.) via some sort of username to FTP server mapping mechanism, or from which she may establish an FTP session to a list of FTP servers (specific to her).

http://www.suse.com/en/whitepapers/proxy_suite/ftp_proxy/ftp_proxy_wp_5.html makes it sound like this is not possible. Is that true? If someone could confirm my suspicion, I could move on to look for another package.

Cheers,
Tobias

--
Tobias Reckhard secunet
Tel : +49(6196)95888-42 Mergenthalerallee 77
Fax : +49(6196)95888-88 D-65760 Eschborn
E-Mail: tobias.reckhard@secunet.com

On Tue, Jun 14, 2005 at 10:26:15AM +0200, Tobias Reckhard wrote:
> Hello

Hello!

> I would like to know if it is possible to configure the SuSE FTP Proxy as a forward proxy with user authentication and user-based authorisation.

Yes. Using ldap simple bind for authentication. Specify LDAPAuthDN, set LDAPBindDN to auto [find the user dn below LDAPAuthDN], use UserAuthMagic to encode the auth credentials in FTP USER and PASS cmds. Take a look into the mailing list archives (lists.suse.com); I've described several LDAP setups there.

> Specifically, I need an FTP proxy that a local user may log in to using credentials local to the proxy, from which she may either be automatically redirected to an FTP server (using credentials stored on the proxy, e.g.) via some sort of username to FTP server mapping mechanism,

You can override the destination by specifying the FTP server in DestinationAddress (in the user section of the config file or ldap attribute, LDAPBaseDN) for each user or globally (config).

> or from which she may establish an FTP session to a list of FTP servers (specific to her).

A list of allowed destinations is not possible (not implemented). What you can do is to set it up in transparent proxy mode, where you can limit the list of reachable FTP servers (for all users). In this case, the ftp-proxy has to run on some gateway machine (see TransProxy-Mini-Howto.txt).

> http://www.suse.com/en/whitepapers/proxy_suite/ftp_proxy/ftp_proxy_wp_5.html makes it sound like this is not possible. Is that true? If someone could confirm my suspicion, I could move on to look for another package.

The whitepaper / web page is outdated. Take a look into the newest version on the ftp server.

Read the ftp-proxy.conf.5 manual page, and/or ftp-proxy.conf.sample (proxy-suite version 1.9.2.4).

Bye,
Marius.
--
Marius Tomaschewski

Hi

Many thanks for your response, I appreciate it.

Marius Tomaschewski wrote:
> On Tue, Jun 14, 2005 at 10:26:15AM +0200, Tobias Reckhard wrote:
>> I would like to know if it is possible to configure the SuSE FTP Proxy as a forward proxy with user authentication and user-based authorisation.
>
> Yes. Using ldap simple bind for authentication.

OK... I guess I could install OpenLDAP on the machine in question, though it does seem a little overblown in this specific case. :-)

> Specify LDAPAuthDN, set LDAPBindDN to auto [find the user dn below LDAPAuthDN], use UserAuthMagic to encode the auth credentials in FTP USER and PASS cmds. Take a look into the mailing list archives (lists.suse.com); I've described several LDAP setups there.

Thanks, I'll look for your posts then.

>> Specifically, I need an FTP proxy that a local user may log in to using credentials local to the proxy, from which she may either be automatically redirected to an FTP server (using credentials stored on the proxy, e.g.) via some sort of username to FTP server mapping mechanism,
>
> You can override the destination by specifying the FTP server in DestinationAddress (in the user section of the config file or ldap attribute, LDAPBaseDN) for each user or globally (config).

Yes, I tried that, but... umm.. now, why didn't it work the way I had hoped..? I'll need to go back and take a look at it again. Sorry.. :-(

>> or from which she may establish an FTP session to a list of FTP servers (specific to her).
>
> A list of allowed destinations is not possible (not implemented).

OK, but it would be sufficient if I could force one user to one FTP server with the DestinationAddress option. I'll check that out.

> What you can do is to set it up in transparent proxy mode, where you can limit the list of reachable FTP servers (for all users). In this case, the ftp-proxy has to run on some gateway machine (see TransProxy-Mini-Howto.txt).

Transparent proxying is out of the question in this case. Thanks for the hint, though.

>> http://www.suse.com/en/whitepapers/proxy_suite/ftp_proxy/ftp_proxy_wp_5.html makes it sound like this is not possible. Is that true? If someone could confirm my suspicion, I could move on to look for another package.
>
> The whitepaper / web page is outdated. Take a look into the newest version on the ftp server.
>
> Read the ftp-proxy.conf.5 manual page, and/or ftp-proxy.conf.sample (proxy-suite version 1.9.2.4).

I have, but they're not very detailed about how deployment really works and how the different options interact. I'll take a look at it again, though.

Thanks again for your input.

Cheers,
Tobias

--
Tobias Reckhard secunet
Tel : +49(6196)95888-42 Mergenthalerallee 77
Fax : +49(6196)95888-88 D-65760 Eschborn
E-Mail: tobias.reckhard@secunet.com