Hello! Is proxy-suite able to authenticate users against an LDAP directory before forwarding FTP to the server or parent proxy? Or more generally is there support for external authenticators? The homepage describes an LDAP feature: "Is able to retrieve configuration data from an LDAP directory" but it does not seem to be related to users. If LDAP user authentication is not already available, it would be exciting to have such a new feature as many HTTP proxies are set up that way and sharing the same database between an HTTP proxy and proxy-suite would be great! Best regards, Phil
Hi, On Fri, Jul 02, porte64@free.fr wrote:
Is proxy-suite able to authenticate users against an LDAP directory before forwarding FTP to the server or parent proxy ?
Or more generally is there support for external authenticators ?
There is support to authenticate the user against the ldap server. It also supports a rebind, so it doesn't matter which crypt algorithm you use for the passwords (only the ldap server has to support it). -- Gruß Dieter -- I do not get viruses because I do not use MS software. If you use Outlook then please do not put my email address in your address-book so that WHEN you get a virus it won't use my address in the From field.
On Fri, Jul 02, 2004 at 10:42:55AM +0200, porte64@free.fr wrote:
Hello !
Hello!
Is proxy-suite able to authenticate users against an LDAP directory before forwarding FTP to the server or parent proxy ?
Or more generally is there support for external authenticators ?
LDAP yes, other authenticators are currently not implemented.
The homepage describes a LDAP feature: "Is able to retrieve configuration data from an LDAP directory" but it does not seem to be related to users.
Yes, it needs an update as well as the docs. BTW: It would be nice if some volunteer wrote a mini-HOWTO for LDAP auth :-)
If LDAP user authentication is not already available, it would be exciting to have such a new feature as many HTTP proxies are set up that way and sharing the same database between an HTTP proxy and proxy-suite would be great !
You can use LDAP auth in transparent proxy mode or
together with "AllowMagicUser" feature as well.
The authentication is based on ldap_simple_bind call,
similar to other implementations (e.g. pam_ldap).
You have to encode the auth username and password in the
USER and PASS commands using UserAuthMagic:
=== & ftp-proxy.conf & ===
#
# Defines if additional and the order of user authentication
# name and password should be encoded in FTP USER and PASS
# commands, as supported by some ftp-clients (e.g. @auth by
# NcFTP). Valid settings are:
#
# @auth for ftpuser@authuser[@host:port]
# auth@ for authuser@ftpuser[@host:port]
#
# Note: UserAuthMagic may be combined with MagicUser feature.
# In case of "AllowMagicUser no", the proxy doesn't parse for
# the [@host:port] part in the USER command.
#
# You can use e.g. "UserAuthMagic auth%" as well - this causes
# the proxy to use "%" separator character in USER command:
#
# auth% for authuser%ftpuser
#
UserAuthMagic auth%
UserAuthType ldap
LDAPServer localhost
LDAPAuthDN dc=domain,dc=tld
LDAPIdentifier uid
LDAPObjectClass simpleSecurityObject
LDAPBindDN auto
#LDAPPreBindDN uid=ftp-proxy,...
#LDAPPreBindPW ftp-proxy-passwd
#LDAPAuthOKFlag allowedService=FTPProxy
#LDAPBaseDN dc=domain,dc=tld
##
## OBSOLETE features - don't use them
## except you know what you are doing!
## (They're required for OpenLDAP 1.x)
##
#LDAPAuthPWAttr userPassword
#LDAPAuthPWType {crypt}7
=== & ftp-proxy.conf & ===
The "LDAPBindDN auto" causes the proxy to do an anonymous
(or non-anonymous if LDAPPreBindDN/LDAPPreBindPW are given)
ldap search for "authuser" (uid=authuser here)
below the DN specified in LDAPAuthDN.
If an entry for "authuser" is found, the proxy binds to
its DN (e.g. uid=authuser,ou=People,dc=domain,dc=tld)
using the password extracted from PASS command (via the
UserAuthMagic mechanism).
This bind is the main authentication step.
Note: Verify that your LDAP server doesn't fall back to
an anonymous bind if the password was wrong!
It should return some failure (LDAP_INVALID_CREDENTIALS
or similar).
If LDAPAuthOKFlag is specified, the proxy additionally checks
if the entry contains an attribute "allowedService" with a
value "FTPProxy" (in the above case).
The "LDAPBaseDN" DN is used to search for a user config;
if you want auth only, LDAPAuthDN is sufficient.
See also the previous thread - Subject "LDAP Auth".
Kind regards,
Marius Tomaschewski
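As an added illustration (not proxy-suite's own code), the flow described above in Python: the USER argument is split according to UserAuthMagic, the auth name is escaped before it enters the search filter, an empty password is refused before the bind (the anonymous-bind caveat above), and the LDAPAuthOKFlag attribute is checked. The directory is a constructed in-memory stand-in, so the example runs without an LDAP server.

```python
import re

# Separators for the three UserAuthMagic settings shown in the post: "@auth" ->
# ftpuser@authuser[@host:port], "auth@" -> authuser@ftpuser[@host:port], "auth%" -> authuser%ftpuser
def parse_user(user_arg, magic="auth%", allow_magic_user=True):
    """Split the USER argument into (authuser, ftpuser, hostport)."""
    if magic == "auth%":
        auth, sep, ftp = user_arg.partition("%")
        if not sep:
            raise ValueError("no auth user in USER command")
        return auth, ftp, None
    parts, hostport = user_arg.split("@"), None
    if allow_magic_user and len(parts) == 3:   # AllowMagicUser yes
        hostport = parts.pop()
    if len(parts) != 2 or magic not in ("@auth", "auth@"):
        raise ValueError("unexpected USER format")
    ftp, auth = parts if magic == "@auth" else reversed(parts)
    return auth, ftp, hostport

def ldap_filter_escape(value):
    """RFC 4515 escaping so a client-supplied name cannot alter the search filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def authenticate(directory, authuser, password, auth_dn="dc=domain,dc=tld",
                 identifier="uid", ok_flag=("allowedService", "FTPProxy")):
    """LDAPBindDN auto flow: search under LDAPAuthDN, bind as the found DN with the
    PASS password, then check LDAPAuthOKFlag. `directory` has search() and bind()."""
    if not password:          # an empty password must never reach the bind:
        return False          # many servers treat it as an anonymous bind
    flt = "(%s=%s)" % (identifier, ldap_filter_escape(authuser))
    entries = directory.search(auth_dn, flt)
    if len(entries) != 1:     # unknown or ambiguous user
        return False
    dn, attrs = entries[0]
    if not directory.bind(dn, password):
        return False
    if ok_flag is None:
        return True
    return ok_flag[1] in attrs.get(ok_flag[0], [])

class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server (not a real client)."""
    def __init__(self, entries):
        self.entries = entries            # {dn: {attr: [values]}}
    def search(self, base, flt):
        attr, _, val = flt.strip("()").partition("=")
        return [(dn, a) for dn, a in self.entries.items()
                if dn.endswith(base) and val in a.get(attr, [])]
    def bind(self, dn, pw):
        return pw in self.entries.get(dn, {}).get("userPassword", [])
```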