On 17.06.2011 15:48, Ralf Haferkamp wrote:
I used the following configuration in the past and am migrating an old system to 11.4. But there I just don't get it to work anymore.
pure-ftpd is started through xinetd:
server_args = -E -A -l pam
/etc/pam.d/pure-ftpd:
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth sufficient pam_ldap.so
auth required pam_shells.so
#auth include common-auth
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
Hm, why don't you set up pam_ldap in /etc/pam.d/common-auth? Do you just want to allow ftps logins via LDAP and nothing else? And wouldn't you need to add pam_ldap to the "account" section as well (this depends of course on the contents of "/etc/pam.d/common-account")?
The users in the LDAP database only use ftp and imap/pop3 and therefore I only change those. (The mailserver configuration is not yet ready so I cannot verify if it works for them). I don't need the features of the account section and haven't had it configured on the previous version. Still I tried to use pam_ldap for it but nothing changed.
nss_ldap and openldap apparently work correctly but when I try to log in over ftp it always fails. I can bind with the same user credentials to ldap (tested via ldapsearch).
I get the following output in /var/log/messages:
pure-ftpd: PAM audit_log_acct_message() failed: Operation not permitted
pure-ftpd: (?@localhost) [WARNING] Authentication failed for user [xxx]

Are you running pure-ftpd as a non-root user by chance? It might be that pure-ftpd drops too many of its privileges before doing PAM authentication. I am not familiar with the pure-ftpd code though. BTW, does pure-ftpd's pam authentication work for you for non-ldap based users?
Good point. Just tested and set the pam config back to defaults and tried to log in through pure-ftpd as a "passwd" user. Fails the same way. That makes it most likely a pure pure-ftpd issue ;-)
According to the preconfigured xinetd service it's started as root but still it could be compiled to drop privileges. So I'm going to create a bug report against pure-ftpd for now.

Thanks for the hints.

Wolfgang