How to set up an FTP server on OES2 Linux without using LDAP anonymous binds.

  • 7002950
  • 09-Apr-2009
  • 27-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2)
Novell FTP

Situation

Disabling LDAP anonymous binds causes the Novell FTP server to fail.

Anonymous binds are not allowed on the LDAP server.

How to allow pure-ftpd to work without LDAP anonymous binds.

Novell FTP on OES2, how to disable anonymous LDAP binds.

Resolution

This document assumes that the FTP server and the LDAP server are on the same box. The configuration does not use SSL for the LDAP client on the OES2 server, so the bind password is sent to the local LDAP server in clear text. In the assumed setup this does not pose a risk, because the FTP server is binding to an LDAP server on the same machine and the clear-text traffic never leaves the box.

Here are the recommended steps to prevent LDAP anonymous binds via FTP to the OES2 server.
  1. Install Novell FTP through the OES install and configuration within YaST.

  2. Go to the LDAP Server object in iManager. On the General tab, open the Connections section and, under Restrictions, change the bind restrictions to "Disallow anonymous simple bind". Apply the setting, then go to the General Information tab and click the Refresh button to reload LDAP.

  3. Go to the LDAP Group object in iManager and uncheck "Require TLS for Simple Binds with Password". An LDAP proxy user is not needed; it is recommended that the LDAP Proxy field be left blank. (An LDAP proxy user is used to change the rights of an anonymous login from those of [PUBLIC] to the rights of the proxy user. Since anonymous login is disallowed, this is not necessary.)

  4. Edit /etc/ldap.conf. The following changes / settings are required:
    • host <ipaddr>  (the local IP address is recommended)
    • base <FDN of base> (example: "base o=novell")
    • ldap_version 3
    • bind_policy soft
    • binddn <FDN of user> (this is the proxy user that will authenticate; it is required now that anonymous binds are disabled)
    • bindpw <password of binddn user>
    • pam_lookup_policy yes
    • pam_password nds
    • change "ssl on" to "ssl no"
    • uncomment the "nss_map_attribute uniqueMember member" line
    • comment out the "ssl start_tls" line

  5. Edit the /etc/pure-ftpd/pure-ftpd.conf file.
    • Set the CreateHomeDir parameter to yes.
    • Set AnonymousOnly to no if you want eDirectory users to authenticate as FTP users.
    • Set NoAnonymous to yes if you don't want any anonymous FTP users.
    • If you wish to log in to FTP as an anonymous FTP user, type "anonymous" when prompted for a user name. (This is different from LDAP anonymous authentication.)

  6. As anonymous LDAP binds are disabled, you will need to configure LUM to use a proxy user to perform the simple bind to the LDAP server. Modify nam.conf to do this. Make sure the proxy user has sufficient rights to the LUM objects in the tree; the proxy user in nam.conf also needs access to the LUM attributes.
    • proxy-user-fdn=cn=lum-proxy,o=novell
    • proxy-user-pwd=novell

Make sure this server holds a replica of the partition where the user objects are located, as well as of the partition containing the server's NCP Server object. This helps with LUM, FTP and LDAP related events.

LUM-enable all users you wish to allow to FTP into the box.

Run the following commands to get the services back up and running:
rcpure-ftpd stop
rcpure-ftpd start
nldap -u
nldap -l
rcnamcd stop
rcnamcd start
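The following pre-flight script is an added example and is not part of this TID or of Novell's own tooling. It checks that the settings from steps 4 to 6 are actually active in /etc/ldap.conf, /etc/pure-ftpd/pure-ftpd.conf and /etc/nam.conf before the services are restarted: every required key is present and uncommented, nothing from the TLS setup ("ssl on", "ssl start_tls") is still active, and the host is the loopback address (a warning, not a failure, since the TID also allows the server's own address). One check goes beyond the TID: because bindpw and proxy-user-pwd are stored in clear text, the script fails if either file is world-readable; that is my recommendation, not something the document states. The sample files it writes, the proxy user names cn=ftp-proxy and cn=lum-proxy and the passwords in them are constructed values.

```shell
#!/bin/sh
# Added example, not part of the TID: pre-flight check of the settings from
# steps 4 to 6 before the services are restarted. Pass copies of the files to
# try it out; the file names are the ones the TID uses.

# Active (non-comment, non-blank) lines of a config file.
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# setting FILE "KEY [VALUE]": succeed if an active "KEY VALUE" line exists
# (any value when VALUE is omitted). ldap.conf and pure-ftpd.conf both use
# whitespace-separated "key value" lines; keys are matched case-insensitively.
setting() {
    case $2 in
        *" "*) key=${2%% *}; val=$(printf '%s' "${2#* }" | sed 's/ /[[:space:]]+/g') ;;
        *)     key=$2;       val='[^[:space:]]+' ;;
    esac
    active_lines "$1" | grep -Eqi "^[[:space:]]*$key[[:space:]]+$val([[:space:]]|\$)"
}

# bindpw and proxy-user-pwd are stored in clear text, so the files holding them
# should not be readable by every local user (my recommendation; the TID does
# not discuss file modes). Succeeds when the "other" read bit is set.
world_readable() {
    case $(ls -ld "$1") in ???????r*) return 0 ;; *) return 1 ;; esac
}

# Step 4: every required line active, nothing from the TLS setup left active.
check_ldap_conf() {
    f=$1
    for kv in "host" "base" "ldap_version 3" "bind_policy soft" "binddn" "bindpw" \
              "pam_lookup_policy yes" "pam_password nds" "ssl no" \
              "nss_map_attribute uniqueMember member"; do
        setting "$f" "$kv" || { echo "$f: missing or commented out: $kv"; return 1; }
    done
    for kv in "ssl on" "ssl start_tls"; do
        ! setting "$f" "$kv" || { echo "$f: '$kv' must be commented out"; return 1; }
    done
    # The bind is clear text; the TID accepts that only because LDAP is local.
    setting "$f" "host 127.0.0.1" || setting "$f" "host localhost" ||
        echo "$f: warning: host is not loopback; make sure it is this server's own address"
    world_readable "$f" && { echo "$f: holds bindpw but is world-readable"; return 1; }
    return 0
}

# Step 5: home directories created, eDirectory users (not only anonymous)
# accepted; report whether anonymous FTP logins are still allowed.
check_pureftpd_conf() {
    f=$1
    setting "$f" "CreateHomeDir yes" || { echo "$f: CreateHomeDir must be yes"; return 1; }
    setting "$f" "AnonymousOnly no"  || { echo "$f: AnonymousOnly must be no"; return 1; }
    if setting "$f" "NoAnonymous yes"; then
        echo "$f: anonymous FTP logins disabled"
    else
        echo "$f: anonymous FTP logins (user 'anonymous') still allowed"
    fi
}

# Step 6: LUM has a proxy identity for its simple bind and the file holding
# the password is not exposed to other local users.
check_nam_conf() {
    f=$1
    active_lines "$f" | grep -Eq '^proxy-user-fdn=[^[:space:]]+' ||
        { echo "$f: proxy-user-fdn not set"; return 1; }
    active_lines "$f" | grep -Eq '^proxy-user-pwd=.+' ||
        { echo "$f: proxy-user-pwd not set"; return 1; }
    world_readable "$f" && { echo "$f: holds proxy-user-pwd but is world-readable"; return 1; }
    return 0
}

# All three checks; exit status 0 only when every one passes.
preflight() {
    check_ldap_conf "$1" && check_pureftpd_conf "$2" && check_nam_conf "$3"
}

# Constructed sample files (not taken from a real OES2 server) in directory $1.
write_samples() {
    cat > "$1/ldap.conf" <<'EOF'
host 127.0.0.1
base o=novell
ldap_version 3
bind_policy soft
binddn cn=ftp-proxy,o=novell
bindpw example-password
pam_lookup_policy yes
pam_password nds
ssl no
#ssl start_tls
nss_map_attribute uniqueMember member
EOF
    printf 'CreateHomeDir yes\nAnonymousOnly no\nNoAnonymous yes\n' > "$1/pure-ftpd.conf"
    printf 'proxy-user-fdn=cn=lum-proxy,o=novell\nproxy-user-pwd=example-password\n' > "$1/nam.conf"
    chmod 600 "$1/ldap.conf" "$1/nam.conf"
}

# Usage: sh preflight.sh /etc/ldap.conf /etc/pure-ftpd/pure-ftpd.conf /etc/nam.conf
if [ $# -eq 3 ]; then preflight "$1" "$2" "$3"; fi
```

Run it against the three real files as root before the rcpure-ftpd / nldap / rcnamcd restart sequence above; a non-zero exit status names the first setting that is still missing, still commented out, or still left over from the TLS configuration, so the restart can wait until the files are right.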

Additional Information

NOTE: It is recommended to use the OpenLDAP client (pam_ldap.so) for authentication with pure-ftpd.