Setting up Novell FTP (LUM-enabled pure-ftpd on OES)

  • 7015388
  • 17-Jul-2014
  • 09-Sep-2019

Environment

Novell Open Enterprise Server 11 (OES 11) Linux
Novell Open Enterprise Server 2015 (OES 2015)
Novell Open Enterprise Server 2018 (OES 2018)
Novell FTP
OES FTP
pure-ftpd (an FTP server)
quickstart

Situation

NOTE: This document is for OES 11 and higher. For OES 1 and 2, see KB 3503915.

On OES, LUM-enabling pure-ftpd is a simple process. This document covers it in the "Quick Start" section. Configuring or troubleshooting Novell FTP may take more effort, so this document also provides sections on those topics.

Resolution

QUICK START
 
General Prerequisites:
 
1. The OES server has been successfully installed, and is part of a functioning tree. As part of this, Novell Account Management (including namcd, nam.conf, etc) are configured and functioning properly.
 
2. LUM-enabled users exist in the tree, and it is our goal that they be able to log into OES through pure-ftpd.
 
General Verification of LUM functionality:
 
At the server where pure-ftpd will be running, give the following command:
 
id username
 
where "username" is replaced with the name of the LUM-enabled user which you will be testing. This user should exist in eDirectory but should not exist as a "local user" in the traditional Linux files (i.e. /etc/passwd). This "id" command should return the same information about the user and his group(s), as retrieved from eDirectory (user object, Linux profile tab). If the user is not found by "id", then there is a problem with LUM or with that user object, which should be addressed before expecting the user to successfully log in through pure-ftpd.
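The check just described (the account resolves through "id", but is not a traditional local user in /etc/passwd) can be scripted so it is repeatable on each FTP server. This is an added example, not part of the original KB; the function name lum_user_check and the exit-code scheme are this example's own conventions, and the passwd file path is a parameter so the function can be exercised against a constructed sample file as well as the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original KB): verify that an account resolves
# through the name service (on OES that includes namcd/LUM) rather than
# from the local passwd file.
# Exit codes (this example's own convention):
#   0 = resolved by "id" and not defined locally  (what a LUM user should show)
#   1 = resolved by "id" but defined in the local passwd file
#   2 = not resolvable at all (a LUM or user-object problem)
lum_user_check() {
    user="$1"
    passwd_file="${2:-/etc/passwd}"

    # "id" consults NSS; on an OES server that includes namcd (LUM).
    if ! id "$user" >/dev/null 2>&1; then
        echo "$user: not resolvable by id; check LUM (namcd, nam.conf) or the user object"
        return 2
    fi

    # A user that also appears in the local passwd file is a traditional
    # Linux user, not the LUM-enabled eDirectory account we want to test.
    if grep -q "^${user}:" "$passwd_file"; then
        echo "$user: resolved, but defined locally in $passwd_file"
        return 1
    fi

    echo "$user: resolved via the name service and not present in $passwd_file:"
    id "$user"
    return 0
}

# Usage: sh lum-check.sh USERNAME [PASSWD_FILE]
if [ -n "$1" ]; then
    lum_user_check "$1" "${2:-/etc/passwd}"
fi
```

Run it as root on the server where pure-ftpd will run, once per test user; a return code of 2 means the LUM problem must be solved before any FTP login can be expected to work, and a return code of 1 means the account being tested is not actually the eDirectory user.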
 
Steps for enabling "Novell FTP" (the lum-enabled pure-ftpd):
 
The first step (aside from the prerequisites mentioned above) is to tell YaST's OES configuration to install "Novell FTP". Specifically:
 
1. As root, run yast2 (graphical version of YaST).
 
2. In the left frame, select Open Enterprise Server.
 
3. In the right frame, select OES Install and Configuration.
 
4. On the Software Selection screen, under "Open Enterprise..." check "Novell FTP". Then click "Accept".
 
5. After this installs the FTP components, it will bring you to an OES Configuration screen. It may take 10 - 20 seconds for this screen to fully populate. To verify FTP is considered a LUM service, find the "Linux User Management" section. Underneath it, it will say "reconfigure is disabled." Click the word "disabled" and it will change to "enabled" and a summary will come up. FTP should say "yes." If it does not, click the heading "Linux User Management," then log in as admin. At the new screen, simply click "next." Then on the subsequent screen, check the box for FTP. For troubleshooting purposes (i.e. to do comparisons with another authentication method), it is often helpful to also check "su".
 
6. Click Next, Accept, and/or Finish, as needed to continue through the installation.
 
NOTE: In step 4, if "Novell FTP" is already checked, the LUM configuration should still be verified by highlighting "Novell Linux User Management" in the left-hand frame, then clicking "accept". Then proceed with step 5.
 
NOTE: In OES 11 SP0, Novell FTP used the package "pure-ftpd" provided by the underlying SLES installation. Starting in OES 11 SP1, the SLES pure-ftpd package is not used for Novell FTP. The OES-specific enhancements will be found only in the package "novell-oes-pure-ftpd". OES's "Novell FTP" pattern will know which one to install, and will remove the existing "pure-ftpd" package if necessary. Either package uses the same file names and locations.
 
 
CONFIGURATION TIPS
 
Every environment may have slightly different needs, and the "default" configuration for pure-ftpd is rarely going to be what is needed. The first thing to do is to read through the configuration file, /etc/pure-ftpd/pure-ftpd.conf . While reviewing it, there will likely be several changes needed. A few of the common changes will be listed below, but it is very strongly recommended that you carefully read through the entire conf file and be familiar with the available parameters, and what the existing settings do. Most administrators will NOT get the results they want without carefully reviewing and modifying this file.
 
SIDE NOTE: The YaST "FTP Server" configuration tool will *not* give access to all options available to OES's customized pure-ftpd, so it is recommended to deal directly with the configuration file, rather than use the YaST tool.
 
Just a few suggestions about configuration areas to focus on:
 
ChrootEveryone
This is set to "yes" in the default .conf file. This will cause all users to be "jailed" in their home directory as if it were a root directory. If this is not desired, change it to "no".
 
MaxClientsNumber
This is set to "10" in the default file. Most production systems will need a higher number. If it needs to be higher than 50, then the PassivePortRange (later in the file) should also be expanded. Pure-ftpd requires that 2 passive ports be possible for every connection. So, for example, if 80 simultaneous FTP sessions are needed, then the PassivePortRange should cover 160 ports.
 
MaxClientsPerIP
This is set to "3" in the default file. If there is an individual client which will require many sessions open at once, boost this number, according to your needs. Or if it is intended that a web browser such as MS Internet Explorer be used as an FTP client, boost it as well (try 6). MSIE may rapidly attempt multiple connections and may get denied if this setting has not been boosted. Other web browsers may have similar habits.
 
AnonymousOnly
This is set to "yes" by default. Change it to "no" in order to support regular user logins (including LUM-enabled eDir accounts).
 
PassivePortRange
The size (width) of this range must be at least double the MaxClientsNumber, as noted above.
 
ForcePassiveIP
This setting is not usually needed unless both of the following are in effect: (1) the FTP server is behind a NAT device (so it is known by a public address which is not bound directly on the FTP server system) and (2) FTP sessions will use TLS/SSL encryption. The combination of those two technologies requires that the "ForcePassiveIP" parameter be set to the public address which represents this FTP server, because the NAT device cannot rewrite the address inside an encrypted PASV reply. This must never be set to 0.0.0.0.
 
Bind
This is usually remarked out. Without it being set, pure-ftpd listens on port 21 on all available IP addresses on this server. To listen on only one particular IP address, set it here.
 
AutoRename
This is set to "yes" in the default file. It is usually required to set this to "no" if users will be uploading files to NSS volumes. See KB 7000662 for more information.
 
AnonymousCantUpload
This is set to "yes" in the default file. If the anonymous account will need to upload files, change it to "no".
 
NoRename
This is set to "yes" by default. If users will need to rename files, change it to "no".
 
TLS
This is remarked out by default. Do not attempt to put this into effect unless you have created an appropriate certificate. For instructions on this, see /usr/share/doc/packages/pure-ftpd/README.TLS. Find the section which begins, "To create a self-signed certificate".
 
remote_server
This is set to "no" in the default file. If users will need to use this FTP server to access Novell NCP volumes on other NCP servers in the tree, set this to "yes".
 
DefaultHomeDirectory
This is remarked out in the default file. If pure-ftpd should ignore users' individual home directories and instead place them in a common location, un-remark the line and specify the path. Used by itself, this should be a local path, such as /home/ftp or /media/nss/VOL1. (Note: this setting does not affect the anonymous user.)
 
DefaultHomeDirectoryServer (available on OES 11 SP1 and above)
This is remarked out in the default file. It is designed to be used together with DefaultHomeDirectory. It allows the common path to be located on a remote Novell NCP server, instead of local to the FTP server. This should be set to the DNS name or IP address of the remote server. The "remote_server" option also needs to be set to "yes". When this setting is used, the meaning of the DefaultHomeDirectory setting also changes: DefaultHomeDirectory then becomes an NCP volume path, written as /VOLNAME/path
 
EnableRemoteHomeDirectory (available on OES 11 SP1 and above)
This will cause pure-ftpd to take users to their eDirectory NCP home volume and directory, rather than the posix home directory (from the user's Linux Profile) and rather than a DefaultHomeDirectory (set in pure-ftpd.conf). Pure-ftpd will attempt to start the user's FTP session at the NCP home directory, even if it is on a separate Novell Server in the tree. This feature also relies on "remote_server" being enabled. Users with NCP home dirs defined in eDirectory will be taken there. Users without such a definition would be taken to pure-ftpd.conf's "DefaultHomeDirectory...." locations, if they are set. Otherwise users will be taken to their local posix home, such as /home/user.
 
disable_ascii
If this OES FTP server is replacing a NetWare FTP server, and ascii (plain text) file line delimiters should be handled as they were on NetWare (rather than how Linux traditionally handles them), then set this to yes. Default is no.
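Several of the tips above are constraints that are easy to get wrong by hand: the PassivePortRange must cover at least twice MaxClientsNumber, ForcePassiveIP must never be 0.0.0.0, AnonymousOnly must be "no" for LUM users to log in, and the remote home-directory options depend on remote_server being "yes". The following script checks a pure-ftpd.conf for those four points. It is an added example, not code from the KB or from the pure-ftpd project; the function names (conf_get, check_pureftpd_conf, write_sample_conf) are this example's own, and the sample configuration it writes is a constructed file that only resembles the defaults discussed above, not a copy of the shipped file.

```shell
#!/bin/sh
# Added example (not from the KB or pure-ftpd): sanity-check a pure-ftpd.conf
# against the constraints described in the configuration tips. The file
# format is "Key value [value]" with "#" comment lines, as in
# /etc/pure-ftpd/pure-ftpd.conf.

# conf_get FILE KEY -> prints the first active value(s) of KEY, or nothing.
# awk rebuilds the line with single spaces, so "30000 30100" is normalized.
conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# check_pureftpd_conf FILE -> prints one line per finding; return code is
# the number of findings (0 means all four checks passed).
check_pureftpd_conf() {
    conf="$1"
    findings=0

    # Two passive ports are needed per session, so the range width must be
    # at least 2 * MaxClientsNumber.
    max=$(conf_get "$conf" MaxClientsNumber)
    range=$(conf_get "$conf" PassivePortRange)
    if [ -n "$max" ] && [ -n "$range" ]; then
        lo=${range% *}; hi=${range#* }
        width=$((hi - lo + 1))
        if [ "$width" -lt $((2 * max)) ]; then
            echo "PassivePortRange $lo-$hi covers $width ports; MaxClientsNumber $max needs at least $((2 * max))"
            findings=$((findings + 1))
        fi
    fi

    # ForcePassiveIP is only for the NAT + TLS case and must be a real address.
    if [ "$(conf_get "$conf" ForcePassiveIP)" = "0.0.0.0" ]; then
        echo "ForcePassiveIP is 0.0.0.0; set it to the public NAT address or remark it out"
        findings=$((findings + 1))
    fi

    # AnonymousOnly yes blocks every regular login, including LUM users.
    if [ "$(conf_get "$conf" AnonymousOnly)" = "yes" ]; then
        echo "AnonymousOnly is yes; LUM-enabled eDirectory users cannot log in"
        findings=$((findings + 1))
    fi

    # Both remote home-directory features rely on remote_server yes.
    rs=$(conf_get "$conf" remote_server)
    if [ -n "$(conf_get "$conf" DefaultHomeDirectoryServer)" ] && [ "$rs" != "yes" ]; then
        echo "DefaultHomeDirectoryServer is set but remote_server is not yes"
        findings=$((findings + 1))
    fi
    if [ "$(conf_get "$conf" EnableRemoteHomeDirectory)" = "yes" ] && [ "$rs" != "yes" ]; then
        echo "EnableRemoteHomeDirectory is yes but remote_server is not yes"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample (NOT the shipped file) with the problems described above:
# 80 clients but only 101 passive ports, ForcePassiveIP 0.0.0.0, anonymous-only,
# and a remote home server without remote_server.
write_sample_conf() {
    cat > "$1" <<'EOF'
# pure-ftpd.conf (constructed sample for the example)
ChrootEveryone        yes
MaxClientsNumber      80
MaxClientsPerIP       3
AnonymousOnly         yes
PassivePortRange      30000 30100
# ForcePassiveIP      192.168.0.1
ForcePassiveIP        0.0.0.0
AutoRename            yes
remote_server         no
DefaultHomeDirectoryServer  ncp-server.example.com
EOF
}

# Usage: sh check-pureftpd.sh [/etc/pure-ftpd/pure-ftpd.conf]
# With no argument, the constructed sample above is checked instead.
if [ -n "$1" ]; then
    check_pureftpd_conf "$1"
else
    sample=$(mktemp); write_sample_conf "$sample"
    check_pureftpd_conf "$sample"; rm -f "$sample"
fi
```

The script only reads the file, so it is safe to run against the live /etc/pure-ftpd/pure-ftpd.conf before restarting the service; a non-zero exit status is the count of findings, which makes it convenient to wire into a change checklist.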
 
For More Configuration Help
 
1. For deeper configuration information than the comments provided in the .conf file, there are several sources.
 
For FTP options that come from the general Linux pure-ftpd package, see the man page for pure-ftpd. It can be a little confusing to compare options in the conf file to the command line settings discussed in the man page. The best approach is to note the option name in the conf file, then locate that item in the "Alternative Style" section near the top of the pure-ftpd man page. Once you find the long-style option which corresponds to it (usually an exact match, but not always), it will give you the corresponding short option. Then look deeper into the man page for the explanation of that short option.
 
2. For more information on OES-specific options that Novell has added for remote server functionality, accessing NCP volumes, disabling Linux-style ascii manipulation (to mimic NetWare), etc., see the OES online documentation.
 
3. There is additional documentation located in /usr/share/doc/packages/pure-ftpd, on any SUSE system where pure-ftpd has been installed.
 
TROUBLESHOOTING
 
(Other things to check if problems are encountered)
 
1. If you make a change to a LUM user but that change doesn't seem to be reflected in current behavior, use the following command to flush the nam cache:
 
namconfig cache_refresh
 
2. To fully test whether an eDirectory user is functioning correctly (which it must be, before pure-ftpd can hope to use it), it is often useful to "su" to that user and perform some file system tests, in a terminal window on the server itself. The potential hurdle here, however, is that "su" is not always a LUM-enabled service. If "id username" works but "su username" does not, it may be desirable to check on this.
 
This can be done in YaST (GUI version), Open Enterprise Server, OES Install and Configuration. Under "OES Services" click to highlight "Novell Linux User Management (LUM)". Don't change its check mark to another symbol, just highlight that line. Click "Accept".
 
Wait for the list of various services to populate and display the reconfigure status. This will likely take around 20 seconds. Then under "Linux User Management" click on the word "disabled" in "Reconfigure is disabled". That will change to "enabled".
 
Now click on "Linux User Management" (the heading). Enter the admin password when prompted (and click OK). This brings up the first LUM configuration screen. Typically nothing here needs to be changed. Normally at least the first 3 lines are populated. In some cases, the second and third lines are not configured, so it's recommended in those cases to enter:
 
-the "Unix Config Context." This is the location of the "Unix Config" object in eDirectory. There is typically only 1 per tree, and it is usually in the same context as the admin user.
 
-the "Unix Workstation Context." This is the location of the Unix Workstation object for this particular OES server, and is usually in the same context as the normal NCP server object of this machine.
 
Then click NEXT.
 
Now a LUM configuration screen will come up which shows which services to LUM-enable. Sometimes nothing needs to be changed here. However, for troubleshooting purposes, a minimum of "ftp" and "su" should be checked. If there are other services shown which need to be able to authenticate against eDirectory, check those boxes as well. Click NEXT.
 
This returns to the Novell OES configuration screen. Click NEXT. This will rewrite LUM configuration settings. Once it says "Installation Completed" click FINISH. A screen may come up for "Novell Customer Center Configuration" at this point. Click "Configure Later", and then "NEXT".
 
Now, with su being LUM-enabled, the authentication and file system access of the user can be checked independently of FTP. This will help determine if some problems are in FTP itself or at lower layers.
 
For example, to test authentication of the LUM user, start as any non-root user, and enter:
 
su username
 
This should prompt for a password (unless you are acting as root, who is not required to give one).
 
(If you don't want to deal with any user other than root and the test eDir user, then use this trick: First su from root to the eDir user (without password) and then su again from the eDir user to the same eDir user, which will require the password and perform the authentication.)
 
Upon giving the password, login will either succeed or fail. If it fails here, there is still a LUM problem and that must be solved before FTP can be expected to work.
 
Once you have su-ed to an eDir user, you can also test file system access as that user. This is especially important for NSS volume access, as NSS volumes have their own access controls, beyond the posix permissions used by other Linux file systems. If your eDir user account cannot access certain paths or files from a terminal, it will not be able to access them from FTP, either. File system rights may need to be checked. In the case of an NSS volume, this would mean checking Novell Trustee Rights.
 
3. You may have users which are already LUM-enabled, but which aren't associated with this particular OES server (aka "Unix Workstation" object). Verifying this typically means:
 
a. In iManager -> Users -> Modify Users, check the user's Linux Profile. Make note of the Primary Group Name.
 
b. In iManager -> Groups -> Modify Groups, find the group which was identified in 3a. Within its "Linux Profile" tab, in the list of Unix Workstations, add the Unix Workstation object which represents the OES Server / FTP Server. A Unix Workstation object will be named in the form "Unix Workstation - <oes-servername>".
 
4. If FTP users are going to interact with NSS volumes, consider enabling hard links on those volumes. For further details, instructions, or options, see KB 7000662.
 
5. If pure-ftpd is not launching upon boot, you can enable that with the command:
 
chkconfig pure-ftpd 35