知乎專欄 | 多維度架構 | 微信號 netkiller-ebook | QQ群:128659835 請註明“讀者” |
準備工作
下載ProFTPD : ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.7.tar.gz
下載 mod_sql : http://www.lastditcheffort.org/~aah/proftpd/mod_sql/
下載mod_ldap-2.8.10 : http://www.horde.net/~jwm/software/mod_ldap/
tar xvzf proftpd-version.tar.gz cd proftpd-version ./configure --prefix=/usr/local/proftpd --with-modules=mod_sql:mod_sql_mysql make make install
安裝成功後,測試ProFTPD,啟動ProFTPD /usr/local/proftpd/sbin/in.proftpd 如果沒有顯示任何信息,ProFTPD啟動成功。使用系統用戶登錄Ftp Server [root@linux sbin]# ftp localhost Connected to localhost (127.0.0.1). 220 ProFTPD 1.2.7 Server (ProFTPD Default Installation) [linux.xuser.net] Name (localhost:root):usera 331 Password required for usera. Password: 230 User usera logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> ProFTPD測試成功,關閉ProFTPD killall in.proftpd 編輯proftpd.conf檔案 vi /usr/local/proftpd/etc/proftpd.conf 添加下面幾行參數 <Global> SQLConnectInfo ftpusers@localhost:3306 root chen SQLAuthTypes Plaintext SQLUserInfo users userid passwd uid gid homedir NULL RequireValidShell off SQLAuthenticate users groups usersetfast groupsetfast </Global> 格式說明: SQLConnectInfo 資料庫@主機名:連接埠 用戶 密碼 SQLAuthTypes 密碼類型(Plaintext明文密碼,Crypt DES密碼,Backend MySQL password()函數產生的密碼) SQLUserInfo [用戶表] [用戶名欄位] [密碼欄位] [用戶ID] [組ID] [用戶目錄] NULL 創建ftpusers.sql檔案 [mysql@linux mysql]$ vi ftpusers.sql -- MySQL dump 8.22 -- -- Host: localhost Database: proftpd --------------------------------------------------------- -- Server version 3.23.52-max -- -- Table structure for table 'groups' -- CREATE TABLE groups ( groupname varchar(255) binary NOT NULL default '', gid int(11) NOT NULL default '0', members text NOT NULL, PRIMARY KEY (groupname) ) TYPE=MyISAM; -- -- Dumping data for table 'groups' -- INSERT INTO groups VALUES ('nogroup',502,'FTP Group'); -- -- Table structure for table 'users' -- CREATE TABLE users ( userid varchar(255) binary NOT NULL default '', passwd varchar(255) binary NOT NULL default '', uid int(11) default NULL, gid int(11) default NULL, homedir varchar(255) default NULL, shell varchar(255) default NULL, count int(11) default NULL, used double(10,1) default '0.0', quota double(10,1) default '10000000.0', PRIMARY KEY (userid) ) TYPE=MyISAM; -- -- Dumping data for table 'users' -- INSERT INTO users VALUES ('chen','chen',500,500,'/home/samba','/bin/sh',0,0.0,10000000.0); INSERT INTO users VALUES ('user2','123456',500,500,'/home/samba','/bin/bash',1,0.0,10000000.0); INSERT INTO users VALUES ('user1','123456',NULL,NULL,'/u01',NULL,1,0.0,10000000.0); 創建資料庫與表 [mysql@linux mysql]$ echo "create database ftpusers" | mysql -uroot -pchen [mysql@linux mysql]$ mysql -uroot -pchen ftpusers < ftpusers.sql [mysql@linux mysql]$ 再次啟動ProFTPD /usr/local/proftpd/sbin/in.proftpd 這次使用MySQL用戶登錄Ftp Server 顯示230 User xxxxx logged in. MySQL認證成功
tar xvzf proftpd-version.tar.gz cd proftpd-version ./configure --prefix=/usr/local/proftpd --with-modules=mod_ldap make make install # tar zxvf mod_ldap-2.8.10.tar.gz 將mod_ldap-2.8.10目錄下的posixAccount-objectclass和posixGroup-objectclass 複製到OpenLDAP 的schema目錄下: # cp mod_ldap-2.8.10/posix* /etc/openldap/schema/ # vi /etc/openldap/slapd.conf 修改OpenLDAP的配置檔案slapd.conf,將這兩個檔案包含到該檔案中: include /etc/openldap/schema/posixAccount-objectclass include /etc/openldap/schema/posixGroup-objectclass 重新啟動OpenLDAP: # service ldap restart Stopping slapd: [ OK ] Starting slapd: [ OK ] 編輯proftpd.conf檔案 vi /usr/local/proftpd/etc/proftpd.conf 添加下面幾行參數 <Global> LDAPServer localhost LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass LDAPDoAuth on "dc=users,dc=horde,dc=net" </Global> 格式說明: LDAPServer OpenLDAP伺服器 LDAPDNInfo cn=你的-dn,dc=區域名,dc=區域名 dn密碼 LDAPDoAuth on "dc=區域名,dc=區域名" 例子: <Global> LDAPServer localhost LDAPDNInfo cn=manager,dc=xuser,dc=net secret LDAPDoAuth on dc=xuser,dc=net </Global> 根據自己需要修改mod_ldap-2.8.10目錄中的group-ldif和user-ldif檔案,並將條目添加到OpenLDAP中: # ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f group-ldif # ldapadd -x -D "cn=manager,dc=xuser,dc=net" -w secret -f user-ldif 顯示:adding new entry "cn=mygroup, dc=xuser, dc=net" 添加成功 使用ldapsearch查看記錄 # ldapsearch -x -b "dc=xuser,dc=net" 啟動ProFTPD: /usr/local/proftpd/sbin/in.proftpd 使用OpenLDAP用戶登錄Ftp Server 顯示230 User xxxxx logged in. OpenLDAP認證成功 例: [root@linux mod_ldap-2.8.10]# cat group-ldif dn: cn=mygroup, dc=xuser, dc=net objectclass: posixGroup cn: mygroup gidNumber: 100 memberUid: user1 memberUid: user2 memberUid: user3 memberUid: user4 memberUid: ftpusersb memberUid: usera memberUid: jwm memberUid: 100 [root@linux mod_ldap-2.8.10]# cat user-ldif dn: uid=jwm, dc=xuser, dc=net objectclass: posixAccount cn: John Morrissey uid: jwm uidNumber: 2000 gidNumber: 100 homeDirectory: /home/chen userPassword: {crypt}* loginShell: /bin/bash dn: uid=chen, dc=xuser, dc=net objectclass: posixAccount cn: chen uid: chen uidNumber: 2000 gidNumber: 100 homeDirectory: /home/chen userPassword: {crypt}sa7XjjlytXZZ2 loginShell: /bin/bash dn: cn=ftpuser1, dc=xuser, dc=net objectclass: posixAccount cn: ftpuser1 uid: ftpuser1 uidNumber: 2000 gidNumber: 100 homeDirectory: /home/chen userPassword: {crypt}sa7XjjlytXZZ2 loginShell: /bin/bash dn: uid=usera, dc=xuser, dc=net objectclass: posixAccount cn: usera uid: usera uidNumber: 2000 gidNumber: 100 homeDirectory: /tmp userPassword:{crypt}sa7XjjlytXZZ2 loginShell: /bin/bash dn: uid=ftpuserb, dc=xuser, dc=net objectclass: posixAccount cn: ftpuserb uid: ftpuserb uidNumber: 2000 gidNumber: 100 homeDirectory: /tmp userPassword:{crypt}O2BooHEK9JI06 loginShell: /bin/bash 上面的用戶密碼是用crypt方式加密的密碼,密碼產生請看 使用PHP產生: # cat des.php <html> <p>DES 密碼產生器</p> <form method=post action=des.php> <p>password:<input name=passwd type=text size=20></p> <input type=submit value=submit> </form> <? $enpw=crypt($passwd); echo "password is: $enpw"; ?> 使用perl產生: perl -e 'print("userPassword: ".crypt("secret","salt")."\n");' 產生的DES密碼,同樣也可以用於OpenLDAP的管理員密碼 # vi /etc/openldap/slapd.conf rootpw {crypt}ijFYNcSNctBYg 四、 標準的配置檔案 MySQL認證配置實例 [root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf ServerName "ProFTPD Default Installation" ServerType standalone DefaultServer on # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 # We put our mod_sql directives in a <Global> block so they'll be # inherited by the <Anonymous> block below, and any other <VirtualHost> # blocks we may want to add. For a simple server these don't need to # be in a <Global> block but it won't hurt anything. <Global> SQLConnectInfo ftpusers@localhost:3306 root chen SQLAuthTypes Plaintext SQLUserInfo users userid passwd uid gid homedir NULL RequireValidShell off SQLAuthenticate users groups usersetfast groupsetfast </Global> # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd) MaxInstances 30 # Set the normal user and group permissions for the server. User nobody Group nogroup # Normally, we want files to be overwriteable. <Directory /*> AllowOverwrite on </Directory> # A basic anonymous configuration, no upload directories. If you # don't want to support anonymous access, simply remove this # <Anonymous ..> ... </Anonymous> block. <Anonymous ~ftp> User ftp Group ftp # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp # Limit the maximum number of anonymous logins MaxClients 10 # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message # Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> </Anonymous> OpenLDAP認證配置實例 [root@linux root]# cat /usr/local/proftpd/etc/proftpd.conf # This is a basic ProFTPD configuration file (rename it to # 'proftpd.conf' for actual use. It establishes a single server # and a single anonymous login. It assumes that you have a user/group # "nobody" and "ftp" for normal operation and anon. ServerName "ProFTPD Default Installation" ServerType standalone DefaultServer on # Port 21 is the standard FTP port. Port 21 # Umask 022 is a good standard umask to prevent new dirs and files # from being group and world writable. Umask 022 <Global> LDAPDoAuth on dc=xuser,dc=net LDAPServer localhost LDAPDNInfo cn=manager,dc=xuser,dc=net secret </Global> # To prevent DoS attacks, set the maximum number of child processes # to 30. If you need to allow more than 30 concurrent connections # at once, simply increase this value. Note that this ONLY works # in standalone mode, in inetd mode you should use an inetd server # that allows you to limit maximum number of processes per service # (such as xinetd). MaxInstances 30 # Set the user and group under which the server will run. User nobody Group nogroup # Normally, we want files to be overwriteable. <Directory /> AllowOverwrite on </Directory> # A basic anonymous configuration, no upload directories. <Anonymous ~ftp> User ftp Group ftp # We want clients to be able to login with "anonymous" as well as "ftp" UserAlias anonymous ftp # Limit the maximum number of anonymous logins MaxClients 10 # We want 'welcome.msg' displayed at login, and '.message' displayed # in each newly chdired directory. DisplayLogin welcome.msg DisplayFirstChdir .message # Limit WRITE everywhere in the anonymous chroot <Limit WRITE> DenyAll </Limit> </Anonymous> # Include /usr/local/etc/mod_ldap.conf OpenLDAP 配置檔案 [root@linux root]# cat /etc/openldap/slapd.conf # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/redhat/rfc822-MailMember.schema include /etc/openldap/schema/redhat/autofs.schema include /etc/openldap/schema/redhat/kerberosobject.schema include /etc/openldap/schema/chen include /etc/openldap/schema/posixAccount-objectclass include /etc/openldap/schema/posixGroup-objectclass #include /etc/openldap/schema/qmail_schema #include /etc/openldap/slapd.info.oc.conf #include /etc/openldap/slapd.account.oc.conf # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org #pidfile //var/run/slapd.pid #argsfile //var/run/slapd.args # Create a replication log in /var/lib/ldap for use by slurpd. #replogfile /var/lib/ldap/master-slapd.replog # Load dynamic backend modules: # modulepath /usr/sbin/openldap # moduleload back_ldap.la # moduleload back_ldbm.la # moduleload back_passwd.la # moduleload back_shell.la # The next two lines allow use of TLS for connections using a dummy test # certificate, but you should generate a proper certificate by changing to # /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on # slapd.pem so that the ldap user or group can read it. #TLSCertificateFile /usr/share/ssl/certs/slapd.pem #TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem ####################################################################### # ldbm database definitions ####################################################################### database ldbm suffix "dc=xuser,dc=net" rootdn "cn=Manager,dc=xuser,dc=net" #rootdn "cn=Manager,dc=my-domain,dc=com" #rootdn "cn=Manager,o=My Organization Name,c=US" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw secret # rootpw secret # rootpw {crypt}ijFYNcSNctBYg # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap # Indices to maintain index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial # Replicas to which we should propagate changes #replica ldap-1.example.com:389 tls=yes # bindmethod=sasl saslmech=GSSAPI # authcId=host/ldap-master.example.com@EXAMPLE.COM 五、 FAQ Q:在本地ftp localhost輸入用戶名、密碼回車後。等很久才進入FTP Server A:ftp 127.0.0.1 Q:在遠程伺服器上ftp ip輸入用戶名、密碼回車後。等很久才進入FTP Server A:LDAPServer localhost 改為 LDAPServer 127.0.0.1 Q:[root@linux mod_ldap-2.8.10]# ftp 127.0.0.1 Connected to 127.0.0.1 (127.0.0.1). 500 FTP server shut down (going down at Tue Dec 17 19:00:00 2002) -- please try again later. ftp> A:rm –rf /etc/shutmsg Q:登錄Ftp Server 提示 530 Login incorrect. Login failed. 我確認輸入的用戶、密碼決對正確 A:在登錄ProFTPD時加參數proftpd –d5 –n會輸出調試信息。你可以在其中 找到答案。如果在調試信息中找到這一行no such user 'xxxx' 可能是與MySQL/OpenLDAP連接有問題。 Q:我在網上看見很多介紹如何安裝ProFTPD文章,閲讀大量的How to,按How to一步一步做,從來沒有安裝成功過。 A:網上很多文章,比較老,很多定義現以不在使用如: SQLConnectInfo laftp@localhost 用戶名 口令 SQLAuthTypes Plaintext Backend SQLAuthoritative ON SQLDefaultGID 1001 SQLDefaultUID 1001 SQLDoAuth ON SQLDoGroupAuth ON SQLGidField gid SQLGroupGIDField gid SQLGroupMembersField members SQLGroupTable ftpgroup SQLGroupnameField groupname SQLHomedirField homedir SQLMinUserUID 400 SQLMinUserGID 400 SQLPasswordField passwd SQLUidField uid SQLUserTable ftpuser SQLUsernameField userid SQLLoginCountField count ######################################################## LDAPServer "localhost" LDAPPrefix "dc=horde,dc=net" LDAPDN "cn=thedn,dc=horde,dc=net" LDAPDNPass "ldap_dnpass" LDAPNegativeCache on