配置vsftp通过openldap认证

Posted 2020-08-08

ftp服务器用过的肯定不少，虽然可能有很多公司已经摒弃不用，网上也有很多其他方案可以替代，但是还是有些特别的用途，还是有一定的用武之地的。在部署了ldap之后，我们当然想尽可能多的将生产范围内的其他系统或应用的认证都对接到ldap上来，所以这一次来使用ldap认证登录vsftp。

1、准备工作

1 2 3 4 5 6 7 8 9

#停止iptables，并查看iptables状态 /etc/init.d/iptables stop iptables -L -n #禁用SELinux,并查看SELinux状态 setenforce 0 getenforce #编辑/etc/hosts，添加openldap server的记录 echo "192.168.49.138   ldapsrv01.contoso.com" >>/etc/hosts #添加成功后，最好ping一下，看是否能解析正常

2、安装相关的软件包

yum -y install vsftpd ftp
yum -y install nss-pam-ldapd pam_ldap

3、配置/etc/pam_ldap.conf

[[email protected] ~]# cp /etc/pam_ldap.conf /etc/pam_ldap.conf.bak$(date +%F)

[[email protected] ~]# egrep -v "#|^$" /etc/pam_ldap.conf 

host 127.0.0.1

base dc=example,dc=com

[[email protected] ~]# sed -i ‘/^host/s/host/#host/‘ /etc/pam_ldap.conf 

[[email protected] ~]# sed -i ‘/^base/s/base/#base/‘ /etc/pam_ldap.conf 

[[email protected] ~]# egrep -v "#|^$" /etc/pam_ldap.conf 

[[email protected] ~]# echo "host  192.168.49.138" >>/etc/pam_ldap.conf 

[[email protected] ~]# echo "base  dc=contoso,dc=com" >>/etc/pam_ldap.conf 

[[email protected] ~]# echo "binddn  cn=admin,dc=contoso,dc=com" >>/etc/pam_ldap.conf 

[[email protected] ~]# echo "bindpw  123456" /etc/pam_ldap.conf 

[[email protected] ~]# egrep -v "#|^$" /etc/pam_ldap.conf 

host  192.168.49.138

base  dc=contoso,dc=com

binddn  cn=admin,dc=contoso,dc=com

bindpw  123456

4、配置/etc/vsftpd/vsftpd.conf

cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak$(date +%F)

vi /etc/vsftpd/vsftpd.conf

[[email protected] ~]# diff /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak2016-09-12 

12c12

< anonymous_enable=NO

---

> anonymous_enable=YES

28d27

< anon_upload_enable=YES

33d31

< anon_mkdir_write_enable=YES

103,104d100

< chroot_local_user=YES

< #

124,126d119

< guest_enable=YES

< guest_username=ftp

< local_root=/opt/data

5、配置/etc/pam.d/vsftpd

cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak$(date +%F)

[[email protected] ~]# cat /etc/pam.d/vsftpd

#%PAM-1.0

session    optional     pam_keyinit.so    force revoke

session    optional     pam_ldap.so

auth       sufficient   pam_ldap.so

auth       required pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed

auth       required pam_shells.so

auth       include password-auth

account    sufficient   pam_ldap.so

account    include password-auth

session    required     pam_loginuid.so

session    include password-auth

password   required     pam_ldap.so

6、创建ftp根目录并启动vsftpd服务

mkdir -p /opt/data
chown -R ftp:ftp /opt/data
chkconfig vsftpd on
/etc/init.d/vsftpd start

7、使用ftp客户端测试

[[email protected] ~]# ftp 127.0.0.1

Connected to 127.0.0.1 (127.0.0.1).

220 (vsFTPd 2.2.2)

Name (127.0.0.1:root): charleslv

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp>

#ldap用户登录成功

[[email protected] ~]# useradd user1

[[email protected] ~]# echo "111111" |passwd --stdin user1

Changing password for user user1.

passwd: all authentication tokens updated successfully.

[[email protected] ~]# ftp 127.0.0.1

Connected to 127.0.0.1 (127.0.0.1).

220 (vsFTPd 2.2.2)

Name (127.0.0.1:root): user1

331 Please specify the password.

Password:

230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> 

#本地用户登录成功

本文出自 “IT小二郎” 博客，请务必保留此出处http://jerry12356.blog.51cto.com/4308715/1852080