Integration/PureFTPd.iRedMail.with.OpenLDAP/Ubuntu

From iRedMail


Install Pure-FTPd

Install the pure-ftpd-ldap package

Terminal:
# apt-get install pure-ftpd-ldap 

Configure Pure-FTPd

  • Chroot every virtual user into their own home directory, so they cannot browse directories or files outside it.
Terminal:
echo "yes" > /etc/pure-ftpd/conf/ChrootEveryone
  • Have Pure-FTPd create a user's home directory on first login if it does not exist yet.
Terminal:
echo "yes" > /etc/pure-ftpd/conf/CreateHomeDir
  • Stop Pure-FTPd from resolving client host names. This speeds up connections, avoids DNS traffic, and means the logs record plain IP addresses (as in the Troubleshooting section).
Terminal:
echo "yes" > /etc/pure-ftpd/conf/DontResolve
  • Open /etc/pure-ftpd/db/ldap.conf and set the LDAP lookup settings (the # annotations below explain each value; keep the real file to one directive per line without them):
File: /etc/pure-ftpd/db/ldap.conf
LDAPServer localhost
LDAPPort 389
LDAPBaseDN o=domains,dc=example,dc=com
LDAPBindDN cn=vmail,dc=example,dc=com
LDAPBindPW kZ6uB29mViWKWI9lOH3cGnF7z3Dw3B             # Password of cn=vmail,dc=example,dc=com
LDAPDefaultUID 1000                                           # <- UID of 'vmail' user.
LDAPDefaultGID 1000                                           # <- GID of 'vmail' user.
LDAPFilter (&(objectClass=PureFTPdUser)(mail=\L)(FTPStatus=enabled))
LDAPHomeDir FTPHomeDir                                           # <- New attribute added by the iRedMail schema (see Config OpenLDAP below)
LDAPVersion 3

The LDAPBindDN and LDAPBindPW values are the ones iRedMail already configured for Postfix; copy them from a Postfix LDAP lookup file such as the virtual_mailbox_domains one (/etc/postfix/ldap/virtual_mailbox_domains.cf, or /etc/postfix/ldap_virtual_mailbox_domains.cf in older iRedMail releases):

File: /etc/postfix/ldap_virtual_mailbox_domains.cf
bind_dn         = cn=vmail,dc=example,dc=com
bind_pw         = kZ6uB29mViWKWI9lOH3cGnF7z3Dw3B

Use cn=vmail rather than the directory manager DN: in iRedMail, cn=vmail is a low-privilege account that can read the directory but cannot write or update it, so a compromise of the FTP daemon (or of this file) cannot be turned into changes to user or domain entries. Two caveats: the bind password sits in clear text in /etc/pure-ftpd/db/ldap.conf, so keep that file owned by root with mode 0600; and "read-only" still includes the userPassword attribute, which Pure-FTPd fetches to verify the password hash itself (the SRCH attr list in the slapd log under Troubleshooting shows it), so treat this file with the same care as the Postfix and Dovecot lookup files.
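Since ldap.conf holds a clear-text bind password and a filter that decides who may log in, it is worth creating it with the right mode and checking it before the first restart. The following shell script is an added example, not part of Pure-FTPd or iRedMail: write_pureftpd_ldap_conf writes the file shown above under umask 077 (so the password is never readable by other users, not even between the write and a later chmod), and check_pureftpd_ldap_conf reports a file readable by group or others, a bind DN other than cn=vmail, a filter that does not require FTPStatus=enabled or does not use the \L login placeholder, and a default UID or GID of 0. The directive names are Pure-FTPd's; the checks and their thresholds are this example's own choices.

```shell
#!/bin/sh
# Added example (not Pure-FTPd's or iRedMail's own code): create and audit
# /etc/pure-ftpd/db/ldap.conf. Directive names are Pure-FTPd's; the checks
# and their thresholds are this example's own choices.

# Print the value of a directive (first word after its name), ignoring
# comment lines and trailing "# ..." annotations; empty if absent.
ldap_conf_get() {
    sed -e 's/#.*$//' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Write ldap.conf for an iRedMail directory. The file is created under
# umask 077 so the bind password is never readable by other users.
# $1 output path, $2 LDAP suffix, $3 cn=vmail password, $4 vmail uid, $5 vmail gid
write_pureftpd_ldap_conf() {
    (
        umask 077
        cat > "$1" <<EOF
LDAPServer localhost
LDAPPort 389
LDAPBaseDN o=domains,$2
LDAPBindDN cn=vmail,$2
LDAPBindPW $3
LDAPDefaultUID $4
LDAPDefaultGID $5
LDAPFilter (&(objectClass=PureFTPdUser)(mail=\\L)(FTPStatus=enabled))
LDAPHomeDir FTPHomeDir
LDAPVersion 3
EOF
    )
}

# Audit an existing ldap.conf. Prints one FAIL line per problem and
# returns non-zero if any check failed.
check_pureftpd_ldap_conf() {
    conf="$1"
    rc=0

    # 1. LDAPBindPW is stored in clear text: group/other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $conf is accessible to group/other (perms $perms); chmod 600 it"
        rc=1
    fi

    # 2. Bind as the read-only cn=vmail account, never as the manager DN.
    binddn=$(ldap_conf_get "$conf" LDAPBindDN)
    case "$binddn" in
        cn=vmail,*) ;;
        *) echo "FAIL: LDAPBindDN is '$binddn'; expected cn=vmail,<suffix>"; rc=1 ;;
    esac

    # 3. The filter must exclude disabled accounts and match on the login
    #    placeholder; otherwise every PureFTPdUser entry would match.
    filter=$(ldap_conf_get "$conf" LDAPFilter)
    case "$filter" in
        *'(FTPStatus=enabled)'*) ;;
        *) echo "FAIL: LDAPFilter does not require FTPStatus=enabled: $filter"; rc=1 ;;
    esac
    case "$filter" in
        *'\L'*) ;;
        *) echo "FAIL: LDAPFilter does not use the login placeholder: $filter"; rc=1 ;;
    esac

    # 4. Fallback uid/gid for entries without FTPuid/FTPgid must be a real
    #    unprivileged account (the vmail user), never root.
    for key in LDAPDefaultUID LDAPDefaultGID; do
        val=$(ldap_conf_get "$conf" "$key")
        case "$val" in
            ''|0|*[!0-9]*) echo "FAIL: $key is '${val:-unset}'; set it to the vmail uid/gid"; rc=1 ;;
        esac
    done

    return $rc
}

# Usage: sh check_pureftpd_ldap.sh /etc/pure-ftpd/db/ldap.conf
if [ $# -eq 1 ]; then
    check_pureftpd_ldap_conf "$1"
fi
```

Run the check after every edit of ldap.conf and before restarting pure-ftpd-ldap; a non-zero exit means the daemon would either expose the bind password or accept logins it should not.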

Config OpenLDAP

  • Fetch the Pure-FTPd schema file as modified by iRedMail (this is the URL the page gives; Google Code has since shut down, so the file may need to be taken from the current iRedMail source tree instead):
Terminal:
# wget http://iredmail.googlecode.com/hg/extra/pureftpd.schema -P /etc/ldap/schema/ 

This schema adds one more LDAP attribute FTPHomeDir, used to store path of FTP home directory.

  • Open /etc/ldap/slapd.conf, include pureftpd.schema right after iredmail.schema, and add indexes for the Pure-FTPd attributes at the bottom of slapd.conf:
File: /etc/ldap/slapd.conf
include /etc/ldap/schema/iredmail.schema
include /etc/ldap/schema/pureftpd.schema             # <-- Add this line.

...

# Indexes for FTP attributes
index FTPQuotaFiles,FTPQuotaMBytes eq,pres
index FTPUploadRatio,FTPDownloadRatio eq,pres
index FTPUploadBandwidth,FTPDownloadBandwidth eq,pres
index FTPStatus,FTPuid,FTPgid,FTPHomeDir eq,pres
  • Restart OpenLDAP so the new schema and index directives take effect. Indexes declared in slapd.conf are not built for existing entries automatically: if the directory already holds users, stop slapd, run slapindex as the openldap user (so the rebuilt database files keep the right ownership), then start slapd again. Without that, searches on the newly indexed attributes may not find existing entries and FTP logins for those accounts fail.
Terminal:
# /etc/init.d/slapd restart

Create FTP Home Dir

All FTP data lives under /home/ftp/. Create that directory owned by root with the default 0755 mode; Pure-FTPd creates each user's home below it on first login (CreateHomeDir above) and chroots the user into it, so users never need write access to /home/ftp itself.

Terminal:
# mkdir /home/ftp/
# ls -dl /home/ftp
drwxr-xr-x 2 root root 4096 Oct  3 16:53 /home/ftp

Restart PureFTPD Service

  • Restart Pure-FTPd service:
Terminal:
# /etc/init.d/pure-ftpd-ldap restart 
  • Check service status:
Terminal:
# netstat -ntlp | grep pure-ftpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      12548/pure-ftpd
tcp6       0      0 :::21                   :::*                    LISTEN      12548/pure-ftpd

Add LDAP FTP attributes and values for new user

The iRedMail user-creation tool creates mail users with the Pure-FTPd attributes and values already filled in.

  • Open /iRedMail-x.y.z/tools/create_mail_user_OpenLDAP.sh and set correct values:
File: /iRedMail-x.y.z/tools/create_mail_user_OpenLDAP.sh
LDAP_SUFFIX="dc=example,dc=com" # <- Change to your LDAP suffix
BINDPW='passwd'                 # <- Password of cn=manager,dc=example,dc=com (the script needs write access)
PUREFTPD_INTEGRATION='YES'      # <- Change from NO to YES to enable the Pure-FTPd integration
  • Run the script to create users user1 and user2. By default each new account's password is the same as its user name; change them before the accounts are reachable from outside, since plain FTP sends the password in clear text.
Terminal:
# bash create_mail_user_OpenLDAP.sh example.com user1 user2 

adding new entry "ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "ou=Groups,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "ou=Aliases,domainName=example.com,o=domains,dc=example,dc=com"
ldapadd: Already exists (68)
adding new entry "mail=user1@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com"
adding new entry "mail=user2@example.com,ou=Users,domainName=example.com,o=domains,dc=example,dc=com"

The "Already exists (68)" messages for the ou=Users, ou=Groups and ou=Aliases entries are expected: the script tries to create the domain's container entries on every run and this domain was already set up. Only the two mail=... entries are new.

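The script above fills in the FTP attributes when an account is created. For a mail account that already exists, the same attributes can be added with ldapmodify. The following shell script, added here as an example and not part of iRedMail, generates that LDIF and the matching "disable" LDIF. It assumes the attribute names indexed in slapd.conf above and the PureFTPdUser auxiliary objectClass from LDAPFilter, defaults the quota and ratio to the values shown in the Testing section's login banner, leaves FTPuid/FTPgid unset so Pure-FTPd falls back to LDAPDefaultUID/LDAPDefaultGID, and models FTPHomeDir on the upload path in the Troubleshooting log (without iRedMail's timestamp suffix). Because the DN is built from user input, it rejects logins containing anything outside a safe character set, so a crafted name cannot smuggle extra LDIF records into the change.

```shell
#!/bin/sh
# Added example (not iRedMail's or Pure-FTPd's code): generate ldapmodify
# input that enables or disables FTP for an existing iRedMail mail user.
# Assumptions: attribute names as indexed in slapd.conf, the auxiliary
# PureFTPdUser objectClass from LDAPFilter, and a home directory layout
# modelled on the upload path in the log
# (/home/ftp/<domain>/<u>/<us>/<use>/<user>/ftp, no timestamp suffix).
# FTPuid/FTPgid are left unset so Pure-FTPd uses LDAPDefaultUID/LDAPDefaultGID.

LDAP_SUFFIX="${LDAP_SUFFIX:-dc=example,dc=com}"   # same variable name as iRedMail's create script

# Reject anything that could break the DN or inject extra LDIF records
# (newlines, spaces, commas, "+", ...): only [A-Za-z0-9._-] and one "@".
valid_login() {
    case "$1" in
        *@*@*|*[!A-Za-z0-9._@-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# Hashed home directory for a local part ($1) and domain ($2).
ftp_home_for() {
    u="$1"
    printf '/home/ftp/%s/%s/%s/%s/%s/ftp' "$2" \
        "$(printf '%s' "$u" | cut -c1)" \
        "$(printf '%s' "$u" | cut -c1-2)" \
        "$(printf '%s' "$u" | cut -c1-3)" "$u"
}

# LDIF enabling FTP for $1 (user@domain).
# Optional: $2 home directory, $3 quota in MB, $4 max files.
# Defaults mirror the login banner in the Testing section (10240 MB, 50 files, 1:5 ratio).
ftp_enable_ldif() {
    login="$1"
    if ! valid_login "$login"; then
        echo "ftp_enable_ldif: refusing unsafe login '$login'" >&2
        return 2
    fi
    user="${login%@*}"; domain="${login#*@}"
    home="${2:-$(ftp_home_for "$user" "$domain")}"
    cat <<EOF
dn: mail=$login,ou=Users,domainName=$domain,o=domains,$LDAP_SUFFIX
changetype: modify
add: objectClass
objectClass: PureFTPdUser
-
add: FTPStatus
FTPStatus: enabled
-
add: FTPHomeDir
FTPHomeDir: $home
-
add: FTPQuotaMBytes
FTPQuotaMBytes: ${3:-10240}
-
add: FTPQuotaFiles
FTPQuotaFiles: ${4:-50}
-
add: FTPUploadRatio
FTPUploadRatio: 1
-
add: FTPDownloadRatio
FTPDownloadRatio: 5
EOF
}

# LDIF disabling FTP for $1 without touching the mail account: LDAPFilter
# requires FTPStatus=enabled, so the next FTP login is refused immediately.
ftp_disable_ldif() {
    login="$1"
    if ! valid_login "$login"; then
        echo "ftp_disable_ldif: refusing unsafe login '$login'" >&2
        return 2
    fi
    cat <<EOF
dn: mail=$login,ou=Users,domainName=${login#*@},o=domains,$LDAP_SUFFIX
changetype: modify
replace: FTPStatus
FTPStatus: disabled
EOF
}

# Usage: sh ftp_ldif.sh enable user1@example.com | ldapmodify -x -D cn=manager,dc=example,dc=com -W
#        sh ftp_ldif.sh disable user1@example.com | ldapmodify -x -D cn=manager,dc=example,dc=com -W
case "${1:-}" in
    enable)  shift; ftp_enable_ldif "$@" ;;
    disable) shift; ftp_disable_ldif "$@" ;;
esac
```

The modify is applied with the manager DN because cn=vmail, as noted above, cannot write; the FTP daemon itself keeps using cn=vmail. Disabling via FTPStatus rather than deleting attributes keeps the quota and home directory settings for later re-enabling.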
Config iptables

iRedMail's default firewall rules do not open port 21. To test from another host, allow TCP 21 (the control connection) and 20 (the source port of active-mode data connections the server opens towards the client). Passive mode, which most clients behind NAT use, needs a port range as well: set it in /etc/pure-ftpd/conf/PassivePortRange (for example 30000 30100) and allow that range too, or load the nf_conntrack_ftp helper, which can only follow the PASV reply while the control channel is unencrypted. Plain FTP sends credentials in clear text, so restrict the source addresses where you can and enable TLS (see the note in the Testing section) before opening the port to the Internet.

  • Open /etc/default/iptables and set correct values:
File: /etc/default/iptables
# http/https, smtp/smtps, pop3/pop3s, imap/imaps, ssh
-A INPUT -p tcp -m multiport --dport 80,443,25,465,110,995,143,993,587,22,20,21 -j ACCEPT # <-- Add 20 and 21

  • Restart the iptables service
Terminal:
# /etc/init.d/iptables restart 

Testing

Test with any FTP client, for example lftp on Linux or a Windows FTP client. In lftp, debug 4 prints the protocol exchange, which is what to read when a login fails:

Terminal:
# lftp localhost
lftp localhost:~> debug 4
lftp localhost:~> login user1@example.com user1 # <-- input the username and password
lftp user1@example.com@localhost:~> ls 

---- Connecting to localhost (127.0.0.1) port 21
<--- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
<--- 220-You are user number 1 of 50 allowed.
<--- 220-Local time is now 16:25. Server port: 21.
<--- 220-IPv6 connections are also welcome on this server.
<--- 220 You will be disconnected after 15 minutes of inactivity.
<--- 211-Extensions supported:
<---  EPRT
<---  IDLE
<---  MDTM
<---  SIZE
<---  REST STREAM
<---  MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
<---  MLSD
<---  ESTP
<---  PASV
<---  EPSV
<---  SPSV
<---  ESTA
<---  AUTH TLS
<---  PBSZ
<---  PROT
<---  UTF8
<--- 211 End.
<--- 500 This security scheme is not implemented
<--- 200 OK, UTF-8 enabled
<--- 200  MLST OPTS type;size;sizd;modify;UNIX.mode;UNIX.uid;UNIX.gid;unique;
<--- 331 User user1@example.com OK. Password required
<--- 230-Your bandwidth usage is restricted
<--- 230-User user1@example.com has group access to:  vmail   
<--- 230-You must respect a 1:5 (UL/DL) ratio
<--- 230-OK. Current restricted directory is /
<--- 230-0 files used (0%) - authorized: 50 files
<--- 230 0 Kbytes used (0%) - authorized: 10240 Kb
<--- 257 "/" is your current location
<--- 227 Entering Passive Mode (127,0,0,1,32,58)
<--- 150 Accepted data connection
drwxr-xr-x    2 500      vmail        4096 Jun 10 16:16 .
drwxr-xr-x    2 500      vmail        4096 Jun 10 16:16 ..
-rw-------    1 500      vmail           0 Jun 10 16:16 .ftpquota

Note the reply "500 This security scheme is not implemented" in the transcript: lftp offered AUTH TLS, and Pure-FTPd was built with TLS support (the [TLS] tag in the banner) but TLS is not enabled, so the whole session, password included, crossed port 21 in clear text. Before exposing the service beyond localhost, put 2 in /etc/pure-ftpd/conf/TLS (1 makes TLS optional, 2 requires it), install the server key and certificate as one PEM file at /etc/ssl/private/pure-ftpd.pem with mode 0600, and restart pure-ftpd-ldap; lftp then gets a 234 reply to AUTH TLS and negotiates encryption before sending USER.

Troubleshooting

  • Enable verbose log in pure-ftpd
Terminal:
echo "yes" > /etc/pure-ftpd/conf/VerboseLog

Open /etc/rsyslog.conf and add an entry for the ftp facility:

File: /etc/rsyslog.conf
ftp.*                       -/var/log/pure-ftpd/pureftpd.log # <-- Add entry

Create the log file:

Terminal:
# touch /var/log/pure-ftpd/pureftpd.log 


  • Enable OpenLDAP log

Open /etc/ldap/slapd.conf and set correct values:

File: /etc/ldap/slapd.conf
loglevel    256 # <-- change from 0 to 256 (connections, operations and results)

  • Restart related service
Terminal:
# /etc/init.d/rsyslog restart
# /etc/init.d/pure-ftpd-ldap restart
# /etc/init.d/slapd restart
  • Watch /var/log/pure-ftpd/pureftpd.log and /var/log/openldap.log while logging in. A healthy login shows a BIND as cn=vmail, one SRCH with the filter expanded for the login name returning nentries=1, then UNBIND:
Terminal:
# tail -0f /var/log/openldap.log 
Nov 11 17:42:09 mail slapd[16124]: warning: /etc/hosts.deny, line 0: missing newline or line too long
Nov 11 17:42:09 mail slapd[16124]: conn=5 fd=14 ACCEPT from IP=127.0.0.1:46247 (IP=0.0.0.0:389)
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 BIND dn="cn=vmail,dc=example,dc=com" method=128
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 BIND dn="cn=vmail,dc=example,dc=com" mech=SIMPLE ssf=0
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=0 RESULT tag=97 err=0 text=
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SRCH base="o=domains,dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=PureFTPdUser)(mail=user1@example.com)(FTPStatus=enabled))"
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SRCH attr=FTPHomeDir uidNumber FTPuid gidNumber FTPgid userPassword loginShell FTPStatus FTPQuotaFiles FTPQuotaMBytes FTPDownloadRatio FTPUploadRatio FTPDownloadBandwidth FTPUploadBandwidth
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 11 17:42:09 mail slapd[16124]: conn=5 op=2 UNBIND
Nov 11 17:42:09 mail slapd[16124]: conn=5 fd=14 closed

# tail -0f /var/log/pure-ftpd/pureftpd.log
Nov 11 17:39:37 mail pure-ftpd: (?@123.114.254.226) [INFO] New connection from 123.114.254.226
Nov 11 17:39:37 mail pure-ftpd: (?@123.114.254.226) [DEBUG] Command [user] [user1@example.com]
Nov 11 17:39:38 mail pure-ftpd: (?@123.114.254.226) [DEBUG] Command [pass] [<*>]
Nov 11 17:39:38 mail pure-ftpd: (?@123.114.254.226) [INFO] user1@example.com is now logged in
Nov 11 17:39:38 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [syst] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [feat] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [pwd] []
Nov 11 17:39:39 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [A]
Nov 11 17:39:40 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,57]
Nov 11 17:39:40 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [list] [-a]
Nov 11 17:39:48 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [I]
Nov 11 17:39:49 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,60]
Nov 11 17:39:49 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [stor] [test.pdf]
Nov 11 17:39:51 mail pure-ftpd: (user1@example.com@123.114.254.226) [NOTICE] /home/ftp/example.com/u/us/use/user1-2009.11.11.17.22.26/ftp//chenshake.pdf uploaded  (14317 bytes, 9.45KB/sec)
Nov 11 17:39:51 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [type] [A]
Nov 11 17:39:52 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [port] [123,114,254,226,17,61]
Nov 11 17:39:53 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [list] [-a]
Nov 11 17:40:24 mail pure-ftpd: (user1@example.com@123.114.254.226) [DEBUG] Command [pwd] []
Nov 11 17:40:34 mail pure-ftpd: (user1@example.com@123.114.254.226) [INFO] Logout.
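The verbose log above records every command together with the account and source address, which makes it useful beyond troubleshooting. Here is an added example, not part of iRedMail or Pure-FTPd, of reviewing such a log for security: failed logins per source address (a brute-force signal worth feeding to fail2ban or an iptables DROP rule), the user names a given address tried (spraying of real mail accounts versus generic admin/root guessing), and completed uploads with the account that sent them. The sample lines are constructed in the same format as this page's log; the "[WARNING] Authentication failed for user [...]" line is the message Pure-FTPd writes on a failed password, and 198.51.100.7 and 203.0.113.9 are documentation addresses.

```shell
#!/bin/sh
# Added example (not part of iRedMail or Pure-FTPd): review a Pure-FTPd log
# such as /var/log/pure-ftpd/pureftpd.log for failed logins per source
# address, the user names each address tried, and completed uploads.
# Log format: "<date> <host> pure-ftpd: (<user>@<ip>) [<level>] <message>",
# where <user> is "?" before authentication.

# Constructed sample in that format (not a capture). The "[WARNING]
# Authentication failed for user [...]" line is what Pure-FTPd logs on a
# bad password; 198.51.100.7 and 203.0.113.9 are documentation addresses.
SAMPLE_LOG='Nov 11 17:39:37 mail pure-ftpd: (?@123.114.254.226) [INFO] New connection from 123.114.254.226
Nov 11 17:39:38 mail pure-ftpd: (?@123.114.254.226) [INFO] user1@example.com is now logged in
Nov 11 17:39:51 mail pure-ftpd: (user1@example.com@123.114.254.226) [NOTICE] /home/ftp/example.com/u/us/use/user1/ftp//report.pdf uploaded  (14317 bytes, 9.45KB/sec)
Nov 11 17:40:34 mail pure-ftpd: (user1@example.com@123.114.254.226) [INFO] Logout.
Nov 11 17:41:02 mail pure-ftpd: (?@198.51.100.7) [INFO] New connection from 198.51.100.7
Nov 11 17:41:03 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin@example.com]
Nov 11 17:41:05 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [user1@example.com]
Nov 11 17:41:07 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [user2@example.com]
Nov 11 17:41:09 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]
Nov 11 17:41:11 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [ftp]
Nov 11 17:41:20 mail pure-ftpd: (?@203.0.113.9) [WARNING] Authentication failed for user [user2@example.com]
Nov 11 17:41:25 mail pure-ftpd: (?@203.0.113.9) [INFO] user2@example.com is now logged in'

# awk helpers shared by the functions below. Field 6 looks like
# "(?@1.2.3.4)" or "(user@domain@1.2.3.4)": the IP is the last "@" part,
# the account is everything before it.
AWK_FUNCS='
function srcip(f,    s, n, a) { s = f; sub(/^\(/, "", s); sub(/\)$/, "", s); n = split(s, a, "@"); return a[n] }
function user_of(f,    s, ip) { s = f; sub(/^\(/, "", s); sub(/\)$/, "", s); ip = srcip(f); return substr(s, 1, length(s) - length(ip) - 1) }
'

# Failed logins per source IP ("count ip", highest first), only IPs with
# at least $1 failures (default 5).
failed_logins_by_ip() {
    awk -v min="${1:-5}" "$AWK_FUNCS"'
        /\[WARNING\] Authentication failed for user \[/ { fails[srcip($6)]++ }
        END { for (ip in fails) if (fails[ip] >= min) printf "%d %s\n", fails[ip], ip }
    ' | sort -rn
}

# Distinct user names that source IP $1 failed to authenticate as.
usernames_tried_from() {
    awk -v want="$1" "$AWK_FUNCS"'
        /\[WARNING\] Authentication failed for user \[/ && srcip($6) == want {
            u = $0; sub(/.*Authentication failed for user \[/, "", u); sub(/\].*$/, "", u); print u
        }
    ' | sort -u
}

# Completed uploads: "account ip path" from the [NOTICE] line written after STOR.
uploads() {
    awk "$AWK_FUNCS"'
        /\[NOTICE\] .* uploaded/ { print user_of($6), srcip($6), $8 }
    '
}

# Usage: sh pureftpd_log_review.sh /var/log/pure-ftpd/pureftpd.log [min_failures]
if [ $# -ge 1 ]; then
    echo "== failed logins per source IP (>= ${2:-5}) =="
    failed_logins_by_ip "${2:-5}" < "$1"
    echo "== uploads =="
    uploads < "$1"
fi
```

The threshold is a starting point, not a rule: a single address failing five times against five different mail accounts in ten seconds is scanning, while the same count from one account over a day is usually a misconfigured client. Keep VerboseLog on while reviewing, since the per-command [DEBUG] lines are what tie an upload back to the session that produced it.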
