Set Up Linux Based FTP with Active Directory Integration

We have a new LAMP server, and we needed FTP set up for the machine.  We do not need user folders.   We do need developers and designers to have access to it via FTP, using their Windows domain accounts.

This was a big one.  All the code is there and nothing needs compiling.  Yet for some reason there is not a great guide on this.  For the most part I have dabbled with Windows Servers, so this is a bit of a departure for me.

Let’s start out with some software specs of what I used to get this done.

I picked up this project mid stream.  That said, the parts of this process that I will not be covering are:

Install the FTP Server

Let’s install ProFTPD (our FTP server) and the mod_ldap module.  You can use ‘yum’, which automatically installs and updates packages.  At the command prompt, type this:

yum install proftpd.i386

yum install proftpd-ldap.i386

Done.  That was easy.

Set Up File Permissions

First, create a new user and group that will run the FTP service.  This is the one step that I did not do, so I am not too clear on the details.  We will name our user ‘ftpuser’ and our group ‘ftpgroup’.

After creating our user and group, we need to capture the numeric ID that the *nix operating system refers to.  At the command prompt, type this:

id -u ftpuser

id -g ftpgroup

Take note of the ID’s.  We will be using them shortly.

Next, take ownership of your www folder.  Let’s assume that your www folder is in ‘/var/www’. You can do this with this command:

chown -R ftpuser:ftpgroup /var/www

The ‘-R’ indicates that we will recursively take ownership of our subfolders.

We are done with File Permissions now.  Keep those ID’s handy as we will still need them later.

Set Up ProFTPD

ProFTPD stores its settings in a .conf file, most likely /etc/proftpd.conf.  Please back up this file before making changes.  This section will be broken down into two sections: basic setup, and Active Directory integration.

Basic ProFTPD.conf

The basic setup for your ftp server should look something like this:

#
# Server defaults
#

ServerName            "Your Server Name Here"
DefaultServer         on
ServerType            standalone
Port                  21
# Important -- Umask controls who can access new ftp files.
Umask                 022
DefaultRoot           /var/www
RequireValidShell     off
UseFtpUsers           off
PersistentPasswd      off
# Default ports for passive mode so we can set up the firewall.
PassivePorts          60000 65535

# ProFTPD starts with root access.  After kicking off however, it
# will switch to this reduced access account and group.

User                  ftpuser
Group                 ftpgroup

A couple things to note:

There are tons more directives. These are here just to get you started.

Active Directory portion of ProFTPD.conf

Next we need to set up our Active Directory integration.  This part of the .conf file uses the mod_ldap module that we installed earlier.  This part of your .conf file should look something like this:

# Load LDAP module
LoadModule mod_ldap.c

# LDAP settings
<IfModule mod_ldap.c>
  AuthOrder mod_ldap.c

  # DNS name of your Active Directory server
  LDAPServer servername
  LDAPAttr uid sAMAccountName

  # GID/UID for our ftp user
  LDAPDefaultGID    50
  LDAPDefaultUID    14

  # Default home directory -- This fails but that's ok because it defaults to our home dir.
  LDAPGenerateHomedir on
  LDAPGenerateHomedirPrefix /usr/

  # Default account to bind to Active Directory
  LDAPDNInfo "CN=account-with-bind-access-to-ad,CN=users,DC=your-b-name,DC=your-a-name" "password"
  LDAPAuthBinds on

  LDAPDoAuth on "CN=Users,DC=your-b-name,DC=your-a-name" "sAMAccountName=%v"
</IfModule>

In short, this bit of .conf binds and authenticates your end users when they log in.  A couple notes:

There are a bunch of other directives for mod_ldap, but this should be enough to get you started.
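To make the login flow that the directives above describe concrete, here is an added Python mock of it (this is example code written for this page, not ProFTPD or mod_ldap code).  An in-memory dict stands in for the Active Directory "CN=Users" container, and all entries, names and passwords in it are constructed sample data; the bind password "bind-secret" replaces the literal "password" shown in the conf.  It walks the same steps mod_ldap performs: bind with the LDAPDNInfo service account, search the LDAPDoAuth base for sAMAccountName=%v, re-bind as the found user because LDAPAuthBinds is on, and fall back to LDAPDefaultUID/LDAPDefaultGID because plain AD entries carry no uidNumber/gidNumber.

```python
"""Mock of the mod_ldap login flow configured above.  Added example for
this page, not ProFTPD code; the directory contents are constructed."""

from dataclasses import dataclass

BASE_DN = "CN=Users,DC=your-b-name,DC=your-a-name"   # LDAPDoAuth search base

# Constructed stand-in for the AD "CN=Users" container.  Stock AD entries
# have no uidNumber/gidNumber, which is why LDAPDefaultUID/GID exist.
DIRECTORY = {
    "CN=account-with-bind-access-to-ad," + BASE_DN: {
        "sAMAccountName": "svc-ftp-bind", "password": "bind-secret"},
    "CN=Jane Dev," + BASE_DN: {
        "sAMAccountName": "jdev", "password": "correct horse"},
    "CN=Old Designer," + BASE_DN: {
        "sAMAccountName": "oldd", "password": "hunter2", "disabled": True},
}

# Values taken from the conf (password is a constructed placeholder)
BIND_DN = "CN=account-with-bind-access-to-ad," + BASE_DN   # LDAPDNInfo DN
BIND_PW = "bind-secret"                                      # LDAPDNInfo password
LDAP_DEFAULT_UID = 14                                        # LDAPDefaultUID
LDAP_DEFAULT_GID = 50                                        # LDAPDefaultGID


def ldap_bind(dn, password):
    """Simple bind: succeeds only for an enabled entry with a matching password."""
    entry = DIRECTORY.get(dn)
    return bool(entry) and not entry.get("disabled") and entry["password"] == password


def ldap_search(base, attr, value):
    """Search under `base` for attr=value (the real module builds the
    filter string "sAMAccountName=%v" with the login name substituted)."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and e.get(attr) == value]


@dataclass
class FtpIdentity:
    name: str
    uid: int
    gid: int
    home: str


def authenticate(username, password):
    """
    1. bind as the LDAPDNInfo service account
    2. LDAPDoAuth: search BASE_DN for sAMAccountName=<username>
    3. LDAPAuthBinds on: re-bind as the found user's DN with the given password
    4. no uidNumber/gidNumber on the entry -> LDAPDefaultUID/GID apply
    Returns an FtpIdentity, or None when the login must be rejected.
    """
    if not ldap_bind(BIND_DN, BIND_PW):
        raise RuntimeError("service bind failed - check LDAPDNInfo")
    matches = ldap_search(BASE_DN, "sAMAccountName", username)
    if len(matches) != 1:            # unknown or ambiguous account
        return None
    user_dn = matches[0]
    if not ldap_bind(user_dn, password):   # wrong password or disabled account
        return None
    entry = DIRECTORY[user_dn]
    return FtpIdentity(
        name=username,
        uid=entry.get("uidNumber", LDAP_DEFAULT_UID),
        gid=entry.get("gidNumber", LDAP_DEFAULT_GID),
        # LDAPGenerateHomedirPrefix /usr/; DefaultRoot /var/www still applies
        home="/usr/" + username,
    )


if __name__ == "__main__":
    print(authenticate("jdev", "correct horse"))   # mapped to uid 14 / gid 50
    print(authenticate("jdev", "wrong"))           # None
```

The point to take from the mock is the last step: every domain user who authenticates ends up running as the single ftpuser/ftpgroup pair on disk, which is exactly why the chown of /var/www to those IDs earlier in the post matters.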

So now we’re done right..?

Updating your Firewall

Even after all the software is set up, people still need to access it.  FTP runs on just port 21, right? Wrong.  Many FTP clients use passive mode, which uses tons of additional ports.  This is why in the basic setup of our .conf we added a limit to the number of ports passive mode could bind to in this line:

PassivePorts          60000 65535

This directive limits passive mode to using the ports 60,000 to 65,535.  We are using high port numbers to avoid other applications that may be binding to our port range.  You can test whether these ports are open by typing this at the command prompt:

nmap -sT -I -p 60000-65535 localhost

You can use any port range as long as they are open.

Our Linux implementation had our firewall living in our iptables config file.  This file is located at ‘/etc/sysconfig/iptables’.  In order to open up these ports in our iptables config file, we add the following lines:

-A input_allow -s 10.0.0.0/255.0.0.0 -i eth0 -p tcp -m comment --comment "FTPD" -m tcp --dport 21 -j ACCEPT
-A input_allow -s 10.0.0.0/255.0.0.0 -i eth0 -p tcp -m comment --comment "FTPD Passive" -m tcp --dport 60000:65535 -j ACCEPT

The first line opens port 21, where the initial connection is made.  The second line opens ports 60,000-65535 allowing passive data transfer.  Clearly there is a lot more you can do with configuring your firewall, but this should get you started.
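The PassivePorts directive, the iptables rules and the Umask line all have to agree with each other, and the conf file also carries the LDAPDNInfo bind password.  The following added Python script (written for this page; not part of ProFTPD or the original post) checks those points against copies of the conf and iptables lines shown above, embedded as constructed strings.  The `conf_mode` argument is an assumption of the example: the caller passes the file's permission bits (for instance from `os.stat`), since the check runs offline here.

```python
"""Consistency check between the proftpd.conf and iptables lines on this
page.  Added example, not ProFTPD code; inputs are constructed copies."""

import re

# Constructed copy of the conf shown above (comments trimmed)
PROFTPD_CONF = """
ServerName            "Your Server Name Here"
DefaultServer         on
ServerType            standalone
Port                  21
Umask                 022
DefaultRoot           /var/www
RequireValidShell     off
UseFtpUsers           off
PersistentPasswd      off
PassivePorts          60000 65535
User                  ftpuser
Group                 ftpgroup
LoadModule mod_ldap.c
<IfModule mod_ldap.c>
  LDAPDNInfo "CN=account-with-bind-access-to-ad,CN=users,DC=your-b-name,DC=your-a-name" "password"
  LDAPAuthBinds on
</IfModule>
"""

# Constructed copy of the two iptables rules shown above
IPTABLES_RULES = """
-A input_allow -s 10.0.0.0/255.0.0.0 -i eth0 -p tcp -m comment --comment "FTPD" -m tcp --dport 21 -j ACCEPT
-A input_allow -s 10.0.0.0/255.0.0.0 -i eth0 -p tcp -m comment --comment "FTPD Passive" -m tcp --dport 60000:65535 -j ACCEPT
"""


def parse_proftpd(text):
    """Directive -> argument list.  Skips blank lines, '#' comments and
    <IfModule> markers; quoted arguments (such as the bind password) stay whole."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = re.findall(r'"[^"]*"|\S+', line)
        conf[parts[0]] = [p.strip('"') for p in parts[1:]]
    return conf


def accepted_tcp_ports(rules):
    """Set of destination ports accepted by '-p tcp ... -j ACCEPT' rules."""
    ports = set()
    for rule in rules.splitlines():
        m = re.search(r"--dport (\d+)(?::(\d+))?", rule)
        if not m or "-j ACCEPT" not in rule or "-p tcp" not in rule:
            continue
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        ports.update(range(lo, hi + 1))
    return ports


def audit(conf_text, rules_text, conf_mode=0o600):
    """Return a list of findings; an empty list means the pieces agree."""
    conf = parse_proftpd(conf_text)
    open_ports = accepted_tcp_ports(rules_text)
    findings = []

    # Control connection must reach port 21 (or whatever Port says)
    ctrl = int(conf.get("Port", ["21"])[0])
    if ctrl not in open_ports:
        findings.append(f"control port {ctrl} is not accepted by the firewall")

    # Every passive data port must be covered by an ACCEPT rule
    lo, hi = (int(p) for p in conf["PassivePorts"])
    missing = [p for p in range(lo, hi + 1) if p not in open_ports]
    if missing:
        findings.append(f"{len(missing)} passive ports (first {missing[0]}) not accepted")

    # Umask decides the mode of files uploaded through FTP (0666 & ~umask)
    umask = int(conf.get("Umask", ["022"])[0], 8)
    file_mode = 0o666 & ~umask
    if file_mode & 0o022:
        findings.append(f"Umask {umask:03o} lets group/other write new files ({file_mode:04o})")

    # The conf holds the AD bind password, so it should not be readable by others
    if "LDAPDNInfo" in conf and conf_mode & 0o044:
        findings.append("proftpd.conf holds the LDAP bind password but is group/world readable")
    return findings


if __name__ == "__main__":
    print(audit(PROFTPD_CONF, IPTABLES_RULES))                    # []
    print(audit(PROFTPD_CONF, IPTABLES_RULES, conf_mode=0o644))   # one finding
```

Run against the page's own lines the audit is clean; shrinking the iptables range or loosening the Umask produces a finding, which is the kind of mismatch that otherwise only shows up as clients hanging on directory listings.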

Debugging

So you followed all my advice only to discover I have been selling you a pack of lies!  Hold up, let’s debug your problem.

Over the course of debugging, you may need to stop/start/restart proftpd.  I’ve found the easiest way to do this is by killing the process, and starting it again.  To do this type:

ps -A

Find your process (proftpd), in the list and take note of the ID in first column.  Then type:

kill {id}

This isn’t the ideal way to reboot a server, but you are setting it up so you don’t really need to worry about people being on it at the moment.

Normally you can start proftpd with the simple command of

proftpd

Surprise!  However, when debugging our setup, we may find it more useful to start proftpd as a command line application.  Kill your existing proftpd process so you can rebind to those ports and then start proftpd in debug mode like this:

proftpd -nd6

Now, when someone logs in all their transactions are dumped out to the screen.  There can be some useful tidbits of information in this stream.  While a little bit of Google and these errors can get you a long way, there are other ways you can debug proftpd.

September 14, 2009 • Posted in: Technology

2 Responses to “Set Up Linux Based FTP with Active Directory Integration”

  1. Lawrence - April 1, 2015

    Very informative post, I’m a regular reader of your site.

    I noticed that your site is outranked by many other blogs in google’s search results.
    You deserve to be in top-10. I know what can help you, search in google for:

    Omond’s tips outsource the work

  2. Tony - September 15, 2016

    If you are interested in topic: earn online india quotes about love – you should read about Bucksflooder first
