mod_ldap is a third-party module that allows proftpd to do user authentication and name/UID lookups against an LDAP database.

Please note: Read the CHANGES section below for mod_ldap v2.7 changes; some significant changes have been made. Do NOT upgrade to mod_ldap v2.7 before reading the CHANGES section.

Sections:

• 1. How do I set up mod_ldap?
• 2. Changes in v2.5.2 - v2.7.1
• 3. To-Do
• 4. Thanks
• 5. Author

1. How do I set up mod_ldap?
If you are using a version of mod_ldap included with a ProFTPD release, you can simply:

  tar xvzf proftpd-version.tar.gz
  cd proftpd-version
  ./configure --with-modules=mod_ldap
  make
  make install

  ldapadd -D your-root-dn -w your-root-dn-password < ldif

Read up on the LDAP configuration directives. At a bare minimum, you'll need to have the LDAPServer, LDAPDNInfo, and LDAPDoAuth configuration directives in your proftpd.conf.

A sample set of LDAP configuration directives is included here:

    LDAPServer localhost
    LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass
    LDAPDoAuth on "dc=users,dc=horde,dc=net"

If you wish to use a newer version of mod_ldap that is not yet included with a release version of ProFTPD, simply download the file mod_ldap.c, say:

  cp -f mod_ldap.c proftpd-version/contrib

2. Changes in v2.5.2 - v2.7.1
Please check the web site for previous changelogs.

v2.7.1:

• UID/GID caching code updated with MacGyver's portability fixes

• Added a fix for picky LDAP servers like Sun Directory Services; using AuthBinds with those LDAP servers would break in previous mod_ldap versions. See the comments in the code for more details (search for "Sun Directory Services").
  
  
• You can now specify custom LDAP search filters at runtime. See the configuration guide entries for LDAPDo* for more details.
  
  
• Objectclass is now enforced. You must have an objectclass attribute for each of your LDAP objects. This attribute must have a value of posixAccount ("objectclass: posixAccount"). For groups, this attribute must have the value posixGroup ("objectclass: posixGroup"). If you wish to disable this objectclass enforcement, use the the LDAP filter

  "(uid=%u)"

  for Auth and UID lookups (see doc/Configuration.html for how to specify a custom LDAP search filter).
  
  
• Removed allowedServices code. The functionality that allowedServices provided can now be duplicated with a modified LDAP search filter.

  For example, to replicate basic allowedServices checking, pass this LDAP search filter to LDAPDoAuth:

        (&(uid=%u)(|(allowedServices=*FTP*)(!(allowedService=*))))
        

  To emulate deniedServices checking, use this search filter:

        (&(uid=%u)(!(deniedServices=*FTP*)))
        

  To emulate both allowedServices and deniedServices checking, use this filter:

        (&(uid=%u)(|(allowedServices=*FTP*)(!(allowedService=*)))(!(deniedServices=*FTP*)))
        

• Fixed a bug that would prevent proper search scope selection.

• HomedirOnDemandSuffix - create an additional subdirectory in a user's home directory (/home/user/anotherdirectory) on demand.
  
  
• Minor group fixes/cleanups - supplementary groups now work properly.
  
  
• Password {scheme}s are now treated in a case-insensitive manner.
  
  
• Password-hash support for any crypto method OpenSSL supports. To enable extended OpenSSL password hash support, edit mod_ldap.c and uncomment #define HAVE_OPENSSL. You'll also need to edit Make.rules to link against OpenSSL. Further details are provided in mod_ldap.c.
  
  
• Runtime search scope selection; one-level or subtree searches can be selected from proftpd.conf.

• different log levels in mod_ldap to log varying debug info
• perror()-like error reporting to improve error messages
• shadowAccount objectclass stuff - inactive, expiration, etc.

• James for a copy of his LDAP module
• Krzysztof Dabrowski for some big virtual-user ideas
• Peter Deacon for ideas
• Peter Fabian for ideas and a tested platform
• Ralf Kruedewagen for a tested platform
• Scott Murphy for a trouble report
• Bert Vermeulen for patches