FTP 服务器大家肯定都用过不少,虽然可能有很多公司已经弃用,网上也有很多其他方案可以替代,但它在一些特殊场景下仍有一定的用武之地。在部署了 LDAP 之后,我们当然希望把生产范围内尽可能多的系统或应用的认证都对接到 LDAP 上,所以这一次来配置使用 LDAP 认证登录 vsftpd。
1、准备工作
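# Preparation for the vsftpd + LDAP lab host.
#
# The first two steps switch off two host-level controls for the whole box
# (packet filter and SELinux). That is the quickest path for a lab; on a
# production host the equivalent is to allow the FTP control/passive ports in
# iptables and keep SELinux enforcing, adjusting only the vsftpd booleans.

# Stop iptables and show the (now empty) rule set
/etc/init.d/iptables stop
iptables -L -n

# Put SELinux into permissive mode and show the resulting mode.
# setenforce only changes the running kernel; it reverts at the next boot.
setenforce 0
getenforce

# Add a record for the OpenLDAP server to /etc/hosts. The grep guard keeps the
# step idempotent: re-running it must not append a second copy of the line.
ldap_hosts_entry="192.168.49.138 ldapsrv01.contoso.com"
grep -qF -- "ldapsrv01.contoso.com" /etc/hosts \
  || printf '%s\n' "$ldap_hosts_entry" >> /etc/hosts

# After adding the entry, ping the name once to confirm it resolves
ping -c 1 ldapsrv01.contoso.com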
2、安装相关的软件包
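# Install the FTP server, the ftp client used for testing in step 7, and the
# LDAP PAM/NSS modules. The original page ran both installs collapsed onto one
# line, which yum would read as a single install of bogus packages named
# "yum" and "install".
yum -y install vsftpd ftp
yum -y install nss-pam-ldapd pam_ldap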
3、配置/etc/pam_ldap.conf
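# Configure /etc/pam_ldap.conf for the contoso.com directory.
# Lines starting with "#   " reproduce the command output seen on the lab host.

# Keep a dated backup, then list the live (non-comment, non-blank) settings
cp -- /etc/pam_ldap.conf "/etc/pam_ldap.conf.bak$(date +%F)"
egrep -v "#|^$" /etc/pam_ldap.conf
#   host 127.0.0.1
#   base dc=example,dc=com

# Comment out the stock host/base lines rather than deleting them
sed -i '/^host/s/host/#host/' /etc/pam_ldap.conf
sed -i '/^base/s/base/#base/' /etc/pam_ldap.conf
egrep -v "#|^$" /etc/pam_ldap.conf   # prints nothing at this point

# Point pam_ldap at the OpenLDAP server and the contoso.com suffix
printf '%s\n' "host 192.168.49.138" >>/etc/pam_ldap.conf
printf '%s\n' "base dc=contoso,dc=com" >>/etc/pam_ldap.conf

# Bind credentials used for user lookups.
# Two things to change outside a lab: this binds as the directory admin DN,
# where a read-only service account is enough for lookups; and the password is
# stored in clear text in this file, so keep the file readable by root only
# (the PAM conversation for vsftpd presumably runs as root -- verify on the host).
# The original page's bindpw line had no ">>", so the value was printed to the
# terminal instead of being written to the file.
printf '%s\n' "binddn cn=admin,dc=contoso,dc=com" >>/etc/pam_ldap.conf
printf '%s\n' "bindpw 123456" >>/etc/pam_ldap.conf

# NOTE: "host" alone uses plain LDAP (tcp/389), so the bind password and every
# user's password cross the network unencrypted. Once the server offers TLS,
# add "ssl start_tls" (or an ldaps:// uri) plus the CA certificate setting.

egrep -v "#|^$" /etc/pam_ldap.conf
#   host 192.168.49.138
#   base dc=contoso,dc=com
#   binddn cn=admin,dc=contoso,dc=com
#   bindpw 123456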
4、配置/etc/vsftpd/vsftpd.conf
# Take a dated copy of vsftpd.conf, then edit the live file by hand;
# the diff below compares the edited file against this backup.
conf=/etc/vsftpd/vsftpd.conf
cp -- "$conf" "${conf}.bak$(date +%F)"
vi "$conf"
[root@server136 ~]# diff /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak2016-09-12
12c12
< anonymous_enable=NO
---
> anonymous_enable=YES
28d27
< anon_upload_enable=YES
33d31
< anon_mkdir_write_enable=YES
103,104d100
< chroot_local_user=YES
< #
124,126d119
< guest_enable=YES
< guest_username=ftp
< local_root=/opt/data
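Review bot: With `guest_enable=YES`, `guest_username=ftp` and a single `local_root=/opt/data`, every LDAP login lands on the same local account and directory, so users can read and overwrite each other's uploads; these logins are treated as anonymous-class users, which is why `anon_upload_enable=YES` and `anon_mkdir_write_enable=YES` (hunks 28d27 and 33d31) are what give them write access. Per-user separation is a small change, `user_sub_token=$USER` together with `local_root=/opt/data/$USER`, with one directory created per account. Separately, `chroot_local_user=YES` combined with the later `chown -R ftp:ftp /opt/data` makes the chroot root itself writable by the mapped user; that combination is the known-risky one that, as far as I recall, later vsftpd releases refuse outright, so keep the root owned by root and put the writable area in a subdirectory. Note the diff was run as `diff new backup`, so the `<` lines are the configuration under review.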
5、配置/etc/pam.d/vsftpd
# Preserve the stock PAM stack for vsftpd under a dated name before changing it
pam_stack=/etc/pam.d/vsftpd
cp -- "$pam_stack" "${pam_stack}.bak$(date +%F)"
[root@server136 ~]# cat /etc/pam.d/vsftpd
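#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
# The /etc/vsftpd/ftpusers deny list must be evaluated BEFORE the "sufficient"
# LDAP module. A sufficient module that succeeds ends the auth stack with
# success unless an earlier "required" module has already failed; with
# pam_ldap placed above this line, an LDAP account whose name is on the deny
# list (root, for instance) would never be checked against it.
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
# LDAP users: success here finishes authentication; failure falls through to
# the local password-auth stack below.
auth       sufficient   pam_ldap.so
# pam_shells looks the user up through NSS; this guide does not wire NSS to
# LDAP, so it presumably stays after pam_ldap so LDAP-only accounts are not
# rejected for lacking a local passwd entry -- confirm on the host.
auth       required     pam_shells.so
auth       include      password-auth
account    sufficient   pam_ldap.so
account    include      password-auth
session    optional     pam_ldap.so
session    required     pam_loginuid.so
session    include      password-auth
password   required     pam_ldap.so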
6、创建ftp根目录并启动vsftpd服务
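# Create the FTP root, hand it to the account that guest logins are mapped to,
# then enable vsftpd at boot and start it. The original page had all four
# commands collapsed onto one line, which would make mkdir choke on "-R".
# Note: this makes the chroot root (local_root=/opt/data) writable by the
# mapped user; keeping the root owned by root and using a writable
# subdirectory is the safer layout.
mkdir -p /opt/data
chown -R ftp:ftp /opt/data
chkconfig vsftpd on
/etc/init.d/vsftpd start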
7、使用ftp客户端测试
[root@server136 ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): charleslv
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
#ldap用户登录成功
[root@server136 ~]# useradd user1
[root@server136 ~]# echo "111111" |passwd --stdin user1
Changing password for user user1.
passwd: all authentication tokens updated successfully.
[root@server136 ~]# ftp 127.0.0.1
Connected to 127.0.0.1 (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (127.0.0.1:root): user1
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
#本地用户登录成功