Proftpd

# Install

service proftpd start/stop/restart/reload

# Default conf.
vim /etc/proftpd.conf

# Checking the syntax of the configuration file
proftpd -t6


## Virtual users authentication configuration

• AuthUserFile : specifies the users file; it has the same format as /etc/passwd
• AuthGroupFile : specifies the groups file; it has the same format as /etc/group

ftpasswd is a Perl script designed to create and manage those two files.  

# These files can be created with ftpasswd:
ftpasswd --passwd --name {username} --file /etc/ftpd.passwd --uid {5000} --gid {5000} --home /var/ftp/username-home/ --shell /bin/false
ftpasswd --group --name group1 --file /etc/ftpd.group --gid 5000 --member username

# For example, add a ftp user called tom:
ftpasswd --passwd --name tom --file /etc/ftpd.passwd --uid 5001 --gid 5001 --home /var/ftp/tom/ --shell /bin/false
ftpasswd --group --name ftpcbz --file /etc/ftpd.group --gid 5000 --member tom


• Warning! The created user must have UNIX permissions on its home directory.
• The --shell option must be set to /bin/false if you want to improve the security of the FTP server.

Then the above directives must be set in this way :

AuthUserFile	/etc/ftpd.passwd
AuthGroupFile	/etc/ftpd.group
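An added check, not part of these notes or of ProFTPD itself, for the AuthUserFile built with ftpasswd above: a POSIX shell function reads the file (the same 7-field format as /etc/passwd) and reports entries whose shell is not /bin/false, whose UID or GID is 0, whose home is not an absolute path, or whose UID collides with a system account, which is the ID separation the Virtual user section further down recommends. The file paths, hashes and entries in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes or from ProFTPD itself:
# audit a ProFTPD AuthUserFile (7 colon-separated fields, like /etc/passwd)
# for entries that undermine the virtual-user setup described above.
# The file paths and the sample entries at the bottom are constructed.

# audit_authuserfile AUTHUSERFILE SYSTEMPASSWD
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_authuserfile() {
    authfile="$1"
    syspasswd="$2"
    awk -F: -v sysfile="$syspasswd" '
        BEGIN {
            # remember the UID of every system account so collisions can be named
            while ((getline line < sysfile) > 0) {
                split(line, f, ":")
                sysuid[f[3]] = f[1]
            }
            close(sysfile)
            findings = 0
        }
        /^#/ || NF == 0 { next }                     # comments and blank lines
        NF != 7 {
            printf "%s: malformed entry (%d fields, expected 7)\n", $1, NF
            findings++; next
        }
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf "%s: uid/gid must be numeric (got %s/%s)\n", $1, $3, $4
            findings++; next
        }
        $3 == 0 || $4 == 0 {
            printf "%s: uid or gid 0, sessions would run as root\n", $1; findings++
        }
        ($3 in sysuid) {
            printf "%s: uid %s collides with system account %s\n", $1, $3, sysuid[$3]
            findings++
        }
        $7 != "/bin/false" {
            printf "%s: shell is %s, notes recommend /bin/false\n", $1, $7; findings++
        }
        $6 !~ /^\// {
            printf "%s: home %s is not an absolute path\n", $1, $6; findings++
        }
        END { exit (findings > 0) }
    ' "$authfile"
}

# --- demo on constructed input (nothing here is a real account) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/ftpd.passwd" <<'EOF'
# hashes below are placeholders, not real crypt output
tom:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:5001:5001:tom:/var/ftp/tom:/bin/false
bob:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:33:5001:bob:/var/ftp/bob:/bin/false
eve:$1$placeholder$xxxxxxxxxxxxxxxxxxxxxx:5002:5002:eve:/var/ftp/eve:/bin/sh
EOF
cat > "$tmpdir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
audit_authuserfile "$tmpdir/ftpd.passwd" "$tmpdir/passwd" \
    || echo "findings reported, exit status $?"
rm -rf "$tmpdir"
```

Run it against the real files (`audit_authuserfile /etc/ftpd.passwd /etc/passwd`) after every ftpasswd change; the demo reports bob (UID 33 is www-data) and eve (shell /bin/sh) and leaves tom alone.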


Sometimes ProFTPD throws many errors when you try to authenticate through virtual users; in that case look at these directives and their recommended values.

# Don't check against /etc/shells
RequireValidShell	off

# Don't check against /etc/passwd, use only AuthUserFile
AuthOrder	mod_auth_file.c

# Disable PAM authentication
PersistentPasswd	off
AuthPAM off

# To jail users to their respective home directories, add the following to the config file:
DefaultRoot ~

# If DIRMODE is omitted then DIRMODE = FILEMODE.
# More restrictive:

# To deny everyone except admin the ability to change file permissions via FTP, put this in the relevant context:
DenyAll
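As an added example (not from these notes and not a ProFTPD tool), a POSIX shell checker that scans a proftpd.conf for the virtual-user directives listed above and flags values that are missing or differ from the recommended ones before a reload; the weak and hardened sample configs at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes or from ProFTPD: scan a
# proftpd.conf for the virtual-user directives listed above and flag values
# that are missing or differ from the recommended ones, before reloading.
# The two sample configs at the bottom are constructed.

# directive_value CONF NAME
# Prints the value of the last NAME directive in CONF (directive names are
# case-insensitive; trailing comments are ignored), or nothing if unset.
directive_value() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                                    # drop comments
        NF >= 2 && tolower($1) == tolower(name) { val = $2 }  # last one wins
        END { print val }
    ' "$1"
}

# check_proftpd_conf CONF
# Prints one line per problem; returns 0 when every check passes.
check_proftpd_conf() {
    conf="$1"
    problems=0
    # directive=value pairs the notes above recommend for AuthUserFile setups
    for pair in "DefaultRoot=~" "RequireValidShell=off" "AuthOrder=mod_auth_file.c" \
                "AuthPAM=off" "PersistentPasswd=off"; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(directive_value "$conf" "$name")
        if [ -z "$got" ]; then
            echo "$name not set (recommended: $name $want)"
            problems=$((problems + 1))
        elif [ "$got" != "$want" ]; then
            echo "$name is '$got' (recommended: $name $want)"
            problems=$((problems + 1))
        fi
    done
    # the users file itself must be configured with an absolute path
    auf=$(directive_value "$conf" AuthUserFile)
    case "$auf" in
        /*) ;;
        *)  echo "AuthUserFile missing or not an absolute path ('$auf')"
            problems=$((problems + 1)) ;;
    esac
    [ "$problems" -eq 0 ]
}

# --- demo on constructed configs ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.conf" <<'EOF'
# virtual users defined, but the system-account checks are still on
AuthUserFile  /etc/ftpd.passwd
RequireValidShell on
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
AuthUserFile      /etc/ftpd.passwd
AuthGroupFile     /etc/ftpd.group
AuthOrder         mod_auth_file.c
RequireValidShell off
PersistentPasswd  off
AuthPAM           off
DefaultRoot       ~   # jail each user in its home
EOF
echo "weak.conf:";     check_proftpd_conf "$tmpdir/weak.conf" || echo "(reload not advised)"
echo "hardened.conf:"; check_proftpd_conf "$tmpdir/hardened.conf" && echo "(ok)"
rm -rf "$tmpdir"
```

The scan is deliberately simple: it takes the last occurrence of each directive and ignores `<VirtualHost>`, `<Global>` and `<Anonymous>` nesting, so use it as a pre-flight check alongside `proftpd -t6`, not as a replacement for reading the file.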


## Install LDAP module

NOTE: the mod_ldap reference cited under Ref. is outdated! For example, LDAPDNInfo has since been renamed to LDAPBindDN.

Ref. Installation. Follow the normal steps for using third-party modules in proftpd:

./configure --with-modules=mod_ldap
make
make install

You may need to specify the location of the OpenLDAP header and library files in your configure command, e.g.:
./configure --with-modules=mod_ldap \
    --with-includes=/usr/local/openldap/include \
    --with-libraries=/usr/local/openldap/lib


One mod_ldap user submitted the following configuration for allowing mod_ldap to communicate with a Windows Active Directory server. Note that this configuration has not been tested.

<IfModule mod_ldap.c>
LDAPServer dc.example.org:3268
LDAPUseTLS on
LDAPAuthBinds on
LDAPDNInfo "cn=SRV_ACC_SVN_AUTH,ou=special accounts,ou=Sales,dc=example,dc=org" ******************

LDAPSearchScope subtree

# Assign default IDs
LDAPDefaultUID 106
LDAPDefaultGID 65534

# Create the home directory
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /home

# Use different attribute names where necessary
LDAPAttr uid sAMAccountName
LDAPAttr gidNumber primaryGroupID
</IfModule>

 

# Virtual user

Ref.: You are free to use any IDs you like. It is generally a good idea to use IDs for your virtual users that are not already in use in /etc/passwd, in order to keep the privileges of your system users separate from the privileges of your virtual users; privileges are determined by IDs. However, in some cases (such as using ProFTPD for FTP access to websites), you may want all of your virtual users to run as the web server user, e.g. user "www" or user "apache". Use the IDs that make the most sense for your site needs.

One related question often asked is "Can I have my virtual users have the same IDs?" Yes, you can. This means that all of those virtual users would have the exact same privileges. If you use this approach, make sure those virtual users are all confined to separate home (or web site) directories by using:

  DefaultRoot ~

in your proftpd.conf. This means that even though those virtual users would all have the same privileges, they would be unable to see and affect each others' files since they would all be separated in different directories.

# FAQ

AuthOrder mod_ldap.c