
service proftpd start/stop/restart/reload

# Default conf.
vim /etc/proftpd.conf

# Checking the syntax of the configuration file
proftpd -t6

Virtual users authentication configuration

ftpasswd is a Perl script designed to create and manage the two files named by the AuthUserFile and AuthGroupFile directives (the virtual users and groups).

# These files can be created with ftpasswd:
ftpasswd --passwd --name {username} --file /etc/ftpd.passwd --uid {5000} --gid {5000} --home /var/ftp/username-home/ --shell /bin/false
ftpasswd --group --name group1 --file /etc/ --gid 5000 --member username

# For example, add an FTP user called tom:
ftpasswd --passwd --name tom --file /etc/ftpd.passwd --uid 5001 --gid 5001 --home /var/ftp/tom/ --shell /bin/false
ftpasswd --group --name ftpcbz --file /etc/ --gid 5000 --member tom

Then the AuthUserFile and AuthGroupFile directives must be set to match those files:

AuthUserFile	/etc/ftpd.passwd
AuthGroupFile	/etc/

Sometimes ProFTPD throws many errors when you try to authenticate through virtual users; in that case check these directives and their recommended values.

# Don't check against /etc/shells
RequireValidShell	off

# Don't check against /etc/passwd, use only AuthUserFile
AuthOrder	mod_auth_file.c

# Disable PAM authentication
PersistentPasswd	off
AuthPAM off

# To jail users to their respective home directories, add the following to the config file:
DefaultRoot ~

# If DIRMODE is omitted then DIRMODE = FILEMODE.
Umask 022
# More restrictive:
Umask 026 027

# To deny everyone except admin the ability to change file permissions via FTP, put this in the relevant <Limit> context:
AllowUser admin

Install LDAP module

NOTE: the mod_ldap reference linked under Ref is outdated! For example, LDAPDNInfo has since been renamed to LDAPBindDN.

Ref. (installation): follow the normal steps for using third-party modules in proftpd:

  ./configure --with-modules=mod_ldap
  make install

You may need to specify the location of the OpenLDAP header and library files in your configure command, e.g.:

  ./configure --with-modules=mod_ldap \
    --with-includes=/usr/local/openldap/include \

One mod_ldap user submitted the following configuration for allowing mod_ldap to communicate to a Windows Active Directory server. Note that this configuration has not been tested.

<IfModule mod_ldap.c>
	LDAPAuthBinds on
	LDAPDNInfo "cn=SRV_ACC_SVN_AUTH,ou=special accounts,ou=Sales,dc=example,dc=org" ******************
	LDAPDoAuth on ou=Users,ou=Sales,dc=example,dc=org "(&(sAMAccountName=%u)(objectclass=user)(memberOf=cn=Linux Admins,ou=Groups,ou=Sales,dc=example,DC=org))"
	LDAPSearchScope subtree
	# Assign default IDs
	LDAPDefaultUID 106
	LDAPDefaultGID 65534
	# Create the home directory
	LDAPGenerateHomedir on
	LDAPGenerateHomedirPrefix /home
	# Use different attribute names where necessary
	LDAPAttr uid sAMAccountName
	LDAPAttr gidNumber primaryGroupID
</IfModule>

Virtual user

Ref.: you are free to use any IDs you like. It is generally a good idea to use IDs for your virtual users that are not already in use in /etc/passwd, in order to keep the privileges of your system users separate from the privileges of your virtual users; privileges are determined by IDs. However, in some cases (such as using ProFTPD for FTP access to websites), you may want all of your virtual users to run as the web server user, e.g. user "www" or user "apache". Use the IDs that make the most sense for your site's needs.

One related question often asked is "Can I have my virtual users have the same IDs?" Yes, you can. This means that all of those virtual users would have the exact same privileges. If you use this approach, make sure those virtual users are all confined to separate home (or web site) directories by using:

  DefaultRoot ~

in your proftpd.conf. This means that even though those virtual users would all have the same privileges, they would be unable to see and affect each other's files, since they would all be separated in different directories.
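As an added check (not part of these notes), the following Python script audits an ftpasswd-generated AuthUserFile against /etc/passwd for the ID advice above: virtual UIDs that collide with system users, virtual users sharing a UID without separate home directories (so DefaultRoot ~ cannot keep them apart), and real login shells on FTP-only accounts. The file contents, names and hashes are constructed samples; the web-server UID exception is passed in explicitly.

```python
# Constructed sample AuthUserFile as written by ftpasswd (same layout as
# /etc/passwd: name:hash:uid:gid:gecos:home:shell). Hashes are placeholders.
FTPD_PASSWD = """\
tom:$1$placeholder$hash:5001:5001::/var/ftp/tom/:/bin/false
alice:$1$placeholder$hash:5002:5002::/var/ftp/alice/:/bin/false
bob:$1$placeholder$hash:33:33::/var/www/bob/:/bin/false
carol:$1$placeholder$hash:5002:5002::/var/ftp/alice/:/bin/false
dave:$1$placeholder$hash:5003:5003::/srv/ftp/dave/:/bin/sh
"""
# Constructed excerpt of the system /etc/passwd the virtual IDs are checked against.
SYSTEM_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
NOLOGIN_SHELLS = ("/bin/false", "/usr/sbin/nologin", "/sbin/nologin")

def parse_passwd(text):
    """Parse passwd-format lines into dicts; blank and comment lines are skipped."""
    users = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        users.append({"name": f[0], "uid": int(f[2]), "gid": int(f[3]),
                      "home": f[5].rstrip("/") or "/", "shell": f[6]})
    return users

def audit_virtual_users(ftpd_text, system_text, allowed_shared_uids=()):
    """Return findings (empty list = pass). A UID shared with a system user grants
    that user's privileges unless deliberate (e.g. the web server UID); users
    sharing a UID need distinct homes; FTP-only accounts need no login shell."""
    findings = []
    system_uids = {u["uid"]: u["name"] for u in parse_passwd(system_text)}
    homes_by_uid = {}  # uid -> {home: first user seen with that home}
    for u in parse_passwd(ftpd_text):
        if u["uid"] in system_uids and u["uid"] not in allowed_shared_uids:
            findings.append("%s: uid %d collides with system user %s"
                            % (u["name"], u["uid"], system_uids[u["uid"]]))
        if u["shell"] not in NOLOGIN_SHELLS:
            findings.append("%s: login shell %s (expected /bin/false)" % (u["name"], u["shell"]))
        seen = homes_by_uid.setdefault(u["uid"], {})
        if u["home"] in seen:
            findings.append("%s: shares uid %d and home %s with %s"
                            % (u["name"], u["uid"], u["home"], seen[u["home"]]))
        seen[u["home"]] = u["name"]
    return findings
```

Run it against the real files by reading /etc/ftpd.passwd and /etc/passwd into the two arguments; an empty result means the virtual users follow the separation advice above.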


Incorrect password


WCF note: actually, use only LDAP auth (suppressing PAM) by setting:

AuthOrder mod_ldap.c