Hi Eric,

I've pasted the text into the http://wiki.galaxyproject.org/Admin/Config/ProFTPd_with_AD page. šI used the Apache syntax highlighter for the ProFTPd configuration file snippets, which I'm pretty sure is not exactly right, but I'm guessing it's close enough.

To unlock a page for editing you need to create an account, login, and then edit the page. šThis is a big pain until your account becomes vetted. šUntil then you have to answer Galaxy trivial pursuit šquestions on every save. šWe vet accounts on request, or once a month, whichever happens sooner.

Thanks for contributing this,

Dave C

š


On Thu, Nov 14, 2013 at 1:03 PM, Eric Rasche <rasche.eric@yandex.ru> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to contribute what I've learnt today to this particular page.
As it is "locked", I am unsure how to contribute my information, so I'm
posting here in the hopes that someone with rights will update it.
Formatted in (pandoc compatible) Markdown for your ease.




# Configuring ProFTPD with OpenLDAP

I've found a set of working options for using ProFTPD with OpenLDAP
servers (instead of AD).

This configuration file can be modified and placed in
`/etc/proftpd/conf.d/galaxy.conf

Using the /conf.d/ directory, you can allow the ProFTPd to serve both
local users (with PAM authentication) in the main configuration file,
AND galaxy users on another port.

```
<VirtualHost xxx.yyy.zzz>
š š š š RequireValidShell š š š off
š š š š User š š š š š š š š š šgalaxy
š š š š Group š š š š š š š š š galaxy
š š š š Umask š š š š š š š š š 137 027
š š š š AllowOverwrite š š š š šon

š š š š # Ensure auth is LDAP
š š š š AuthPAM š š š š š š š š off
š š š š AuthOrder š š š š š š š mod_ldap.c

š š š š # Serve this VirtualHost on port 4000
š š š š Port š š š š š š š š š š4000

š š š š # LDAP Bind information
š š š š LDAPServer š š š š š š šldaps://xxx.yyy.zzz/??sub
š š š š LDAPUsers š š š š š š š "ou=People,dc=yyy,dc=zzz" š"(uid=%u)"
š š š š LDAPAuthBinds š š š š š on

š š š š # Force those numbers even if LDAP finds a valid UID/GID
š š š š LDAPDefaultUID š š š š š1003
š š š š LDAPDefaultGID š š š š š1003
š š š š LDAPForceDefaultUID š š on
š š š š LDAPForceDefaultGID š š on

š š š š # Please generate home dir with user/group rwx permissions.
Could probably be stricter
š š š š CreateHome š š š š š š šon 770
š š š š LDAPGenerateHomedir š š on 770

š š š š # Force this homedir even if LDAP said something different
š š š š LDAPForceGeneratedHomedir š š š š š š š on
š š š š LDAPGenerateHomedirPrefix
"/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu"

š š š š # The username is already incorporated in the %u, use this or it
will get appended again
š š š š LDAPGenerateHomedirPrefixNoUsername š š on

š š š š TransferLog š š š š š š /var/log/proftpd/xfer-galaxy.log

š š š š # Cause every FTP user to be "jailed" (chrooted) into their home
directory
š š š š DefaultRoot
"/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu"
š š š š # Allow users to resume interrupted uploads
š š š š AllowStoreRestart š š š on
š š š š # I set these as my passive ports because I run a very strict
firewall. Change as needed
š š š š PassivePorts š š š š š š49152 50000
</VirtualHost>
```

Notably, this configuration allows a galaxy virtualhost to coexist with
the normal FTP capabilities provided by ProFTPd, so users can still
access their home directories AND galaxy users can upload to galaxy.
Authentication can of course be changed to suit one's needs.

# TLS Configuration

If you're running the galaxy FTP portion under a VirtualHost, like
described above, you'll notice that TLS directives placed in the main
proftpd.conf file do not apply to VirtualHosts. As such, you can add a
section that looks like this to every VirtualHost that needs to be secured

```
<IfModule mod_tls.c>
š š š š TLSEngine š š š š š š š š š š š on
š š š š TLSLog š š š š š š š š š š š š š/var/log/proftpd/tls.galaxy.log
š š š š # Your cert and private key
š š š š TLSRSACertificateFile š š š š š /etc/ssl/certs/my.crt
š š š š TLSRSACertificateKeyFile š š š š/etc/ssl/private/my.key
š š š š TLSCACertificateFile š š š š š š/etc/ssl/certs/ca.bundle
š š š š # I've found that this is required for FileZilla
š š š š TLSOptions š šNoCertRequest EnableDiags NoSessionReuseRequired
š š š š # Most clients won't be sending certs
š š š š TLSVerifyClient š š š š š š š š off
š š š š TLSRequired š š š š š š š š š š on
</IfModule>
```







Cheers,
Eric

- --
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
404-692-2048
esr@tamu.edu
rasche.eric@yandex.ru
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJShTqNAAoJEMqDXdrsMcpVZh8QAL1PvZTtTco+hBeJ+2o9jCyp
DpasNtMm0PTKjmBR7Cq5lxNJeGlAcAJmafGKxnf7EEGPhJnw8xWUDwGolmjJmzik
o9kl/4vASKQPz6+SX7zqz5Fn2155FrSfgZXruSc3N/56UR6N1mbUdJ0fOdm83vfi
hlmVOErujrCkx5S8zSALf7UgTfDT3aPsCyLmy6wy+keNUhpDp5jY2Kvzfm133PIM
YIxKM93rPA+IZb99h2BHRNOQjGIcIIM5cWhQ+NSd1lrRmSKZHFvvfVRvKbjb7uxL
A+JJ86A3QEsfJm9Krch55KKYpWoom3l53xw+EMLBsO6Surerc6hZcsZsEhPaK/sq
GiM33nGZ7DUulJE3OW3lKgilSZY07d3C7ol1fPhovsI20XN3ESdaHAliOSQdT4hn
VqomH8qw8rWxKR1omP6MGfvWw1Sg8d8NylvyehylTOwLHO1iRGKT/HmzqEJSEVzb
TReA9r85d35tIRlnuuNcHPIdAQreH1fp4Pz1F3sCzn3at9Y2WHNvc9ySHaZXMo6M
/KvfdUFGQlDMtWIE3moK1mz5/IsIgDQiZm6Jc+hTcOTXueZ1RTIynLD4n6BHih6r
UrdCdHdwIb5WGLyQbO+scn5YybmYSLtbcc5UBS1PvgdQr61/QA9J0XI8SeRUrSX+
gNFhUh3T5bfrnA0eXnaq
=GZx9
-----END PGP SIGNATURE-----
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. šTo manage your subscriptions to this
and other Galaxy lists, please use the interface at:
š http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
š http://galaxyproject.org/search/mailinglists/



--
http://galaxyproject.org/
http://getgalaxy.org/
http://usegalaxy.org/
http://wiki.galaxyproject.org/