-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I'd like to contribute what I've learnt today to this particular page. As it is "locked", I am unsure how to contribute my information, so I'm posting here in the hopes that someone with rights will update it. Formatted in (pandoc compatible) Markdown for your ease.
# Configuring ProFTPD with OpenLDAP
I've found a set of working options for using ProFTPD with OpenLDAP servers (instead of AD).
This configuration file can be modified and placed in `/etc/proftpd/conf.d/galaxy.conf
Using the /conf.d/ directory, you can allow the ProFTPd to serve both local users (with PAM authentication) in the main configuration file, AND galaxy users on another port.
``` <VirtualHost xxx.yyy.zzz> RequireValidShell off User galaxy Group galaxy Umask 137 027 AllowOverwrite on
# Ensure auth is LDAP AuthPAM off AuthOrder mod_ldap.c
# Serve this VirtualHost on port 4000 Port 4000
# LDAP Bind information LDAPServer ldaps://xxx.yyy.zzz/??sub LDAPUsers "ou=People,dc=yyy,dc=zzz" "(uid=%u)" LDAPAuthBinds on
# Force those numbers even if LDAP finds a valid UID/GID LDAPDefaultUID 1003 LDAPDefaultGID 1003 LDAPForceDefaultUID on LDAPForceDefaultGID on
# Please generate home dir with user/group rwx permissions. Could probably be stricter CreateHome on 770 LDAPGenerateHomedir on 770
# Force this homedir even if LDAP said something different LDAPForceGeneratedHomedir on LDAPGenerateHomedirPrefix "/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu"
# The username is already incorporated in the %u, use this or it will get appended again LDAPGenerateHomedirPrefixNoUsername on
TransferLog /var/log/proftpd/xfer-galaxy.log
# Cause every FTP user to be "jailed" (chrooted) into their home directory DefaultRoot "/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu" # Allow users to resume interrupted uploads AllowStoreRestart on # I set these as my passive ports because I run a very strict firewall. Change as needed PassivePorts 49152 50000 </VirtualHost> ```
Notably, this configuration allows a galaxy virtualhost to coexist with the normal FTP capabilities provided by ProFTPd, so users can still access their home directories AND galaxy users can upload to galaxy. Authentication can of course be changed to suit one's needs.
# TLS Configuration
If you're running the galaxy FTP portion under a VirtualHost, like described above, you'll notice that TLS directives placed in the main proftpd.conf file do not apply to VirtualHosts. As such, you can add a section that looks like this to every VirtualHost that needs to be secured
``` <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.galaxy.log # Your cert and private key TLSRSACertificateFile /etc/ssl/certs/my.crt TLSRSACertificateKeyFile /etc/ssl/private/my.key TLSCACertificateFile /etc/ssl/certs/ca.bundle # I've found that this is required for FileZilla TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired # Most clients won't be sending certs TLSVerifyClient off TLSRequired on </IfModule> ```
Cheers, Eric
- -- Eric Rasche Programmer II Center for Phage Technology Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu rasche.eric@yandex.ru