wiki contributions: Admin/Config/ProFTPd_with_AD
I'd like to contribute what I've learnt today to this particular page. As it is "locked", I am unsure how to contribute my information, so I'm posting here in the hopes that someone with rights will update it. Formatted in (pandoc compatible) Markdown for your ease.

# Configuring ProFTPD with OpenLDAP

I've found a set of working options for using ProFTPD with OpenLDAP servers (instead of AD).

This configuration file can be modified and placed in `/etc/proftpd/conf.d/galaxy.conf`. Using the `/conf.d/` directory, you can allow ProFTPd to serve both local users (with PAM authentication) in the main configuration file, AND galaxy users on another port.

```
<VirtualHost xxx.yyy.zzz>
    RequireValidShell off
    User galaxy
    Group galaxy
    Umask 137 027
    AllowOverwrite on

    # Ensure auth is LDAP
    AuthPAM off
    AuthOrder mod_ldap.c

    # Serve this VirtualHost on port 4000
    Port 4000

    # LDAP Bind information
    LDAPServer ldaps://xxx.yyy.zzz/??sub
    LDAPUsers "ou=People,dc=yyy,dc=zzz" "(uid=%u)"
    LDAPAuthBinds on

    # Force those numbers even if LDAP finds a valid UID/GID
    LDAPDefaultUID 1003
    LDAPDefaultGID 1003
    LDAPForceDefaultUID on
    LDAPForceDefaultGID on

    # Please generate home dir with user/group rwx permissions. Could probably be stricter
    CreateHome on 770
    LDAPGenerateHomedir on 770

    # Force this homedir even if LDAP said something different
    LDAPForceGeneratedHomedir on
    LDAPGenerateHomedirPrefix "/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu"

    # The username is already incorporated in the %u, use this or it will get appended again
    LDAPGenerateHomedirPrefixNoUsername on

    TransferLog /var/log/proftpd/xfer-galaxy.log

    # Cause every FTP user to be "jailed" (chrooted) into their home directory
    DefaultRoot "/home/galaxy/galaxy/database/ftp/%u@cpt.tamu.edu"

    # Allow users to resume interrupted uploads
    AllowStoreRestart on

    # I set these as my passive ports because I run a very strict firewall. Change as needed
    PassivePorts 49152 50000
</VirtualHost>
```

Notably, this configuration allows a galaxy virtualhost to coexist with the normal FTP capabilities provided by ProFTPd, so users can still access their home directories AND galaxy users can upload to galaxy. Authentication can of course be changed to suit one's needs.

# TLS Configuration

If you're running the galaxy FTP portion under a VirtualHost, like described above, you'll notice that TLS directives placed in the main proftpd.conf file do not apply to VirtualHosts. As such, you can add a section that looks like this to every VirtualHost that needs to be secured:

```
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.galaxy.log

    # Your cert and private key
    TLSRSACertificateFile /etc/ssl/certs/my.crt
    TLSRSACertificateKeyFile /etc/ssl/private/my.key
    TLSCACertificateFile /etc/ssl/certs/ca.bundle

    # I've found that this is required for FileZilla
    TLSOptions NoCertRequest EnableDiags NoSessionReuseRequired

    # Most clients won't be sending certs
    TLSVerifyClient off
    TLSRequired on
</IfModule>
```

Cheers,
Eric

--
Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
404-692-2048
esr@tamu.edu
rasche.eric@yandex.ru
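Added here as an illustration, not from Eric's post, the wiki page or ProFTPD itself: a small Python check that parses a galaxy.conf-style file context by context and reports, for each VirtualHost, which of the settings the post relies on (its own TLSEngine/TLSRequired, an ldaps:// LDAPServer, LDAPAuthBinds, a DefaultRoot chroot) are missing from that VirtualHost, since TLS directives in the main context are not inherited. The sample config with its 203.0.113.x addresses, the `parse_contexts`/`audit` helper names and the treatment of `<IfModule>` wrappers as transparent are constructed assumptions.

```python
import shlex

# Constructed sample, not the post's own galaxy.conf: TLS is enabled in the main
# context only, and the galaxy VirtualHost binds to LDAP over plain ldap://.
SAMPLE_CONF = """
TLSEngine on
TLSRequired on
<VirtualHost 203.0.113.10>
  LDAPServer ldap://203.0.113.20/??sub
  LDAPUsers "ou=People,dc=example,dc=org" "(uid=%u)"
  LDAPAuthBinds on
  DefaultRoot "/srv/ftp/%u"
</VirtualHost>
"""

def parse_contexts(text):
    """Map 'main' and each <VirtualHost> argument to its {directive: args};
    <IfModule> wrappers are treated as transparent (assumption), as in ProFTPD."""
    contexts, stack = {"main": {}}, ["main"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        if line.startswith("<VirtualHost"):
            name = line[len("<VirtualHost"):].rstrip(">").strip()
            contexts[name] = {}
            stack.append(name)
        elif line.startswith("</VirtualHost"):
            stack.pop()
        elif not line.startswith("<"):    # skip <IfModule>/</IfModule> lines
            parts = shlex.split(line)     # honours quoted DN/filter/path args
            contexts[stack[-1]][parts[0]] = parts[1:]
    return contexts

def audit_vhost(name, d):
    """Hardening checks for one VirtualHost; nothing is inherited from main."""
    findings = []
    if d.get("TLSEngine") != ["on"] or d.get("TLSRequired") != ["on"]:
        findings.append(f"{name}: TLSEngine/TLSRequired on missing in VirtualHost")
    url = d.get("LDAPServer", [""])[0]
    if url and not url.startswith("ldaps://"):
        findings.append(f"{name}: LDAPServer {url} is not ldaps://")
    if d.get("LDAPAuthBinds") != ["on"]:
        findings.append(f"{name}: LDAPAuthBinds off, password compared not bound")
    if "DefaultRoot" not in d:
        findings.append(f"{name}: no DefaultRoot, users are not chrooted")
    return findings

def audit(text):
    return [f for n, d in parse_contexts(text).items() if n != "main" for f in audit_vhost(n, d)]
```

Running `audit(SAMPLE_CONF)` reports the two gaps in the sample; adding the post's mod_tls block inside the VirtualHost and switching to ldaps:// clears them.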
Hi Eric,

I've pasted the text into the http://wiki.galaxyproject.org/Admin/Config/ProFTPd_with_AD page. I used the Apache syntax highlighter for the ProFTPd configuration file snippets, which I'm pretty sure is not exactly right, but I'm guessing it's close enough.

To unlock a page for editing you need to create an account, login, and then edit the page. This is a big pain until your account becomes *vetted*. Until then you have to answer Galaxy trivial pursuit questions on every save. We vet accounts on request, or once a month, whichever happens sooner.

Thanks for contributing this,

Dave C

On Thu, Nov 14, 2013 at 1:03 PM, Eric Rasche <rasche.eric@yandex.ru> wrote: