I've set up a virtual machine running CentOS 7 and VSFTPD.
VSFTPD is working great when connecting with local users. It chroots the user into his previously created home in /ftp/pub/{user_name} with "useradd -d". I've added TLS encryption, which is working great too (disabled here in order to see what was wrong). I've set the SELinux context of /ftp to public_content_t and /ftp/pub(/.*)? to public_content_rw_t, and set 755 rights on /ftp/pub.
Recently, I tried to add LDAP auth to the VSFTPD server by doing this:
authconfig --enableldap --enableldapauth --ldapserver=name_of_my_server --ldapbasedn="dc=item1,dc=item2,dc=item3" --enablemkhomedir --update
but it only adds authentication to the server itself (I can ssh to the server with a non-local account), not to the service (vsftpd), so I came across a:
500 OOPS: cannot change directory:/home/default/path
What I understand from this error is that it tries to log in to the default home (which obviously doesn't exist) without creating a new one. What I want is that when a non-local user tries to FTP to my server, it creates him a new home in /ftp/pub/{user_name} and chroots him in it.
Here is pam.d/login:

```
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
```

pam.d/vsftpd:

```
#%PAM-1.0
session    optional     pam_keyinit.so    force revoke
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
auth       required     pam_shells.so
auth       include      password-auth
account    include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
```

vsftpd.conf:

```
anonymous_enable=NO
# Allow local users to read/write
local_enable=YES
write_enable=YES
local_umask=022
pasv_enable=YES
pasv_max_port=1026
pasv_min_port=1025
dirmessage_enable=YES
connect_from_port_20=YES
ascii_download_enable=YES
ascii_upload_enable=YES
ftpd_banner=Welcome to blah FTP service.
# chroot section
chroot_local_user=YES
allow_writeable_chroot=YES
local_root=/ftp/pub/$USER
user_sub_token=$USER
# (default follows)
#chroot_list_file=/etc/vsftpd/chroot_list
# logs
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
listen=YES
listen_ipv6=NO
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
# Additions
use_localtime=YES
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
require_ssl_reuse=NO
ssl_ciphers=HIGH
ssl_enable=NO
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
```

I'm really stuck on that LDAP auth for VSFTPD and couldn't find what I should do in other posts on Server Fault. If someone could help me or recommend documentation, it would be greatly appreciated.
EDIT: SSH login successfully creates a home for the user in the default path (/home); FTP login creates it neither in /home nor in /ftp/pub. My goal is to create a home for the user on FTP login in /ftp/pub.
EDIT2: As suggested by mxttie, I could use pam_exec, but it would be more "getting around" the problem without really solving it. I would have to create a folder in "/home", then a folder in "/ftp/pub" for each user who would connect, in order to solve the two consecutive 500 OOPS errors.
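The pam_exec route mentioned in EDIT2, as an added example that is not part of the question: a helper that pam_exec would run from the session phase of /etc/pam.d/vsftpd to create /ftp/pub/$PAM_USER on first login, validating the username so it cannot escape the FTP root. The script path /usr/local/sbin/ftp-mkhome.sh and the FTP_ROOT variable are assumptions.

```shell
#!/bin/sh
# Hypothetical pam_exec helper (added example, not from the question).
# Assumed PAM line in /etc/pam.d/vsftpd:
#   session    required     pam_exec.so /usr/local/sbin/ftp-mkhome.sh
# pam_exec exports PAM_USER and PAM_TYPE (e.g. open_session) to the script.
FTP_ROOT="${FTP_ROOT:-/ftp/pub}"   # assumed FTP root from the question

# Accept conventional login names only: no '/', no '..', nothing that can
# leave FTP_ROOT when appended to it.
valid_user() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Create "$root/$user" with 0755 if it is missing; succeed quietly if present.
make_ftp_home() {
    root="$1"
    user="$2"
    valid_user "$user" || return 1
    dir="$root/$user"
    if [ ! -d "$dir" ]; then
        mkdir -m 0755 "$dir" || return 1
        # Hand ownership to the account only when running as root and the
        # name resolves through NSS (LDAP users included).
        if [ "$(id -u)" = 0 ] && id -u "$user" >/dev/null 2>&1; then
            chown "$user" "$dir" || return 1
        fi
        # Re-apply the SELinux label the question sets on /ftp/pub(/.*)?
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "$dir"
        fi
    fi
    return 0
}

# Only act when invoked by pam_exec for a session open.
if [ -n "$PAM_USER" ] && [ "$PAM_TYPE" = "open_session" ]; then
    make_ftp_home "$FTP_ROOT" "$PAM_USER"
fi
```

The /home directory mentioned in EDIT2 is still expected by the LDAP account's homeDirectory attribute; this script only covers the /ftp/pub side.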