Searching for an FTP daemon with LDAP support

One of my latest interests is finding services which are designed with the UNIX philosophy, which is to do one thing well and leave the rest to other systems. The collaboration should be done over well-defined and time-enduring protocols.

List of FTPds considered:

Aspects considered:

  • Support by Arch and Ubuntu Linux.
  • Support for LDAP authentication.
  • Simplicity and longevity of configuration.
  • Support for popular low-profile architectures like ARM.
  • Bonus: Support for extension via external systems via standard protocols.

LDAP support

Vsftpd does not support LDAP directly, only via a PAM module. This could be regarded as a superior design, as vsftpd’s developers have chosen to leave advanced authentication to external systems. This keeps vsftpd itself to the point.

Proftpd and pureftpd support LDAP via modules, directly.

On Ubuntu

Ubuntu offers proftpd-mod-ldap and pure-ftpd-ldap along with their respective base packages.

ARM packages for pure-ftpd and proftpd can be found on Launchpad.

On Arch

Arch for x86(-64) and ARM has support for vsftpd from the standard repositories. AUR provides proftpd and pure-ftpd.

Generally both Arch and Ubuntu provide good support for all packages, on both architectures, one way or another. All hail C’s portability!

Configuration

Proftpd doesn’t require configuration files if all that is needed is access for the system users. Some of the configurable features are:

  • Single main configuration file, with directives and directive groups which are intuitive to any administrator who has ever used the Apache web server.
  • Per directory “.ftpaccess” configuration similar to Apache’s “.htaccess”.
  • Easy to configure multiple virtual FTP servers and anonymous FTP services.
  • Designed to run either as a stand-alone server or from inetd/xinetd, depending on system load.
  • Anonymous FTP root directories do not require any specific directory structure, system binaries or other system file.

Pure-ftpd doesn’t need configuration to get working right after installation either. It does not itself read any configuration files (except for LDAP and SQL), so the daemon is configured by the flags it is called with, be it by the wrapper script they provide, an init file or some other script. Some of its features are:

  • System accounts can immediately have FTP access. Authentication via PAM modules is also supported. Accounts below an uid (e.g. < 500 for daemon accounts) can be disallowed.
  • All accounts can be easily chrooted by default. For easy administration, a “trusted” group with no chroot can be defined.
  • FTP accounts can be distinct from system accounts, stored in an independent database. Multiple accounts can share the same system id. A built-in indexing database allows very fast lookups. System accounts can be copied to virtual FTP accounts, so that users can have different passwords for shell access and FTP access.
  • LDAP authentication is also fully supported. Plaintext, Crypt, MD5, SMD5, SHA and SSHA crypto hash functions are implemented. Pure-FTPd was successfully tested with OpenLDAP and iPlanet Directory Server. It uses standard posixAccounts classes.
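
The hashed schemes in that list share one userPassword layout: `{SCHEME}` followed by base64 of the digest, with the salt appended for SMD5 and SSHA. The following is an added example, not code from the original post or from Pure-FTPd, that verifies such values and flags the plaintext and unsalted ones; `{CRYPT}` is left out, and all function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

# scheme -> (hash constructor, digest length in bytes, salted?)
SCHEMES = {
    "MD5": (hashlib.md5, 16, False),
    "SMD5": (hashlib.md5, 16, True),
    "SHA": (hashlib.sha1, 20, False),
    "SSHA": (hashlib.sha1, 20, True),
}

def make_entry(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a userPassword value (used here only to construct sample data)."""
    algo, _, salted = SCHEMES[scheme]
    salt = salt if salted else b""
    digest = algo(password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())

def split_scheme(stored: str):
    """Return (SCHEME, payload); a value without a {SCHEME} prefix is plaintext."""
    if stored.startswith("{") and "}" in stored:
        scheme, payload = stored[1:].split("}", 1)
        return scheme.upper(), payload
    return "PLAINTEXT", stored

def verify(stored: str, password: str) -> bool:
    scheme, payload = split_scheme(stored)
    if scheme == "PLAINTEXT":
        return hmac.compare_digest(payload.encode(), password.encode())
    if scheme not in SCHEMES:
        return False  # e.g. {CRYPT}: not handled in this example
    algo, size, salted = SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # payload is not valid base64
    digest, salt = raw[:size], raw[size:]
    if len(digest) != size or bool(salt) != salted:
        return False  # payload length does not match the scheme
    return hmac.compare_digest(algo(password.encode() + salt).digest(), digest)

def is_unsalted(stored: str) -> bool:
    """True for plaintext and unsalted digests, which fall to precomputed tables."""
    scheme, _ = split_scheme(stored)
    return scheme == "PLAINTEXT" or (scheme in SCHEMES and not SCHEMES[scheme][2])

# Constructed sample values, not taken from any real directory.
SAMPLES = [make_entry("SSHA", "s3cret", b"\x01\x02\x03\x04"),
           make_entry("MD5", "s3cret"), "s3cret"]
```

Running `is_unsalted` over an export of the directory's userPassword attributes shows which accounts still carry plaintext or unsalted values before the FTP daemon is pointed at it.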

Vsftpd comes with a typical, directive-based .conf configuration file. Here is a link to the documentation. For PAM, a file with the .pam extension is found in the package. Some of the more basic features are:

  • Virtual IP configurations
  • Virtual users
  • Standalone or inetd operation
  • Powerful per-user configurability

General notes

Proftpd has a few dated pages and documents on their website. This could either be a sign of the design’s longevity or lack of developer resources.
