Topic: Groups AD

moisesdasilvadeoliveira
Groups AD
« on: November 22, 2016, 12:21:42 pm »
Hi guys,


I'm trying to authenticate without advertisement, but it gave me access denied. Using Centos7 and Samba4.
Here is my file and error.

Error: (Login failed): Limit access denies login

proftpd.conf
ServerName "FTP YGGNET"
DefaultServer on
ServerType standalone
Port 21
Umask 022
DefaultRoot /var/ftp
RequireValidShell off
UseFtpUsers off
PersistentPasswd off
PassivePorts 60000 65535

User ftp
Group ftp
LoadModule mod_ldap.c
<IfModule mod_ldap.c>
 AuthOrder mod_ldap.c
 LDAPServer ldap://192.168.2.2/??sub
 LDAPAttr uid sAMAccountname
 LDAPAttr gidNumber primaryGroupID
 LDAPBindDN "cn=Administrator,cn=Users,dc=yggnet,dc=com" "mypassword"
 LDAPAuthBinds on
 LDAPDefaultGID 3000023
 LDAPDefaultUID 14
 LDAPGenerateHomedir on
 LDAPGenerateHomedirPrefix /var/ftp
 CreateHome on 0775
 LDAPGenerateHomedir on 0775
 LDAPForceGeneratedHomedir on
 LDAPUsers "OU=usuarios,OU=yggnet,DC=yggnet,DC=com" (sAMAccountname=%v) (uidNumber=%u)
 LDAPGroups "CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com"
</IfModule>
<Limit LOGIN>
 AllowGroup g_ftp
 DenyAll
</Limit>

castaglia (Administrator)
Re: Groups AD
« Reply #1 on: November 22, 2016, 02:54:25 pm »
If you configure an LDAPLog:

  http://www.proftpd.org/docs/contrib/mod_ldap.html#LDAPLog

what does it show?

moisesdasilvadeoliveira
Re: Groups AD
« Reply #2 on: November 23, 2016, 10:39:47 am »
Hi,

I set the parameter to log, but it did not write anything to the file. Any other options?

LDAPLog file|"/var/log/ldap.log"

castaglia (Administrator)
Re: Groups AD
« Reply #3 on: November 23, 2016, 04:32:18 pm »
That's the incorrect syntax to use.  It would be:

  LDAPLog /var/log/ldap.log

moisesdasilvadeoliveira
Re: Groups AD
« Reply #4 on: November 23, 2016, 05:04:31 pm »
try now

moisesdasilvadeoliveira
Re: Groups AD
« Reply #5 on: November 23, 2016, 05:23:01 pm »
2016-11-23 15:21:21,477 mod_ldap/2.9.4[5389]: not unbinding to an already unbound connection
2016-11-23 15:21:21,477 mod_ldap/2.9.4[5389]: not unbinding to an already unbound connection
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: not unbinding to an already unbound connection
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: not unbinding to an already unbound connection
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: generated filter OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br from template OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br and value moises
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: generated filter (sAMAccountname=moises) from template (sAMAccountname=%v) and value moises
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: attempting connection to URL ldap://10.90.1.80/??sub
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: set LDAP protocol version to 3
2016-11-23 15:21:21,479 mod_ldap/2.9.4[5389]: connected to URL ldap://10.90.1.80/??sub
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: successfully bound as DN 'cn=Administrator,cn=Users,dc=yggnet,dc=com,dc=br' with password (see config)
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: set dereferencing to 0
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: set query timeout to 5 secs
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: searched under base DN OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (sAMAccountname=moises)
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: fetching values for attribute sAMAccountname
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: fetching values for attribute uidNumber
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: no values for attribute uidNumber, trying defaults
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: using LDAPDefaultUID 14
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: fetching values for attribute primaryGroupID
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: fetching values for attribute homeDirectory
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: no values for attribute homeDirectory, trying defaults
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: using default homedir /var/ftp/moises
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: fetching values for attribute loginShell
2016-11-23 15:21:21,491 mod_ldap/2.9.4[5389]: no values for attribute loginShell, trying defaults
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: found user moises, UID 14, GID 513, homedir /var/ftp/moises, shell
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: generated filter (&(primaryGroupID=513)(objectclass=posixGroup)) from template (&(primaryGroupID=%v)(objectclass=posixGroup)) and value 513
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: searched under base DN CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: no group entries for filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: generated filter OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br from template OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br and value moises
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: generated filter (sAMAccountname=moises) from template (sAMAccountname=%v) and value moises
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: searched under base DN OU=usuarios,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (sAMAccountname=moises)
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: fetching values for attribute sAMAccountname
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: fetching values for attribute uidNumber
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: no values for attribute uidNumber, trying defaults
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: using LDAPDefaultUID 14
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: fetching values for attribute primaryGroupID
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: fetching values for attribute homeDirectory
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: no values for attribute homeDirectory, trying defaults
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: using default homedir /var/ftp/moises
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: fetching values for attribute loginShell
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: no values for attribute loginShell, trying defaults
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: found user moises, UID 14, GID 513, homedir /var/ftp/moises, shell
2016-11-23 15:21:21,493 mod_ldap/2.9.4[5389]: generated filter (&(primaryGroupID=513)(objectclass=posixGroup)) from template (&(primaryGroupID=%v)(objectclass=posixGroup)) and value 513
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: searched under base DN CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: no group entries for filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: unable to determine group name for user moises primary GID 513, skipping
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: generated filter (&(memberUid=moises)(objectclass=posixGroup)) from template (&(memberUid=%v)(objectclass=posixGroup)) and value moises
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: searched under base DN CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (&(memberUid=moises)(objectclass=posixGroup))
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: no entries found for filter (&(memberUid=moises)(objectclass=posixGroup))
^C

castaglia (Administrator)
Re: Groups AD
« Reply #6 on: November 23, 2016, 09:30:23 pm »
So the LDAPLog shows that mod_ldap couldn't find the group name for your logging-in user's primary group ID:

  no group entries for filter (&(primaryGroupID=513)(objectclass=posixGroup))

which, in turn, means that your <Limit LOGIN> section, which only allows users in group "g_ftp" (by name), will deny the login.

To address this, then, you'll need to update your LDAP object for that user, so that the expected name for that primary group ID can be found.
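
The chain castaglia describes (user found, primary GID has no resolvable group name, so AllowGroup cannot match and DenyAll wins) can be read straight out of an LDAPLog. The following is an added example, not ProFTPD code or anything posted in this thread: a small parser over a constructed, trimmed copy of the log lines above. It assumes that a search without a following "no ... entries" line resolved a group, since no success message is quoted here, and that a filter containing objectclass=posixGroup is a group search, as both group filters in the log are.

```python
import re

# Constructed sample: a trimmed copy of the mod_ldap log lines quoted in this thread.
SAMPLE_LOG = """\
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: found user moises, UID 14, GID 513, homedir /var/ftp/moises, shell
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: searched under base DN CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,492 mod_ldap/2.9.4[5389]: no group entries for filter (&(primaryGroupID=513)(objectclass=posixGroup))
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: searched under base DN CN=g_ftp,OU=membros,OU=yggnet,DC=yggnet,DC=com,DC=br using filter (&(memberUid=moises)(objectclass=posixGroup))
2016-11-23 15:21:21,494 mod_ldap/2.9.4[5389]: no entries found for filter (&(memberUid=moises)(objectclass=posixGroup))
"""

MSG = re.compile(r"^\S+ \S+ mod_ldap/[^:]+: (?P<msg>.*)$")
FOUND_USER = re.compile(r"found user (?P<user>\S+), UID (?P<uid>\d+), GID (?P<gid>\d+)")
SEARCHED = re.compile(r"searched under base DN (?P<base>.+?) using filter (?P<filter>\(.*\))$")
NO_ENTRIES = re.compile(r"no (?:group )?entries (?:found )?for filter (?P<filter>\(.*\))$")

def parse_ldap_log(text):
    """Return (user, searches): the 'found user' record and every search with its outcome."""
    user, searches = None, []
    for line in text.splitlines():
        m = MSG.match(line)
        if not m:
            continue  # not a mod_ldap line
        msg = m.group("msg")
        if u := FOUND_USER.search(msg):
            user = {"name": u["user"], "uid": int(u["uid"]), "gid": int(u["gid"])}
        elif s := SEARCHED.search(msg):
            searches.append({"base": s["base"], "filter": s["filter"], "found": True})
        elif n := NO_ENTRIES.search(msg):
            for s in searches:  # mark the search whose filter came back empty
                if s["filter"] == n["filter"]:
                    s["found"] = False
    return user, searches

def diagnose_denied_login(text, allow_groups):
    """Explain why <Limit LOGIN> (AllowGroup ... + DenyAll) rejects the user, or return None
    when the log does not show group resolution failing (assumption: no failure line = resolved)."""
    user, searches = parse_ldap_log(text)
    if user is None:
        return "no 'found user' line: the user lookup itself failed"
    groups = [s for s in searches if "objectclass=posixgroup" in s["filter"].lower()]
    if not groups:
        return f"user {user['name']} was found but no group search was attempted"
    if any(s["found"] for s in groups):
        return None
    filters = "; ".join(s["filter"] for s in groups)
    return (f"user {user['name']} (primary GID {user['gid']}) has no group name: under base "
            f"{groups[0]['base']} the filters {filters} returned nothing, so AllowGroup "
            f"{','.join(allow_groups)} cannot match and DenyAll applies")
```

Run `diagnose_denied_login(open("/var/log/ldap.log").read(), ["g_ftp"])` against a real LDAPLog; a None result means the denial comes from somewhere other than group resolution.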

moisesdasilvadeoliveira
Re: Groups AD
« Reply #7 on: November 24, 2016, 12:33:29 pm »
Hi,

How would I do it? This group exists in Active Directory. I have changed the ID of the user and of the group in AD so that it can find them, but it still did not. What could I do?
