Author Topic: Incorrect password  (Read 472 times)

Offline daveyfx

  • New user
  • *
  • Posts: 2
Incorrect password
« on: June 15, 2017, 02:38:21 am »
Hi all -

I'm trying to get my mod_ldap configuration to successfully authenticate my Active Directory user account and am not having any success.  Domain controllers are 2012 R2.

Here's what is logged in sys-proftpd.log

Code:
2017-06-14 22:20:59,219 ftp1.atlprod.amc proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): FTP session opened.
2017-06-14 22:21:01,676 ftp1.atlprod.amc proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): USER XXXXXXX (Login failed): Incorrect password
2017-06-14 22:21:01,678 ftp1.atlprod.amc proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): FTP session closed.

Here's what is logged in ldap.log

Code:
2017-06-14 22:22:13,603 mod_ldap/2.9.4[32075]: not unbinding to an already unbound connection
2017-06-14 22:22:13,603 mod_ldap/2.9.4[32075]: not unbinding to an already unbound connection
2017-06-14 22:22:13,604 mod_ldap/2.9.4[32075]: not unbinding to an already unbound connection
2017-06-14 22:22:13,604 mod_ldap/2.9.4[32075]: not unbinding to an already unbound connection
2017-06-14 22:22:13,604 mod_ldap/2.9.4[32075]: generated filter OU=CompanyUsers,DC=XXXXXXX,DC=com from template OU=CompanyUsers,DC=XXXXXXX,DC=com and value XXXXXXX
2017-06-14 22:22:13,604 mod_ldap/2.9.4[32075]: generated filter (&(sAMAccountName=XXXXXXX)(objectclass=user)) from template (&(sAMAccountName=%u)(objectclass=user)) and value XXXXXXX
2017-06-14 22:22:13,604 mod_ldap/2.9.4[32075]: attempting connection to URL ldap://dc2.XXXXXXX.com/??sub
2017-06-14 22:22:13,605 mod_ldap/2.9.4[32075]: set LDAP protocol version to 3
2017-06-14 22:22:13,605 mod_ldap/2.9.4[32075]: connected to URL ldap://dc2.XXXXXXX.com/??sub
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: successfully bound as DN 'CN=binduser,OU=ServiceAccounts,DC=XXXXXXX,DC=com' with password (see config)
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: set dereferencing to 0
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: set query timeout to 5 secs
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: searched under base DN OU=CompanyUsers,DC=XXXXXXX,DC=com using filter (&(sAMAccountName=XXXXXXX)(objectclass=user))
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: fetching values for attribute sAMAccountName
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: fetching values for attribute uidNumber
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: no values for attribute uidNumber, trying defaults
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: using LDAPDefaultUID 65533
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: fetching values for attribute gidNumber
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: no values for attribute gidNumber, trying defaults
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: using LDAPDefaultGID 65533
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: fetching values for attribute homeDirectory
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: fetching values for attribute loginShell
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: no values for attribute loginShell, trying defaults
2017-06-14 22:22:13,607 mod_ldap/2.9.4[32075]: found user XXXXXXX, UID 65533, GID 65533, homedir /home/ftp, shell
2017-06-14 22:22:16,216 mod_ldap/2.9.4[32075]: connection successfully unbound
2017-06-14 22:22:16,216 mod_ldap/2.9.4[32075]: not unbinding to an already unbound connection

And here's my proftpd.conf

Code:
LoadModule mod_ldap.c
LoadModule mod_vroot.c

ServerName                      "TheXXXXXXXX.com FTP site"
MasqueradeAddress               ftp.theXXXXXXXX.com
PassivePorts                    60000 65535
ServerIdent                     on "FTP Server ready."
ServerAdmin                     it@xxxxxxxx.com
DefaultServer                   on
AccessGrantMsg                  "User %u logged in."
DeferWelcome                    off
AllowForeignAddress             on

# Log format and location
LogFormat               default "%t %h %a %s %m %f %b %T \"%r\""
ExtendedLog             /var/log/proftpd/ext-proftpd.log ALL default
SyslogLevel             debug
SystemLog               /var/log/proftpd/sys-proftpd.log ALL default
TransferLog             /var/log/proftpd/trf-proftpd.log ALL default

VRootEngine                     on
DefaultRoot                     ~ !adm
VRootAlias                      /etc/security/pam_env.conf etc/security/pam_env.conf

# Use pam to authenticate (default) and be authoritative
AuthPAMConfig                   proftpd
AuthOrder                       mod_ldap.c mod_auth_pam.c* mod_auth_unix.c

# Don't do reverse DNS lookups (hangs on DNS problems)
IdentLookups                    off
UseReverseDNS                   off

# Set the user and group that the server runs as
User                            nobody
Group                           nobody

MaxInstances                    10

# Disable sendfile by default since it breaks displaying the download speeds in
# ftptop and ftpwho
UseSendfile                     off

# Define the log formats
LogFormat                       default "%h %l %u %t \"%r\" %s %b"
LogFormat                       auth    "%v [%P] %h %t \"%r\" %s"

# TLS
# Explained at http://www.castaglia.org/proftpd/modules/mod_tls.html
TLSEngine                      on
#TLSRequired                    on
TLSRSACertificateFile          /etc/proftpd/ftp.theXXXXXXXX.com.crt
TLSRSACertificateKeyFile       /etc/proftpd/ftp.theXXXXXXXX.com.key
TLSCipherSuite                 ALL:!ADH:!DES
#TLSProtocol                   SSLv3 TLSv1
TLSOptions                     NoCertRequest
TLSOptions                     NoSessionReuseRequired
TLSVerifyClient                off
##TLSRenegotiate                ctrl 3600 data 512000 required off timeout 300
TLSLog                         /var/log/proftpd/tls.log

<IfDefine DYNAMIC_BAN_LISTS>
  LoadModule                    mod_ban.c
  BanEngine                     on
  BanLog                        /var/log/proftpd/ban.log
  BanTable                      /var/run/proftpd/ban.tab

  # If the same client reaches the MaxLoginAttempts limit 2 times
  # within 10 minutes, automatically add a ban for that client that
  # will expire after one hour.
  BanOnEvent                    MaxLoginAttempts 2/00:10:00 01:00:00

  # Allow the FTP admin to manually add/remove bans
  BanControlsACLs               all allow user ftpadm
</IfDefine>

<IfModule mod_ldap.c>
# Connection strings
LDAPServer "ldap://dc2.XXXXXXX.com/??sub"
LDAPAttr uid sAMAccountName
LDAPDefaultUID 65533
LDAPDefaultGID 65533
LDAPForceGeneratedHomedir on
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /home/ftp
LDAPGenerateHomedirPrefixNoUsername on
CreateHome off
RequireValidShell off
LDAPAuthBinds on

# User info
LDAPBindDN "CN=binduser,OU=ServiceAccounts,DC=XXXXXXX,DC=com" "binduser"
LDAPUsers OU=CompanyUsers,DC=XXXXXXX,DC=com (&(sAMAccountName=%u)(objectclass=user))

# Log
LDAPLog /var/log/proftpd/ldap.log
</IfModule>

# Global Config - config common to Server Config and all virtual hosts
# See: http://www.proftpd.org/docs/howto/Vhost.html
<Global>

  # Umask 022 is a good standard umask to prevent new dirs and files
  # from being group and world writable
  Umask                         022

  # Allow users to overwrite files and change permissions
  AllowOverwrite                yes
  <Limit ALL SITE_CHMOD>
    AllowAll
  </Limit>

<Directory /XXXXXXX/magazine>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup atlanticmag
       </Limit>

</Directory>

<Directory /XXXXXXX/magazine/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup atlanticmag
       </Limit>
</Directory>

<Directory /XXXXXXX/blog>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup atlanticblog
       </Limit>
</Directory>

<Directory /XXXXXXX/blog/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup atlanticblog
       </Limit>
</Directory>

<Directory /XXXXXXXXXXXXXX/blog>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup citiesblog
       </Limit>
</Directory>

<Directory /XXXXXXXXXXXXXX/blog/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup citiesblog
       </Limit>
</Directory>

<Directory /XXXXXXXXXXXXXX/blog>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup wireblog
       </Limit>
</Directory>

<Directory /XXXXXXXXXXXXXX/blog/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser atlantic
         DenyAll
        </Limit>

       <Limit CWD PWD DIRS READ>
        AllowGroup wireblog
       </Limit>
</Directory>

<Directory /emerson/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser ads_thirdparty
         DenyAll
        </Limit>

        <Limit DIRS READ WRITE>
         AllowGroup ads_thirdparty
        </Limit>
</Directory>

<Directory /daybook/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser daybook
         DenyAll
        </Limit>

        <Limit DIRS READ WRITE>
         AllowGroup daybook
        </Limit>
</Directory>

<Directory /loguploader/*>
        HideNoAccess on
        <Limit ALL>
         AllowUser loguploader
         DenyAll
        </Limit>

        <Limit DIRS READ WRITE>
         AllowGroup loguploader
         AllowGroup bscott
        </Limit>
</Directory>

</Global>

Does anyone have any insight into the incorrect password issue?

Thank you
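Added example (mine, not the original poster's and not ProFTPD code): a small Python script that joins SystemLog and LDAPLog lines on the proftpd child PID that both logs print in brackets, and reports for every "Login failed" whether mod_ldap was never consulted, resolved the user but the password step still failed (the situation in this thread), or found no entry under the base DN. The sample lines are constructed after the excerpts above with placeholder hosts, users and PIDs, and only reuse message texts that appear on this page; the stage names and function names are my own. Note that the two excerpts actually posted are from different sessions (PIDs 31963 and 32075, a minute apart), so a real correlation needs both logs captured from the same attempt. The script also counts failures per client IP, the signal the posted mod_ban rule keys on, and flags logins that landed on the LDAPDefaultUID.

```python
"""Correlate ProFTPD's SystemLog with mod_ldap's LDAPLog by child PID.

Added example for this thread; not part of ProFTPD or of the original post.
Sample lines are constructed after the posted excerpts (placeholder hosts,
users and PIDs). Only message texts seen on the page are reused.
"""
import re
from collections import Counter, defaultdict

SYS_LOG = """\
2017-06-14 22:20:59,219 ftp1.example.test proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): FTP session opened.
2017-06-14 22:21:01,676 ftp1.example.test proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): USER jdoe (Login failed): Incorrect password
2017-06-14 22:21:01,678 ftp1.example.test proftpd[31963] 172.16.13.219 (172.16.13.1[172.16.13.1]): FTP session closed.
2017-06-14 22:25:10,001 ftp1.example.test proftpd[31990] 172.16.13.219 (scanner[203.0.113.7]): USER admin (Login failed): Incorrect password
2017-06-14 22:25:12,002 ftp1.example.test proftpd[31991] 172.16.13.219 (scanner[203.0.113.7]): USER root (Login failed): Incorrect password
2017-06-14 22:25:14,003 ftp1.example.test proftpd[31992] 172.16.13.219 (scanner[203.0.113.7]): USER test (Login failed): Incorrect password
"""

LDAP_LOG = """\
2017-06-14 22:21:01,604 mod_ldap/2.9.4[31963]: generated filter (&(sAMAccountName=jdoe)(objectclass=user)) from template (&(sAMAccountName=%u)(objectclass=user)) and value jdoe
2017-06-14 22:21:01,607 mod_ldap/2.9.4[31963]: successfully bound as DN 'CN=binduser,OU=ServiceAccounts,DC=example,DC=test' with password (see config)
2017-06-14 22:21:01,607 mod_ldap/2.9.4[31963]: found user jdoe, UID 65533, GID 65533, homedir /home/ftp, shell
2017-06-14 22:21:01,676 mod_ldap/2.9.4[31963]: connection successfully unbound
2017-06-14 22:25:10,000 mod_ldap/2.9.4[31990]: searched under base DN OU=CompanyUsers,DC=example,DC=test using filter (&(sAMAccountName=admin)(objectclass=user))
"""

# SystemLog line layout: "<ts> <host> proftpd[<pid>] <server_ip> (<client_host>[<client_ip>]): <msg>"
FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<client_host>[^\[]*)\[(?P<client_ip>[^\]]*)\]\): "
    r"USER (?P<user>\S+) \(Login failed\): (?P<reason>.+)$")
LDAP_RE = re.compile(r"^(?P<ts>\S+ \S+) mod_ldap/[\d.]+\[(?P<pid>\d+)\]: (?P<msg>.+)$")
FOUND_RE = re.compile(
    r"^found user (?P<user>\S+), UID (?P<uid>\d+), GID (?P<gid>\d+), homedir (?P<home>\S+)")


def index_ldap_log(text):
    """Group mod_ldap messages by the child PID that emitted them."""
    by_pid = defaultdict(list)
    for line in text.splitlines():
        m = LDAP_RE.match(line)
        if m:
            by_pid[m["pid"]].append(m["msg"])
    return by_pid


def classify_failed_logins(sys_text, ldap_text, default_uid="65533"):
    """One dict per failed USER, with the stage at which the login died.

    Stages (my own labels):
      no-ldap-lookup        mod_ldap logged nothing for this PID
      user-not-found        it searched but never logged "found user"
      lookup-ok-auth-failed it resolved the user, yet the password step failed
    """
    by_pid = index_ldap_log(ldap_text)
    events = []
    for line in sys_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        msgs = by_pid.get(m["pid"], [])
        found = next((f for f in map(FOUND_RE.match, msgs)
                      if f and f["user"] == m["user"]), None)
        if not msgs:
            stage = "no-ldap-lookup"
        elif found:
            stage = "lookup-ok-auth-failed"
        else:
            stage = "user-not-found"
        events.append({
            "pid": m["pid"], "user": m["user"], "client_ip": m["client_ip"],
            "reason": m["reason"], "stage": stage,
            # True when the account fell back to LDAPDefaultUID: every such
            # user is the same UID on disk, so ownership carries no identity.
            "shared_uid": bool(found and found["uid"] == default_uid),
        })
    return events


def noisy_clients(events, threshold=3):
    """Client IPs with at least `threshold` failed logins (brute-force signal)."""
    counts = Counter(e["client_ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for e in classify_failed_logins(SYS_LOG, LDAP_LOG):
        print(e)
    print("noisy:", noisy_clients(classify_failed_logins(SYS_LOG, LDAP_LOG)))
```

A "lookup-ok-auth-failed" result with no user bind visible in ldap.log points at the auth chain rather than at the directory: the lookup side of mod_ldap worked, so the next thing to inspect is AuthOrder and which module actually judged the password. The shared_uid flag is worth watching with the posted config, where LDAPDefaultUID/GID 65533 and LDAPGenerateHomedirPrefixNoUsername on put every AD user in /home/ftp as the same UID; the per-path <Limit> blocks are then the only separation between those users.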

Offline daveyfx

  • New user
  • *
  • Posts: 2
Re: Incorrect password
« Reply #1 on: June 15, 2017, 03:13:37 am »
Never mind, I'm a fool.  Just noticed I have "mod_auth_pam.c*" and I have no need for that to be authoritative.
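Added example (mine, not the poster's and not ProFTPD's own code): a small linter for the authentication directives of a proftpd.conf. Its AuthOrder rule encodes what this thread established, that an authoritative module ("*") listed after mod_ldap.c makes its verdict final, so an AD user that mod_ldap.c resolves is still rejected with "Incorrect password"; the suggested fix is the one the poster applied, dropping the asterisk. The other three rules are general hardening checks a practitioner would want on the posted config: TLSEngine on without TLSRequired on still accepts cleartext FTP logins, LDAPAuthBinds on over a plain ldap:// URL without LDAPUseTLS on sends each user's AD password to the domain controller in a cleartext simple bind, and LDAPBindDN carries the service-account password in the file. The two sample configs are constructed after the posted one with placeholder hosts and DNs; finding codes, severities and function names are my own.

```python
"""Lint the authentication-related directives of a proftpd.conf.

Added example for this thread, not ProFTPD code. Rule 1 encodes the thread's
finding about an authoritative "*" module in AuthOrder; rules 2-4 are general
hardening checks. Sample configs are constructed with placeholder names.
"""
import shlex

# Constructed after the posted config (placeholder host and DNs).
POSTED_STYLE_CONF = """\
TLSEngine        on
#TLSRequired     on
AuthOrder        mod_ldap.c mod_auth_pam.c* mod_auth_unix.c
LDAPServer       "ldap://dc2.example.test/??sub"
LDAPAuthBinds    on
LDAPBindDN       "CN=binduser,OU=ServiceAccounts,DC=example,DC=test" "binduser"
"""

# The same config with the asterisk dropped, TLS required and LDAPS to the DC.
HARDENED_CONF = """\
TLSEngine        on
TLSRequired      on
AuthOrder        mod_ldap.c mod_auth_pam.c mod_auth_unix.c
LDAPServer       "ldaps://dc2.example.test/??sub"
LDAPAuthBinds    on
LDAPBindDN       "CN=binduser,OU=ServiceAccounts,DC=example,DC=test" "binduser"
"""


def parse_directives(text):
    """Map lower-cased directive name -> list of argument lists, in file order.

    Comments, blank lines and <Section> markers are skipped; directive names
    are case-insensitive in ProFTPD, so they are normalised here.
    """
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def lint(text):
    """Return (code, severity, message) findings for the auth-related directives."""
    d = parse_directives(text)
    findings = []

    def last(name):
        # Last occurrence wins, as later directives override earlier ones.
        return [a.lower() for a in d.get(name, [[]])[-1]]

    # Rule 1: an authoritative module listed after a non-authoritative one.
    order = last("authorder")
    authoritative = [m for m in order if m.endswith("*")]
    if authoritative and order.index(authoritative[0]) > 0:
        stripped = " ".join(m.rstrip("*") for m in order)
        findings.append((
            "AUTHORDER_AUTHORITATIVE_AFTER_PRIMARY", "error",
            f"{authoritative[0]} is authoritative but {order[0]} is consulted first; "
            f"users only {order[0]} knows fail with 'Incorrect password'. "
            f"Suggested: AuthOrder {stripped}"))

    # Rule 2: TLS available but optional, so cleartext logins are still accepted.
    if last("tlsengine") == ["on"] and last("tlsrequired") != ["on"]:
        findings.append((
            "TLS_NOT_REQUIRED", "warning",
            "TLSEngine on without TLSRequired on: clients may still send the "
            "AD password over a cleartext control channel."))

    # Rule 3: per-user auth binds to the DC over plain ldap:// without STARTTLS.
    url = last("ldapserver")
    if (last("ldapauthbinds") == ["on"] and url and url[0].startswith("ldap://")
            and last("ldapusetls") != ["on"]):
        findings.append((
            "LDAP_CLEARTEXT_BIND", "warning",
            "LDAPAuthBinds on over ldap:// without LDAPUseTLS on: each user's "
            "password is sent to the domain controller in a cleartext simple bind; "
            "use ldaps:// or LDAPUseTLS on."))

    # Rule 4: service-account password embedded in the config file.
    if len(last("ldapbinddn")) >= 2:
        findings.append((
            "BIND_PASSWORD_INLINE", "info",
            "LDAPBindDN carries the bind password: keep the file root-owned and "
            "mode 0600, and give the bind account read-only rights."))
    return findings


def codes(text):
    """Just the finding codes, handy for comparing two configs."""
    return [code for code, _, _ in lint(text)]


if __name__ == "__main__":
    for code, severity, message in lint(POSTED_STYLE_CONF):
        print(f"[{severity}] {code}: {message}")
    print("hardened:", codes(HARDENED_CONF))
```

Run against the posted-style config the linter reports all four findings; against the hardened variant only the inline bind password remains, which mod_ldap's LDAPBindDN syntax requires, so that one is reduced to file-permission and least-privilege hygiene rather than removed.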

Offline castaglia

  • Administrator
  • Support Hero
  • *****
  • Posts: 5359
    • http://www.castaglia.org/
Re: Incorrect password
« Reply #2 on: June 18, 2017, 12:27:34 am »
Not a fool at all.  I'm glad to hear that you were able to get it working!