Hello,
I do not know if this is the place to ask, but maybe some of you have already had this configuration.
I have a problem configuring ProFTP to use LDAP over SSL (i.e. ldaps on port 636).
In short:
- ProFTP without TLS (TLSEngine off) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
- ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES authenticate with LDAP without SSL (LDAPServer 1.2.3.4:389)
- ProFTP with TLS (TLSEngine on, path to the ftp-ssl certificates) DOES NOT authenticate with LDAP with SSL (LDAPUseTLS on; LDAPServer 1.2.3.4:636)
The procedure is a 2-way SSL with 2 certificates:
filezilla (for example) (acting as client for ProFTP) ->SSL(cert_ftp)-> ProFTP (acting as server for filezilla, cert_ftp)
ProFTP (acting as client for LDAP) ->SSL(cert_LDAP)-> LDAP (acting as server for the ProFTP, cert_LDAP).
If I look in the logs I see that the ProFTP server connects to the LDAP server on the correct port, the LDAP server accepts the connection, but the TLS fails!
In principle for me it is obvious, because in the ProFTP configuration I do give the path to the FTP-SSL certificates and keys but I do not input any path for the LDAP-SSL certificates, i.e. in my opinion it cannot work like this.
So my question is how to make it work? As I have said, in my opinion the key point is to be able to set the path where the ProFTP server finds the certificates for the LDAP server.
I do not find any hint whatsoever on the net.
The steps I have done:
LDAP Server:
- The LDAP Server IP (say) 1.2.3.4
- The LDAP Server listens to port 636 (ldaps) and port (ldap).
- I have created a certificate for the LDAP server (slapd.pem, slapd.key)
- The LDAP server itself is fully functioning on both ldap and ldaps (for example ldaps with Apache ok)
ProFTP Server:
- The ProFTP Server IP (say) 5.6.7.8
- I have created a certificate for the ProFTP server (ftp2.pem, ftp2.key)
- I have copied locally the certificates of the LDAP server (slapd.pem)
This is exactly what you do with Apache (and it works), provided one gives the path for "both" certificates:
LDAPTrustedGlobalCert CA_BASE64 /apache/conf/ssl_certs/slapd.pem
....
....
SSLCertificateFile /apache/conf/ssl_certs/apache.pem
SSLCertificateKeyFile /apache/conf/ssl_certs/apache.key
This is the ProFTP configuration (mod_tls and mod_ldap parts):
<IfModule mod_tls.c>
TLSEngine on
TLSLog /ftp2/logs/tls.log
TLSProtocol SSLv23
TLSOptions NoCertRequest
TLSRSACertificateFile /ftp2/conf/ssl_certs/ftp2.pem
TLSRSACertificateKeyFile /ftp2/conf/ssl_certs/ftp2.key
TLSCACertificateFile /ftp2/conf/ssl_certs/ftp2.pem
TLSVerifyClient off
TLSRequired on
TLSRenegotiate required off
</IfModule>
<IfModule mod_ldap.c>
#LDAPServer 1.2.3.4:389
LDAPUseTLS on
LDAPServer 1.2.3.4:636
LDAPDoAuth on "ou=bbb,dc=aaa,dc=de" "(&(uid=%v)(objectclass=posixAccount))"
LDAPDNInfo "uid=1234,dc=aaa,dc=de" root
LDAPAuthBinds on
LDAPDoUIDLookups on "ou=bbb,dc=aaa,dc=de"
LDAPSearchScope subtree
</IfModule>
Both the LDAP server and the ProFTP (proftp-ldap) server are:
Linux version 2.6.18-6-amd64 (Debian 2.6.18.dfsg.1-18etch1) (waldi@debian.org) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 SMP Sun Feb 10 17:50:19 UTC 2008
OpenLDAP server (slapd):
dpkg -l | grep slapd
ii slapd 2.3.30-5+etch1
I have used the ProFTP with precompiled LDAP (proftp-ldap):
dpkg -l | grep proftp
ii proftpd 1.3.0-19 Versatile, virtual-hosting FTP daemon
ii proftpd-ldap 1.3.0-19 Versatile, virtual-hosting FTP daemon
Error in /var/log/syslog from slapd:
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: listen=9, new connection on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: added 19r (active) listener=(nil)
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 ACCEPT from IP=5.6.7.8:42564 (IP=0.0.0.0:636)
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=6 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=7 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=8 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: select: listen=9 active_threads=0 tvp=NULL
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on 1 descriptor
May 27 10:54:05 ftp1test slapd[7323]: daemon: activity on:
May 27 10:54:05 ftp1test slapd[7323]: 19r
May 27 10:54:05 ftp1test slapd[7323]:
May 27 10:54:05 ftp1test slapd[7323]: daemon: read activity on 19
May 27 10:54:05 ftp1test slapd[7323]: daemon: removing 19
May 27 10:54:05 ftp1test slapd[7323]: conn=106 fd=19 closed (TLS negotiation failure)
Please help.
Thanks.
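An added example, not the poster's configuration nor ProFTPD's own code: a POSIX shell check over the mod_ldap settings shown above and the OpenLDAP client's ldap.conf, the two places that decide whether the ProFTP-to-LDAP handshake can succeed. It assumes that LDAPUseTLS negotiates STARTTLS on a plain LDAP connection (so it belongs with port 389 rather than the ldaps port 636, which expects a TLS handshake first and would log exactly a "TLS negotiation failure"), and that the trust anchor for slapd's certificate is set with TLS_CACERT in ldap.conf because the TLS* directives of mod_tls only cover the FTP side; the function names and the /etc/ldap/ssl_certs/slapd.pem path are my own.

```shell
#!/bin/sh
# Added example (not the poster's code): consistency check for the two settings
# that decide whether mod_ldap can complete a TLS handshake with slapd.
# Assumptions, not stated in the post: LDAPUseTLS makes mod_ldap send a STARTTLS
# request over a plain LDAP connection, so it pairs with the ldap port (389),
# not the ldaps port (636); and slapd's certificate is verified against
# TLS_CACERT in the OpenLDAP client's ldap.conf, because the TLS* directives
# of mod_tls only cover the FTP side.

# check_ldap_tls PROFTPD_CONF LDAP_CONF: returns 0 if consistent, else 1
check_ldap_tls() {
    use_tls=$(awk 'tolower($1)=="ldapusetls" {print tolower($2)}' "$1")
    port=$(awk 'tolower($1)=="ldapserver" {n=split($2,a,":"); p=(n>1)?a[2]:389; print p}' "$1")
    cacert=$(awk '$1=="TLS_CACERT" {print $2}' "$2")
    rc=0
    if [ "$use_tls" = on ] && [ "$port" = 636 ]; then
        echo "LDAPUseTLS on with port $port: STARTTLS request sent to an ldaps port"
        rc=1
    fi
    if [ "$use_tls" = on ] && [ -z "$cacert" ]; then
        echo "no TLS_CACERT in $2: slapd's certificate cannot be verified"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: LDAPUseTLS=$use_tls port=$port TLS_CACERT=$cacert"
    return "$rc"
}

# make_conf DIR PORT [CACERT]: writes constructed proftpd.conf and ldap.conf
# samples modelled on the post; the TLS_CACERT line is written only when given.
make_conf() {
    printf '<IfModule mod_ldap.c>\n#LDAPServer 1.2.3.4:389\nLDAPUseTLS on\n' >"$1/proftpd.conf"
    printf 'LDAPServer 1.2.3.4:%s\nLDAPAuthBinds on\n</IfModule>\n' "$2" >>"$1/proftpd.conf"
    echo "BASE dc=aaa,dc=de" >"$1/ldap.conf"
    [ -z "$3" ] || echo "TLS_CACERT $3" >>"$1/ldap.conf"
}

# demo: the poster's settings, then port 389 plus a trust anchor (constructed
# path); prints the two return codes, expected "1 0"
demo() {
    d=$(mktemp -d) || return 2
    make_conf "$d" 636
    if check_ldap_tls "$d/proftpd.conf" "$d/ldap.conf"; then bad=0; else bad=1; fi
    make_conf "$d" 389 /etc/ldap/ssl_certs/slapd.pem
    if check_ldap_tls "$d/proftpd.conf" "$d/ldap.conf"; then good=0; else good=1; fi
    rm -rf "$d"
    echo "$bad $good"
}

demo
```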