通过LDAP管理VSFTP帐户

yum install -y openldap openldap-servers openldap-clients pam_ldap nss-pam-ldapd vsftpd

slappasswd #记录备用 {SSHA}70WfjeJVZhmGy0wfSUKcOGsKPgLR7/ae

cp /usr/share/openldap-servers/slapd.conf.obsolete /etc/openldap/slapd.conf

vi /etc/openldap/slapd.conf
修改
suffix "dc=dsideal,dc=com"
rootdn "cn=admin,dc=dsideal,dc=com"
rootpw {SSHA}O8cf4DWh2Lg4hbGDya6d2bj0apPWJLoA

#测试配置文件
slaptest -u -f /etc/openldap/slapd.conf
提示：config file testing succeeded

rm -rf /etc/openldap/slapd.d/
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown ldap.ldap /var/lib/ldap/DB_CONFIG

#启动
/etc/init.d/slapd start

authconfig-tui

vi /etc/openldap/ldap.conf
#增加
URI ldap://127.0.0.1
BASE dc=dsideal,dc=com

mkdir /usr/local/ldapuser

vi /usr/local/base.ldif

dn:dc=dsideal,dc=com
dc:dsideal
objectClass:top
objectClass:domain

dn:ou=ftpPeople,dc=dsideal,dc=com
ou:ftpPeople
objectClass:top
objectClass:organizationalUnit

dn:ou=ftpGroup,dc=dsideal,dc=com
ou:ftpGroup
objectClass:top
objectClass:organizationalUnit

#执行
ldapadd -x -D "cn=admin,dc=dsideal,dc=com" -w dsideal -f /usr/local/base.ldif

vi /usr/local/ftpgroup.ldif

dn:cn=ldapftp,ou=ftpGroup,dc=dsideal,dc=com
objectClass:posixGroup
objectClass:top
cn:ldapftp
gidNumber:1500

#执行
ldapadd -x -D "cn=admin,dc=dsideal,dc=com" -w dsideal -f /usr/local/ftpgroup.ldif

vi /usr/local/ftpuser.ldif

dn:uid=ftpuser1,ou=ftpPeople,dc=dsideal,dc=com
uid:ftpuser1
cn:ftpuser1
objectClass:account
objectClass:posixAccount
objectClass:top
objectClass:shadowAccount
userPassword:123456
shadowLastChange:13048
shadowMax:99999
shadowWarning:7
loginShell:/sbin/nologin
uidNumber:1500
gidNumber:1500
homeDirectory:/usr/local/ldapuser
gecos:ldapuser

#执行
ldapadd -x -D "cn=admin,dc=dsideal,dc=com" -w dsideal -f /usr/local/ftpuser.ldif

#执行
ldapsearch -x -D "cn=admin,dc=dsideal,dc=com" -w dsideal
ldapsearch -x -D "cn=admin,dc=dsideal,dc=com" -w dsideal -b "uid=ftpuser1,ou=ftpPeople,dc=dsideal,dc=com"

#检查LDAP用户
getent passwd ftpuser1

vi /etc/pam.d/vsftpd
增加2行

#把这行放在第一个auth项
auth sufficient pam_ldap.so
#把这行放在第一个account项
account sufficient pam_ldap.so

vi /etc/vsftpd/vsftpd.conf

#修改如下配置
anonymous_enable=NO #不允许匿名用户访问
anon_upload_enable=YES
anon_mkdir_write_enable=YES #开启这项和上一项才能上传文件和文件夹
chroot_local_user=YES
#增加下面一行
local_root=/usr/local/ldapuser

/etc/init.d/vsftpd restart