Bug 86802 - proftpd won't connect to ldap server
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: x86 Linux
Importance: High normal
Assignee: Luca Longinotti (RETIRED)

Reported: 2005-03-26 14:06 UTC by Daniel 'Fremen' Llewellyn
Modified: 2006-09-23 17:17 UTC

Attachments
Patch against proftpd-1.2.10-r7.ebuild add use flag ldapv3bind (proftpd-1.2.10-r7.ebuild-ldapv3bind.patch, 672 bytes, patch)
2005-10-31 21:48 UTC, Peter Fern
Patch against proftpd-1.2.10-r7 to add v3 ldap binds without TLS (proftpd-ldapv3bind.patch, 1.75 KB, patch)
2005-10-31 21:49 UTC, Peter Fern
Patch against proftpd-1.2.10-r7 to add v3 ldap binds with standard TLS dependency (proftpd-ldapv3bind-tls.patch, 556 bytes, patch)
2005-10-31 21:51 UTC, Peter Fern

Description Daniel 'Fremen' Llewellyn 2005-03-26 14:06:54 UTC
When trying to log into my proftpd server using a username that is in LDAP, I get a 530 error message saying "Login incorrect". Running the daemon with debugging enabled gets me this message:

"tank.mainframe.ath.cx (10.0.1.1[10.0.1.1]) - mod_ldap: pr_ldap_connect(): ldap_simple_bind() as cn=Manager,dc=mainframe,dc=ath.cx failed: Operations error"

The dn is correct, and the password in the configuration file is also correct for this dn.

Reproducible: Always
Steps to Reproduce:
1. Configure proftpd to use ldap
2. Start the daemon
3. Try to login with a user that is in ldap

Actual Results:
Receive "530 Login incorrect" instead of logging into the ftp server with the credentials supplied.

Expected Results:
The directory should display using the credentials supplied.

proftpd version 1.2.10-r1
openldap version 2.1.30-r4
Comment 1 Wayne Mitchell 2005-04-17 21:56:05 UTC
I am also experiencing this. When attempting to login I also receive this error message in the slapd log:

RESULT tag=97 err=2 text=requested protocol version not allowed

Versions of the proftpd mod_ldap module prior to 2.8.13 (current version in proftp-1.2.10-r1 appears to be 2.8.12) use LDAPv2. This seems to be what is causing the problem. 
Comment 2 Stian Skjelstad 2005-07-17 05:30:16 UTC
I don't have access to my gentoo machine right now, but I remember from some
ldap configure tutors, that they often add something like this into slapd config:

allow bind_v2

Comment 3 Daniel 'Fremen' Llewellyn 2005-07-17 10:22:53 UTC
I am no longer trying to use this method of connecting, so I cannot confirm
whether this fixes the problem or not. I had no end of troubles with LDAP, so I
quit using it completely.
Comment 4 Peter Fern 2005-10-31 21:40:29 UTC
The ldap module for proftpd does indeed attempt a v2 bind by default. There is
a definition that can be uncommented in the source to allow v3 binds with SASL.
I am running slapd on the same server as proftpd, so I don't require SASL, and
since the standard enabling of v3 binds fails if it can't initiate an SASL
connection, I've just enabled v3 binds without SASL. See the attached patches
to the net-ftp/proftpd-1.2.10-r7 ebuild. To enable v3+sasl, just rename
proftpd-ldapv3bind-sasl.patch to proftpd-ldapv3bind.patch and use that instead
of the standard one.

Hope this helps some people, and the maintainer (gustavoz?) might want to have a
look at the patches (they're quite simple) and decide which/whether to include.

Comment 5 Peter Fern 2005-10-31 21:48:41 UTC
Created attachment 71845
Patch against proftpd-1.2.10-r7.ebuild add use flag ldapv3bind
Comment 6 Peter Fern 2005-10-31 21:49:40 UTC
Created attachment 71846
Patch against proftpd-1.2.10-r7 to add v3 ldap binds without TLS
Comment 7 Peter Fern 2005-10-31 21:51:13 UTC
Created attachment 71847
Patch against proftpd-1.2.10-r7 to add v3 ldap binds with standard TLS dependency
Comment 8 Peter Fern 2005-10-31 21:55:42 UTC
Umm, and just so you don't get confused, please s/SASL/TLS/g in all my previous
posts :P

Sorry bout that, slight brain malfunction...
Comment 9 Luca Longinotti (RETIRED) gentoo-dev 2006-09-23 17:17:56 UTC
Can you please try with proftpd-1.3.0-r2, if it still breaks without the patches? I don't have any OpenLDAP install where I could really test this... Thanks!
Best regards, CHTEKK.
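
Added example, not part of the bug thread or of any project's code: a small triage script that finds binds slapd refused over their protocol version (the `tag=97 err=2` result quoted in Comment 1) and ties each one to the client address and bind DN, so the hosts still speaking LDAPv2 can be upgraded rather than re-enabling v2 on the server. The log lines are constructed in slapd's stats-log style, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in slapd stats-log style; not taken from the bug report.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.0.1.1:40112 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="cn=Manager,dc=mainframe,dc=ath.cx" method=128
conn=1000 op=0 RESULT tag=97 err=2 text=requested protocol version not allowed
conn=1000 fd=12 closed
conn=1001 fd=13 ACCEPT from IP=10.0.1.7:51200 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=alice,ou=people,dc=mainframe,dc=ath.cx" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=14 ACCEPT from IP=10.0.1.1:40113 (IP=0.0.0.0:389)
conn=1002 op=0 RESULT tag=97 err=2 text=requested protocol version not allowed
"""

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=([^:\s]+):\d+")
BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse; err=2 is the LDAP protocolError result code.
REJECT = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=97 err=2 text=(.*protocol version.*)")

def find_rejected_version_binds(log_text):
    """Return one record per bind refused because of its protocol version."""
    peer, bind, hits = {}, {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            peer[m.group(1)] = m.group(2)
        elif m := BIND.search(line):
            bind[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
        elif m := REJECT.search(line):
            conn, op = m.group(1), m.group(2)
            # The BIND line may be missing from the log; tolerate that.
            dn, method = bind.get((conn, op), (None, None))
            hits.append({"conn": int(conn), "client": peer.get(conn),
                         "dn": dn, "simple_bind": method == "128"})
    return hits

def clients_to_upgrade(hits):
    """Group rejected binds by client address so each host is fixed once."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h["conn"])
    return dict(by_client)

if __name__ == "__main__":
    hits = find_rejected_version_binds(SAMPLE_LOG)
    for client, conns in clients_to_upgrade(hits).items():
        print(f"{client}: version-rejected binds on conn {conns}")
```

`method=128` marks a simple bind, which carries the password in the clear unless the connection is protected by TLS, so the `simple_bind` flag is worth reviewing alongside the version fix.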