ProFTPD
What is ProFTPD
ProFTPD is a high-performance, open-source FTP server software designed for Unix and Linux systems. It supports various features, including IPv6, SSL/TLS encryption, virtual hosting, advanced logging, and supports various authentication methods, including LDAP and MySQL.
This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See ldap provider generic setup for setting up the LDAP provider.
Preparation
The following placeholders will be used:
authentik.company
is the FQDN of the authentik install.
authentik Configuration
Step 1 - Service account
Create a new user account (or re-use an existing one) for ProFTPD to use for LDAP bind under Directory -> Users -> Create and give the account a name, such as ldapservice
.
On default provider settings, the DN of this user will be cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io
This user must be part of a group which allows LDAP search queries. If you don't have a group for that yet, create one (e.g. LDAPServiceUsers
) and add the user ldapservice
to that group. You can specify that group during the provider creation below.
If you are unfamiliar with LDAP: A bind account is used for authentication against the LDAP server itself - similar to an API key in modern applications.
Step 2 - LDAP Provider
In authentik, create a LDAP provider (under Applications/Providers). This is an example for the settings:
- Name :
provider-ldap
- or choose any - Bind DN :
DC=ldap,DC=goauthentik,DC=io
- Search group :
LDAPServiceUsers
- Certificate :
authentik Self-signed Certificate
Step 3 - Application
In authentik, create an application (under Resources/Applications) with these settings :
- Name:
FTP
- or choose any - Provider: Choose the provider you created in Step 2
Step 4 - Outpost
If not done yet, create an outpost (under Applications/Outposts) of type LDAP
that includes the LDAP Application you created in Step 3. You can also use an existing outpost, just make sure to edit it and to also include the just created application in the respective field.
Step 5 - Create a group for restricting access
Optionally, create a new group like ftpusers
to scope access to the ftp server.
ProFTPD configuration
Ensure that the ProFTPD LDAP plugin is installed, which may be included in the distribution package proftpd-ldap
.
Check that LoadModule mod_ldap.c
is not commented out in /etc/proftpd/modules.conf
.
Edit your ProFTPD configuration, usually located under /etc/proftpd.conf
. You can use the following LDAP configuration as a starting point.
DefaultRoot /your/ftp/storage/dir
<IfModule mod_ldap.c>
LDAPAuthBinds on
# Replace this with the server-url:port of your LDAP outpost
LDAPServer authentik.company:389
# The LDAP Bind account must be specified here
LDAPBindDN cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io PASSWORDOFLDAPSERVICE
# The second parameter is optional
# In this case I am restricting access to the group ftpusers
# Instead you could also create bind policies in your created authentik application
LDAPUsers ou=users,dc=ldap,dc=goauthentik,dc=io (&(objectClass=user)(cn=%u)(memberOf=cn=ftpusers,ou=groups,dc=ldap,dc=goauthentik,dc=io))
# In this example, I am forcing the permission of all files to the system user/group 1000
LDAPDefaultUID 1000
LDAPDefaultGID 1000
LDAPForceDefaultUID on
LDAPForceDefaultGID on
# This way I am making a shared folder, which all ftp users share
LDAPGenerateHomedir on
LDAPGenerateHomedirPrefix /your/ftp/storage/dir
LDAPGenerateHomedirPrefixNoUsername on
LDAPLog /var/log/mod_ldap.log
RequireValidShell off
LDAPAttr uid cn
LDAPSearchScope subtree
</IfModule>
In this example, every user shares a single folder. If you want to have separate folders for each user, you can adapt the LDAPGenerateHomedirPrefixNoUsername
setting.
Additionally, note that each file will have Linux user and group ID 1000
. Beforehand, make sure that the respective Linux user exists (usually the first Linux user created receives ID 1000
). Check /etc/passwd
and create a user if necessary.
If you do not set LDAPForceDefaultUID
/LDAPForceDefaultGID
, Authentik's uidNumber
field will be used. If you do not set LDAPGenerateHomedir
, Authentik's homeDirectory
field will be used (/home/$username
). For more information about default attributes provided by Authentik, refer to the LDAP Provider documentation.
Make sure to read ProFTPD's available LDAP options.
Finally, after adding the configuration, restart ProFTPD.
If login fails, make sure to check the logs of the LDAP plugin: tail -f /var/log/mod_ldap.log
.