New User Seeks LDAP and Multi-Server Recommendations

Hi,

I just bought a Pro license today and I have not really used the GPL version either, but I like what I see so far. The installation script was fantastic and I think the base installation is fine. I have created and deleted a single Virtual Server, if that matters.

We want to move from ISPConfig v2 to Virtualmin (and maybe Cloudmin later). Based on previous experience, we have purchased far more capable hardware which we have installed in a far better colo facility. We are using Citrix XenServer 5.6 on a single 8-core highly-available server, for now. We generally use and prefer Centos 5 for VMs.

We also (re)sell DSL services, in addition to web, mail and DNS hosting, so we need a reliable RADIUS server.

Unless we get feedback from you to the contrary, we plan to implement a separate VM for core services that must stay up: LDAP, RADIUS, NTP, etc. We are still evaluating the exact details of this plan and I request your input.

Should we use Webmin on the new core services VM on a base Centos 5 install? Or should we use something like 389 Directory Server, Fedora Directory Server or Centos Directory Server?

I have seen the Module Config option to Store users and groups in LDAP, but I found no documentation on how to implement this. I would particularly appreciate advice on configuring this for a separate LDAP server, if that is in fact a good idea.

Finally, we plan to rent a VPS in another data center where we plan to replicate our most important core services: LDAP, RADIUS, billing system, etc.

I would also very much appreciate any advice you could give me as to LDAP replication.

Thanks in advance,

G

Status: Closed (fixed)

Comments

You might want to look at the Virtualmin + LDAP documentation, at http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/

This explains how to set up an LDAP server and configure Virtualmin to use it. Typically this is combined with some kind of shared storage like NFS to potentially offload mail or other services to a separate machine.

Please take a look, and let us know if it answers your questions.

Hi.

Thanks for getting back to me on this.

I have spent quite a bit of time on this issue, and I think I have made quite a bit of headway.

The link you sent to me is no longer accurate for use with Centos 5.5 and the latest Virtualmin Pro. However, it contains a lot of valuable information that I used. It would be nice if that document was updated and took into account the possibility of running LDAP on a separate server.

As I tried to explain, I'm not trying to do a lot of high-availability modifications...I mostly just want to use LDAP on a separate server (where I'll also install RADIUS and use LDAP replication to another machine in another data center).

You did not answer these questions/requests:

Should we use Webmin on the new core services VM on a base Centos 5 install? Or should we use something like 389 Directory Server, Fedora Directory Server or Centos Directory Server?

Lacking advice, I started with another clean Centos 5 installation (in another VM). I installed OpenLDAP and I worked through getting it running with Virtualmin.

I would also very much appreciate any advice you could give me as to LDAP replication.

I understand this may be beyond your purview, but if you have any tips they would be appreciated.

At this point, my primary stumbling block is FTP logins ("no such user"). As a domain owner, I can log in via Webmin, Usermin and SSH. However, it does not appear that ProFTPd is attempting to authenticate via LDAP.

A little Googling brings up mod_ldap and some proftpd.conf directives:

LDAPServer localhost
LDAPDNInfo cn=your-dn,dc=horde,dc=net dnpass
LDAPDoAuth on "dc=users,dc=horde,dc=net"

The existing proftpd.conf doesn't appear to contain any LDAP directives.

Searching the filesystem finds:

/usr/libexec/webmin/proftpd/mod_ldap.pl

but I'm not sure what it does or what it's for.

Can you shed a little light on this for me please?

Thanks in advance,

G

Running LDAP on a separate server will work fine, assuming that you adjust the settings in the "LDAP Users and Groups" and "LDAP Client" modules to talk to that server.

As for ProFTPd, I have seen this before, and been unable to solve it :-( It seems that ProFTPd has a bug that prevents it from using LDAP for PAM authentication, even though every other service on the system works fine.

The work-around is to remove ProFTPd and install vsftpd instead. The only downside is that this will prevent Virtualmin from setting up per-domain anonymous FTP sites, but hardly anyone uses those anymore anyway.

Well, I didn't want to switch to vsftpd without at least trying to make it work.

I fixed the proFTPd LDAP authentication problem. I didn't use PAM. However, I'm a newbie with Virtualmin. Can you please take a look at this and let me know if there are any pitfalls (short term or long term) that I might have accidentally created for myself?

Also, I note that FTP logging is not enabled with Virtualmin Pro. Evidently some logging is done to syslog? Why is that? Is there a reason that logging is not done to /var/log/proftpd and log rotation enabled? Should I do these things myself?

I would also appreciate your opinions and suggestions about configuring the LDAP connections for SSL.

I look forward to your input...

Thanks,

G

Centos 5.5

ProFTPd LDAP Authentication

Edit /etc/proftpd.conf:

<IfModule mod_ldap.c>
LDAPServer yourldapserver.yourdomain.com
LDAPDNInfo cn=yourrootuser,dc=yourdomain,dc=com yourrootuserpassword
LDAPDoAuth on "dc=Users,dc=yourdomain,dc=com" (&(uid=%v)(objectclass=posixAccount))
LDAPDoUIDLookups on "dc=Users,dc=yourdomain,dc=com"
LDAPDoGIDLookups on "dc=Groups,dc=yourdomain,dc=com"
</IfModule>

Fix Passive Mode

modprobe ip_conntrack_ftp

vim /etc/sysconfig/iptables-config

IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"

Debugging

proftpd -nd9

DebugLevel 9        # <0-9>    in proftpd.conf

Logging

# Set logging options
#TransferLog /var/log/proftpd/xferlog
#SystemLog   /var/log/proftpd/proftpd.log
#DebugLevel 9
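The following is an added example, not code from this thread, from Virtualmin or from the ProFTPD project: a small POSIX shell script that sanity-checks the mod_ldap and passive-mode changes above before the services are restarted. It verifies that the three directives the post relies on (LDAPServer, LDAPDNInfo, LDAPDoAuth on) are present, that proftpd.conf is readable by its owner only (LDAPDNInfo embeds the bind DN password in clear text), and that the IPTABLES_MODULES line in iptables-config is a complete double-quoted value listing ip_conntrack_ftp (an unterminated quote there leaves the rule file unparseable). All hostnames, DNs, passwords and sample files are constructed placeholders; the checks read the permission columns of `ls -l`, which is an assumption that keeps them portable across GNU and BSD userlands.

```shell
#!/bin/sh
# Added example (not from the thread): pre-restart sanity checks for the
# mod_ldap / passive-mode setup. Paths, directive values and sample files
# below are constructed placeholders, not real system configuration.

# check_ldap_block FILE
# Returns 0 when FILE carries LDAPServer, LDAPDNInfo and "LDAPDoAuth on";
# returns 1 if any of them is missing or the file is unreadable.
check_ldap_block() {
    f="$1"
    [ -r "$f" ] || return 1
    grep -Eq '^[[:space:]]*LDAPServer[[:space:]]+' "$f" || return 1
    grep -Eq '^[[:space:]]*LDAPDNInfo[[:space:]]+' "$f" || return 1
    grep -Eq '^[[:space:]]*LDAPDoAuth[[:space:]]+on' "$f" || return 1
    return 0
}

# check_conf_perms FILE
# LDAPDNInfo stores the bind password in clear text, so the file must not be
# group- or world-readable. Returns 0 only when just the owner can read it.
check_conf_perms() {
    f="$1"
    [ -e "$f" ] || return 1
    # columns 5-10 of `ls -l` are the group and other permission bits
    if ls -ld "$f" | cut -c5-10 | grep -q r; then
        return 1
    fi
    return 0
}

# check_iptables_modules FILE
# Returns 0 when the last IPTABLES_MODULES= line is a complete double-quoted
# value that lists ip_conntrack_ftp (needed so passive-mode data connections
# are tracked by the firewall). An unterminated quote fails this check.
check_iptables_modules() {
    f="$1"
    [ -r "$f" ] || return 1
    line=$(grep '^IPTABLES_MODULES=' "$f" | tail -n 1)
    [ -n "$line" ] || return 1
    case "$line" in
        IPTABLES_MODULES=\"*\") ;;   # opening and closing quote both present
        *) return 1 ;;
    esac
    case "$line" in
        *ip_conntrack_ftp*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_proftpd_ldap PROFTPD_CONF IPTABLES_CONFIG
# Runs every check, prints one line per finding, returns 0 only if all pass.
audit_proftpd_ldap() {
    rc=0
    if check_ldap_block "$1"; then echo "ok:   mod_ldap directives present in $1"
    else echo "FAIL: LDAPServer/LDAPDNInfo/LDAPDoAuth missing in $1"; rc=1; fi
    if check_conf_perms "$1"; then echo "ok:   $1 is readable by its owner only"
    else echo "FAIL: $1 is group/world readable and holds the LDAP bind password"; rc=1; fi
    if check_iptables_modules "$2"; then echo "ok:   ip_conntrack_ftp listed and quoted in $2"
    else echo "FAIL: IPTABLES_MODULES in $2 is unterminated or lacks ip_conntrack_ftp"; rc=1; fi
    return $rc
}

# write_samples DIR
# Writes constructed sample files so the checks can be exercised offline:
# a proftpd.conf shaped like the post's, plus the iptables-config line both
# with a missing closing quote (.bad) and corrected (.good).
write_samples() {
    d="$1"
    cat > "$d/proftpd.conf" <<'EOF'
<IfModule mod_ldap.c>
LDAPServer ldap.example.com
LDAPDNInfo cn=proftpd,dc=example,dc=com PLACEHOLDER-BIND-PASSWORD
LDAPDoAuth on "dc=Users,dc=example,dc=com" "(&(uid=%v)(objectclass=posixAccount))"
LDAPDoUIDLookups on "dc=Users,dc=example,dc=com"
LDAPDoGIDLookups on "dc=Groups,dc=example,dc=com"
</IfModule>
EOF
    chmod 600 "$d/proftpd.conf"
    printf 'IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp\n' > "$d/iptables-config.bad"
    printf 'IPTABLES_MODULES="ip_conntrack_netbios_ns ip_conntrack_ftp"\n' > "$d/iptables-config.good"
}

# Stand-alone usage against the constructed samples:
#   d=$(mktemp -d); write_samples "$d"
#   audit_proftpd_ldap "$d/proftpd.conf" "$d/iptables-config.good"
# On a live host: audit_proftpd_ldap /etc/proftpd.conf /etc/sysconfig/iptables-config
```

Run it against the real files after editing them and before `service proftpd restart`; a FAIL on the permissions check is the one most worth acting on, since a readable proftpd.conf hands the directory bind credentials to every local account.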

Cool, that use of mod_ldap is a good work-around. Ideally it shouldn't be needed, as users in LDAP should appear as regular LDAP users that ProFTPd should automatically pick up, but for whatever reason that isn't happening :-(

As for the log file, the only line you need is:

TransferLog /var/log/proftpd/xferlog

For the logging, I ended up leaving the xferlog at the default /var/log/xferlog because that's what logrotate is configured for by default.

I did change the proftpd.log location to /var/log/proftpd/proftpd.log (matches default logrotate config).

I also symlinked the original xferlog to /var/log/proftpd/xferlog for better visibility.

# Set logging options in /etc/proftpd.conf
SystemLog   /var/log/proftpd/proftpd.log
#DebugLevel 9
# So that ProFTP logging is all visible in one logical place
ln -sf /var/log/xferlog /var/log/proftpd/

G