M-E

Reputation: 168

Using LDAP for user authentication in VSFTPD in RHEL8

I want to set up a new FTP server using vsftpd on RHEL8; for user authentication we would like to use LDAP (389 Directory Server). As I understood, the ldap_pam.so module is deprecated in RHEL8, so I'm wondering how to connect the remote LDAP server to my vsftpd service without the PAM module?

Upvotes: 0

Views: 2482

Answers (2)

M-E

Reputation: 168

Here is the full setup for the connection between vsftpd and LDAP on RHEL8:

in /etc/vsftpd/vsftpd.conf:

pam_service_name=vsftpd

in /etc/pam.d/vsftpd:

#%PAM-1.0
# Password check goes to sssd; domains= limits which sssd domain may log in via FTP
auth required pam_sss.so domains=vsftpd
# Account validity (expiry, access control) is also answered by sssd
account required pam_sss.so

in /etc/sssd/sssd.conf (must be owned by root and mode 0600, or sssd refuses to start):

[sssd]
config_file_version = 2
# the pam responder must be enabled for pam_sss.so to work
services = nss, pam
domains = vsftpd

[domain/vsftpd]
id_provider = ldap
sudo_provider = none
auth_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = ou=example1,ou=example2

Upvotes: 0
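A consistency check for a pam_sss.so / sssd.conf pairing like the one in this answer, added here as an example (it is not part of the original answer and not an sssd or vsftpd tool). It confirms that the domain named on the pam_sss.so line is enabled in sssd.conf, that the pam responder is on, that the domain section exists, and it flags an LDAP auth backend with TLS explicitly disabled; the two sample files it writes are constructed to mirror the answer's layout, and the host name in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original answer: lint a pam_sss + sssd.conf pair.
# lint_sssd_pam PAM_FILE SSSD_CONF
#   prints one line per finding; exit status is the number of problems found

# ini_get FILE SECTION KEY -> value of KEY inside [SECTION], whitespace stripped
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
        sec == want {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) { v = substr($0, eq + 1); gsub(/[[:space:]]/, "", v); print v; exit }
        }' "$1"
}

lint_sssd_pam() {
    pam_file=$1
    sssd_conf=$2
    problems=0

    # First domain named in the domains= option of the pam_sss.so auth line (empty if none)
    pam_domain=$(grep -E '^auth[[:space:]]+required[[:space:]]+pam_sss\.so' "$pam_file" |
        sed -n 's/.*domains=\([^[:space:],]*\).*/\1/p' | head -n 1)
    sssd_domains=$(ini_get "$sssd_conf" sssd domains)
    services=$(ini_get "$sssd_conf" sssd services)

    case ",$services," in
        *,pam,*) ;;
        *) echo "problem: [sssd] services = '$services' does not include pam"
           problems=$((problems + 1)) ;;
    esac

    if [ -z "$pam_domain" ]; then
        echo "note: pam_sss.so has no domains= restriction; every sssd domain may log in over FTP"
    else
        case ",$sssd_domains," in
            *",$pam_domain,"*) ;;
            *) echo "problem: PAM restricts to domain '$pam_domain' but [sssd] domains = '$sssd_domains'"
               problems=$((problems + 1)) ;;
        esac
        if ! grep -q "^\[domain/$pam_domain\]" "$sssd_conf"; then
            echo "problem: no [domain/$pam_domain] section in $sssd_conf"
            problems=$((problems + 1))
        fi
    fi

    # auth_provider defaults to id_provider when it is not set explicitly
    dom=${pam_domain:-$(echo "$sssd_domains" | cut -d, -f1)}
    auth=$(ini_get "$sssd_conf" "domain/$dom" auth_provider)
    auth=${auth:-$(ini_get "$sssd_conf" "domain/$dom" id_provider)}
    uri=$(ini_get "$sssd_conf" "domain/$dom" ldap_uri)
    notls=$(ini_get "$sssd_conf" "domain/$dom" ldap_auth_disable_tls_never_use_in_production | tr 'A-Z' 'a-z')
    if [ "$auth" = ldap ]; then
        if [ "$notls" = true ]; then
            echo "problem: plaintext LDAP password binds are enabled for domain '$dom'"
            problems=$((problems + 1))
        fi
        case $uri in
            ldaps://*) ;;
            ldap://*) echo "note: ldap_uri '$uri' is not ldaps://; sssd will insist on StartTLS for password binds, so the server's CA must be trusted (ldap_tls_cacert)" ;;
        esac
    fi
    return "$problems"
}

# Write two constructed sample files (layout of the answer above) into DIR
make_sample_configs() {
    cat > "$1/pam-vsftpd" <<'EOF'
#%PAM-1.0
auth required pam_sss.so domains=vsftpd
account required pam_sss.so
EOF
    cat > "$1/sssd.conf" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = vsftpd

[domain/vsftpd]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = ou=example1,ou=example2
EOF
}

# Usage: lint the constructed pair (exit status 0 means no problems)
tmp=$(mktemp -d)
make_sample_configs "$tmp"
lint_sssd_pam "$tmp/pam-vsftpd" "$tmp/sssd.conf" && echo "ok: PAM and sssd.conf agree"
rm -r "$tmp"
```

Point the script at the real /etc/pam.d/vsftpd and /etc/sssd/sssd.conf (as root, since sssd.conf is mode 0600) to check a live host; a domain name on the pam_sss.so line that does not appear in the [sssd] domains list is the most common reason a setup like this silently rejects every login.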

grawity_u1686

Reputation: 16122

The standalone pam_ldap and libnss_ldap modules (developed by PADL) are obsolete, but they have near-drop-in replacements that come with the nslcd daemon and are also called pam_ldap and libnss_ldap. They might be found in the "nss-pam-ldapd" package.

(The old modules were removed in part because they performed LDAP requests in-process, requiring libldap and all its dependencies to be loaded into every single process that performed user lookups, which caused all kinds of problems. The newer variant of pam_ldap that comes with nslcd/nss-pam-ldapd does not have such issues.)

However, Red Hat's preferred option is probably the sssd service, which uses the pam_sss and libnss_sss modules. It is somewhat optimized for MS AD and FreeIPA, but can still work with any generic LDAP (and Kerberos) server.

Upvotes: 1
