Univention Bugzilla – Bug 38753
univention-ftp: broken firewall
Last modified: 2019-01-03 07:17:26 CET
1. univention-ftp provides no proper LDAP integration
2. The firewall configuration is broken:
   - In active mode the server opens an *outgoing* connection from TCP port 20
   - In passive mode the server requires unprivileged ports >= 1024 to be opened for incoming connections.
In any case opening port 20 for *incoming* connections is wrong. Using "nf_conntrack_ftp.ko" should be considered as well.
<https://de.wikipedia.org/wiki/File_Transfer_Protocol#Verbindungsarten>
Perhaps the package should be removed?
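The active/passive distinction above, as an added example (not from this bug report or the univention-ftp package): a parser for the server's PASV reply and the client's PORT command that derives which side opens the data connection and therefore which direction the server-side firewall must permit, the same parsing nf_conntrack_ftp performs to open its pinholes. The passive range 49152-65534 (the kind of value set with ProFTPD's PassivePorts directive) and the control-channel lines are constructed assumptions.

```python
# Added example: derive from the FTP control channel which side opens the data
# connection and what the *server's* firewall must allow.  Passive range and
# sample lines are assumed/constructed, not taken from the bug report.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" is sent by the server
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" is sent by the client
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

@dataclass
class DataConnection:
    mode: str                # "active" or "passive"
    initiator: str           # "server" (active) or "client" (passive)
    src_port: Optional[int]  # server's source port: 20 in active mode
    dst_host: str            # address the initiator connects to
    dst_port: int            # port the initiator connects to

def _hostport(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection(line: str) -> DataConnection:
    """Parse one PASV reply or PORT command into the resulting data connection."""
    line = line.strip()
    if m := PASV_RE.match(line):
        host, port = _hostport(m.groups())
        return DataConnection("passive", "client", None, host, port)
    if m := PORT_RE.match(line):
        host, port = _hostport(m.groups())
        return DataConnection("active", "server", 20, host, port)
    raise ValueError(f"not a PASV reply or PORT command: {line!r}")

def server_firewall_rule(conn: DataConnection,
                         passive_range: Tuple[int, int] = (49152, 65534)) -> Tuple[str, int]:
    """(direction, server port) the server's firewall must allow for this transfer."""
    if conn.mode == "active":
        # Server dials out from port 20; an *incoming* allow on port 20 is never needed.
        return ("outgoing", 20)
    lo, hi = passive_range
    if conn.dst_port < 1024 or not lo <= conn.dst_port <= hi:
        # Passive port outside the configured range: a restricted incoming rule
        # cannot match it, so treat the server as misconfigured.
        raise ValueError(f"passive port {conn.dst_port} outside {lo}-{hi}")
    return ("incoming", conn.dst_port)
```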
Well, the wiki document "LDAP authentication with ProFTP" is not valid for ucs-4.x anymore. The proftpd team changed the ldap configuration completely. I had to change the config lines from the wiki to the following:

    # Only use LDAP Auth
    AuthOrder mod_ldap.c
    <IfModule mod_ldap.c>
      # The LDAP server itself (with or without TLS)
      LDAPServer <fqdn of the DC master/backup/slave>:7389
      LDAPBindDN <DN of the authentication account> <Password of the authentication account>
      # GID to name in dir listing
      LDAPGroups cn=groups,$ldap_base
      # UID to name in dir listing
      LDAPUsers cn=users,$ldap_base (uid=%u) (uidNumber=%u)
      # TLS on/off
      LDAPUseTLS on
      # Create homedir if not exists
      CreateHome on 711 skel /etc/skel
      LDAPGenerateHomedir on
    </IfModule>

That works... @Philipp: don't remove, please!
base/univention-pam/conffiles/etc/pam.d/ftp is not used by ProFTPd - it uses /etc/pam.d/proftpd which is not UCRified. Again: time for removal?
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 ended on 31st of May 2016. Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.