Has anyone had success using Open Directory groups to control access to folders with PureFTPd?
We are currently running Lion Server as an OD master and have been using PureFTPd to give OD users access to their home folders and specific shared folders. We use Server.app, Server Admin, and Workgroup Manager to manage all users and manage folder access. Everything works wonderfully until a user is part of more than 3 groups in Workgroup Manager.
Looking at the output when logging in, PureFTPd restricts a user to be part of no more than 16 groups. If a user is part of more than 16 groups, PureFTPd recognizes 16 and ignores the rest. However, PureFTPd is also reading 12 groups from somewhere else (not listed in Workgroup Manager or Server.app), and it counts the default group towards the limit, meaning that a user can be part of no more than 3 groups in Workgroup Manager. Here is a sample of the output:
331 User testuser OK. Password required
230-User testuser has group access to: com.appl com.appl com.appl odgroup_1
230- netaccou everyone com.appl com.appl com.appl com.appl com.appl odgroup_2
230- com.appl odgroup_3 com.appl all_user
The groups odgroup_1, odgroup_2, and odgroup_3 are the only ones that show in Workgroup Manager, and all_user is the default user group.
The problem is that if we add the user to one more group (let’s call it odgroup_4), PureFTPd won’t recognize it, because it exceeds the limit, meaning that the user won’t have access to the folder that that group controls.
I’ve gone through all the documentation for PureFTPd, but there is nothing that mentions group access restrictions. The only other thing that I think would cause the problem is the Open Directory PAM module needed to authenticate Open Directory users.
I copied the Apple-supplied FTP PAM directives for use with PureFTPd, so in /etc/pam.d/ the file pure-ftpd contains this:
# pure-ftpd: auth account password session
auth required pam_opendirectory.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
This works as it should, except for the obvious group restriction thing. Looking at the documentation for pam_opendirectory.so, I found an option that allows you to change the refresh time for checking group membership. Aha! That must be it! But, alas, it is only for the “account” function class not the “auth” class. Changing the “account” directive above to also use the OD PAM module and this newfound option has no effect on the group restriction problem:
account required pam_opendirectory.so refresh=1 # This doesn't work either
That’s where I get stuck. I can’t think of any other solution. The only “workaround” is to not allow a user to be part of more than 3 groups. I’ve gone through all the entries in Directory Utility to see if I could find all the com.appl groups that PureFTPd is reading, but they’re not there, and I’m not well versed enough with dscl to see if I could poke around somewhere else, but that’s where I’m going to try next.
If you’re still reading this, I am extremely thankful! I would really appreciate any insight you might have to offer.
I should mention that everything works perfectly over AFP, if that helps in any way.
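As an added check (example code, not part of the original post): a small POSIX shell script that parses the "230-" login banner PureFTPd prints, as quoted above, and reports how many of the group slots a user has consumed. The 16-group limit and the sample banner are assumptions taken from the post, and the com.appl entries are treated as the hidden system groups.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the PureFTPd login banner
# ("230-User ... has group access to: ...") and reports how many of the group
# slots are used, how many belong to com.appl system groups, and how many are
# left for Workgroup Manager groups before the server starts ignoring them.

PUREFTPD_GROUP_LIMIT=16   # limit observed in the post; assumed constant

# Constructed sample, same shape as the banner quoted in the post.
SAMPLE_BANNER='331 User testuser OK. Password required
230-User testuser has group access to: com.appl com.appl com.appl odgroup_1
230- netaccou everyone com.appl com.appl com.appl com.appl com.appl odgroup_2
230- com.appl odgroup_3 com.appl all_user
230 OK. Current directory is /'

# Constructed smaller sample: a user in only a handful of groups.
SAMPLE_BANNER_SMALL='230-User other OK. has group access to: everyone odgroup_1
230- netaccou all_user'

# Print one group name per line from a banner read on stdin.
banner_groups() {
    sed -n 's/^230-User .* has group access to: *//p; s/^230- //p' |
        tr ' ' '\n' | sed '/^$/d'
}

# Total number of groups the server recognised.
group_total() { banner_groups | wc -l | tr -d ' '; }

# Groups whose (8-character truncated) name starts with com.appl.
hidden_total() { banner_groups | grep -c '^com\.appl'; }

# Slots left for additional groups; 0 means the cap has been reached.
free_slots() {
    total=$(group_total)
    if [ "$total" -ge "$PUREFTPD_GROUP_LIMIT" ]; then
        echo 0
    else
        echo $((PUREFTPD_GROUP_LIMIT - total))
    fi
}

# Human-readable summary for a banner read on stdin.
report() {
    banner=$(cat)
    printf 'recognised groups: %s (limit %s)\n' \
        "$(printf '%s\n' "$banner" | group_total)" "$PUREFTPD_GROUP_LIMIT"
    printf 'com.appl system groups: %s\n' "$(printf '%s\n' "$banner" | hidden_total)"
    printf 'free slots: %s\n' "$(printf '%s\n' "$banner" | free_slots)"
}
```

Run it as `printf '%s\n' "$SAMPLE_BANNER" | report`, or pipe in the banner captured from a real login to see whether a user is already at the limit.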