lest the tubes become overfull…

Enabling Filezilla Server integration with Active Directory authentication 2009-10-22

64px-Filezilla_logo

updated 2010-08-19  It looks like the fine folk over at Filezilla have added a beta LDAP integration capability into the server product. See the bottom of this forum post http://forum.filezilla-project.org/viewtopic.php?f=6&t=11146&start=15 for more information on that. You may want to use their new capability rather than adding a third party piece like I have done below. Thanks to reader tomczyk for clueing me in.

Filezilla has to be one of my favourite SourceForge projects. I have been using the client and the server for many years, and the ONLY thing I could wish for is that the server would support SFTP (FTP over SSH) connections. That aside, I’ve got nothing but love for the products. Recently, I needed to setup a Filezilla server that would authenticate against Active Directory instead of its local accounts store. This is fairly straight-forward, as detailed below. Using these steps, users will authenticate using AD credentials (either sAMAccountName or UPN), authentication is dependent on valid, active accounts, and no credentials are transmitted in the clear from the Filezilla server to the doman controller.

Filezilla

Since you will be using domain credentials to access the server, you SHOULD NOT use FTP! Remember that FTP is a cleartext protocol, including authentication. Filezilla supports FTP over SSL/TLS, and this is what you should be using to protect credentials and data in transit.

  1. Download and install Filezilla server if you have not already. Check the version. As of this post, that is 0.9.33.
  2. Once installed, stop the service using the menu item, or
    net stop “filezilla server ftp server” [enter]
  3. Download the appropriate zip file for your version from the link in this forum post. As I am using 0.9.33, the link to the correct zip file is here.
  4. Extract those files, and copy them to the c:\program files\filezilla server directory. I opted to rename the original “filezilla server.exe” just in case, but you can choose to overwrite it if you wish.
  5. Open the oldapcheck.ini file in a text editor, and configure it for your environment. As an example, where internal.tld is the DNS name for my domain (think DNS round-robin) and @internal.tld is my domain UPN suffix, and I do have certificates on my domain controllers…
    [settings]
    server=internal.tld
    domain=@internal.tld
    TLS=Y
  6. This next part seems a bit strange, but all we are doing is fooling the process into NOT checking for a valid cert. For an internal purpose, I find this acceptable, and it keeps me from having to download the server certificate and the convert it to PEM format.
  7. Create an empty directory structure as follows
    C:\OpenLdap\sysconf\
    and create a file in that directory called ldap.conf.
  8. Paste the following into that file
    TLS_REQCERT never
    #TLS_CACERT C:\OpenLdap\sysconf\certs\my_ldap_cert.pem
  9. Restart the Filezilla service.

Now, the way this works is that when a user connects, Filezilla will first check to make sure the user exists in Filezilla…meaning that you still have to provision the user in Filezilla, with a username that matches his/her AD samAccountName. If the user exists in the Filezilla account store, Filezilla first tries to authenticate against that, and only if that fails will the server then try AD. So make sure you create a user account in Filezilla with a bogus password. If the username does not exist in Filezilla, you will lasso the fail whale when the user tries to connect. All FTP rights must still be set using the Filezilla interface…nothing changes there.

That is all there is to it. Remember, FTP is a cleartext protocol, so if you are setting this up for your domain users, use FTPS. If this is only for external users contained within an LDAP store like ADAM, LDS, or an extranet domain, I suppose you can do this if you need, but since Filezilla supports FTPS on both client and server, there is really no need, is there? I hope this helps you.

Special thanks to jcarlos # albacete.org for his original post in the Filezilla forum and all his work on this. Check out his site at http://www.dreamcamip.com/?l=en.
keywords: filezilla, active directory, ldap, authentication


%d bloggers like this: