[PLUG] vsftpd + ldap folks around?

drew wymore drew.wymore at gmail.com
Mon Jan 26 09:56:30 UTC 2009


I apologize in advance for the length of the message but I'm trying to
provide as much information as I possibly can.


I have been running openldap for about 5 years now and until now have never
had a problem. Specifically attempting to authenticate an FTP session is
failing in ways that I do not understand.

I am intermittently seeing this happen when attempting an ftp login ( yeah I
know ... from a Windows box -sigh- )

C:\Users\drew\Desktop>ftp
ftp> open techiekb.com
Connected to techiekb.com.
220 (vsFTPd 2.0.5)
User (techiekb.com:(none)): drew
331 Please specify the password.
Password:
500 OOPS: cannot locate user entry:drew
500 OOPS: child died
Connection closed by remote host.
ftp>

What I have been able to track down so far is that vsftpd is now looking for
users in /etc/passwd instead of using LDAP auth. I have LDAP configured via
nsswitch.conf which has worked wonderfully for years. All other services
that use LDAP (SSH, Apache, Squid) are all working fine.

When I don't receive that particular error message, I am able to login
(which tells me that vsftpd is talking to ldap somehow) but it's not pulling
proper group permissions so I can't upload anything to the server nor can
any of the people who are hosted on this machine.

There haven't been any recent package changes. The configuration files for
vsftpd and inetd (which is what vsftpd was being run from until I decided to
run it in stand-alone mode) are the same and nothing has changed in them in
_forever_. The LDAP configs have been changed recently to allow for TLS
support, but the FTP service was working after those changes were made and
after LDAP was restarted with the new config; at the time of those changes
FTP was running out of inetd, which had also been restarted and was working
fine.

The logs show that up until at least last Tuesday that authentication was
working as expected.

I did do the upgrade of vsftpd/inetd packages for my distro (Slackware) just
for grins and saw the same behaviour and went back to the original stock
packages that shipped with the version I'm running.

I enabled logging for vsftpd transactions and what is weird to me is that it
shows the request, the response and an OK event when the child spawned to
handle my request commits suicide; they seem to indicate that the client is
terminating the connection and not the host, which is not the case. When it
*does* authenticate me and I attempt an upload, the logs show an OK status
as well even though the client reports that there was permission denied due
to the fact that the group/user perms aren't being pulled from the LDAP
server.

I'm stumped. I even ran strace on the binary while performing client to
server interaction and didn't see anything that looked out of place for the
behaviour I was seeing.

I have googled for the issue and there are various posts/solutions for it,
none of which have worked in my case. All the documentation I have found so
far indicates that PAM is required for this to work, which I know to not be
the case since up until sometime last week apparently it was working fine. I
don't have PAM installed and won't install it unless I absolutely *have* to.
It's omitted from Slackware because of the numerous security flaws it's been
a part of in the past; I'm not trying to start a "my distro is better than
your distro" conversation here though. The less complicated the better and
PAM just complicates things IMHO.

I have even restarted the box on the off chance something else was
interfering and that didn't help the cause either, other than losing 295
days of uptime =*(

Any thoughts, ideas, advice, voodoo chants?

Cheers,
Drew-

P.S.
Rich, we really need to go have that beer or 10.
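Since vsftpd without PAM depends entirely on the libc getpwnam()/getgrnam() path that nsswitch.conf steers, the first thing to verify for a "cannot locate user entry" failure is what NSS is actually configured to consult and whether the login name resolves through it. The script below is an added diagnostic written for this thread, not code from the original post or from vsftpd; it assumes a glibc-style nsswitch.conf and a `getent` binary, and the file paths can be overridden through the NSSWITCH and PASSWD variables.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): show which sources the NSS
# passwd/group/shadow databases use, and whether a login resolves from
# the local passwd file, from another NSS source (LDAP), or not at all.
NSSWITCH=${NSSWITCH:-/etc/nsswitch.conf}
PASSWD=${PASSWD:-/etc/passwd}

# nss_sources DB [FILE]: print the source list for DB, e.g. "files ldap"
# for the line "passwd: files ldap"; comments and trailing blanks dropped.
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }
        $0 ~ "^[ \t]*" db "[ \t]*:" {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "${2:-$NSSWITCH}"
}

# nss_uses_ldap DB [FILE]: succeed only if "ldap" is among DB's sources.
nss_uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# user_source USER [PASSWD_FILE]: "files" if USER is in the local passwd
# file, "nss" if getent resolves it elsewhere (LDAP), "none" if the lookup
# fails, which is the state vsftpd reports as "cannot locate user entry".
user_source() {
    if grep -q "^$1:" "${2:-$PASSWD}" 2>/dev/null; then
        echo files
    elif getent passwd "$1" >/dev/null 2>&1; then
        echo nss
    else
        echo none
        return 1
    fi
}

# report USER: per-database sources, the user's resolution, and the
# group list libc sees (local-only groups mean the LDAP group map is
# not being consulted either, matching the "no upload perms" symptom).
report() {
    for db in passwd group shadow; do
        printf '%-7s -> %s\n' "$db" "$(nss_sources "$db")"
    done
    printf 'user %s resolves via: %s\n' "$1" "$(user_source "$1")"
    printf 'groups: %s\n' "$(id -nG "$1" 2>/dev/null)"
}

if [ -n "${1:-}" ]; then report "$1"; fi
```

Run it as `sh nsscheck.sh drew` on the FTP host; a "none" or local-only answer while SSH still logs the same user in points at the daemon's own NSS view (chroot, environment, or a different libc path) rather than at the directory.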