SFTP Gateway 2.0 External LDAP Integration
SFTP Gateway version 2.0 introduces an LDAP based directory feature for user management. By default, SFTP Gateway will reate its own instance of an internal directory service for user management, authentication, and high availability support.
Schema Expansion
SFTP Gateway stores unique user properties in the LDAP directory. To make full use of SFTP Gateway features, the directory schema for POSIX users or accounts will need to be expanded.
This schema expansion will add the following attributes:
- sshPublicKey - a multi-value attribute with string(unicode) syntax
- bucketName - a single-value attribute with string(unicode) syntax
- uploadPath - a single-value attribute with string(unicode) syntax
- downloadDir - a single-value attribute with Boolean syntax
- sharedDir - a single-value attribute with Boolean syntax
- encrytionOption - a single-value attribute with string(unicode) syntax
This schema expansion will also add the following class:
- sftpUser - this is a sub class of the PosixUser or Posix account (depending on the directory specification) that adds the above attributes as mayContain field
A copy of a working Active Directory expansion ldif file can be downloaded and modified to fit your use case, here ad_sftpuser.ldif
Configure SFTP Gateway instance
To configure an SFTP Gateway server to authenticate to an external LDAP directory such as Active Directory:
Install the following packages
sudo yum -y install sssd sssd-ad realmd krb5-workstation
Join the server to your domain
sudo realm join --user=<admin_user> <your_directory> --verbose
Enter the password
Configure the authorization
authconfig --enableldap --enableldapauth --enablesssd --enablesssdauth --ldapserver="ldap://<your_directory_uri>/" --ldapbasedn="<DC=sftpgateway,DC=com>" --enablemkhomedir --update
Note: replace <DC=sftpgateway,DC=com> with your domain base DN and <your_directory_uri> with your domain URI or DNS name.
Edit the
/usr/local/bin/pamwrapper.sh
script to read as follows#!/bin/sh user=${PAM_USER} # Only run if the user is a member of the sftponly group if [[ $(groups $user) != *"sftponly"* ]]; then exit 0 fi if [[ "$PAM_TYPE" == "close_session" ]]; then (/usr/local/bin/ts -n bash -c '${0} ${1+"$@"}' /usr/local/bin/userfolderscan "$user") & exit 0 elif [[ "$PAM_TYPE" == "open_session" ]]; then usersetup "$user" chown root:${user}Group /home/${user} fi
Edit the ssd config file sudo vim /etc/sssd/sssd.conf and modify the following items under your domain section
[domain/domain-name] use_fully_qualified_names = False fallback_homedir = /home/%u
Restart the sssd service sudo service sssd restart
Update the application properties file with your domian user user credentails -
/opt/sftpgw/application.properties
admin.connect.string=<cn=admin,ou=users,dc=sftpgateway,dc=com> spring.ldap.password=<your_admin_password>
Note: replace the <cn=admin,ou=users,dc=sftpgateway,dc=com> with your domain admin user's DN and <your_admin_password> with your domain admin's password.
Configure users
First, you will need to create a new group in your directory called sftponly. SFTP Gateway requires users to be a member of this group in order to create and configure the user’s home directory with the SFTP Gateway uploads directory, downloads directory (if configured), and shared directory (if configured). SFTP Gateway will also use this group to force the SFTP connection protocol, and isolate the user in their own home directory. Without this group, the users will have no SFTP Gateway functionality.
Next, you will need to create a group for each user that is named <username>Group
. This will be used to set
permissions for the user to traverse their home directory. For example, a user named bob should have a group called
bobGroup
and bob should be the only member of this group.
Now you can set the user configurations as desired on a per user basis in the directory.
- The sshPublicKey attribute can be set with multiple SSH public keys to allow for user authentication
- The bucketName attribute and be left blank to use the default SFTP Gateway bucket configured for the server, or can be set the the bucket name of any existing bucket in your AWS account or one that you would like to create in your AWS account.
- The uploadPath attribute will be a sub folder structure in the specified bucket where you would like to map that user’s uploads to.
- The downloadDir attribute is a true/false value that determines if the user has a private downloads directory.
- The sharedDir attribute is a true/false value that determines if the user will have access to the shared directory.
- The encrytionOption attribute contains a value of 1 - for SSE-S3, or an AWD KMS ARN.