SFTP Gateway version 2.0 introduces an LDAP-based directory feature for user management. By default, SFTP Gateway will create its own instance of an internal directory service for user management, authentication, and high availability support.
SFTP Gateway stores unique user properties in the LDAP directory. To make full use of SFTP Gateway features, the directory schema for POSIX users or accounts will need to be expanded.
This schema expansion will add the following attributes:
- sshPublicKey - a multi-value attribute with string(unicode) syntax
- bucketName - a single-value attribute with string(unicode) syntax
- uploadPath - a single-value attribute with string(unicode) syntax
- downloadDir - a single-value attribute with Boolean syntax
- sharedDir - a single-value attribute with Boolean syntax
- encrytionOption - a single-value attribute with string(unicode) syntax
This schema expansion will also add the following class:
- sftpUser - this is a subclass of the PosixUser or Posix account (depending on the directory specification) that adds the above attributes as mayContain fields
A copy of a working Active Directory expansion LDIF file, ad_sftpuser.ldif, can be downloaded here and modified to fit your use case.
Configure SFTP Gateway instance
To configure an SFTP Gateway server to authenticate to an external LDAP directory such as Active Directory:
- Install packages:
    sudo yum -y install sssd sssd-ad realmd krb5-workstation
- Join the domain (enter the password when prompted):
    sudo realm join --verbose --user=admin sftpgateway.com
- Edit the sssd config file (sudo vim /etc/sssd/sssd.conf) and modify the following items under your domain section:
    [domain/domain-name]
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
- Restart the sssd service:
    sudo service sssd restart
- Edit the ldap config file (sudo vim /etc/openldap/ldap.conf):
    URI ldap://sftpgateway.com/
    BASE ou=sftpgateway,dc=sftpgateway,dc=com
- Edit the nslcd config (sudo vim /etc/nslcd.conf):
    uri ldap://sftpgateway.com/
    base ou=sftpgateway,dc=sftpgateway,dc=com
    binddn cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
    bindpw password
- Restart the nslcd service:
    sudo service nslcd restart
- Edit the pam ldap config (sudo vim /etc/pam_ldap.conf):
    base ou=sftpgateway,dc=sftpgateway,dc=com
    uri ldap://sftpgateway.com/
    binddn cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
    bindpw password
- Edit the application properties:
    sudo vim /opt/sftpgw/application.properties
First, you will need to create a new group in your directory called sftponly. SFTP Gateway requires users to be a member of this group in order to create and configure the user’s home directory with the SFTP Gateway uploads directory, downloads directory (if configured), and shared directory (if configured). SFTP Gateway will also use this group to force the SFTP connection protocol, and isolate the user in their own home directory. Without this group, the users will have no SFTP Gateway functionality.
Now you can set the user configurations as desired on a per user basis in the directory.
- The sshPublicKey attribute can be set with multiple SSH public keys to allow for user authentication
- The bucketName attribute can be left blank to use the default SFTP Gateway bucket configured for the server, or can be set to the bucket name of any existing bucket in your AWS account or one that you would like to create in your AWS account.
- The uploadPath attribute will be a sub folder structure in the specified bucket where you would like to map that user’s uploads to.
- The downloadDir attribute is a true/false value that determines if the user has a private downloads directory.
- The sharedDir attribute is a true/false value that determines if the user will have access to the shared directory.
- The encrytionOption attribute contains a value of 1 - for SSE-S3, or an AWS KMS ARN.
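As an added example (not tooling from SFTP Gateway or its documentation), the following Python check reads one user entry in LDIF form and validates it against the attributes described above, so that a mistyped Boolean, a second value in a single-valued attribute, a malformed public key or KMS ARN, or a missing sftpUser object class is caught before the entry is loaded into the directory. The sample entry, the SSH key and KMS ARN patterns are assumptions.

```python
import re

# Constructed sample entry (not from the product docs) for one SFTP Gateway user.
SAMPLE_LDIF = """\
dn: cn=alice,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
objectClass: posixAccount
objectClass: sftpUser
sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne alice@laptop
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleKeyTwo alice@desktop
bucketName: example-ingest-bucket
uploadPath: partners/alice/inbound
downloadDir: TRUE
sharedDir: FALSE
encrytionOption: 1
"""

# Attribute rules from the schema expansion: name -> (multi-valued?, syntax)
SCHEMA = {"sshPublicKey": (True, "sshkey"), "bucketName": (False, "string"),
          "uploadPath": (False, "string"), "downloadDir": (False, "boolean"),
          "sharedDir": (False, "boolean"), "encrytionOption": (False, "encryption")}
KMS_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]+$")  # assumed ARN shape
SSH_KEY = re.compile(r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( \S+)?$")
CHECKS = {
    "boolean": lambda v: v in ("TRUE", "FALSE"),                 # LDAP Boolean syntax
    "encryption": lambda v: v == "1" or bool(KMS_ARN.match(v)),  # SSE-S3 or a KMS key ARN
    "sshkey": lambda v: bool(SSH_KEY.match(v)),                  # authorized_keys line format
    "string": lambda v: v != "",
}

def parse_ldif(text):
    """Minimal LDIF reader: attribute -> list of values (no base64 or folded lines)."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip(), []).append(value.strip())
    return entry

def validate_sftp_user(entry):
    """Return the list of problems; an empty list means the entry fits the schema above."""
    problems = []
    if "sftpUser" not in entry.get("objectClass", []):
        problems.append("objectClass sftpUser missing")
    for attr, (multi, syntax) in SCHEMA.items():
        values = entry.get(attr, [])
        if not multi and len(values) > 1:
            problems.append(f"{attr}: single-valued attribute has {len(values)} values")
        problems += [f"{attr}: bad value {v!r}" for v in values if not CHECKS[syntax](v)]
    return problems
```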