
SFTP Gateway 2.0 External LDAP integration

Last updated on 10 Oct, 2019

SFTP Gateway version 2.0 introduces an LDAP based directory feature for user management. By default, SFTP Gateway will create its own instance of an internal directory service for user management, authentication, and high availability support.

Schema Expansion

SFTP Gateway stores unique user properties in the LDAP directory. To make full use of SFTP Gateway features, the directory schema for POSIX users or accounts will need to be expanded.

This schema expansion will add the following attributes:

  • sshPublicKey - a multi-value attribute with string(unicode) syntax

  • bucketName - a single-value attribute with string(unicode) syntax

  • uploadPath - a single-value attribute with string(unicode) syntax

  • downloadDir - a single-value attribute with Boolean syntax

  • sharedDir - a single-value attribute with Boolean syntax

  • encrytionOption - a single-value attribute with string(unicode) syntax

This schema expansion will also add the following class:

  • sftpUser - a subclass of the PosixUser or Posix account class (depending on the directory specification) that adds the attributes above as mayContain fields

A working Active Directory expansion LDIF file, ad_sftpuser.ldif, can be downloaded and modified to fit your use case.

Configure SFTP Gateway instance

To configure an SFTP Gateway server to authenticate to an external LDAP directory such as Active Directory:

  • Install packages: sudo yum -y install sssd sssd-ad realmd krb5-workstation

  • Join the domain: sudo realm join --verbose --user=admin sftpgateway.com, then enter the password when prompted

  • Edit the sssd config file, sudo vim /etc/sssd/sssd.conf, and modify the following items under your domain section:

    [domain/domain-name]
    use_fully_qualified_names = False
    fallback_homedir = /home/%u

  • Restart the sssd service: sudo service sssd restart

  • Edit the ldap config file, sudo vim /etc/openldap/ldap.conf:

    URI ldap://sftpgateway.com/
    BASE ou=sftpgateway,dc=sftpgateway,dc=com

  • Edit the nslcd config, sudo vim /etc/nslcd.conf:

    uri ldap://sftpgateway.com/
    base ou=sftpgateway,dc=sftpgateway,dc=com
    binddn cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
    bindpw password

  • Restart the nslcd service: sudo service nslcd restart

  • Edit the pam ldap config, sudo vim /etc/pam_ldap.conf:

    base ou=sftpgateway,dc=sftpgateway,dc=com
    uri ldap://sftpgateway.com/
    binddn cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
    bindpw password

  • Edit the application properties, sudo vim /opt/sftpgw/application.properties:

    admin.connect.string=cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com
    spring.ldap.password=password
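The script below is an added example and is not part of the article or of SFTP Gateway itself. It renders the five configuration fragments from the steps above into a staging directory (mirroring /etc and /opt) so they can be reviewed before being copied into place, and then audits the result for the two weaknesses this setup invites: the same bind password sits in three files (nslcd.conf, pam_ldap.conf and application.properties), so those files must not be group- or world-readable, and a simple bind over a plain ldap:// URI sends that password in cleartext unless the client uses ldaps:// or STARTTLS (the nslcd and pam_ldap "ssl start_tls" option). The values default to the ones the article shows; DOMAIN_NAME, BIND_DN, BIND_PW and the staging directory are placeholders you replace for your environment.

```shell
#!/bin/sh
# Added example, not SFTP Gateway's own tooling: render the configuration
# fragments from the steps above into a staging directory (mirroring /etc and
# /opt) for review, then audit the files that embed the bind password.
# Defaults are the article's values; DOMAIN_NAME, BIND_DN and BIND_PW are
# placeholders to replace.
DOMAIN_NAME="${DOMAIN_NAME:-sftpgateway.com}"
LDAP_URI="${LDAP_URI:-ldap://sftpgateway.com/}"
BASE_DN="${BASE_DN:-ou=sftpgateway,dc=sftpgateway,dc=com}"
BIND_DN="${BIND_DN:-cn=admin,ou=users,ou=sftpgateway,dc=sftpgateway,dc=com}"
BIND_PW="${BIND_PW:-password}"

# render_configs DIR: write each fragment under DIR and make every file that
# carries BIND_PW readable by its owner only.
render_configs() {
    dir="$1"
    mkdir -p "$dir/etc/sssd" "$dir/etc/openldap" "$dir/opt/sftpgw"

    # /etc/sssd/sssd.conf: the two keys added under the domain section
    cat > "$dir/etc/sssd/sssd.conf" <<EOF
[domain/$DOMAIN_NAME]
use_fully_qualified_names = False
fallback_homedir = /home/%u
EOF

    # /etc/openldap/ldap.conf: client defaults for the OpenLDAP tools
    cat > "$dir/etc/openldap/ldap.conf" <<EOF
URI $LDAP_URI
BASE $BASE_DN
EOF

    # /etc/nslcd.conf: the name-service daemon binds with the real password
    cat > "$dir/etc/nslcd.conf" <<EOF
uri $LDAP_URI
base $BASE_DN
binddn $BIND_DN
bindpw $BIND_PW
EOF

    # /etc/pam_ldap.conf: the same credentials for PAM
    cat > "$dir/etc/pam_ldap.conf" <<EOF
base $BASE_DN
uri $LDAP_URI
binddn $BIND_DN
bindpw $BIND_PW
EOF

    # /opt/sftpgw/application.properties: the gateway's own bind settings
    cat > "$dir/opt/sftpgw/application.properties" <<EOF
admin.connect.string=$BIND_DN
spring.ldap.password=$BIND_PW
EOF

    # Credential-bearing files: owner read/write only (sshd and nslcd read
    # them as root, so this does not break authentication).
    chmod 600 "$dir/etc/nslcd.conf" "$dir/etc/pam_ldap.conf" \
              "$dir/opt/sftpgw/application.properties"
}

# audit_configs DIR: return 1 and print a warning for every credential file
# that is group/world readable and for every cleartext ldap:// bind.
audit_configs() {
    dir="$1"; rc=0
    for f in etc/nslcd.conf etc/pam_ldap.conf opt/sftpgw/application.properties; do
        # positions 5-10 of "ls -l" output are the group and other permission bits
        if [ "$(ls -ld "$dir/$f" | cut -c5-10)" != "------" ]; then
            echo "WARN: $f carries the bind password but is group/world readable" >&2
            rc=1
        fi
    done
    for f in etc/nslcd.conf etc/pam_ldap.conf; do
        if grep -q '^uri ldap://' "$dir/$f" && ! grep -q '^ssl start_tls' "$dir/$f"; then
            echo "WARN: $f binds over cleartext LDAP; use ldaps:// or 'ssl start_tls'" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: STAGE=$(mktemp -d); render_configs "$STAGE" && audit_configs "$STAGE"
```

Run it with the article's defaults and the audit fails on the cleartext ldap:// URI; set LDAP_URI to an ldaps:// address (or add "ssl start_tls" to the nslcd and pam_ldap files) and it passes. Copy the fragments into the real paths only after the audit is clean, and keep the 0600 mode on the three credential files when you do.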

Configure users

First you will need to create a new group in your directory called sftponly. SFTP Gateway requires users to be a member of this group in order to create and configure the user’s home directory with the SFTP Gateway uploads directory, downloads directory (if configured), and shared directory (if configured). SFTP Gateway will also use this group to force the SFTP connection protocol, and isolate the user in their own home directory. Without this group, the users will have no SFTP Gateway functionality.

Now you can set the user configurations as desired on a per user basis in the directory.

  • The sshPublicKey attribute can be set with multiple SSH public keys to allow for user authentication

  • The bucketName attribute can be left blank to use the default SFTP Gateway bucket configured for the server, or can be set to the name of any existing bucket in your AWS account, or of one that you would like to create in your AWS account.

  • The uploadPath attribute is a sub folder structure in the specified bucket to which that user’s uploads are mapped.

  • The downloadDir attribute is a true/false value that determines if the user has a private downloads directory.

  • The sharedDir attribute is a true/false value that determines if the user will have access to the shared directory.

  • The encrytionOption attribute contains a value of 1 - for SSE-S3, or an AWS KMS ARN.
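The helper below is an added example, not part of the article or of SFTP Gateway, and it covers both the schema expansion described earlier and the per-user settings listed here. It checks each value against the syntax the schema declares (downloadDir and sharedDir use Boolean syntax, so only TRUE or FALSE; encrytionOption is 1 or a KMS key ARN; bucketName is blank or a valid S3 bucket name) and only then prints the LDIF that adds the sftpUser object class, the attributes and sftponly group membership to an existing account, so a malformed value is rejected locally instead of failing, or silently misbehaving, in the directory. The ou=users container, the cn=sftponly group DN under ou=groups, the Active Directory style "member" attribute for group membership and all sample values are assumptions.

```shell
#!/bin/sh
# Added example, not SFTP Gateway's own tooling: validate the per-user values
# against the attribute syntaxes from the schema expansion, then print the LDIF
# that turns an existing account into an sftpUser and adds it to sftponly.
# Assumptions: accounts live under ou=users, the group is cn=sftponly under
# ou=groups, and membership is the Active Directory style "member" attribute.
BASE_DN="${BASE_DN:-ou=sftpgateway,dc=sftpgateway,dc=com}"
SFTPONLY_GROUP_DN="${SFTPONLY_GROUP_DN:-cn=sftponly,ou=groups,$BASE_DN}"

# Boolean syntax (downloadDir, sharedDir) accepts only TRUE or FALSE.
is_bool() { [ "$1" = "TRUE" ] || [ "$1" = "FALSE" ]; }

# encrytionOption is "1" for SSE-S3 or an AWS KMS key ARN.
is_encryption_option() {
    case "$1" in
        1)                      return 0 ;;
        arn:aws:kms:*:*:key/*)  return 0 ;;
        *)                      return 1 ;;
    esac
}

# bucketName may be blank (use the server default); otherwise enforce the S3
# naming rule: 3-63 characters of lowercase letters, digits, dots and hyphens.
is_bucket_name() {
    if [ -z "$1" ]; then return 0; fi
    printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'
}

# sftpuser_ldif NAME BUCKET UPLOADPATH DOWNLOADDIR SHAREDDIR ENCOPT KEY...
# Prints the LDIF on success; prints the reason to stderr and returns 1 on a
# value the directory schema would not accept.
sftpuser_ldif() {
    name="$1"; bucket="$2"; upload="$3"; dl="$4"; shared="$5"; enc="$6"
    shift 6
    is_bucket_name "$bucket"    || { echo "bad bucketName: $bucket" >&2; return 1; }
    is_bool "$dl"               || { echo "downloadDir must be TRUE or FALSE" >&2; return 1; }
    is_bool "$shared"           || { echo "sharedDir must be TRUE or FALSE" >&2; return 1; }
    is_encryption_option "$enc" || { echo "bad encrytionOption: $enc" >&2; return 1; }
    [ $# -ge 1 ]                || { echo "at least one sshPublicKey is required" >&2; return 1; }
    user_dn="cn=$name,ou=users,$BASE_DN"

    printf 'dn: %s\nchangetype: modify\n' "$user_dn"
    printf 'add: objectClass\nobjectClass: sftpUser\n-\n'
    printf 'add: sshPublicKey\n'                  # multi-valued: one line per key
    for key in "$@"; do printf 'sshPublicKey: %s\n' "$key"; done
    printf '%s\n' '-'
    if [ -n "$bucket" ]; then printf 'add: bucketName\nbucketName: %s\n-\n' "$bucket"; fi
    printf 'add: uploadPath\nuploadPath: %s\n-\n' "$upload"
    printf 'add: downloadDir\ndownloadDir: %s\n-\n' "$dl"
    printf 'add: sharedDir\nsharedDir: %s\n-\n' "$shared"
    printf 'add: encrytionOption\nencrytionOption: %s\n-\n' "$enc"
    # Without sftponly membership the gateway sets up nothing for the user.
    printf '\ndn: %s\nchangetype: modify\nadd: member\nmember: %s\n' \
        "$SFTPONLY_GROUP_DN" "$user_dn"
}

# Usage (constructed key): sftpuser_ldif alice "" incoming/alice TRUE FALSE 1 \
#   "ssh-ed25519 AAAA... alice" | ldapmodify -x -D "<bind dn>" -W
```

Piping the output into ldapmodify keeps the validation in front of the directory write; on an OpenLDAP posixGroup you would emit memberUid with the bare account name instead of the member DN shown here.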
