[NCLUG] Is it possible to have LDAP use a different password field by service

Stephen Warren swarren at wwwdotorg.org
Sun Oct 25 13:43:45 MDT 2009


Kevin H. Olson wrote:
>   I have a server utilizing ldap for user authentication. For SSH, it is
> working perfectly. I want to make an FTP server that is accessible to
> the individuals who are in the ldap directory. However, I would like to
> use a different password field, such that the password used for the FTP
> server is different than the password used for the ssh. Basically, I
> don't want people to send in the clear text of FTP the same password the
> user would enter in the ssh.

Why use regular ftp at all? Why not use sftp; works basically the same, 
but uses SSH as the transport. You can even use public keys instead of 
passwords too. Alternatively, there's ftps (FTP over SSL) which 
negotiates SSL first, then logs in. Alternatively again, you could share 
the files over HTTPS (HTTP over SSL) and add authentication to that, and 
even allow uploads and "mounting" the share over WebDAV.

>   I was hoping that it is possible to specify in the /etc/pam.d/vsftpd
> file a parameter for the attribute in the ldap service to utilize for
> the password. I've looked at what documentation I could find, and the
> only parameters noted were "try_first_pass" and "use_first_pass".

Typically when you use LDAP-based authentication, you configure the 
"NSS" system (e.g. via /etc/nsswitch.conf, and other LDAP-specific conf 
files) to search LDAP. In that case, I don't think you'll find a way to 
use per-service passwords. If your server application can talk to LDAP 
directly (e.g. apache can for HTTP(S) services), then you may be able to 
configure each individual app differently.
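As an added illustration of the FTPS option mentioned above (not part of the original thread): a vsftpd.conf fragment showing the clear-text default beside a configuration that forces TLS negotiation before the LDAP password is sent. Certificate and key paths are assumptions.

```ini
# --- Weak: default vsftpd behaviour, password and data travel in clear text ---
# ssl_enable=NO
# pam_service_name=vsftpd      ; PAM/LDAP password sent unencrypted on port 21

# --- Hardened: explicit FTPS (AUTH TLS) negotiated before USER/PASS ---
ssl_enable=YES
# Refuse any login or data transfer that did not negotiate TLS first
force_local_logins_ssl=YES
force_local_data_ssl=YES
# Anonymous users are not in LDAP; keep them off the TLS path entirely
anonymous_enable=NO
allow_anon_ssl=NO
# Disable legacy protocol versions; TLS only
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
ssl_ciphers=HIGH
# Server certificate and key (assumed paths; use your own cert)
rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.key
# Same PAM stack as before; only the transport changed
pam_service_name=vsftpd
# Fixed passive port range so a firewall can admit the TLS data channel
pasv_min_port=40000
pasv_max_port=40100
```

With force_local_logins_ssl=YES, a client that sends USER before AUTH TLS is rejected, so the same LDAP password can be reused without exposing it on the wire.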
