Most systems I have seen use an almost totally open FTP server. I feel comfortable with the ProFTPd server, so that is what is going to be installed.
As with everything Debian, we add packages to the system:
apt-get install proftpd-ldap
And that should be it...
I don't need much in the way of configuration. I want my www-users to be restricted to their home directories, and I need to be able to authenticate against an LDAP database.
Limiting users to their home directories is done on a per-group basis. That is to say, if a user is a member of a specific group, they are confined to their home directory.
Whenever I add a user that only needs access to do www-uploads and the like, I just add them to the www-users group, and then limit that group.
The limiting is done by adding the following line in /etc/proftpd.conf:
DefaultRoot ~ www-users
Users in the www-users group are now limited to their home directory. Note that this rule says nothing about anyone else: users who are not in www-users are not chrooted and can still browse the rest of the filesystem, so check by logging in as a member of www-users and confirming that the listing at / is the user's home, and decide whether the remaining groups need a rule as well.
To get ProFTPd to actually talk to the LDAP directory, we also need to add the following to /etc/proftpd.conf:
LDAPServer "localhost:389"
LDAPDNInfo "cn=admin,dc=abode,dc=dk" "secret"
LDAPDoAuth on "dc=abode,dc=dk"
LDAPDNInfo takes two arguments, the bind DN and its password (replace "secret" with the real one). That password now lives in /etc/proftpd.conf, so make sure the file is not world-readable, and consider binding with a dedicated read-only account rather than the directory administrator, since ProFTPd only needs to read.
To enable ProFTPd to authenticate against an LDAP database, the above is not quite enough. You also need to edit ProFTPd's PAM configuration file (/etc/pam.d/proftpd), and add the lines
auth sufficient pam_ldap.so
auth required pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
session sufficient pam_ldap.so
I have added the "try_first_pass" option to the pam_unix.so line so that users are not asked for their password a second time when LDAP authentication fails: pam_unix reuses the password that pam_ldap already collected. The "nullok" option on the same line lets local accounts with an empty password log in; drop it unless you really need that.
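As an added example (not code from the original page), the script below audits a configuration of the kind built above: it evaluates ProFTPd's DefaultRoot group expressions the way the server does (comma-separated groups are ANDed, a leading ! negates, the first matching DefaultRoot directive wins), so you can see which users actually end up chrooted, and it flags the settings from this page that deserve a second look (binding as the directory admin, nullok on pam_unix, no DefaultRoot at all). The proftpd.conf and PAM text, the user names and group memberships, and the "secret" bind password are all constructed for the example.

```python
"""Audit a ProFTPd + PAM setup of the kind described above (added example).

Answers two questions before the server goes live:
  1. Which users are chrooted by the DefaultRoot rules, given their groups?
  2. Do proftpd.conf or the PAM stack carry settings worth a second look?
"""
import shlex

# Constructed sample: the page's directives plus a second DefaultRoot rule
# (everyone not in staff) to show how group expressions are evaluated.
PROFTPD_CONF = """
ServerName "abode ftp"
DefaultRoot ~ www-users
DefaultRoot ~ !staff
LDAPServer "localhost:389"
LDAPDNInfo "cn=admin,dc=abode,dc=dk" "secret"
LDAPDoAuth on "dc=abode,dc=dk"
"""

# Constructed sample: the page's PAM lines, one per line as PAM reads them.
PAM_PROFTPD = """
auth    sufficient pam_ldap.so
auth    required   pam_unix.so nullok try_first_pass
account sufficient pam_ldap.so
session sufficient pam_ldap.so
"""


def parse_directives(text):
    """Return (directive, [args]) tuples, honouring quoted arguments."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def group_expr_matches(expr, groups):
    """ProFTPd group expression: 'a,b' means member of a AND b; '!a' means
    NOT a member of a. Any failing term makes the whole expression false."""
    for term in expr.split(","):
        negate = term.startswith("!")
        name = term.lstrip("!")
        if (name in groups) == negate:
            return False
    return True


def chroot_for(directives, groups):
    """Return the DefaultRoot path applied to a user with these groups, or
    None if no rule matches (the user can browse the whole filesystem).
    Like ProFTPd, the first DefaultRoot whose expression matches wins."""
    for name, args in directives:
        if name != "DefaultRoot":
            continue
        path, expr = args[0], (args[1] if len(args) > 1 else None)
        if expr is None or group_expr_matches(expr, groups):
            return path
    return None


def audit(proftpd_conf, pam_conf):
    """Return findings about the weak spots a reviewer would raise."""
    findings = []
    directives = parse_directives(proftpd_conf)
    if "DefaultRoot" not in {d for d, _ in directives}:
        findings.append("no DefaultRoot: every FTP user can browse the whole filesystem")
    for name, args in directives:
        if name == "LDAPDNInfo":
            if len(args) < 2:
                findings.append("LDAPDNInfo lacks its second argument (the bind password)")
            elif args[0].lower().startswith("cn=admin,"):
                findings.append("LDAPDNInfo binds as the directory admin; a read-only service account is enough")
    # Simplification: assumes the plain 'type control module options' layout,
    # not the bracketed '[success=1 default=ignore]' control syntax.
    for line in pam_conf.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "pam_unix.so" and "nullok" in parts[3:]:
            findings.append("pam_unix nullok: local accounts with an empty password can log in")
    return findings


def main():
    directives = parse_directives(PROFTPD_CONF)
    # Constructed users: a web uploader, an admin in staff, an ordinary user.
    for user, groups in [("webdev", {"www-users"}), ("alice", {"staff"}), ("bob", {"users"})]:
        root = chroot_for(directives, groups)
        print(f"{user:7} groups={sorted(groups)} -> "
              f"{'chrooted to ' + root if root else 'NOT chrooted, sees whole filesystem'}")
    for finding in audit(PROFTPD_CONF, PAM_PROFTPD):
        print("finding:", finding)


if __name__ == "__main__":
    main()
```

Run it against your own /etc/proftpd.conf and /etc/pam.d/proftpd by reading those files into the two strings; the interesting line of output is usually the account that is not chrooted by any rule, which is exactly what a single DefaultRoot ~ www-users leaves behind.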