<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
<HTML
><HEAD
><TITLE
>Configuration Directive List</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"></HEAD
><BODY
CLASS="BOOK"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="BOOK"
><A
NAME="PROFTPD-CONFIG"
></A
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="TITLE"
><A
NAME="AEN2"
>Configuration Directive List</A
></H1
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#AEN4"
>List of Directives</A
></DT
><DD
><DL
><DT
><A
HREF="#ACCESSDENYMSG"
> AccessDenyMsg</A
> -- Customise the response on failed authentication</DT
><DT
><A
HREF="#ACCESSGRANTMSG"
> AccessGrantMsg</A
> -- Customise the response on successful authentication</DT
><DT
><A
HREF="#ALLOW"
> Allow</A
> -- Access control directive</DT
><DT
><A
HREF="#ALLOWALL"
> AllowAll</A
> -- Allow all clients </DT
><DT
><A
HREF="#ALLOWCLASS"
> AllowClass</A
> -- Class based allow rules</DT
><DT
><A
HREF="#ALLOWFILTER"
> AllowFilter</A
> -- Regular expression of command arguments to be accepted</DT
><DT
><A
HREF="#ALLOWFOREIGNADDRESS"
> AllowForeignAddress</A
> -- Control the use of the PORT command</DT
><DT
><A
HREF="#ALLOWGROUP"
> AllowGroup</A
> -- Group based allow rules</DT
><DT
><A
HREF="#ALLOWLOGSYMLINKS"
> AllowLogSymlinks</A
> -- Permit logging to symlinked files</DT
><DT
><A
HREF="#ALLOWOVERRIDE"
> AllowOverride</A
> -- Toggles handling of .ftpaccess files</DT
><DT
><A
HREF="#ALLOWOVERWRITE"
> AllowOverwrite</A
> -- Enable files to be overwritten</DT
><DT
><A
HREF="#ALLOWRETRIEVERESTART"
> AllowRetrieveRestart</A
> -- Allow clients to resume downloads</DT
><DT
><A
HREF="#ALLOWSTORERESTART"
> AllowStoreRestart</A
> -- Allow clients to resume uploads</DT
><DT
><A
HREF="#ALLOWUSER"
> AllowUser</A
> -- User based allow rules</DT
><DT
><A
HREF="#ANONRATIO"
> AnonRatio</A
> -- Ratio directive</DT
><DT
><A
HREF="#ANONREJECTPASSWORDS"
> AnonRejectPasswords</A
> -- Block certain anonymous user passwords</DT
><DT
><A
HREF="#ANONREQUIREPASSWORD"
> AnonRequirePassword</A
> -- Make anonymous users supply a valid password</DT
><DT
><A
HREF="#ANONYMOUS"
> Anonymous</A
> -- Define an anonymous server</DT
><DT
><A
HREF="#ANONYMOUSGROUP"
> AnonymousGroup</A
> -- Treat group members as anonymous users</DT
><DT
><A
HREF="#AUTHALIASONLY"
> AuthAliasOnly</A
> -- Allow only aliased login names</DT
><DT
><A
HREF="#AUTHGROUPFILE"
> AuthGroupFile</A
> -- Specify alternate group file</DT
><DT
><A
HREF="#AUTHORDER"
> AuthOrder</A
> -- Configure auth module checking order</DT
><DT
><A
HREF="#AUTHPAM"
> AuthPAM</A
> -- Enable/Disable PAM authentication</DT
><DT
><A
HREF="#AUTHPAMCONFIG"
> AuthPAMConfig</A
> -- Select PAM service name</DT
><DT
><A
HREF="#AUTHUSERFILE"
> AuthUserFile</A
> -- Specify alternate passwd file</DT
><DT
><A
HREF="#AUTHUSINGALIAS"
> AuthUsingAlias</A
> -- Authenticate via Alias-name instead of mapped username</DT
><DT
><A
HREF="#BIND"
> Bind</A
> -- Bind the server or Virtualhost to a specific IP address [deprecated]</DT
><DT
><A
HREF="#BYTERATIOERRMSG"
> ByteRatioErrMsg</A
> -- Ratio directive</DT
><DT
><A
HREF="#CAPABILITIESENGINE"
> CapabilitiesEngine</A
> -- Enable/disable mod_cap</DT
><DT
><A
HREF="#CAPABILITIESSET"
> CapabilitiesSet</A
> -- Configure the set of Linux capabilities processed</DT
><DT
><A
HREF="#CDPATH"
> CDPath</A
> -- Sets "search paths" for the cd command</DT
><DT
><A
HREF="#CLASS"
> Class</A
> -- Define a class of client connections</DT
><DT
><A
HREF="#COMMANDBUFFERSIZE"
> CommandBufferSize</A
> -- Limit the maximum command length</DT
><DT
><A
HREF="#CREATEHOME"
> CreateHome</A
> -- Create and populate users' home directories as needed</DT
><DT
><A
HREF="#CWDRATIOMSG"
> CwdRatioMsg</A
> -- Ratio directive</DT
><DT
><A
HREF="#DEBUGLEVEL"
> DebugLevel</A
> -- Set the debugging output level</DT
><DT
><A
HREF="#DEFAULTADDRESS"
> DefaultAddress</A
> -- Set the address for the server to listen on</DT
><DT
><A
HREF="#DEFAULTCHDIR"
> DefaultChdir</A
> -- Set starting directory for FTP sessions</DT
><DT
><A
HREF="#DEFAULTROOT"
> DefaultRoot</A
> -- Sets default chroot directory</DT
><DT
><A
HREF="#DEFAULTSERVER"
> DefaultServer</A
> -- Set the default server</DT
><DT
><A
HREF="#DEFAULTTRANSFERMODE"
> DefaultTransferMode</A
> -- Set the default method of data transfer</DT
><DT
><A
HREF="#DEFERWELCOME"
> DeferWelcome</A
> -- Don't show welcome message until user has authenticated</DT
><DT
><A
HREF="#DEFINE"
> Define</A
> -- Initialises Defines for IfDefine</DT
><DT
><A
HREF="#DELAYENGINE"
> DelayEngine</A
> -- Control the use of mod_delay</DT
><DT
><A
HREF="#DELAYTABLE"
> DelayTable</A
> -- Sets the name and path of the file used as the timing
table</DT
><DT
><A
HREF="#DELETEABORTEDSTORES"
> DeleteAbortedStores</A
> -- Enable automatic deletion of partially uploaded HiddenStores files</DT
><DT
><A
HREF="#DENY"
> Deny</A
> -- Access control directive</DT
><DT
><A
HREF="#DENYALL"
> DenyAll</A
> -- Deny all clients</DT
><DT
><A
HREF="#DENYCLASS"
> DenyClass</A
> -- Class based deny rules</DT
><DT
><A
HREF="#DENYFILTER"
> DenyFilter</A
> -- Regular expression of command arguments to be blocked</DT
><DT
><A
HREF="#DENYGROUP"
> DenyGroup</A
> -- Group based deny rules</DT
><DT
><A
HREF="#DENYUSER"
> DenyUser</A
> -- User based deny rules</DT
><DT
><A
HREF="#DIRECTORY"
> Directory</A
> -- Directory-limited configuration directives</DT
><DT
><A
HREF="#DIRFAKEGROUP"
> DirFakeGroup</A
> -- Hide real file/directory group</DT
><DT
><A
HREF="#DIRFAKEMODE"
> DirFakeMode</A
> -- Hide real file/directory permissions</DT
><DT
><A
HREF="#DIRFAKEUSER"
> DirFakeUser</A
> -- Hide real file/directory owner</DT
><DT
><A
HREF="#DISPLAYCHDIR"
> DisplayChdir</A
> -- Set the file to display when entering a directory</DT
><DT
><A
HREF="#DISPLAYCONNECT"
> DisplayConnect</A
> -- Sets connect banner file</DT
><DT
><A
HREF="#DISPLAYFILETRANSFER"
> DisplayFileTransfer</A
> -- FIXFIXFIX</DT
><DT
><A
HREF="#DISPLAYGOAWAY"
> DisplayGoAway</A
> -- Set the file to display to a rejected connection</DT
><DT
><A
HREF="#DISPLAYLOGIN"
> DisplayLogin</A
> -- Set the file to display on login</DT
><DT
><A
HREF="#DISPLAYQUIT"
> DisplayQuit</A
> -- Set the file to display on quit</DT
><DT
><A
HREF="#DISPLAYREADME"
> DisplayReadme</A
> -- Enable display of file modification times on a file pattern</DT
><DT
><A
HREF="#EXTENDEDLOG"
> ExtendedLog</A
> -- Specify custom logfiles</DT
><DT
><A
HREF="#FILERATIOERRMSG"
> FileRatioErrMsg</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#GLOBAL"
> Global</A
> -- Set some directives to apply across the entire daemon</DT
><DT
><A
HREF="#GROUP"
> Group</A
> -- Set the group the server normally runs as</DT
><DT
><A
HREF="#GROUPOWNER"
> GroupOwner</A
> -- Change default group for new files and directories</DT
><DT
><A
HREF="#GROUPPASSWORD"
> GroupPassword</A
> -- Set a group-wide password</DT
><DT
><A
HREF="#GROUPRATIO"
> GroupRatio</A
> -- Ratio directive</DT
><DT
><A
HREF="#HIDDENSTORES"
> HiddenStores</A
> -- Enables safer file uploads</DT
><DT
><A
HREF="#HIDEFILES"
> HideFiles</A
> -- Enable hiding of files based on regular expressions</DT
><DT
><A
HREF="#HIDEGROUP"
> HideGroup</A
> -- Enable hiding of files based on group owner</DT
><DT
><A
HREF="#HIDENOACCESS"
> HideNoAccess</A
> -- Block the listing of directory entries to which the user
has no access permissions</DT
><DT
><A
HREF="#HIDEUSER"
> HideUser</A
> -- Enable hiding of files based on user owner</DT
><DT
><A
HREF="#HOSTRATIO"
> HostRatio</A
> -- Ratio directive</DT
><DT
><A
HREF="#IDENTLOOKUPS"
> IdentLookups</A
> -- Toggle ident lookups</DT
><DT
><A
HREF="#IFDEFINE"
> IfDefine</A
> -- To control the use of sections of the configuration</DT
><DT
><A
HREF="#IFMODULE"
> IfModule</A
> -- Parse a section of config based on module name</DT
><DT
><A
HREF="#IGNOREHIDDEN"
> IgnoreHidden</A
> -- Treat 'hidden' files as if they don't exist</DT
><DT
><A
HREF="#INCLUDE"
> Include</A
> -- Load additional configuration directives from a file</DT
><DT
><A
HREF="#LDAPALIASDEREFERENCE"
> LDAPAliasDereference</A
> -- Specify how LDAP alias dereferencing is done</DT
><DT
><A
HREF="#LDAPATTR"
> LDAPAttr</A
> -- Map LDAP Attributes to something non standard</DT
><DT
><A
HREF="#LDAPAUTHBINDS"
> LDAPAuthBinds</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#LDAPDEFAULTAUTHSCHEME"
> LDAPDefaultAuthScheme</A
> -- Set the authentication scheme/hash that is used when no leading
{hashname} is present.
</DT
><DT
><A
HREF="#LDAPDEFAULTGID"
> LDAPDefaultGID</A
> -- Set the default GID to be assigned to users when no uidNumber
attribute is found.
</DT
><DT
><A
HREF="#LDAPDEFAULTUID"
> LDAPDefaultUID</A
> -- Set the default UID to be assigned to users when no uidNumber
attribute is found.
</DT
><DT
><A
HREF="#LDAPDNINFO"
> LDAPDNInfo</A
> -- Set DN information to be used for initial bind</DT
><DT
><A
HREF="#LDAPDOAUTH"
> LDAPDoAuth</A
> -- Enable LDAP authentication</DT
><DT
><A
HREF="#LDAPDOGIDLOOKUPS"
> LDAPDoGIDLookups</A
> -- Enable LDAP lookups for user group membership and GIDs in
directory listings
</DT
><DT
><A
HREF="#LDAPDOQUOTALOOKUPS"
> LDAPDoQuotaLookups</A
> -- Enable LDAP quota limit support</DT
><DT
><A
HREF="#LDAPDOUIDLOOKUPS"
> LDAPDoUIDLookups</A
> -- Enable LDAP lookups for UIDs in directory listings
</DT
><DT
><A
HREF="#LDAPFORCEDEFAULTGID"
> LDAPForceDefaultGID</A
> -- Force all LDAP-authenticated users to use the same GID.</DT
><DT
><A
HREF="#LDAPFORCEDEFAULTUID"
> LDAPForceDefaultUID</A
> -- Force all LDAP-authenticated users to use the same UID.</DT
><DT
><A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
> LDAPForceGeneratedHomedir</A
> -- Force all LDAP-authenticated users to use the default HomeDironDemand
prefix/suffix.
</DT
><DT
><A
HREF="#LDAPFORCEHOMEDIRONDEMAND"
> LDAPForceHomedirOnDemand</A
> -- Force all LDAP-authenticated users to use the default HomeDironDemand
prefix/suffix. [deprecated]
</DT
><DT
><A
HREF="#LDAPGENERATEHOMEDIR"
> LDAPGenerateHomedir</A
> -- Enable the creation of user home directories on demand
</DT
><DT
><A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
> LDAPGenerateHomedirPrefix</A
> -- Enable the creation of user home directories on demand
</DT
><DT
><A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
> LDAPGenerateHomedirPrefixNoUsername</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#LDAPGROUPS"
> LDAPGroups</A
> -- Enable LDAP lookups for user group membership and GIDs in
directory listings
</DT
><DT
><A
HREF="#LDAPHOMEDIRONDEMAND"
> LDAPHomedirOnDemand</A
> -- Enable the creation of user home directories on demand [deprecated]
</DT
><DT
><A
HREF="#LDAPHOMEDIRONDEMANDPREFIX"
> LDAPHomedirOnDemandPrefix</A
> -- Enable the creation of user home directories on demand [deprecated]
</DT
><DT
><A
HREF="#LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
> LDAPHomedirOnDemandPrefixNoUsername</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#LDAPHOMEDIRONDEMANDSUFFIX"
> LDAPHomedirOnDemandSuffix</A
> -- Specify an additional directory to be created inside a user's
home directory on demand. [deprecated]
</DT
><DT
><A
HREF="#LDAPNEGATIVECACHE"
> LDAPNegativeCache</A
> -- Enable negative caching for LDAP lookups</DT
><DT
><A
HREF="#LDAPPROTOCOLVERSION"
> LDAPProtocolVersion</A
> -- Set the LDAP protocol version</DT
><DT
><A
HREF="#LDAPQUERYTIMEOUT"
> LDAPQueryTimeout</A
> -- Set a timeout for LDAP queries</DT
><DT
><A
HREF="#LDAPSEARCHSCOPE"
> LDAPSearchScope</A
> -- Specify the search scope used in LDAP queries</DT
><DT
><A
HREF="#LDAPSERVER"
> LDAPServer</A
> -- Specify the LDAP server to use for lookups</DT
><DT
><A
HREF="#LDAPUSERS"
> LDAPUsers</A
> -- Enable LDAP authentication/user lookups</DT
><DT
><A
HREF="#LDAPUSETLS"
> LDAPUseTLS</A
> -- Enable TLS/SSL connections to the LDAP server.</DT
><DT
><A
HREF="#LEECHRATIOMSG"
> LeechRatioMsg</A
> -- Sets the 'over ratio' error message</DT
><DT
><A
HREF="#LIMIT"
> Limit</A
> -- Set the commands/actions to be controlled</DT
><DT
><A
HREF="#LISTOPTIONS"
> ListOptions</A
> -- Configure options used when listing directories</DT
><DT
><A
HREF="#LOGFORMAT"
> LogFormat</A
> -- Specify a logging format</DT
><DT
><A
HREF="#LOGINPASSWORDPROMPT"
> LoginPasswordPrompt</A
> -- Configure whether the password prompt is displayed</DT
><DT
><A
HREF="#MASQUERADEADDRESS"
> MasqueradeAddress</A
> -- Configure the server address presented to clients</DT
><DT
><A
HREF="#MAXCLIENTS"
> MaxClients</A
> -- Limits the number of users that can connect</DT
><DT
><A
HREF="#MAXCLIENTSPERCLASS"
> MaxClientsPerClass</A
> -- Limit the number of connections per class</DT
><DT
><A
HREF="#MAXCLIENTSPERHOST"
> MaxClientsPerHost</A
> -- Limits the connections per client machine</DT
><DT
><A
HREF="#MAXCLIENTSPERUSER"
> MaxClientsPerUser</A
> -- Limit the number of connections per userid</DT
><DT
><A
HREF="#MAXCONNECTIONRATE"
> MaxConnectionRate</A
> -- Maximum TCP socket connection rate</DT
><DT
><A
HREF="#MAXCONNECTIONSPERHOST"
> MaxConnectionsPerHost</A
> -- Limits the unauthenticated connections per client machine</DT
><DT
><A
HREF="#MAXHOSTSPERUSER"
> MaxHostsPerUser</A
> -- Limit the number of connections per userid</DT
><DT
><A
HREF="#MAXINSTANCES"
> MaxInstances</A
> -- Sets the maximum number of child processes to be spawned</DT
><DT
><A
HREF="#MAXLOGINATTEMPTS"
> MaxLoginAttempts</A
> -- Sets how many password attempts are allowed before disconnection</DT
><DT
><A
HREF="#MAXRETRIEVEFILESIZE"
> MaxRetrieveFileSize</A
> -- Restrict size of downloaded files</DT
><DT
><A
HREF="#MAXSTOREFILESIZE"
> MaxStoreFileSize</A
> -- Restrict size of uploaded files</DT
><DT
><A
HREF="#MULTILINERFC2228"
> MultilineRFC2228</A
> -- Enable RFC2228 multiline response mode</DT
><DT
><A
HREF="#ORDER"
> Order</A
> -- Configures the precedence of the Limit directives</DT
><DT
><A
HREF="#PASSIVEPORTS"
> PassivePorts</A
> -- Specify the ftp-data port range to be used</DT
><DT
><A
HREF="#PATHALLOWFILTER"
> PathAllowFilter</A
> -- Only allow new files which match a specified pattern</DT
><DT
><A
HREF="#PATHDENYFILTER"
> PathDenyFilter</A
> -- Disallow new files which match a specified pattern</DT
><DT
><A
HREF="#PERSISTENTPASSWD"
> PersistentPasswd</A
> -- Sets handling of unix auth files</DT
><DT
><A
HREF="#PIDFILE"
> PidFile</A
> -- Set the filepath to hold the pid of the master server</DT
><DT
><A
HREF="#PORT"
> Port</A
> -- Set the port for the control socket</DT
><DT
><A
HREF="#RADIUSACCTSERVER"
> RadiusAcctServer</A
> -- Setup RADIUS accounting details</DT
><DT
><A
HREF="#RADIUSAUTHSERVER"
> RadiusAuthServer</A
> -- Setup RADIUS authenticator details</DT
><DT
><A
HREF="#RADIUSENGINE"
> RadiusEngine</A
> -- Enable RADIUS support</DT
><DT
><A
HREF="#RADIUSLOG"
> RadiusLog</A
> -- Specify the logfile for reporting / debugging</DT
><DT
><A
HREF="#RADIUSREALM"
> RadiusRealm</A
> -- Setup the authentication realm</DT
><DT
><A
HREF="#RADIUSUSERINFO"
> RadiusUserInfo</A
> -- Configure login information via RADIUS</DT
><DT
><A
HREF="#RATIOFILE"
> RatioFile</A
> -- Ratio directive</DT
><DT
><A
HREF="#RATIOS"
> Ratios</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#RATIOTEMPFILE"
> RatioTempFile</A
> -- Ratio directive</DT
><DT
><A
HREF="#REQUIREVALIDSHELL"
> RequireValidShell</A
> -- Allow connections based on /etc/shells</DT
><DT
><A
HREF="#REWRITECONDITION"
> RewriteCondition</A
> -- Define a rule condition</DT
><DT
><A
HREF="#REWRITEENGINE"
> RewriteEngine</A
> -- Enable/disable mod_rewrite</DT
><DT
><A
HREF="#REWRITELOCK"
> RewriteLock</A
> -- Set the filename for synchronization lockfile</DT
><DT
><A
HREF="#REWRITELOG"
> RewriteLog</A
> -- Specify a log file for mod_rewrite reporting</DT
><DT
><A
HREF="#REWRITEMAP"
> RewriteMap</A
> -- Define a rewrite map</DT
><DT
><A
HREF="#REWRITERULE"
> RewriteRule</A
> -- Define a rewrite rule</DT
><DT
><A
HREF="#RLIMITCPU"
> RLimitCPU</A
> -- Configure the maximum CPU time in seconds used by a process</DT
><DT
><A
HREF="#RLIMITMEMORY"
> RLimitMemory</A
> -- Configure the maximum memory in bytes used by a process</DT
><DT
><A
HREF="#RLIMITOPENFILES"
> RLimitOpenFiles</A
> -- Configure the maximum number of open files used by a process</DT
><DT
><A
HREF="#ROOTLOGIN"
> RootLogin</A
> -- Permit root user logins</DT
><DT
><A
HREF="#ROOTREVOKE"
> RootRevoke</A
> -- Drop root privileges completely</DT
><DT
><A
HREF="#SAVERATIOS"
> SaveRatios</A
> -- FIXME FIXME</DT
><DT
><A
HREF="#SCOREBOARDFILE"
> ScoreboardFile</A
> -- Sets the name and path of the scoreboard file</DT
><DT
><A
HREF="#SERVERADMIN"
> ServerAdmin</A
> -- Set the address for the server admin</DT
><DT
><A
HREF="#SERVERIDENT"
> ServerIdent</A
> -- Set the message displayed on connect</DT
><DT
><A
HREF="#SERVERLOG"
> ServerLog</A
> -- Configure logs on a per-server basis</DT
><DT
><A
HREF="#SERVERNAME"
> ServerName</A
> -- Configure the name displayed to connecting users</DT
><DT
><A
HREF="#SERVERTYPE"
> ServerType</A
> -- Set the mode proftpd runs in</DT
><DT
><A
HREF="#SETENV"
> SetEnv</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#SHOWSYMLINKS"
> ShowSymlinks</A
> -- Toggle the display of symlinks</DT
><DT
><A
HREF="#SOCKETBINDTIGHT"
> SocketBindTight</A
> -- Controls how TCP/IP sockets are created</DT
><DT
><A
HREF="#SOCKETOPTIONS"
> SocketOptions</A
> -- Tune socket-level options</DT
><DT
><A
HREF="#SQLAUTHENTICATE"
> SQLAuthenticate</A
> -- Specify authentication methods and what to authenticate
</DT
><DD
><DL
><DT
><A
HREF="#AEN8470"
>Group Table Structure</A
></DT
></DL
></DD
><DT
><A
HREF="#SQLAUTHTYPES"
> SQLAuthTypes</A
> -- Specify the allowed authentication types and their check order</DT
><DT
><A
HREF="#SQLBACKEND"
> SQLBackend</A
> -- Set the SQL backend module</DT
><DT
><A
HREF="#SQLCONNECTINFO"
> SQLConnectInfo</A
> -- Specify connection information for the backend</DT
><DT
><A
HREF="#SQLDEFAULTGID"
> SQLDefaultGID</A
> -- Configure the default GID for users</DT
><DT
><A
HREF="#SQLDEFAULTHOMEDIR"
> SQLDefaultHomedir</A
> -- Configure the default homedir</DT
><DT
><A
HREF="#SQLDEFAULTUID"
> SQLDefaultUID</A
> -- Configure the default UID for users</DT
><DT
><A
HREF="#SQLENGINE"
> SQLEngine</A
> -- Configure how mod_sql will operate</DT
><DT
><A
HREF="#SQLGROUPINFO"
> SQLGroupInfo</A
> -- Configure the group table and fields that hold group information</DT
><DT
><A
HREF="#SQLGROUPWHERECLAUSE"
> SQLGroupWhereClause</A
> -- Configure a WHERE clause for every group query</DT
><DT
><A
HREF="#SQLLOG"
> SQLLog</A
> -- Log information to a database table</DT
><DT
><A
HREF="#SQLLOGFILE"
> SQLLogFile</A
> -- Specify a log file for mod_sql reporting and debugging</DT
><DT
><A
HREF="#SQLMINID"
> SQLMinID</A
> -- Set SQLMinUserGID and SQLMinUserID in one place</DT
><DT
><A
HREF="#SQLMINUSERGID"
> SQLMinUserGID</A
> -- Set a minimum GID</DT
><DT
><A
HREF="#SQLMINUSERUID"
> SQLMinUserUID</A
> -- Set a minimum UID</DT
><DT
><A
HREF="#SQLNAMEDQUERY"
> SQLNamedQuery</A
> -- Specify a query and an identifier for SQLShowInfo and SQLLog</DT
><DT
><A
HREF="#SQLNEGATIVECACHE"
> SQLNegativeCache</A
> -- Enable negative caching for SQL lookups</DT
><DT
><A
HREF="#SQLRATIOS"
> SQLRatios</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#SQLRATIOSTATS"
> SQLRatioStats</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#SQLSHOWINFO"
> SQLShowInfo</A
> -- Create a message to be sent to the user after any successful command</DT
><DT
><A
HREF="#SQLUSERINFO"
> SQLUserInfo</A
> -- Configure the user table and fields that hold user information</DT
><DT
><A
HREF="#SQLUSERWHERECLAUSE"
> SQLUserWhereClause</A
> -- Configure a WHERE clause for every user query</DT
><DT
><A
HREF="#STOREUNIQUEPREFIX"
> StoreUniquePrefix</A
> -- Set the prefix to be added to uniquely generated filenames</DT
><DT
><A
HREF="#SYSLOGFACILITY"
> SyslogFacility</A
> -- Set the facility level used for logging</DT
><DT
><A
HREF="#SYSLOGLEVEL"
> SyslogLevel</A
> -- Set the verbosity level of system logging</DT
><DT
><A
HREF="#SYSTEMLOG"
> SystemLog</A
> -- Redirect syslogging to a file</DT
><DT
><A
HREF="#TCPACCESSFILES"
> TCPAccessFiles</A
> -- Sets the access files to use</DT
><DT
><A
HREF="#TCPACCESSSYSLOGLEVELS"
> TCPAccessSyslogLevels</A
> -- Sets the logging levels for mod_wrap</DT
><DT
><A
HREF="#TCPBACKLOG"
> tcpBackLog</A
> -- Control the tcp backlog in standalone mode</DT
><DT
><A
HREF="#TCPGROUPACCESSFILES"
> TCPGroupAccessFiles</A
> -- Sets the access files to use</DT
><DT
><A
HREF="#TCPNODELAY"
> tcpNoDelay</A
> -- Control the use of TCP_NODELAY</DT
><DT
><A
HREF="#TCPSERVICENAME"
> TCPServiceName</A
> -- Configures the name proftpd will use with mod_wrap</DT
><DT
><A
HREF="#TCPUSERACCESSFILES"
> TCPUserAccessFiles</A
> -- Sets the access files to use</DT
><DT
><A
HREF="#TIMEOUTIDLE"
> TimeoutIdle</A
> -- Sets the idle connection timeout</DT
><DT
><A
HREF="#TIMEOUTLINGER"
> TimeoutLinger</A
> -- Sets the timeout used for lingering closes</DT
><DT
><A
HREF="#TIMEOUTLOGIN"
> TimeoutLogin</A
> -- Sets the login timeout</DT
><DT
><A
HREF="#TIMEOUTNOTRANSFER"
> TimeoutNoTransfer</A
> -- Sets the connection without transfer timeout</DT
><DT
><A
HREF="#TIMEOUTSESSION"
> TimeoutSession</A
> -- Sets a timeout for an entire session</DT
><DT
><A
HREF="#TIMEOUTSTALLED"
> TimeoutStalled</A
> -- Sets the timeout on stalled data transfers</DT
><DT
><A
HREF="#TIMESGMT"
> TimesGMT</A
> -- Toggle time display between GMT and local</DT
><DT
><A
HREF="#TLSCACERTIFICATEFILE"
> TLSCACertificateFile</A
> -- Define a CA certificate used to verify your client certificates</DT
><DT
><A
HREF="#TLSCACERTIFICATEPATH"
> TLSCACertificatePath</A
> -- Define a path to the CAs used to verify your client certificates</DT
><DT
><A
HREF="#TLSCAREVOCATIONFILE"
> TLSCARevocationFile</A
> -- Define a file with your CA revocation certificates</DT
><DT
><A
HREF="#TLSCAREVOCATIONPATH"
> TLSCARevocationPath</A
> -- Define a path to your CA revocation certificates</DT
><DT
><A
HREF="#TLSCERTIFICATECHAINFILE"
> TLSCertificateChainFile</A
> -- Define an all in one certification file</DT
><DT
><A
HREF="#TLSCIPHERSUITE"
> TLSCipherSuite</A
> -- Define a cipher list</DT
><DT
><A
HREF="#TLSDHPARAMFILE"
> TLSDHParamFile</A
> -- Define a file used in Diffie-Hellman key exchange</DT
><DT
><A
HREF="#TLSDSACERTIFICATEFILE"
> TLSDSACertificateFile</A
> -- Point to the file containing the DSA certificate</DT
><DT
><A
HREF="#TLSDSACERTIFICATEKEYFILE"
> TLSDSACertificateKeyFile</A
> -- Point to the file containing the private DSA key</DT
><DT
><A
HREF="#TLSENGINE"
> TLSEngine</A
> -- Enable TLS/SSL connections</DT
><DT
><A
HREF="#TLSLOG"
> TLSLog</A
> -- Specify a logfile for mod_tls's reporting on a per-server basis</DT
><DT
><A
HREF="#TLSOPTIONS"
> TLSOptions</A
> -- Configure optional behaviour of mod_tls</DT
><DT
><A
HREF="#TLSPASSPHRASEPROVIDER"
> TLSPassPhraseProvider</A
> -- FIXFIXFIX</DT
><DT
><A
HREF="#TLSPROTOCOL"
> TLSProtocol</A
> -- Define the SSL/TLS protocol version mod_tls should use</DT
><DT
><A
HREF="#TLSRANDOMSEED"
> TLSRandomSeed</A
> -- Define a file for PRNG seeding</DT
><DT
><A
HREF="#TLSRENEGOTIATE"
> TLSRenegotiate</A
> -- Configure SSL renegotiations</DT
><DT
><A
HREF="#TLSREQUIRED"
> TLSRequired</A
> -- Require SSL/TLS on the control and/or data channel</DT
><DT
><A
HREF="#TLSRSACERTIFICATEFILE"
> TLSRSACertificateFile</A
> -- Point to the file containing the RSA certificate</DT
><DT
><A
HREF="#TLSRSACERTIFICATEKEYFILE"
> TLSRSACertificateKeyFile</A
> -- Point to the file containing the private RSA key</DT
><DT
><A
HREF="#TLSVERIFYCLIENT"
> TLSVerifyClient</A
> -- Configure how to handle certificates presented by clients</DT
><DT
><A
HREF="#TLSVERIFYDEPTH"
> TLSVerifyDepth</A
> -- Define how deeply mod_tls should verify a client certificate</DT
><DT
><A
HREF="#TRANSFERLOG"
> TransferLog</A
> -- Specify the path to the transfer log</DT
><DT
><A
HREF="#TRANSFERRATE"
> TransferRate</A
> -- Configure upload, download transfer rates</DT
><DT
><A
HREF="#UMASK"
> Umask</A
> -- Set the default Umask</DT
><DT
><A
HREF="#UNSETENV"
> UnsetEnv</A
> -- (docs incomplete)</DT
><DT
><A
HREF="#USEFTPUSERS"
> UseFtpUsers</A
> -- Block based on /etc/ftpusers</DT
><DT
><A
HREF="#USEGLOBBING"
> UseGlobbing</A
> -- Toggles use of glob() functionality</DT
><DT
><A
HREF="#USEIPV6"
> UseIPv6</A
> -- Disable IPv6 support</DT
><DT
><A
HREF="#USER"
> User</A
> -- Set the user the daemon will run as</DT
><DT
><A
HREF="#USERALIAS"
> UserAlias</A
> -- Alias a username to a system user</DT
><DT
><A
HREF="#USERDIRROOT"
> UserDirRoot</A
> -- Set the chroot directory to a subdirectory of the anonymous server</DT
><DT
><A
HREF="#USEREVERSEDNS"
> UseReverseDNS</A
> -- Toggle rDNS lookups</DT
><DT
><A
HREF="#USEROWNER"
> UserOwner</A
> -- Set the user ownership of new files / directories</DT
><DT
><A
HREF="#USERPASSWORD"
> UserPassword</A
> -- Creates a hardcoded username/password pair</DT
><DT
><A
HREF="#USERRATIO"
> UserRatio</A
> -- Ratio directive</DT
><DT
><A
HREF="#USESENDFILE"
> UseSendfile</A
> -- Toggles use of sendfile() functionality</DT
><DT
><A
HREF="#USEUTF8"
> UseUTF8</A
> -- FIXFIXFIX</DT
><DT
><A
HREF="#VIRTUALHOST"
> VirtualHost</A
> -- Define a virtual ftp server</DT
><DT
><A
HREF="#WTMPLOG"
> WtmpLog</A
> -- Toggle logging to wtmp</DT
></DL
></DD
><DT
>2. <A
HREF="#AEN12545"
>List of modules</A
></DT
><DD
><DL
><DT
><A
HREF="#MOD-AUTH"
> mod_auth</A
> -- Authentication module</DT
><DT
><A
HREF="#MOD-CORE"
> mod_core</A
> -- Core module</DT
><DT
><A
HREF="#MOD-DELAY"
> mod_delay</A
> -- Prevent information leak through timing attacks</DT
><DT
><A
HREF="#MOD-LDAP"
> mod_ldap</A
> -- LDAP authentication support</DT
><DT
><A
HREF="#MOD-LOG"
> mod_log</A
> -- Logging support</DT
><DT
><A
HREF="#MOD-LS"
> mod_ls</A
> -- file listing functionality</DT
><DT
><A
HREF="#MOD-RADIUS"
> mod_radius</A
> -- RADIUS based authentication support</DT
><DT
><A
HREF="#MOD-RATIO"
> mod_ratio</A
> -- FIX ME FIX ME</DT
><DT
><A
HREF="#MOD-README"
> mod_readme</A
> -- "README" file support</DT
><DT
><A
HREF="#MOD-SQL"
> mod_sql</A
> -- SQL support module</DT
><DT
><A
HREF="#MOD-TLS"
> mod_tls</A
> -- TLS/SSL support module</DT
><DT
><A
HREF="#MOD-WRAP"
> mod_wrap</A
> -- Interface to libwrap</DT
><DT
><A
HREF="#MOD-XFER"
> mod_xfer</A
> -- FIX ME FIX ME</DT
></DL
></DD
><DT
>3. <A
HREF="#AEN13026"
>List of configuration contexts</A
></DT
><DD
><DL
><DT
><A
HREF="#CONTEXT-SERVERCONFIG"
> server config</A
> -- server config</DT
><DT
><A
HREF="#CONTEXT-GLOBAL"
> Global</A
> -- Global</DT
><DT
><A
HREF="#CONTEXT-VIRTUALHOST"
> VirtualHost</A
> -- VirtualHost</DT
><DT
><A
HREF="#CONTEXT-ANONYMOUS"
> Anonymous</A
> -- Anonymous</DT
><DT
><A
HREF="#CONTEXT-LIMIT"
> Limit</A
> -- Limit</DT
><DT
><A
HREF="#CONTEXT-FTPACCESS"
> .ftpaccess</A
> -- .ftpaccess</DT
></DL
></DD
></DL
></DIV
><DIV
CLASS="LOT"
><DL
CLASS="LOT"
><DT
><B
>List of Tables</B
></DT
><DT
>1-1. <A
HREF="#AEN11119"
>Environment variables</A
></DT
><DT
>1-2. <A
HREF="#AEN11138"
>Environment variables</A
></DT
></DL
></DIV
><DIV
CLASS="LOT"
><DL
CLASS="LOT"
><DT
><B
>List of Examples</B
></DT
><DT
>1-1. <A
HREF="#EXAMPLE-USERMAP"
>Example Usermap</A
></DT
><DT
>1-2. <A
HREF="#EXAMPLE-FIFONAMEDPIPE"
>Example FIFO/Named Pipe 1:1 mapping</A
></DT
></DL
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN4"
></A
>Chapter 1. List of Directives</H1
><H1
><A
NAME="ACCESSDENYMSG"
></A
>
AccessDenyMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN14"
></A
><H2
>Name</H2
>AccessDenyMsg -- Customise the response on failed authentication</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN17"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AccessDenyMsg</B
> [ <CODE
CLASS="OPTION"
>"message"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Dependent on login type</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN44"
></A
><H2
>Description</H2
><P
>Normally, a 530 response message is sent to an FTP client immediately after
a failed authentication attempt, with a standard message indicating the
reason for the failure. In the case of a wrong password, the reason is usually
"Login incorrect." This message can be customized with the AccessDenyMsg
directive. In the message argument, the magic cookie '%u' is replaced with
the username specified by the client during login.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN47"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN50"
></A
><H2
>Examples</H2
><P
>AccessDenyMsg "Guest access denied for %u."</P
></DIV
><H1
><A
NAME="ACCESSGRANTMSG"
></A
>
AccessGrantMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN61"
></A
><H2
>Name</H2
>AccessGrantMsg -- Customise the response on successful authentication</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN64"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AccessGrantMsg</B
> [ <CODE
CLASS="OPTION"
>"message"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Dependent on login type</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN91"
></A
><H2
>Description</H2
><P
>Normally, a 230 response message is sent to an FTP client immediately after
authentication, with a standard message indicating that the user has either
logged in or that anonymous access has been granted. This message
can be customized with the AccessGrantMsg directive. In the message argument,
the magic cookie '%u' is replaced with the username specified by the client
during login.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN94"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN97"
></A
><H2
>Examples</H2
><P
>AccessGrantMsg "Guest access granted for %u."</P
></DIV
><H1
><A
NAME="ALLOW"
></A
>
Allow</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN108"
></A
><H2
>Name</H2
>Allow -- Access control directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN111"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Allow</B
> [ <CODE
CLASS="OPTION"
>["from"] "all"|"none"|host|network[,host|network[,...]]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Allow from all</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN138"
></A
><H2
>Description</H2
><P
>The Allow directive is used inside a <Limit> context to explicitly
specify which hosts and/or networks have access to the commands or
operations being limited. Allow is typically used in conjunction
with Order and Deny in order to create sophisticated (or perhaps
not-so-sophisticated) access control rules. Allow takes an optional
first argument; the keyword from. Using from is purely cosmetic. The
remaining arguments are expected to be a list of hosts and networks which
will be explicitly granted access. The magic keyword all can be used to
indicate that all hosts will explicitly be granted access (analogous to
the AllowAll directive, except with a lower priority). Additionally, the
magic keyword none can be used to indicate that no hosts or networks
will be explicitly granted access (although this does not prevent
them from implicitly being granted access). If all or none is used,
no other hosts or networks can be supplied. Host and network addresses
can be specified by name or numeric address. For security reasons, it is
recommended that all address information be supplied numerically. Relying
solely on named addresses causes security to depend a great deal upon
DNS servers which may themselves be vulnerable to attack or spoofing.
Numeric addresses which specify an entire network should end in a
trailing period (e.g. 10.0.0. for the entire 10.0.0 subnet). Named
addresses which specify an entire network should begin with a leading
period (e.g. .proftpd.net for the entire proftpd.net domain).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN141"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOW"
>Allow</A
>
<A
HREF="#ORDER"
>Order</A
>
<A
HREF="#LIMIT"
>Limit</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN147"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
><Limit LOGIN>
Order allow,deny
Allow from 128.44.26.,128.44.26.,myhost.mydomain.edu,.trusted-domain.org
Deny from all
</Limit></PRE
></DIV
><H1
><A
NAME="ALLOWALL"
></A
>
AllowAll</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN158"
></A
><H2
>Name</H2
>AllowAll -- Allow all clients </DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN161"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowAll</B
> [ <CODE
CLASS="OPTION"
>AllowAll</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Default is to implicitly AllowAll, but not explicitly</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN188"
></A
><H2
>Description</H2
><P
>The AllowAll directive explicitly allows access to a <Directory>,
<Anonymous> or <Limit> block. Although proftpd's default
behavior is to allow access to a particular object, the default is
an implicit allow. AllowAll creates an explicit allow, overriding any
higher level denial directives.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN191"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYALL"
>DenyAll</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN195"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWCLASS"
></A
>
AllowClass</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN206"
></A
><H2
>Name</H2
>AllowClass -- Class based allow rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN209"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowClass</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] class-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN236"
></A
><H2
>Description</H2
><P
>AllowClass specifies a class-expression that is specifically permitted access
within the context of the <Limit> block it is applied to. class-expression
has a similar syntax as that used in AllowGroup, in that it should contain a
comma delimited list of classes or "not" classes (by prefixing a
class name with the `!' character) that are to be allowed access to the
block.</P
><P
>By default, the expression is parsed as a boolean "OR" list, meaning
that ANY elements of the expression must evaluate to logically true in order
for the explicit allow to apply. In order to treat the expression as a boolean
"AND" list, meaning that ALL of the elements must evaluate to
logically true, use the optional "AND" keyword. Similarly, to treat
the expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN240"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWUSER"
>AllowUser</A
>
<A
HREF="#DENYUSER"
>DenyUser</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
>
<A
HREF="#DENYGROUP"
>DenyGroup</A
>
<A
HREF="#DENYCLASS"
>DenyClass</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN248"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # A regular expression AllowClass directive
AllowClass regex ^known
# An AND-evaluated DenyClass directive
DenyClass AND bad,scanner</PRE
></P
></DIV
><H1
><A
NAME="ALLOWFILTER"
></A
>
AllowFilter</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN260"
></A
><H2
>Name</H2
>AllowFilter -- Regular expression of command arguments to be accepted</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN263"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowFilter</B
> [ <CODE
CLASS="OPTION"
>regular-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN290"
></A
><H2
>Description</H2
><P
>AllowFilter allows the configuration of a regular expression
that must be matched for all command arguments sent to ProFTPD. It is
extremely useful in controlling what characters may be sent in a
command to ProFTPD, preventing some possible types of attacks against
ProFTPD. The regular expression is applied against the arguments to
the command sent by the client, so care must be taken when creating a
proper regex. Commands that fail the regex match result in a
"Forbidden command" error being returned to the client. If the
regular-expression argument contains whitespace, it must be enclosed
in quotes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN293"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYFILTER"
>DenyFilter</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN297"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
># Only allow command arguments made up of alphanumeric characters, spaces and commas
AllowFilter "^[a-zA-Z0-9 ,]*$"</PRE
><P
></P
></DIV
><H1
><A
NAME="ALLOWFOREIGNADDRESS"
></A
>
AllowForeignAddress</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN309"
></A
><H2
>Name</H2
>AllowForeignAddress -- Control the use of the PORT command</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN312"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowForeignAddress</B
> [ <CODE
CLASS="OPTION"
> on|off </CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AllowForeignAddress off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN339"
></A
><H2
>Description</H2
><P
>Normally, proftpd disallows clients from using the ftp PORT command with
anything other than their own address (the source address of the ftp
control connection), as well as preventing the use of PORT to specify
a low-numbered (< 1024) port. In either case, the client is sent an
"Invalid port" error and a message is syslog'd indicating either
"address mismatch" or "bounce attack". By enabling
this directive, proftpd will allow clients to transmit foreign data
connection addresses that do not match the client's address. This allows
such tricks as permitting a client to transfer a file between two FTP
servers without involving itself in the actual data connection. Generally
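it's considered a bad idea, security-wise, to permit this sort of thing,
because the server can then be made to open data connections to arbitrary
third-party hosts on a client's behalf (commonly called an FTP bounce attack).
AllowForeignAddress only affects data connection addresses, not TCP
ports. There is no way (and no valid reason) to allow a client to use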
a low-numbered port in its PORT command.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN342"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN345"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWGROUP"
></A
>
AllowGroup</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN356"
></A
><H2
>Name</H2
>AllowGroup -- Group based allow rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN359"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowGroup</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] group-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN386"
></A
><H2
>Description</H2
><P
>AllowGroup specifies a group-expression that is specifically
permitted within the context of the <Limit> block it is applied
to. group-expression has the same format as that used in DefaultRoot, in
that it should contain a comma separated list of groups or "not"
groups (by prefixing a group name with the `!' character) that are to
be allowed access to the block.</P
><P
>By default, the expression is parsed as a boolean "AND" list, meaning
that ALL elements of the expression must evaluate to logically true in order
for the explicit allow to apply. In order to treat the expression as a boolean
"OR" list, meaning that ANY of the elements must evaluate to logically
true, use the optional "OR" keyword. Similarly, to treat the
expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN390"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYGROUP"
>DenyGroup</A
>,
<A
HREF="#DENYUSER"
>DenyUser</A
>,
<A
HREF="#ALLOWUSER"
>AllowUser</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN396"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # An OR-evaluated AllowGroup directive
AllowGroup OR www,doc
# A regular expression DenyGroup directive
DenyGroup regex ^sys</PRE
></P
></DIV
><H1
><A
NAME="ALLOWLOGSYMLINKS"
></A
>
AllowLogSymlinks</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN408"
></A
><H2
>Name</H2
>AllowLogSymlinks -- Permit logging to symlinked files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN411"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowLogSymlinks</B
> [ <CODE
CLASS="OPTION"
>"on"|"off"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AllowLogSymlinks off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_log</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.2rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN438"
></A
><H2
>Description</H2
><P
>By default, the server will check the path of any configured SystemLog, any configured
TransferLogs, and any configured ExtendedLogs to see if they are symbolic
links. If the paths are symbolic links, the server will refuse to log to that
link unless explicitly configured to do so via this directive.</P
><DIV
CLASS="REFSECT2"
><A
NAME="AEN441"
></A
><H3
>Security note:</H3
><P
>Security note: this behaviour should not be allowed except for
a very good reason. By allowing the server to open symbolic links with
its root privileges, you are allowing a potential symlink attack where
the server could be tricked into overwriting arbitrary system files.
You have been warned.</P
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN444"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN447"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>AllowLogSymlinks on</PRE
></DIV
><H1
><A
NAME="ALLOWOVERRIDE"
></A
>
AllowOverride</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN458"
></A
><H2
>Name</H2
>AllowOverride -- Toggles handling of .ftpaccess files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN461"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowOverride</B
> [ <CODE
CLASS="OPTION"
>on|off ["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN488"
></A
><H2
>Description</H2
><P
>Normally, the server will look for and parse any files in the encountered
directories called ".ftpaccess". The files provide a functionality
similar to Apache's .htaccess files -- mini-configuration files. This
directive controls when those .ftpaccess files will be parsed.</P
><P
>The optional parameters are used to restrict the use of .ftpaccess files only
to specific users. If the "user" restriction is given, then expression is a
user-expression specifying to which users the rule applies. Similarly for the
"group" restriction. For the "class" restriction, the expression is simply
the name of the connection class to which the rule will apply.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN492"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWOVERWRITE"
></A
>
AllowOverwrite</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN503"
></A
><H2
>Name</H2
>AllowOverwrite -- Enable files to be overwritten</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN506"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowOverwrite</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AllowOverwrite off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Directory>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN533"
></A
><H2
>Description</H2
><P
>The AllowOverwrite directive permits newly transferred files to overwrite
existing files. By default, ftp clients cannot overwrite existing files.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN536"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN539"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWRETRIEVERESTART"
></A
>
AllowRetrieveRestart</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN550"
></A
><H2
>Name</H2
>AllowRetrieveRestart -- Allow clients to resume downloads</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN553"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowRetrieveRestart</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AllowRetrieveRestart on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Directory>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN580"
></A
><H2
>Description</H2
><P
>The AllowRetrieveRestart directive permits or denies clients from
performing "restart" retrieve file transfers via the FTP
REST command. By default this is enabled, so that clients may resume
interrupted file transfers at a later time without losing previously
collected data.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN583"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWSTORERESTART"
>AllowStoreRestart</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN587"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWSTORERESTART"
></A
>
AllowStoreRestart</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN598"
></A
><H2
>Name</H2
>AllowStoreRestart -- Allow clients to resume uploads</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN601"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowStoreRestart</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AllowStoreRestart off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Directory>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN628"
></A
><H2
>Description</H2
><P
>The AllowStoreRestart directive permits or denies clients from
"restarting" interrupted store file transfers (those sent
from client to server). By default restarting (via the REST command) is
not permitted when sending files to the server. Care should be taken to
disallow anonymous ftp "incoming" transfers to be restarted,
as this will allow clients to corrupt or increase the size of previously
stored files (even if not their own).</P
><P
>The REST (Restart STOR) command is automatically blocked when HiddenStores is
enabled, with the server returning a 501 error code to the client.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN632"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWRETRIEVERESTART"
>AllowRetrieveRestart</A
>
<A
HREF="#DELETEABORTEDSTORES"
>DeleteAbortedStores</A
>
<A
HREF="#HIDDENSTORES"
>HiddenStores</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN638"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ALLOWUSER"
></A
>
AllowUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN649"
></A
><H2
>Name</H2
>AllowUser -- User based allow rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN652"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AllowUser</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] user-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN679"
></A
><H2
>Description</H2
><P
>AllowUser specifies a user-expression that is specifically permitted access
within the context of the <Limit> block it is applied to. user-expression
has a similar syntax as that used in AllowGroup, in that it should contain a
comma delimited list of users or "not" users (by prefixing a user
name with the `!' character) that are to be allowed access to the block.</P
><P
>By default, the expression is parsed as a boolean "OR" list, meaning
that ANY elements of the expression must evaluate to logically true in order
for the explicit allow to apply. In order to treat the expression as a boolean
"AND" list, meaning that ALL of the elements must evaluate to
logically true, use the optional "AND" keyword. Similarly, to treat
the expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN683"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYUSER"
>DenyUser</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
>
<A
HREF="#DENYGROUP"
>DenyGroup</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN689"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # A regular expression AllowUser directive
AllowUser regex ^ftp
# An AND-evaluated DenyUser directive
DenyUser AND system,test</PRE
></P
></DIV
><H1
><A
NAME="ANONRATIO"
></A
>
AnonRatio</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN701"
></A
><H2
>Name</H2
>AnonRatio -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN704"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AnonRatio</B
> [ <CODE
CLASS="OPTION"
>foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN731"
></A
><H2
>Description</H2
><P
>The AnonRatio directive ....</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN734"
></A
><H2
>See also</H2
><P
>AnonRatio</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN737"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ANONREJECTPASSWORDS"
></A
>
AnonRejectPasswords</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN748"
></A
><H2
>Name</H2
>AnonRejectPasswords -- Block certain anonymous user passwords</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN751"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AnonRejectPasswords</B
> [ <CODE
CLASS="OPTION"
>regex</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.9rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN778"
></A
><H2
>Description</H2
><P
>The AnonRejectPasswords directive configures a regular expression filter for
passwords given for anonymous logins. If the given anonymous password matches
the configured regular expression, the anonymous login is denied.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN781"
></A
><H2
>See also</H2
><P
><A
HREF="#ANONREQUIREPASSWORD"
>AnonRequirePassword</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN785"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
> # Reject all <Anonymous> logins whose password ends in "@evil.org"
AnonRejectPasswords @evil\.org$</PRE
></DIV
><H1
><A
NAME="ANONREQUIREPASSWORD"
></A
>
AnonRequirePassword</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN796"
></A
><H2
>Name</H2
>AnonRequirePassword -- Make anonymous users supply a valid password</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN799"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AnonRequirePassword</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AnonRequirePassword off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN826"
></A
><H2
>Description</H2
><P
>Normally, anonymous FTP logins do not require the client to authenticate themselves
via the normal method of a transmitted cleartext password which is hashed and
matched against an existing system user's password. Instead, anonymous logins
are expected to enter their e-mail address when prompted for a password. Enabling
the AnonRequirePassword directive requires anonymous logins to enter a valid
password which must match the password of the user that the anonymous daemon
runs as. However, when AuthUsingAlias is used,
authentication can instead be matched against the password of the login username.
This can be used to create "guest" accounts, which function
exactly as normal anonymous logins do (and thus present a
"chrooted"
protected file system to the client), but require a valid password on the server's
host system.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN829"
></A
><H2
>See also</H2
><P
><A
HREF="#ANONYMOUSGROUP"
>AnonymousGroup</A
>
<A
HREF="#AUTHALIASONLY"
>AuthAliasOnly</A
>
<A
HREF="#AUTHUSINGALIAS"
>AuthUsingAlias</A
></P
></DIV
><H1
><A
NAME="ANONYMOUS"
></A
>
Anonymous</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN843"
></A
><H2
>Name</H2
>Anonymous -- Define an anonymous server</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN846"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Anonymous</B
> [ <CODE
CLASS="OPTION"
>root-directory</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config,<VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN873"
></A
><H2
>Description</H2
><P
>The Anonymous configuration block is used to create an anonymous FTP
login, and is terminated by a matching </Anonymous> directive. The
root-directory parameter specifies which directory the daemon will
first chdir to, and then chroot, immediately after login. Once the chroot
operation successfully completes, higher level directories are no longer
accessible to the running child daemon (and thus the logged in user). By
default, proftpd assumes an anonymous login if the remote client attempts
to login as the currently running user; unless the current user is root,
in which case anonymous logins are not allowed regardless of the presence
of an <Anonymous> block. To force anonymous logins to be bound to
a user other than the current user, see the User and Group directives. In
addition, if a User or Group directive is present in an <Anonymous>
block, the daemon permanently switches to the specified uid/gid before
chroot()ing. Normally, anonymous logins are not required to authenticate
with a password, but are expected to enter a valid e-mail address in place
of a normal password (which is logged). If this behavior is undesirable
for a given <Anonymous> configuration block, it can be overridden
via the AnonRequirePassword directive.</P
><P
>Note: Chroot()ed anonymous directories do not need to have supplemental
system files in them, nor do they need to have any sort of specific
directory structure. This is because proftpd is designed to acquire as
much system information as possible before the chroot, and to leave open
those files which are needed for normal operation and reside outside
the new root directory.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN877"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN880"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>Example of a typical anonymous FTP configuration:
<Anonymous /home/ftp>
# After anonymous login, daemon runs as user/group ftp.
User ftp
Group ftp
# The client login 'anonymous' is aliased to the "real" user 'ftp'.
UserAlias anonymous ftp
# Deny write operations to all directories, except for 'incoming' where
# 'STOR' is allowed (but 'READ' operations are prohibited)
<Directory *>
<Limit WRITE>
DenyAll
</Limit>
</Directory>
<Directory incoming>
<Limit READ >
DenyAll
</Limit>
<Limit STOR>
AllowAll
</Limit>
</Directory>
</Anonymous></PRE
><P
></P
></DIV
><H1
><A
NAME="ANONYMOUSGROUP"
></A
>
AnonymousGroup</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN892"
></A
><H2
>Name</H2
>AnonymousGroup -- Treat group members as anonymous users</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN895"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AnonymousGroup</B
> [ <CODE
CLASS="OPTION"
>group-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.3 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN922"
></A
><H2
>Description</H2
><P
>The AnonymousGroup directive specifies a group-expression to which all
matching users will be considered anonymous logins. The group-expression
argument is a boolean, logically ANDed list of groups of which the user
must be a member (or non-member if the group name is prefixed with
a `!' character). For more information on group-expressions see the
DefaultRoot directive. If the authenticating user is matched by an
AnonymousGroup directive, no valid password is required, and a special
dynamic anonymous configuration is created, with the user's home directory
as the default root directory. If a DefaultRoot directive also applies
to the user, this directory is used instead of the user's home dir.
Great care should be taken when using AnonymousGroup, as improper
configuration can open up user home directories to full read/write access
to the entire world.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN925"
></A
><H2
>See also</H2
><P
><A
HREF="#AUTHALIASONLY"
>AuthAliasOnly</A
>
<A
HREF="#AUTHUSINGALIAS"
>AuthUsingAlias</A
>
<A
HREF="#ANONREQUIREPASSWORD"
>AnonRequirePassword</A
>
<A
HREF="#DEFAULTROOT"
>DefaultRoot</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN932"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="AUTHALIASONLY"
></A
>
AuthAliasOnly</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN943"
></A
><H2
>Name</H2
>AuthAliasOnly -- Allow only aliased login names</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN946"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthAliasOnly</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AuthAliasOnly off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.3 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN973"
></A
><H2
>Description</H2
><P
>AuthAliasOnly restricts authentication to "aliased" logins only;
i.e. those usernames provided by clients which are "mapped"
to a real userid by the UserAlias directive. Turning AuthAliasOnly `on'
in a particular context will cause proftpd to completely ignore all
non-aliased logins for the entire context. If no contexts are available
without AuthAliasOnly set to `on', proftpd rejects the client login and
sends an appropriate message to syslog.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN976"
></A
><H2
>See also</H2
><P
><A
HREF="#ANONYMOUSGROUP"
>AnonymousGroup</A
>
<A
HREF="#AUTHUSINGALIAS"
>AuthUsingAlias</A
>
<A
HREF="#ANONREQUIREPASSWORD"
>AnonRequirePassword</A
>
<A
HREF="#USERALIAS"
>UserAlias</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN983"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="AUTHGROUPFILE"
></A
>
AuthGroupFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN994"
></A
><H2
>Name</H2
>AuthGroupFile -- Specify alternate group file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN997"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthGroupFile</B
> [ <CODE
CLASS="OPTION"
>path</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth_file</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.0.3/1.1.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1024"
></A
><H2
>Description</H2
><P
>AuthGroupFile specifies an alternate groups file, having the same
format as the system /etc/group file, and if specified is used
during authentication and group lookups for directory/access control
operations. The path argument should be the full path to the specified
file. AuthGroupFile can be configured on a per-VirtualHost basis, so
that virtual FTP servers can each have their own authentication database
(most often used in conjunction with AuthUserFile).</P
><P
>Note that this file need not reside inside a chroot()ed directory
structure for Anonymous or DefaultRoot logins, as it is held open for
the duration of client connections.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1028"
></A
><H2
>See also</H2
><P
><A
HREF="#AUTHUSERFILE"
>AuthUserFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1032"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="AUTHORDER"
></A
>
AuthOrder</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1043"
></A
><H2
>Name</H2
>AuthOrder -- Configure auth module checking order</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1046"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthOrder</B
> [ <CODE
CLASS="OPTION"
>module-name</CODE
>...]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1073"
></A
><H2
>Description</H2
><P
>The AuthOrder directive configures the names of auth modules, and the
order in which they will be checked when authenticating a user.</P
><P
>At least one module name must be given; there is no maximum number of modules
that can be listed. The listed module names must be the full name of the source
file, e.g. "mod_auth_unix.c". To see a full list of module names, use
"proftpd -l". Do not use "mod_auth.c", as that module is the authentication
front end module, and is necessary. </P
><P
>You can make an auth module be "authoritative" by appending an asterisk (*)
after the module name. Usually this is done for the "mod_auth_pam.c" module,
to ensure that the login fails if the PAM check fails.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1078"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
> # Use only AuthUserFiles when authenticating, and not the system's /etc/passwd
AuthOrder mod_auth_file.c</PRE
><PRE
CLASS="PROGRAMLISTING"
> # If the user's information is not in LDAP, they are not allowed to use
# this server.
AuthOrder mod_ldap.c</PRE
><PRE
CLASS="PROGRAMLISTING"
> # Use SQL tables first, then LDAP, for authentication
AuthOrder mod_sql.c mod_ldap.c</PRE
><PRE
CLASS="PROGRAMLISTING"
> # Use the normal system /etc/passwd and PAM, but make sure that PAM is
# authoritative about accepting or rejecting the login
AuthOrder mod_auth_pam.c* mod_auth_unix.c</PRE
></DIV
><H1
><A
NAME="AUTHPAM"
></A
>
AuthPAM</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1092"
></A
><H2
>Name</H2
>AuthPAM -- Enable/Disable PAM authentication</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1095"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthPAM</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config,<VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth_pam</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1122"
></A
><H2
>Description</H2
><P
>This directive determines whether PAM is used as an authentication
method by ProFTPD. Enabled by default to fit in with the design
policy of using PAM as the primary authentication mechanism.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1125"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1128"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="AUTHPAMCONFIG"
></A
>
AuthPAMConfig</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1139"
></A
><H2
>Name</H2
>AuthPAMConfig -- Select PAM service name</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1142"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthPAMConfig</B
> [ <CODE
CLASS="OPTION"
>service</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ftp</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config,<VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth_pam</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1169"
></A
><H2
>Description</H2
><P
>This directive allows you to specify the PAM service name used in
authentication. PAM allows you to specify a service name to use when
authenticating. This allows you to configure different PAM service names
to be used for different virtual hosts. The directive was renamed from
PAMConfig post 1.2.0 pre10.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1172"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1175"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
># Virtual host foobar authenticates differently than the rest
AuthPAMConfig foobar
# This assumes, that you have a PAM service named foobar
# configured in your /etc/pam.conf file or /etc/pam.d directory. </PRE
></P
></DIV
><H1
><A
NAME="AUTHUSERFILE"
></A
>
AuthUserFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1187"
></A
><H2
>Name</H2
>AuthUserFile -- Specify alternate passwd file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1190"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthUserFile</B
> [ <CODE
CLASS="OPTION"
>path</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config,<VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth_file</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.0.3/1.1.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1217"
></A
><H2
>Description</H2
><P
>AuthUserFile specifies an alternate passwd file, having the same
format as the system /etc/passwd file, and if specified is used
during authentication and user lookups for directory/access control
operations. The path argument should be the full path to the specified
file. AuthUserFile can be configured on a per-VirtualHost basis, so
that virtual FTP servers can each have their own authentication database
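(most often used in conjunction with AuthGroupFile). Since the file is used
for authentication, it should not be readable or writable by ordinary users.</P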
><P
>Note that this file need not reside inside a chroot()ed directory
structure for Anonymous or DefaultRoot logins, as it is held open for
the duration of client connections.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1221"
></A
><H2
>See also</H2
><P
><A
HREF="#AUTHGROUPFILE"
>AuthGroupFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1225"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="AUTHUSINGALIAS"
></A
>
AuthUsingAlias</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1236"
></A
><H2
>Name</H2
>AuthUsingAlias -- Authenticate via Alias-name instead of mapped username</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1239"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>AuthUsingAlias</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>AuthUsingAlias off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre9 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1266"
></A
><H2
>Description</H2
><P
>When enabled, AuthUsingAlias disables the resolving of mapped usernames for
authentication purposes. For example, if you have mapped the username
anonymous to the "real" user ftp, the password gets checked against the
user "anonymous". When AuthUsingAlias is disabled, the checked username
would be "ftp".</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1269"
></A
><H2
>See also</H2
><P
><A
HREF="#ANONYMOUSGROUP"
>AnonymousGroup</A
>
<A
HREF="#AUTHALIASONLY"
>AuthAliasOnly</A
>
<A
HREF="#ANONREQUIREPASSWORD"
>AnonRequirePassword</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1275"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>An example of an Anonymous configuration using
AuthUsingAlias
# Basic Read-Only Anonymous Configuration.
<Anonymous /home/ftp>
UserAlias anonymous nobody
UserAlias ftp nobody
AuthAliasOnly on
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
# Give Full Read-Write Anonymous Access to certain users
<Anonymous /home/ftp>
AnonRequirePassword on
AuthAliasOnly on
AuthUsingAlias on
# The list of authorized users.
# user/pass lookup is for each user, not password entry
# of server uid ('nobody' in this example).
UserAlias fred nobody
UserAlias joe nobody
<Limit ALL>
AllowAll
</Limit>
</Anonymous></PRE
><P
></P
></DIV
><H1
><A
NAME="BIND"
></A
>
Bind</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1287"
></A
><H2
>Name</H2
>Bind -- Bind the server or Virtualhost to a specific IP address [deprecated]</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1290"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Bind</B
> [ <CODE
CLASS="OPTION"
>IP address</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6 - 1.3.0rc1</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1317"
></A
><H2
>Description</H2
><P
>Because it caused too much confusion, this directive has been deprecated as of
ProFTPD 1.3.0rc1.
Please take a look at the <A
HREF="#VIRTUALHOST"
>VirtualHost</A
> and
<A
HREF="#DEFAULTADDRESS"
>DefaultAddress</A
> directive.
The Bind directive allows additional IP addresses to be bound to a main
or VirtualHost configuration. Multiple Bind directives can be used to
bind multiple addresses. The address argument should be either a fully
qualified domain name or a numeric dotted-quad IP address. Incoming
connections destined to an additional address added by Bind are serviced
by the context containing the directive. Additionally, if SocketBindTight
is set to on, a specific listen connection is created for each additional
address.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1322"
></A
><H2
>See also</H2
><P
><A
HREF="#VIRTUALHOST"
>VirtualHost</A
>
<A
HREF="#DEFAULTADDRESS"
>DefaultAddress</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1327"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="BYTERATIOERRMSG"
></A
>
ByteRatioErrMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1338"
></A
><H2
>Name</H2
>ByteRatioErrMsg -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1341"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ByteRatioErrMsg</B
> [ <CODE
CLASS="OPTION"
>foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1368"
></A
><H2
>Description</H2
><P
>The ByteRatioErrMsg directive ....
Example:
ByteRatioErrMsg</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1371"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1374"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="CAPABILITIESENGINE"
></A
>
CapabilitiesEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1385"
></A
><H2
>Name</H2
>CapabilitiesEngine -- Enable/disable mod_cap</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1388"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CapabilitiesEngine</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>CapabilitiesEngine On, if running on a Linux host that supports capabilities</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_cap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1416"
></A
><H2
>Description</H2
><P
>The CapabilitiesEngine directive enables or disables the module's
runtime capabilities engine. If set to off, this module does no runtime
capabilities processing at all. Use this directive to disable the
module.</P
></DIV
><H1
><A
NAME="CAPABILITIESSET"
></A
>
CapabilitiesSet</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1427"
></A
><H2
>Name</H2
>CapabilitiesSet -- Configure the set of Linux capabilities processed</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1430"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CapabilitiesSet</B
> [ <CODE
CLASS="OPTION"
>[+/-]capability</CODE
>...]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>CapabilitiesSet +CAP_CHOWN</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_cap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1457"
></A
><H2
>Description</H2
><P
>By default, mod_cap removes all but two capabilities from the
session-handling process: CAP_NET_BIND_SERVICE, for binding to ports lower
than 1024 (required for active data transfers), and CAP_CHOWN, for
allowing a process to change a file's ownership to a different user. The
latter capability is only strictly necessary if the UserOwner
configuration directive is in use; if not being used, the CAP_CHOWN
capability is best removed. The CapabilitiesSet directive is used to
manipulate the set of capabilities that mod_cap grants.</P
><P
>To remove a capability, prefix the name with a '-'; to enable a
capability, use '+'. At present, this directive only supports one
capability: CAP_CHOWN.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1461"
></A
><H2
>Example</H2
><P
> <IfModule mod_cap.c>
CapabilitiesEngine on
CapabilitiesSet -CAP_CHOWN
</IfModule></P
></DIV
><H1
><A
NAME="CDPATH"
></A
>
CDPath</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1472"
></A
><H2
>Name</H2
>CDPath -- Sets "search paths" for the cd command</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1475"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CDPath</B
> [ <CODE
CLASS="OPTION"
>directory</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1502"
></A
><H2
>Description</H2
><P
>Adds an entry to a search path that is used when changing directories. For
example:
CDPath /home/public
CDPath /var/devel
This allows a user to cd into any directory directly under /home/public or /var/devel,
provided they have the appropriate rights. So, if /home/public/proftpd exists,
cd proftpd will bring the user to that directory, regardless of where
they currently are in the directory tree.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1505"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1508"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="CLASS"
></A
>
Class</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1519"
></A
><H2
>Name</H2
>Class -- Define a class of client connections</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1522"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>VirtualHost</B
> [ <CODE
CLASS="OPTION"
><Class name></CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1549"
></A
><H2
>Description</H2
><P
>When configuring proftpd, it is sometimes nice, or even necessary, to tag or
label a client as belonging to some group, based on that client's IP address
or DNS hostname. A "class" is the name for such connection-based groupings in
ProFTPD terms. A class is defined to have a name, and as having certain
criteria such as IP addresses, IP subnets/masks, and DNS hostnames. A client
that connects to the daemon that has matching characteristics is then labeled
as belonging to that class.</P
><P
>Within a <Class> section, the From directive is used to list the
IP addresses, IP subnet/masks, and DNS names that make up the class.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1553"
></A
><H2
>See also</H2
><P
>From</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1557"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> <FONT
COLOR="RED"
> From 192.168.0.0/16
</FONT
></P
><P
>This defines a class named "internal"; any client connecting from
192.168.0.0/16 will belong to this class. And if you wanted to define a class
for all clients not connecting from 192.168.0.0/16 address space:</P
><P
CLASS="LITERALLAYOUT"
> <FONT
COLOR="RED"
> From !192.168.0.0/16
</FONT
></P
><P
>A more complicated class might include matching DNS names as well:</P
><P
CLASS="LITERALLAYOUT"
> <FONT
COLOR="RED"
> From 1.2.3.4
From proxy.*.com
From my.example.com
From 5.6.7.8
</FONT
></P
></DIV
><H1
><A
NAME="COMMANDBUFFERSIZE"
></A
>
CommandBufferSize</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1575"
></A
><H2
>Name</H2
>CommandBufferSize -- Limit the maximum command length</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1578"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CommandBufferSize</B
> [ <CODE
CLASS="OPTION"
>size</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>512</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1605"
></A
><H2
>Description</H2
><P
>The CommandBufferSize directive controls the maximum command length permitted
to be sent to the server. This allows you to control the longest command the
server will accept, and can help protect the server from various
Denial of Service or resource-consumption attacks. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1608"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1611"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="CREATEHOME"
></A
>
CreateHome</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1622"
></A
><H2
>Name</H2
>CreateHome -- Create and populate users' home directories as needed</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1625"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CreateHome</B
> [ <CODE
CLASS="OPTION"
>off|on [<mode>] [skel <path>] [dirmode <mode>] [uid <uid>] [gid <gid>]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc2 and later</P
></DD
><DD
><P
>1.3.1rc1 and later for uid, gid arguments</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1654"
></A
><H2
>Description</H2
><P
>The CreateHome directive configures the server to automatically create a
user's home directory, if that directory does not exist, during the login
process.</P
><P
>The mode parameter is used to configure the absolute mode of the home directory
created. If not specified, the module will default to 700.</P
><P
>The optional skel path parameter can be used to configure an /etc/skel-like
directory containing account initialization files and directories. The
parameter must be the full path to the directory. The directory must not be
world-writeable. Files copied from this directory into the new home directory
will have the UID and GID of the logging-in user. Note that sockets and FIFOs
in the skeleton directory will not be copied; any setuid or setgid bits on
files will be removed from the copied files in the target home directory.</P
><P
>The optional dirmode, uid, and gid parameters can be used to specify the
mode, owner, and group for intermediate directories that may need to be
created in order to create the target home directory. By default, the mode
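for such intermediate directories will be 711. NOTE: using a mode that does
not allow for the execute bit to be enabled can cause havoc, since a directory
without the execute (search) bit cannot be traversed to reach the home
directory beneath it. You have been warned.</P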
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1660"
></A
><H2
>Examples</H2
><P
> # Use the CreateHome default settings
CreateHome on</P
><P
> # Specify a skeleton directory
CreateHome on skel /etc/ftpd/skel</P
><P
> # No skeleton, but make sure that intermediate directories have 755
# permissions.
CreateHome on dirmode 755</P
><P
> # Skeleton directory, with 700 intermediate directories
CreateHome on skel /etc/ftpd/skel dirmode 700</P
></DIV
><H1
><A
NAME="CWDRATIOMSG"
></A
>
CwdRatioMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1674"
></A
><H2
>Name</H2
>CwdRatioMsg -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1677"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>CwdRatioMsg</B
> [ <CODE
CLASS="OPTION"
>foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1704"
></A
><H2
>Description</H2
><P
>The CwdRatioMsg directive ....
Example:
CwdRatioMsg</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1707"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1710"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DEBUGLEVEL"
></A
>
DebugLevel</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1721"
></A
><H2
>Name</H2
>DebugLevel -- Set the debugging output level</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1724"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DebugLevel</B
> [ <CODE
CLASS="OPTION"
>level</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DebugLevel 0</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1751"
></A
><H2
>Description</H2
><P
>The DebugLevel directive configures the debugging level the server will use
when logging. The level parameter must be between 0 (lowest) and 10 (highest).
This configuration directive will take precedence over any command-line
debugging options used.</P
></DIV
><H1
><A
NAME="DEFAULTADDRESS"
></A
>
DefaultAddress</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1762"
></A
><H2
>Name</H2
>DefaultAddress -- Set the address for the server to listen on</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1765"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DefaultAddress</B
> [ <CODE
CLASS="OPTION"
>dns-names|ip-addresses separated with spaces</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1792"
></A
><H2
>Description</H2
><P
>This directive sets the address the main server instance will bind
to; the default behaviour is to select whatever IP the system reports
as being the primary IP.</P
><P
>Starting with ProFTPD 1.3.0rc1 it's possible to use more than one FQDN or IP
Address. With this change the old Bind directive has been deprecated.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1796"
></A
><H2
>See also</H2
><P
><A
HREF="#VIRTUALHOST"
>VirtualHost</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1800"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>ServerName "Default FTP Server"<br>
Port 21<br>
<br>
# We want the main server instance to listen on a specific IP<br>
DefaultAddress 192.168.10.30<br>
<br>
## Since 1.3.0rc1 it's also possible to use the following:<br>
# DefaultAddress 192.168.10.30 my.domain.tld</P
></DIV
><H1
><A
NAME="DEFAULTCHDIR"
></A
>
DefaultChdir</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1811"
></A
><H2
>Name</H2
>DefaultChdir -- Set starting directory for FTP sessions</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1814"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DefaultChdir</B
> [ <CODE
CLASS="OPTION"
>directory [group-expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>~</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1841"
></A
><H2
>Description</H2
><P
>Determines the directory a user is placed in after logging in.
By default, the user is put in their home directory. The specified
directory can be relative to the user's home directory.
NOTE: If the specified directory is not available then DefaultChdir
is treated as if it wasn't there in the first place. In particular,
in this case the directory a user is placed in after logging in is
determined by the other settings in proftpd.conf.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1844"
></A
><H2
>See also</H2
><P
><A
HREF="#DEFAULTROOT"
>DefaultRoot</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1848"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DEFAULTROOT"
></A
>
DefaultRoot</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1859"
></A
><H2
>Name</H2
>DefaultRoot -- Sets default chroot directory</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1862"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DefaultRoot</B
> [ <CODE
CLASS="OPTION"
>directory [group-expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DefaultRoot /</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1889"
></A
><H2
>Description</H2
><P
>The DefaultRoot directive controls the default root directory assigned
to a user upon login. If DefaultRoot is set to a directory other than
"/", a chroot operation is performed immediately after a client
authenticates. This can be used to effectively isolate the client from
a portion of the host system filespace. The specified root directory
must begin with a / or can be the magic character '~'; meaning that the
client is chroot jailed into their home directory.</P
><P
>When the specified chroot directory is a symlink, it will be resolved
to its parent first before setting up the chroot. This can have
unwanted side effects. For example, if a user has write access to the
symlink they could modify it so that it points to '/'. Thus the chroot
would be the root directory of the server, resulting in insufficient or no
restrictions. For this reason, the configured path and any symlink in it
should not be writable by the users being confined.</P
><P
>If the DefaultRoot directive specifies a directory which disallows
access to the logged-in user's home directory, the user's current
working directory after login is set to the DefaultRoot instead of their
normal home directory. DefaultRoot cannot be used in <Anonymous>
configuration blocks, as the <Anonymous> directive explicitly
contains a root directory used for Anonymous logins. The special
character '~' is replaced with the authenticating user's home directory
immediately after login. Note that the default root may be a subdirectory
of the home directory, such as "~/anon-ftp".</P
><P
>The optional group-expression argument can be used to restrict the
DefaultRoot directive to a unix group, groups or subset of groups. The
expression takes the format: [!]group-name1[,[!]group-name2[,...]]. The
expression is parsed in a logical boolean AND fashion, such that each
member of the expression must evaluate to logically TRUE in order for
the DefaultRoot directive to apply. The special character '!' is used
to negate group membership.</P
><P
>Care should be taken when using DefaultRoot. Chroot "jails"
should not be used as methods for implementing general system security
as there are potentially ways that a user can "escape" the jail.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1896"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1899"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>Example of a DefaultRoot configuration:
ServerName "A test ProFTPD Server"
ServerType inetd
User ftp
Group ftp
#
# This causes proftpd to perform a chroot into the authenticating user's directory
# immediately after login.
# Once this happens, the user is unable to "see" higher level directories.
# Because a group-expression is included, only users who are a member of
# the group 'users' and NOT a member of 'staff' will have their default
# root directory set to '~'.
DefaultRoot ~ users,!staff
... </PRE
><P
></P
></DIV
><H1
><A
NAME="DEFAULTSERVER"
></A
>
DefaultServer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1911"
></A
><H2
>Name</H2
>DefaultServer -- Set the default server</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1914"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DefaultServer</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DefaultServer off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config,<VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1941"
></A
><H2
>Description</H2
><P
>The DefaultServer directive controls which server configuration is used as
the default when an incoming connection is destined for an IP address which
is neither the host's primary IP address nor one of the addresses specified in
a <VirtualHost> configuration block. Normally such
"unknown" connections are issued a "no server available to service
your request" message and disconnected. When DefaultServer is turned on
for either the primary server configuration or a virtual server, all unknown
destination connections are serviced by the default server. Only a single server
configuration can be set to default.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1944"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1947"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DEFAULTTRANSFERMODE"
></A
>
DefaultTransferMode</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN1958"
></A
><H2
>Name</H2
>DefaultTransferMode -- Set the default method of data transfer</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN1961"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DefaultTransferMode</B
> [ <CODE
CLASS="OPTION"
>ascii|binary</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DefaultTransferMode ascii</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre9 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1988"
></A
><H2
>Description</H2
><P
>DefaultTransferMode sets the default transfer mode of the server. By default,
carriage-return/linefeed translation will be performed (ASCII mode).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1991"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN1994"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DEFERWELCOME"
></A
>
DeferWelcome</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2005"
></A
><H2
>Name</H2
>DeferWelcome -- Don't show welcome message until user has authenticated</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2008"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DeferWelcome</B
> [ <CODE
CLASS="OPTION"
>DeferWelcome on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DeferWelcome off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2035"
></A
><H2
>Description</H2
><P
>The DeferWelcome directive configures a master or
virtual server to delay transmitting the
ServerName and address to new connections,
until a client has successfully authenticated. If enabled, the initial welcome
message will be exceedingly generic and will not give away any type of information
about the host that the daemon is actively running on. This can be used by security-conscious
administrators to limit the amount of "probing" possible from non-trusted
networks/hosts.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2038"
></A
><H2
>See also</H2
><P
><A
HREF="#SERVERIDENT"
>ServerIdent</A
>
<A
HREF="#SERVERNAME"
>ServerName</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2043"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DEFINE"
></A
>
Define</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2054"
></A
><H2
>Name</H2
>Define -- Initialises Defines for IfDefine</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2057"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Define</B
> [ <CODE
CLASS="OPTION"
>parameter-name</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>any context</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2084"
></A
><H2
>Description</H2
><P
>This directive is used to initialise defines for use in conjunction with
the IfDefine directive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2087"
></A
><H2
>See also</H2
><P
><A
HREF="#IFDEFINE"
>IfDefine</A
>,
<A
HREF="#IFMODULE"
>IfModule</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2092"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>Define LoadLimiting<br>
Define HighPerformanceSetup</P
></DIV
><H1
><A
NAME="DELAYENGINE"
></A
>
DelayEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2103"
></A
><H2
>Name</H2
>DelayEngine -- Control the use of mod_delay</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2106"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DelayEngine</B
> [ <CODE
CLASS="OPTION"
> on|off </CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> DelayEngine on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_delay</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2133"
></A
><H2
>Description</H2
><P
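>The DelayEngine directive enables or disables the module's runtime delaying
calculations. If it is set to off, this module does no delaying. Use this
directive to disable the module. mod_delay adds these delays to make
timing-based information leaks during login harder to measure, so turning it
off removes that protection.</P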
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2136"
></A
><H2
>See also</H2
><P
><A
HREF="#DELAYTABLE"
>DelayTable</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2140"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> <IfModule mod_delay.c><br>
DelayEngine off<br>
</IfModule></P
></DIV
><H1
><A
NAME="DELAYTABLE"
></A
>
DelayTable</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2151"
></A
><H2
>Name</H2
>DelayTable -- Sets the name and path of the file used as the timing
table</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2154"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DelayTable</B
> [ <CODE
CLASS="OPTION"
> path </CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DelayTable var/proftpd/proftpd.delay</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_delay</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2181"
></A
><H2
>Description</H2
><P
>The DelayTable directive configures a path to a file that mod_delay uses for
storing its timing data. The given path must be an absolute path. It is
recommended that this file not be on an NFS mounted partition.</P
><P
>Note that timing data is kept across daemon stop/starts. When new <VirtualHost>s
are added to the configuration, though, mod_delay will detect that it does not
have a suitable DelayTable for the new configuration, and will clear all stored data.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2185"
></A
><H2
>See also</H2
><P
><A
HREF="#DELAYENGINE"
>DelayEngine</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2189"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="DELETEABORTEDSTORES"
></A
>
DeleteAbortedStores</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2199"
></A
><H2
>Name</H2
>DeleteAbortedStores -- Enable automatic deletion of partially uploaded HiddenStores files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2202"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DeleteAbortedStores</B
> [ <CODE
CLASS="OPTION"
>DeleteAbortedStores on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server, <VirtualHost>, <Directory>, <Anonymous>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2229"
></A
><H2
>Description</H2
><P
>The DeleteAbortedStores directive controls whether ProFTPD
deletes partially uploaded HiddenStores files if the transfer is stopped via
the ABOR command rather than a connection failure.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2232"
></A
><H2
>See also</H2
><P
><A
HREF="#HIDDENSTORES"
>HiddenStores</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2236"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DENY"
></A
>
Deny</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2247"
></A
><H2
>Name</H2
>Deny -- Access control directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2250"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Deny</B
> [ <CODE
CLASS="OPTION"
>Deny ["from"] "all"|"none"|host|network[,host|network[,...]]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2277"
></A
><H2
>Description</H2
><P
>The Deny directive is used to create a list of hosts and/or networks which
will explicitly be denied access to a given <Limit> context block. The
magic keywords "ALL" and "NONE" can be used to indicate that all hosts are
denied access, or that no hosts are explicitly denied (respectively). For more
information on the syntax and usage of Deny see: Allow
and Order.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2280"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOW"
>Allow</A
>
<A
HREF="#ORDER"
>Order</A
>
<A
HREF="#LIMIT"
>Limit</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2286"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DENYALL"
></A
>
DenyAll</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2297"
></A
><H2
>Name</H2
>DenyAll -- Deny all clients</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2300"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DenyAll</B
> [ <CODE
CLASS="OPTION"
>DenyAll</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2327"
></A
><H2
>Description</H2
><P
>The DenyAll directive is analogous to a combination of "order
deny,allow <cr> deny from all", with the exception that it
has a higher precedence when parsed. It is provided as a convenient
method of completely denying access to a directory, anonymous ftp or
limit block. Because of its precedence, it should not be intermixed with
normal Order/Deny directives. The DenyAll directive can be overridden
at a lower level directory by using AllowAll. DenyAll and AllowAll are
mutually exclusive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2330"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWALL"
>AllowAll</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2334"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DENYCLASS"
></A
>
DenyClass</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2345"
></A
><H2
>Name</H2
>DenyClass -- Class based deny rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2348"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DenyClass</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] class-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2375"
></A
><H2
>Description</H2
><P
>DenyClass specifies a class-expression that is specifically denied access
within the context of the <Limit> block it is applied to. class-expression
has a syntax similar to that used in AllowGroup, in that it should contain a
comma delimited list of classes or "not" classes (by prefixing a
class name with the `!' character) that are to be denied access to the
block.</P
><P
>By default, the expression is parsed as a boolean "OR" list, meaning
that ANY element of the expression must evaluate to logically true in order
for the explicit deny to apply. In order to treat the expression as a boolean
"AND" list, meaning that ALL of the elements must evaluate to
logically true, use the optional "AND" keyword. Similarly, to treat
the expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2379"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWUSER"
>AllowUser</A
>
<A
HREF="#DENYUSER"
>DenyUser</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
>
<A
HREF="#DENYGROUP"
>DenyGroup</A
>
<A
HREF="#ALLOWCLASS"
>AllowClass</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2387"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # A regular expression AllowClass directive
AllowClass regex ^known
# An AND-evaluated DenyClass directive
DenyClass AND bad,scanner</PRE
></P
></DIV
><H1
><A
NAME="DENYFILTER"
></A
>
DenyFilter</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2399"
></A
><H2
>Name</H2
>DenyFilter -- Regular expression of command arguments to be blocked</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2402"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DenyFilter</B
> [ <CODE
CLASS="OPTION"
>DenyFilter regular-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2429"
></A
><H2
>Description</H2
><P
>Similar to AllowFilter, DenyFilter specifies a regular expression
which must not match any of the command arguments. If the regex does
match, a "Forbidden command" error is returned to the client. This can
be especially useful for forbidding certain command argument
combinations from ever reaching ProFTPD.</P
><P
><SPAN
CLASS="emphasis"
><I
CLASS="EMPHASIS"
>Notes:</I
></SPAN
> The 'PASV' command cannot be blocked using
this directive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2434"
></A
><H2
>See also</H2
><P
>AllowFilter</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2437"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
># We don't want to allow any commands with % being sent to the server
DenyFilter "%"</PRE
><P
></P
></DIV
><H1
><A
NAME="DENYGROUP"
></A
>
DenyGroup</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2449"
></A
><H2
>Name</H2
>DenyGroup -- Group based deny rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2452"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DenyGroup</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] group-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2479"
></A
><H2
>Description</H2
><P
>DenyGroup specifies a group-expression that is specifically
denied within the context of the
<Limit> block it is applied to. group-expression
has the same format as that used in DefaultRoot,
in that it should contain a comma separated list of groups or "not"
groups (by prefixing a group name with the `!' character) that are to be denied
access to the block.</P
><P
>By default, the expression is parsed as a boolean "AND" list, meaning
that ALL elements of the expression must evaluate to logically true in order
for the explicit deny to apply. In order to treat the expression as a boolean
"OR" list, meaning that ANY of the elements must evaluate to logically
true, use the optional "OR" keyword. Similarly, to treat the
expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2483"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYUSER"
>DenyUser</A
>,
<A
HREF="#ALLOWUSER"
>AllowUser</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2489"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # An OR-evaluated AllowGroup directive
AllowGroup OR www,doc
# A regular expression DenyGroup directive
DenyGroup regex ^sys</PRE
></P
></DIV
><H1
><A
NAME="DENYUSER"
></A
>
DenyUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2501"
></A
><H2
>Name</H2
>DenyUser -- User based deny rules</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2504"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DenyUser</B
> [ <CODE
CLASS="OPTION"
>["AND"|"OR"|"regex"] user-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2531"
></A
><H2
>Description</H2
><P
>DenyUser specifies a user-expression that is specifically denied within
the context of the <Limit> block it is applied to. user-expression
is a comma delimited list of users or "not" users (by prefixing
a user name with the `!' character).</P
><P
>By default, the expression is parsed as a boolean "OR" list, meaning
that ANY element of the expression must evaluate to logically true in order
for the explicit deny to apply. In order to treat the expression as a boolean
"AND" list, meaning that ALL of the elements must evaluate to
logically true, use the optional "AND" keyword. Similarly, to treat
the expression as a regular expression, use the "regex" keyword.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2535"
></A
><H2
>See also</H2
><P
><A
HREF="#DENYGROUP"
>DenyGroup</A
>,
<A
HREF="#ALLOWUSER"
>AllowUser</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2541"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> # A regular expression AllowUser directive
AllowUser regex ^ftp
# An AND-evaluated DenyUser directive
DenyUser AND system,test</PRE
></P
></DIV
><H1
><A
NAME="DIRECTORY"
></A
>
Directory</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2553"
></A
><H2
>Name</H2
>Directory -- Directory-limited configuration directives</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2556"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Directory</B
> [ <CODE
CLASS="OPTION"
><Directory pathname></CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2583"
></A
><H2
>Description</H2
><P
>This directive creates a block of configuration directives which applies only
to the specified directory and its sub-directories. The block is ended with
</Directory>. Per-directory configuration is enabled during run-time with
a "closest" match algorithm, meaning that the <Directory> directive
with the closest matching path to the actual pathname of the file or directory
in question is used. Per-directory configuration is inherited by all sub-directories
until a closer matching <Directory> is encountered, at which time the
original per-directory configuration is replaced with the closer match. Note
that this does not apply to <Limit> </Limit> blocks, which are
inherited by all sub-directories until a <Limit> block is reached in a
closer match.</P
><P
> A trailing slash and wildcard ("/*") can be appended to the
directory, specifying that the configuration block applies only to the contents
(and sub-contents), not to the actual directory itself. Such wildcard matches
always take precedence over non-wildcard <Directory> configuration
blocks. <Directory> blocks cannot be nested (they are automatically
nested at run-time based on their pathnames). Pathnames must always be absolute
(except inside <Anonymous>), and should not reference symbolic links.
Pathnames inside an <Anonymous> block can be relative, indicating that
they are based on the anonymous root directory.</P
><P
>[Notes for ProFTPD 1.1.3 and later only]
Pathnames that begin with the special character '~' and do not specify
a username immediately after ~ are put into a special deferred mode.
When in deferred mode, the directory context is not hashed and sorted into the
configuration tree at boot time, but rather this hashing is deferred until a
user authenticates, at which time the '~' character is replaced with the user's
home directory. This allows a global <Directory> block which applies to
all users' home directories, or sub-directories thereof. This feature is not
supported within an <Anonymous> block.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2588"
></A
><H2
>See also</H2
><P
><A
HREF="#LIMIT"
>Limit</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2592"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
>#Default usage of the directory directive
<Directory /users/robroy/private>
HideNoAccess on
</Directory>
#Example with username-expanding
<Directory ~/anon-ftp>
<Limit WRITE>
DenyAll
</Limit>
</Directory></PRE
></P
></DIV
><H1
><A
NAME="DIRFAKEGROUP"
></A
>
DirFakeGroup</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2604"
></A
><H2
>Name</H2
>DirFakeGroup -- Hide real file/directory group</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2607"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DirFakeGroup</B
> [ <CODE
CLASS="OPTION"
>DirFakeGroup On|Off [groupname]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DirFakeGroup Off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.5</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2634"
></A
><H2
>Description</H2
><P
>DirFakeGroup can be used to hide the true group of files (including
directories, fifos, etc.) in a directory listing. If simply turned On,
DirFakeGroup will display all files as being owned by group 'ftp'.
Optionally, the groupname argument can be used to specify a specific group
other than 'ftp'. "~" can be used as the argument in order to display the
primary group name of the current user.</P
><P
>Both DirFakeGroup and DirFakeUser are completely cosmetic; the groupname or
username specified don't need to exist on the system, and neither directive
affects permissions, real ownership or access control in any way.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2638"
></A
><H2
>See also</H2
><P
><A
HREF="#DIRFAKEUSER"
>DirFakeUser</A
>
<A
HREF="#DIRFAKEMODE"
>DirFakeMode</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2643"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DIRFAKEMODE"
></A
>
DirFakeMode</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2654"
></A
><H2
>Name</H2
>DirFakeMode -- Hide real file/directory permissions</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2657"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DirFakeMode</B
> [ <CODE
CLASS="OPTION"
>DirFakeMode octal-mode</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2684"
></A
><H2
>Description</H2
><P
>The DirFakeMode directive configures a mode (or permissions) which will be
displayed for ALL files and directories in directory listings. For each subset
of permissions (user, group, other), the "execute" permission for directories
is added in listings if the "read" permission is specified by this directive.
As with DirFakeUser and DirFakeGroup, the "fake" permissions shown in
directory listings are cosmetic only; they do not affect real permissions or
access control in any way on the server. Note, however, that DirFakeMode can
affect the real permissions that end up on other systems, for example when FTP
mirroring tools are used. Such tools tend to create a mirror from what the tool
sees (e.g. DirFakeMode permissions) on the source FTP server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2687"
></A
><H2
>See also</H2
><P
><A
HREF="#DIRFAKEUSER"
>DirFakeUser</A
>
<A
HREF="#DIRFAKEGROUP"
>DirFakeGroup</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2692"
></A
><H2
>Examples</H2
><P
><PRE
CLASS="PROGRAMLISTING"
> DirFakeMode 0640
Will result in:
-rw-r----- ... arbitrary.file
drwxr-x--- ... arbitrary.directory</PRE
></P
></DIV
><H1
><A
NAME="DIRFAKEUSER"
></A
>
DirFakeUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2704"
></A
><H2
>Name</H2
>DirFakeUser -- Hide real file/directory owner</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2707"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DirFakeUser</B
> [ <CODE
CLASS="OPTION"
>DirFakeUser On|Off [username]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>DirFakeUser Off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.5</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2734"
></A
><H2
>Description</H2
><P
>DirFakeUser can be used to hide the true user owners of files (including
directories, fifos, etc.) in a directory listing. If simply turned On,
DirFakeUser will display all files as being owned by user 'ftp'. Optionally,
the username argument can be used to specify a specific user other than
'ftp'. "~" can be used as the argument in order to display the current
user's username.</P
><P
>Both DirFakeGroup and DirFakeUser are completely cosmetic; the groupname or
username specified don't need to exist on the system, and neither directive
affects permissions, real ownership or access control in any way.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2738"
></A
><H2
>See also</H2
><P
><A
HREF="#DIRFAKEGROUP"
>DirFakeGroup</A
>
<A
HREF="#DIRFAKEMODE"
>DirFakeMode</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2743"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DISPLAYCHDIR"
></A
>
DisplayChdir</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2754"
></A
><H2
>Name</H2
>DisplayChdir -- Set the file to display when entering a directory</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2757"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayChdir</B
> [ <CODE
CLASS="OPTION"
>DisplayChdir filename [ true ]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Directory></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2784"
></A
><H2
>Description</H2
>The DisplayChdir directive configures an ASCII text filename which will
be displayed to the user every time they change into a directory.
If you would like to have the old behaviour of DisplayFirstChdir back, you
have to use the option "true". The file will then only be displayed the first
time the user changes into the directory, or if proftpd detects
that its last modification time has changed since the previous CWD into a
given directory.
If the filename is relative, it is looked for in the new
directory that the user has changed into. Note that for anonymous ftp logins
(see <Anonymous>), the file must reside inside the chroot()ed file
system space. If the file cannot be found or accessed, no error occurs and
nothing is logged or displayed to the client.
<P
>DisplayChdir, DisplayConnect, DisplayLogin and DisplayQuit support the
following "magic cookies" (only in 0.99.0pl10 and later), which are
replaced with their respective strings before being displayed to the user.</P
><PRE
CLASS="PROGRAMLISTING"
>%C Current working directory
%E Server admin's e-mail address
%F Available space on file system, in bytes
%f Available space on file system, with units
%i The number of files uploaded (input) in this session
%K Total number of bytes transferred
%k Total number of bytes transferred, in units
%L Local host name
%M Max number of authenticated clients
%N Current number of authenticated clients
%o The number of files downloaded (output) in this session
%R Remote host name
%T Current Time
%t The number of files transferred (uploaded and downloaded) in this session
%U Username originally used in login
%u Username reported by ident protocol
%V Name of virtual host (if any)
%x The name of the user's class
%y Current number of connections from the user's class
%z Max number of connections from the user's class
%{total_bytes_in} The number of bytes uploaded (input) in this session
%{total_bytes_out} The number of bytes downloaded (output) in this session
%{total_bytes_xfer} The number of bytes transferred (uploaded and downloaded) in this session
%{total_files_in} The number of files uploaded (input) in this session
%{total_files_out} The number of files downloaded (output) in this session
%{total_files_xfer} The number of files transferred (uploaded and downloaded) in this session </PRE
><P
>NOTE: not all of these may have a meaningful value, depending on the context in
which they're used (e.g., %u if ident lookups are off).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2789"
></A
><H2
>See also</H2
><P
> <A
HREF="#DISPLAYCONNECT"
>DisplayConnect</A
>
<A
HREF="#DISPLAYLOGIN"
>DisplayLogin</A
>
<A
HREF="#DISPLAYQUIT"
>DisplayQuit</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2795"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> #Old way in the spirit of DisplayFirstChdir<br>
DisplayChdir /home/ftp/filetodisplay true</P
></DIV
><H1
><A
NAME="DISPLAYCONNECT"
></A
>
DisplayConnect</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2806"
></A
><H2
>Name</H2
>DisplayConnect -- Sets connect banner file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2809"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayConnect</B
> [ <CODE
CLASS="OPTION"
>DisplayConnect filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2836"
></A
><H2
>Description</H2
><P
>The DisplayConnect directive configures an ASCII text filename which
will be displayed to the user when they initially connect but before they
login. The filename can be either relative or absolute. In the case of a
relative filename, the file is searched for starting in the home directory
of the user the server is running as. As this can lead to confusion, absolute
pathnames are suggested. If the file cannot be found or accessed, no
error occurs and nothing is logged or displayed to the client.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2839"
></A
><H2
>See also</H2
><P
>DisplayFirstChdir</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2843"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DISPLAYFILETRANSFER"
></A
>
DisplayFileTransfer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2854"
></A
><H2
>Name</H2
>DisplayFileTransfer -- FIXFIXFIX</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2857"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayFileTransfer</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>FIXFIXFIX</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2884"
></A
><H2
>Description</H2
><P
>(docs incomplete)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2887"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2890"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>FIXFIXFIX</P
><P
>FIXFIX</P
></DIV
><H1
><A
NAME="DISPLAYGOAWAY"
></A
>
DisplayGoAway</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2902"
></A
><H2
>Name</H2
>DisplayGoAway -- Set the file to display to a rejected connection</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2905"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayGoAway</B
> [ <CODE
CLASS="OPTION"
>DisplayGoAway filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre8 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2932"
></A
><H2
>Description</H2
><P
>The DisplayGoAway directive specifies an ASCII text filename which will be
displayed to the user if the class they're a member of has too many users logged
in and their login request has been denied.
DisplayGoAway supports the same "magic cookies" as DisplayFirstChdir.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2935"
></A
><H2
>See also</H2
><P
>DisplayFirstChdir</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2939"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DISPLAYLOGIN"
></A
>
DisplayLogin</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2950"
></A
><H2
>Name</H2
>DisplayLogin -- Set the file to display on login</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN2953"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayLogin</B
> [ <CODE
CLASS="OPTION"
>DisplayLogin filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2980"
></A
><H2
>Description</H2
><P
>The DisplayLogin directive configures an ASCII text filename which will be
displayed to the user when they initially login. The filename can be either
relative or absolute. In the case of a relative filename, the file is searched
for in the initial directory a user is placed in immediately after login (home
directory for unix user logins, anonymous-root directory for anonymous logins). Note that for jailed
logins, the file must reside inside the chroot()ed file system space. If
the file cannot be found or accessed, no error occurs and nothing is logged
or displayed to the client.
DisplayLogin supports the same "magic cookies" as DisplayFirstChdir.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2983"
></A
><H2
>See also</H2
><P
>DisplayFirstChdir</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN2987"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DISPLAYQUIT"
></A
>
DisplayQuit</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN2998"
></A
><H2
>Name</H2
>DisplayQuit -- Set the file to display on quit</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3001"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayQuit</B
> [ <CODE
CLASS="OPTION"
>DisplayQuit filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre8 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3028"
></A
><H2
>Description</H2
><P
>DisplayQuit configures an ASCII text filename which will be displayed to the
user when they quit. The filename can be either relative or absolute. In the
case of a relative filename, the file is searched for in the current directory a
user is in when they log out -- for this reason, an absolute filename is usually
preferable.
NOTE: for jailed logins, the file must reside inside the
chroot()ed file system space. If the file cannot be found or accessed, no error
occurs and nothing is logged or displayed to the client.
DisplayQuit supports the "magic cookies" listed under DisplayFirstChdir.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3031"
></A
><H2
>See also</H2
><P
>DisplayFirstChdir</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3035"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="DISPLAYREADME"
></A
>
DisplayReadme</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3046"
></A
><H2
>Name</H2
>DisplayReadme -- Enable display of file modification times on a file pattern</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3049"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>DisplayReadme</B
> [ <CODE
CLASS="OPTION"
>DisplayReadme filename or pattern</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_readme</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre8 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3076"
></A
><H2
>Description</H2
><P
>Module: mod_readme
The DisplayReadme directive notifies the user of the last change date of the
specified file or pattern. Only a single DisplayReadme directive is allowed per configuration
scope.
DisplayReadme README
Will result in:
Please read the file README it was last modified on Sun Oct 17 10:36:14
1999 - 0 days ago
Being displayed to the user on a cwd.
DisplayReadmePattern README*
Will result in:
Please read the file README
it was last modified on Tue Jan 25 04:47:48 2000 - 0 days ago
Please read the file README.first
it was last modified on Tue Jan 25 04:48:04 2000 - 0 days ago
Being displayed to the user on a cwd. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3079"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3082"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="EXTENDEDLOG"
></A
>
ExtendedLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3093"
></A
><H2
>Name</H2
>ExtendedLog -- Specify custom logfiles</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3096"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ExtendedLog</B
> [ <CODE
CLASS="OPTION"
>filename [[command-classes] format-nickname]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_log</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6pl1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3123"
></A
><H2
>Description</H2
><P
>The ExtendedLog directive allows customizable logfiles to be generated, either
globally or per VirtualHost. The filename
argument must contain an absolute pathname to a logfile which will be appended
to when proftpd starts; the pathname should not be to a file in a nonexistent
directory, to a world-writeable directory, or be a symbolic link (unless
AllowLogSymlinks is set to on). Multiple logfiles (potentially with different
command classes and formats) can be created. Optionally, the command-classes
argument can be used to control which types of commands are logged. If no
command classes are specified, proftpd logs all commands by default (passwords
are hidden). command-classes is a comma delimited (no whitespace!) list of
which commands to log.</P
><P
>The following are valid classes:
NONE
No commands
AUTH
Authentication commands (ACCT, PASS, REIN, USER)
INFO
Informational commands (FEAT, HELP, MDTM, QUIT, PWD, STAT, SIZE, SYST, XPWD)
DIRS
Directory commands (CDUP, CWD, LIST, MKD, NLST, RMD, XCWD, XCUP, XMKD, XRMD)
READ
File reading (RETR)
WRITE
File/directory writing or creation (APPE, MKD, RMD, RNFR, RNTO, STOR, STOU, XMKD, XRMD)
MISC
Miscellaneous commands (ABOR, ALLO, EPRT, EPSV, MODE, NOOP, OPTS, PASV, PORT, REST, RNFR, RNTO, SITE, SMNT, STRU, TYPE)
SEC
RFC2228-related security FTP commands
ALL
All commands (default)</P
><P
>If a format-nickname argument is supplied, ExtendedLog
will use the predefined logformat (created by LogFormat).
Otherwise, the default format of "%h %l %u %t \"%r\" %s %b"
is used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3128"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWLOGSYMLINKS"
>AllowLogSymlinks</A
>,
<A
HREF="#LOGFORMAT"
>LogFormat</A
>,
<A
HREF="#TRANSFERLOG"
>TransferLog</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3134"
></A
><H2
>Examples</H2
><P
>For example, to log all read and write operations to /var/log/ftp.log (using
the default format), you could use:</P
><PRE
CLASS="PROGRAMLISTING"
>ExtendedLog /var/log/ftp.log read,write</PRE
><P
></P
></DIV
><H1
><A
NAME="FILERATIOERRMSG"
></A
>
FileRatioErrMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3147"
></A
><H2
>Name</H2
>FileRatioErrMsg -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3150"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>FileRatioErrMsg</B
> [ <CODE
CLASS="OPTION"
>FileRatioErrMsg foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3177"
></A
><H2
>Description</H2
><P
>The FileRatioErrMsg directive ....
Example:
FileRatioErrMsg</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3180"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3183"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="GLOBAL"
></A
>
Global</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3194"
></A
><H2
>Name</H2
>Global -- Set some directives to apply across the entire daemon</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3197"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Global</B
> [ <CODE
CLASS="OPTION"
><Global></CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3224"
></A
><H2
>Description</H2
><P
>The Global configuration block is used to create a set of configuration directives
which is applied universally to both the main server configuration and all VirtualHost
configurations. Most, but not all other directives can be used
inside a Global block.</P
><P
>In addition, multiple <Global> blocks can be created. At runtime, all
Global blocks are merged together and finally into each server's configuration.
Global blocks are terminated by a matching </Global> directive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3228"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3231"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="GROUP"
></A
>
Group</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3242"
></A
><H2
>Name</H2
>Group -- Set the group the server normally runs as</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3245"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Group</B
> [ <CODE
CLASS="OPTION"
>Group groupid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3272"
></A
><H2
>Description</H2
><P
>The Group directive configures which group the server daemon will normally
run as. See User for more details.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3275"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3278"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="GROUPOWNER"
></A
>
GroupOwner</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3289"
></A
><H2
>Name</H2
>GroupOwner -- Change default group for new files and directories</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3292"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>GroupOwner</B
> [ <CODE
CLASS="OPTION"
>GroupOwner groupname</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3319"
></A
><H2
>Description</H2
><P
>The GroupOwner directive configures which group all newly created directories
and files will be owned by, within the context that GroupOwner is applied to.
The group ID of groupname cannot be 0.
Note that GroupOwner cannot be used to override the host OS/file system user/group
paradigm. If the current user is not a member of the specified group, new files
and directories will not be able to be chown()ed to the GroupOwner group. If
this happens, file STOR (send file from client to server) and MKD/XMKD (mkdir) operations
will succeed normally, however the new directory entries will be owned by the
current user's default group (a warning message is also logged) instead of by
the desired group. If you also use UserOwner
in the same context, this restriction is lifted.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3322"
></A
><H2
>See also</H2
><P
><A
HREF="#USEROWNER"
>UserOwner</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3326"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="GROUPPASSWORD"
></A
>
GroupPassword</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3337"
></A
><H2
>Name</H2
>GroupPassword -- Set a group-wide password</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3340"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>GroupPassword</B
> [ <CODE
CLASS="OPTION"
>GroupPassword groupid hashed-password</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3367"
></A
><H2
>Description</H2
><P
>The GroupPassword directive creates a special "group" password which
allows all users in the specified group to authenticate using a single password.
The group/password supplied is only effective inside the context to which GroupPassword
is applied. The hashed-password argument is a standard
cleartext password which has been passed through the standard unix crypt() library
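function. Extreme care should be taken when using GroupPassword, as
serious security problems may arise if group membership is not carefully controlled.
Because the crypt() hash is stored in the configuration file, read access to that
file should be restricted; anyone who can read the hash can attempt to guess the
password offline.</P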
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3370"
></A
><H2
>See also</H2
><P
>UserPassword</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3373"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="GROUPRATIO"
></A
>
GroupRatio</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3384"
></A
><H2
>Name</H2
>GroupRatio -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3387"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>GroupRatio</B
> [ <CODE
CLASS="OPTION"
>GroupRatio foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3414"
></A
><H2
>Description</H2
><P
>The GroupRatio directive ....
Example:
GroupRatio</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3417"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3420"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="HIDDENSTORES"
></A
>
HiddenStores</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3431"
></A
><H2
>Name</H2
>HiddenStores -- Enables safer file uploads</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3434"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HiddenStores</B
> [ <CODE
CLASS="OPTION"
>HiddenStores on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>HiddenStores off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, ></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3461"
></A
><H2
>Description</H2
><P
>The HiddenStores directive enables two-step file uploads: files are
uploaded as ".in.filename." and once the upload is complete,
renamed to just "filename". This provides a degree of
atomicity and helps prevent 1) incomplete uploads and 2) files being
used while they're still in the process of being uploaded.</P
><P
> Note:
if the temporary file name is already in use (e.g., left over from a server crash
during upload), the file cannot be uploaded.</P
><P
>The REST (Restart STOR) command is automatically blocked when
HiddenStores is enabled, with the server returning a 501 error code to
the client.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3466"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWSTORERESTART"
>AllowStoreRestart</A
>
<A
HREF="#DELETEABORTEDSTORES"
>DeleteAbortedStores</A
></P
></DIV
><H1
><A
NAME="HIDEFILES"
></A
>
HideFiles</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3479"
></A
><H2
>Name</H2
>HideFiles -- Enable hiding of files based on regular expressions</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3482"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HideFiles</B
> [ <CODE
CLASS="OPTION"
>[!]regexp|"none" ["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3509"
></A
><H2
>Description</H2
><P
>The HideFiles directive configures a <Directory> section to hide all
directory entries, e.g. its files and sub-directories, that match the given
regular expression. These files can still be operated on by other FTP commands
(DELE, RETR, etc), as constrained by any applicable <Limit>s, but this
can be modified using the IgnoreHidden directive. Note that this directive
manipulates a file's "hidden-ness", but doesn't do any hiding by itself. A
<Limit> section, with IgnoreHidden enabled, does the actual hiding of the
files from the <Limit>ed commands.</P
><P
>As <Directory> configurations are inherited by sub-directories, the "none"
parameter can be used to disable any inherited file hiding within a
sub-directory, usually through the use of a .ftpaccess file.</P
><P
>The optional parameters are used to restrict the rule for hiding files only
to specific users. If "user" restriction is given, then expression is a
user-expression specifying to which users the rule applies. Similarly for the
"group" restriction. For the "class" restriction, the expression is simply
the name of the connection class to which the rule will apply.</P
><H2
>Examples:</H2
><PRE
CLASS="PROGRAMLISTING"
> # Hide configuration and passwd files from view
HideFiles "(\\.conf|passwd)$"
# ...or the same regex, without the quotes
HideFiles (\.conf|passwd)$
# Hide those same files from everyone _except_ a special user
HideFiles (\.conf|passwd)$ user !tj
# Using the ! prefix to "invert" the regular expression matching,
# allow only .txt and .html files to be seen
HideFiles !(\.txt|\.html)$
# Only let users of the webmaster group see HTML files, but nothing else
HideFiles !(\.htm|\.html)$ group webmaster</PRE
><P
>See Also: HideGroup, HideUser, HideNoAccess</P
></DIV
><H1
><A
NAME="HIDEGROUP"
></A
>
HideGroup</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3525"
></A
><H2
>Name</H2
>HideGroup -- Enable hiding of files based on group owner</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3528"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HideGroup</B
> [ <CODE
CLASS="OPTION"
>HideGroup groupid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3555"
></A
><H2
>Description</H2
><P
>The HideGroup directive configures a
<Directory> or <Anonymous> block to hide all directory
entries owned by the specified group, unless the group is the primary
group of the currently logged-in, authenticated user. Normally, hidden
directories and files cannot be seen via LIST or NLST commands but can
be operated on via other FTP commands (CWD, DELE, RETR, etc). This behavior
can be modified via the IgnoreHidden directive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3558"
></A
><H2
>See also</H2
><P
>See Also: HideUser, HideNoAccess, IgnoreHidden</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3561"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="HIDENOACCESS"
></A
>
HideNoAccess</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3572"
></A
><H2
>Name</H2
>HideNoAccess -- Block the listing of directory entries to which the user
has no access permissions</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3575"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HideNoAccess</B
> [ <CODE
CLASS="OPTION"
>HideNoAccess on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>,<Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3602"
></A
><H2
>Description</H2
><P
>The HideNoAccess directive configures a <Directory> or
<Anonymous> block to hide all directory entries in a directory
listing (via the LIST or NLST FTP commands) to which the current
logged-in, authenticated user has no access. Normal Unix-style
permissions always apply, so that although a user may not be able to
see a directory entry that has HideNoAccess applied, they will receive
a normal "Permission denied" error message when attempting
to blindly manipulate the file system object. The directory or file
can be made completely invisible to all FTP commands by applying
IgnoreHidden in conjunction with HideNoAccess.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3605"
></A
><H2
>See also</H2
><P
>See Also: HideUser, HideGroup, IgnoreHidden</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3608"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="HIDEUSER"
></A
>
HideUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3619"
></A
><H2
>Name</H2
>HideUser -- Enable hiding of files based on user owner</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3622"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HideUser</B
> [ <CODE
CLASS="OPTION"
>HideUser userid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3649"
></A
><H2
>Description</H2
><P
>The HideUser directive configures a <Directory> or <Anonymous>
block to hide all directory entries owned by the specified user, unless
the owning user is the currently logged-in, authenticated user. Normally,
hidden directories and files cannot be seen via LIST or NLST commands but
can be operated on via other FTP commands (CWD, DELE, RETR, etc). This
behavior can be modified via the IgnoreHidden directive. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3652"
></A
><H2
>See also</H2
><P
>HideGroup, HideNoAccess, IgnoreHidden</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3655"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="HOSTRATIO"
></A
>
HostRatio</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3666"
></A
><H2
>Name</H2
>HostRatio -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3669"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>HostRatio</B
> [ <CODE
CLASS="OPTION"
>HostRatio foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3696"
></A
><H2
>Description</H2
><P
>The HostRatio directive ....
Example:
HostRatio</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3699"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3702"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="IDENTLOOKUPS"
></A
>
IdentLookups</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3713"
></A
><H2
>Name</H2
>IdentLookups -- Toggle ident lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3716"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>IdentLookups</B
> [ <CODE
CLASS="OPTION"
>IdentLookups on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>IdentLookups on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3743"
></A
><H2
>Description</H2
><P
>Normally, when a client initially connects to proftpd, the ident protocol
(RFC1413) is used to attempt to identify the remote username. This can
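be controlled via the IdentLookups directive. The ident reply is supplied by the
remote host and cannot be verified, so the reported username should be treated
as informational only.</P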
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3746"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3749"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="IFDEFINE"
></A
>
IfDefine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3760"
></A
><H2
>Name</H2
>IfDefine -- To control the use of sections of the configuration</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3763"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>IfDefine</B
> [ <CODE
CLASS="OPTION"
>[!]define-label</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>any</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3790"
></A
><H2
>Description</H2
><P
>The <IfDefine test>...</IfDefine> section is used to mark
directives that are conditional. The directives within an IfDefine
section are only processed if the test is true. If the test is false,
everything between the start and end markers is ignored.</P
><P
>The test in the <IfDefine> section directive can be one of two
forms: 'parameter-name' or '!parameter-name'</P
><P
>In the former case, the directives between the start and end markers are
only processed if the parameter named parameter-name is defined. The
second format reverses the test, and only processes the directives if
parameter-name is not defined. </P
><P
>The parameter-name argument is a define as given on the command line
via -Dparameter-name, at the time the server was started.</P
><P
>
<IfDefine> sections are nest-able, which can be used to implement
simple multiple-parameter tests.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3797"
></A
><H2
>See also</H2
><P
><A
HREF="#DEFINE"
>Define</A
>,
<A
HREF="#IFMODULE"
>IfModule</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3802"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>$ proftpd -DDoSomething<br>
<br>
--[ proftpd.conf ]--<br>
<IfDefine DoSomething><br>
# do something here<br>
</IfDefine><br>
--[ end ]--<br> </P
></DIV
><H1
><A
NAME="IFMODULE"
></A
>
IfModule</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3813"
></A
><H2
>Name</H2
>IfModule -- Parse a section of config based on module name</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3816"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>IfModule</B
> [ <CODE
CLASS="OPTION"
>[!]module-name</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>any</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3843"
></A
><H2
>Description</H2
><P
>The <IfModule test>...</IfModule> section is used to mark
directives that are conditional. The directives within an IfModule
section are only processed if the test is true. If the test is false,
everything between the start and end markers is ignored.</P
><P
>The test in the <IfModule> section directive can be one of two
forms: "module name" or "!module name"</P
><P
>In the former case, the directives between the start and end markers
are only processed if the module named module name is compiled in to
ProFTPD. The second format reverses the test, and only processes the
directives if module name is not compiled in.</P
><P
>The module name argument is a module name as given as the file name of
the module, at the time it was compiled. For example, mod_sql.c.</P
><P
><IfModule> sections are nest-able, which can be used to implement
simple multiple-module tests.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3850"
></A
><H2
>See also</H2
><P
><A
HREF="#DEFINE"
>Define</A
>, <A
HREF="#IFDEFINE"
>IfDefine</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3855"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
><IfModule mod_load.c><br>
MaxLoad 10 "Access denied, server load too high"<br>
</IfModule></P
></DIV
><H1
><A
NAME="IGNOREHIDDEN"
></A
>
IgnoreHidden</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3866"
></A
><H2
>Name</H2
>IgnoreHidden -- Treat 'hidden' files as if they don't exist</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3869"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>IgnoreHidden</B
> [ <CODE
CLASS="OPTION"
>IgnoreHidden on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>IgnoreHidden off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3896"
></A
><H2
>Description</H2
><P
>Normally, files hidden via HideNoAccess, HideUser or HideGroup
can be operated on by all FTP commands (assuming Unix file
permissions allow access), even though they do not appear in directory
listings. Additionally, even when normal file system permissions disallow
access, proftpd returns a "Permission denied" error to the
client, indicating that the requested object does exist, even if it
cannot be acted upon. IgnoreHidden configures a <Limit> block to
completely ignore any hidden directory entries for the set of limited FTP
commands. This has the effect of returning an error similar to "No
such file or directory" when the client attempts to use the limited
command upon a hidden directory or file.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3899"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3902"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="INCLUDE"
></A
>
Include</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3913"
></A
><H2
>Name</H2
>Include -- Load additional configuration directives from a file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3916"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Include</B
> [ <CODE
CLASS="OPTION"
>Include file</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Directory>, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3943"
></A
><H2
>Description</H2
><P
>This directive allows you to include another configuration file within your current configuration file. The given file argument must be the full path to
the file to be included.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3946"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3949"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPALIASDEREFERENCE"
></A
>
LDAPAliasDereference</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN3960"
></A
><H2
>Name</H2
>LDAPAliasDereference -- Specify how LDAP alias dereferencing is done</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN3963"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPAliasDereference</B
> [ <CODE
CLASS="OPTION"
>never</CODE
>
<CODE
CLASS="OPTION"
>find</CODE
>
<CODE
CLASS="OPTION"
>search</CODE
>
<CODE
CLASS="OPTION"
>always</CODE
>
]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3971"
></A
><H2
></H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>LDAPAliasDereference never</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>2.8.16 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3994"
></A
><H2
>Description</H2
><P
>Should be one of never, always, search, or find to specify that
aliases are never dereferenced, always dereferenced, dereferenced when
searching, or dereferenced only when locating the base object for the
search.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN3997"
></A
><H2
>Examples</H2
><P
>LDAPAliasDereference always</P
></DIV
><H1
><A
NAME="LDAPATTR"
></A
>
LDAPAttr</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4008"
></A
><H2
>Name</H2
>LDAPAttr -- Map LDAP Attributes to something non standard</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4011"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPAttr</B
> [ <CODE
CLASS="OPTION"
>uid</CODE
>
<CODE
CLASS="OPTION"
>uidNumber</CODE
>
<CODE
CLASS="OPTION"
>gidNumber</CODE
>
<CODE
CLASS="OPTION"
>homeDirectory</CODE
>
<CODE
CLASS="OPTION"
>userPassword</CODE
>
<CODE
CLASS="OPTION"
>loginShell</CODE
>
<CODE
CLASS="OPTION"
>cn</CODE
>
<CODE
CLASS="OPTION"
>memberUid</CODE
>
<CODE
CLASS="OPTION"
>ftpQuota</CODE
>] [ <CODE
CLASS="OPTION"
>"NewAttribute"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>2.8.13 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4048"
></A
><H2
>Description</H2
><P
>FIXMEFIXMEFIXME</P
><P
>This directive has to be set before any of the LDAPDo* directives.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4052"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4055"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>FIXFIXFIX</P
><P
>FIXFIX</P
></DIV
><H1
><A
NAME="LDAPAUTHBINDS"
></A
>
LDAPAuthBinds</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4067"
></A
><H2
>Name</H2
>LDAPAuthBinds -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4070"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Syntax: LDAPAuthBinds</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
>(docs incomplete)</B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPAuthBinds off in mod_ldap <= 2.7.6,
LDAPAuthBinds on in mod_ldap >= 2.8
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.5 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4098"
></A
><H2
>Description</H2
><P
>When LDAPAuthBinds is off, the DN specified by LDAPDNInfo will be used to
bind to the LDAP server to obtain user information, including the
userPassword attribute. If LDAPAuthBinds is set to on, the DN
specified by LDAPDNInfo will be used to fetch all user information
except the userPassword attribute. Then, mod_ldap will bind to the
LDAP server as the user who is logging in via FTP with the
user-supplied password. If this bind succeeds, the user is
considered authenticated and is allowed to log in. Because the LDAP
server itself verifies the password, this method of LDAP
authentication has the added benefit of supporting any password
storage (hashing) scheme that your LDAP server supports, and the
LDAPDNInfo DN does not need to be able to read the userPassword
attribute.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4101"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4104"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDEFAULTAUTHSCHEME"
></A
>
LDAPDefaultAuthScheme</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4115"
></A
><H2
>Name</H2
>LDAPDefaultAuthScheme -- Set the authentication scheme/hash that is used when no leading
{hashname} is present.
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4118"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDefaultAuthScheme</B
> [ <CODE
CLASS="OPTION"
>crypt</CODE
>
<CODE
CLASS="OPTION"
>clear</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDefaultAuthScheme "crypt"
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4146"
></A
><H2
>Description</H2
><P
>Specifies the authentication scheme used for passwords with no
{prefix} in the LDAP database. For example, if you are using
something like userPassword: mypass in your LDAP database (the
password stored as plain text, with no {hashname} prefix), you would
want to set LDAPDefaultAuthScheme to clear.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4149"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4152"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDEFAULTGID"
></A
>
LDAPDefaultGID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4163"
></A
><H2
>Name</H2
>LDAPDefaultGID -- Set the default GID to be assigned to users when no gidNumber
attribute is found.
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4166"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDefaultGID</B
> [ <CODE
CLASS="OPTION"
>default-gid</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> None
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4193"
></A
><H2
>Description</H2
><P
>This directive is useful primarily in virtual-user
environments common in large-scale ISPs and hosting organizations.
If a user does not have a LDAP gidNumber attribute, the
LDAPDefaultGID is used. This allows one to have a large number of
users in an LDAP database without gidNumber attributes; setting this
configuration directive will automatically assign those users a
single GID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4196"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4199"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDEFAULTUID"
></A
>
LDAPDefaultUID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4210"
></A
><H2
>Name</H2
>LDAPDefaultUID -- Set the default UID to be assigned to users when no uidNumber
attribute is found.
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4213"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDefaultUID</B
> [ <CODE
CLASS="OPTION"
>default-uid</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> None
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4240"
></A
><H2
>Description</H2
><P
>This directive is useful primarily in virtual-user
environments common in large-scale ISPs and hosting organizations.
If a user does not have a LDAP uidNumber attribute, the
LDAPDefaultUID is used. This allows one to have a large number of
users in an LDAP database without uidNumber attributes; setting this
configuration directive will automatically assign those users a
single UID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4243"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4246"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDNINFO"
></A
>
LDAPDNInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4257"
></A
><H2
>Name</H2
>LDAPDNInfo -- Set DN information to be used for initial bind</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4260"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDNInfo</B
> [ <CODE
CLASS="OPTION"
>LDAPDNInfo "ldap-dn" "dn-password"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDNInfo "" "" (anonymous bind)
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4287"
></A
><H2
>Description</H2
><P
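>This directive specifies the LDAP DN and password to use when
binding to the LDAP server. If this configuration directive is not
specified, anonymous binds are used. Because the bind password is
written into the configuration file in plain text, keep that file
readable only by the account that starts the server.</P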
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4290"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4293"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDOAUTH"
></A
>
LDAPDoAuth</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4304"
></A
><H2
>Name</H2
>LDAPDoAuth -- Enable LDAP authentication</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4307"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDoAuth</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>"auth-base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"search-filter-template"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDoAuth off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap <= v2.9.0, replaced by
<A
HREF="#LDAPUSERS"
>LDAPUsers</A
>
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4340"
></A
><H2
>Description</H2
><P
>This configuration directive activates LDAP authentication.
The second argument to this directive is the LDAP base DN to use for
authentication. The third argument is a template to be used for the
search filter; %v will be replaced with the username that is being
authenticated.
By default, the search filter template
"(&(uid=%v)(objectclass=posixAccount))" is used.
The uid for the search filter is taken from the
<A
HREF="#LDAPATTR"
>LDAPAttr</A
> directive.
Search filter
templates are only supported in mod_ldap v2.7 and later.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4344"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4348"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDOGIDLOOKUPS"
></A
>
LDAPDoGIDLookups</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4359"
></A
><H2
>Name</H2
>LDAPDoGIDLookups -- Enable LDAP lookups for user group membership and GIDs in
directory listings
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4362"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDoGIDLookups</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>"gid-base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"cn-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"gid-number-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"member-uid-filter-template"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDoGIDLookups off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap <= v2.9.0, replaced by
<A
HREF="#LDAPGROUPS"
>LDAPGroups</A
>
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4399"
></A
><H2
>Description</H2
><P
>This configuration directive activates LDAP GID-to-name
lookups in directory listings. The second argument to this directive
is the LDAP base DN to use for GID-to-name lookups. The third
through fifth arguments are templates to be used for the search
filter; %v will be replaced with the GID that is being looked
up.</P
><P
>By default, the search filter templates look like this:</P
><P
> cn_filter: "(&(cn=%v)(objectclass=posixGroup))",
gidnumber_filter: "(&(gidNumber=%v)(objectclass=posixGroup))",
memberuid_filter: "(&(memberUid=%v)(objectclass=posixGroup))".
</P
><P
>The attribute names used in the default search filters are
taken from the <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
directive.</P
><P
>Filter templates are only supported in mod_ldap v2.8.3 and
later.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4407"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4411"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDOQUOTALOOKUPS"
></A
>
LDAPDoQuotaLookups</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4422"
></A
><H2
>Name</H2
>LDAPDoQuotaLookups -- Enable LDAP quota limit support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4425"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDoQuotaLookups</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>"base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"quota-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"default-quota"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDoQuotaLookups off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap <= v2.9.0, replaced by
<A
HREF="#LDAPUSERS"
>LDAPUsers</A
> and
LDAPDefaultQuota
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4461"
></A
><H2
>Description</H2
><P
>Activates LDAP quota lookups. The second argument is the LDAP
base DN to use for quota limit searches. The third argument is the
search filter template. The default search filter template is
"(&(LDAPAttr_uid=%u)(objectclass=posixAccount))". The attribute
name used in the default search filter template is taken from the
<A
HREF="#LDAPATTR"
>LDAPAttr</A
> directive, so if you re-map
an attribute, the default search filter reflects that
re-mapping.</P
><P
>In mod_ldap v2.7 or later, %u in the search filter template
will be replaced with the username, group, or class that is being
looked up. mod_ldap v2.9.3 or later will also expand %u in the
base DN.</P
><P
>The optional <CODE
CLASS="OPTION"
>default-quota</CODE
> argument specifies
the quota limits to use if an entry does not have a ftpQuota
attribute, and has the same format as the ftpQuota LDAP attribute.
For example, "false,hard,100,100,100,100,100,100". This argument is
deprecated as of ProFTPD 1.3.4b; use the <TT
CLASS="REPLACEABLE"
><I
>LDAPAttr</I
></TT
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4471"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPDOUIDLOOKUPS"
></A
>
LDAPDoUIDLookups</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4482"
></A
><H2
>Name</H2
>LDAPDoUIDLookups -- Enable LDAP lookups for UIDs in directory listings
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4485"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPDoUIDLookups</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>"uid-base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"uid-filter-template"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPDoUIDLookups off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
> mod_ldap <= v2.9.0, replaced by
<A
HREF="#LDAPUSERS"
>LDAPUsers</A
>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4518"
></A
><H2
>Description</H2
><P
> This configuration directive activates LDAP UID-to-name
lookups in directory listings. The second argument to this directive
is the LDAP base DN to use for UID-to-name lookups. The third
argument is a template to be used for the search filter; %v will be
replaced with the UID that is being looked up. By default, the
search filter template
"(&(LDAPAttr_uidNumber=%v)(objectclass=posixAccount))" is used.
The uid for the search filter is taken from the
<A
HREF="#LDAPATTR"
>LDAPAttr</A
> directive.
Search
filter templates are only supported in mod_ldap v2.7 and
later.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4522"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4526"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPFORCEDEFAULTGID"
></A
>
LDAPForceDefaultGID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4537"
></A
><H2
>Name</H2
>LDAPForceDefaultGID -- Force all LDAP-authenticated users to use the same GID.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4540"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Syntax: LDAPForceDefaultGID</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPForceDefaultGID off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4568"
></A
><H2
>Description</H2
><P
>Even when a <A
HREF="#LDAPDEFAULTGID"
>LDAPDefaultGID</A
>
is configured, mod_ldap will allow individual users to have
gidNumber attributes that will override this default GID. With
LDAPForceDefaultGID enabled, all LDAP-authenticated users are given
the default GID; GIDs may not be overridden by gidNumber
attributes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4572"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4575"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPFORCEDEFAULTUID"
></A
>
LDAPForceDefaultUID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4586"
></A
><H2
>Name</H2
>LDAPForceDefaultUID -- Force all LDAP-authenticated users to use the same UID.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4589"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Syntax: LDAPForceDefaultUID</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPForceDefaultUID off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4617"
></A
><H2
>Description</H2
><P
>Even when a <A
HREF="#LDAPDEFAULTUID"
>LDAPDefaultUID</A
>
is configured, mod_ldap will allow individual users to have
uidNumber attributes that will override this default UID. With
LDAPForceDefaultUID enabled, all LDAP-authenticated users are given
the default UID; UIDs may not be overridden by uidNumber
attributes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4621"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4624"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPFORCEGENERATEDHOMEDIR"
></A
>
LDAPForceGeneratedHomedir</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4635"
></A
><H2
>Name</H2
>LDAPForceGeneratedHomedir -- Force all LDAP-authenticated users to use the default HomeDironDemand
prefix/suffix.
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4638"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPForceGeneratedHomedir</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>directory-mode</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPForceGeneratedHomedir off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8.13 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4668"
></A
><H2
>Description</H2
><P
>Even when a
<A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
>
is configured, mod_ldap will allow individual users to have
homeDirectory attributes that will override the default. With
LDAPForceGeneratedHomedir enabled, all LDAP-authenticated users are given
the default prefix and/or suffix; homedirs may not be overridden by LDAP
homeDirectory attributes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4672"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
>LDAPGenerateHomedirPrefixNoUsername</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4678"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPFORCEHOMEDIRONDEMAND"
></A
>
LDAPForceHomedirOnDemand</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4689"
></A
><H2
>Name</H2
>LDAPForceHomedirOnDemand -- Force all LDAP-authenticated users to use the default HomeDironDemand
prefix/suffix. [deprecated]
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4692"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPForceHomedirOnDemand</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>directory-mode</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPForceHomedirOnDemand off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8.11 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4722"
></A
><H2
>Description</H2
><P
>This directive has been deprecated with mod_ldap v2.8.13.
Please take a look at <A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
>
</P
><P
>Even when a
<A
HREF="#LDAPHOMEDIRONDEMANDPREFIX"
>LDAPHomeDironDemandPrefix</A
>
is configured, mod_ldap will allow individual users to have
homeDirectory attributes that will override the default. With
LDAPForceHomeDironDemand enabled, all LDAP-authenticated users are given
the default prefix and/or suffix; homedirs may not be overridden by LDAP
homeDirectory attributes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4728"
></A
><H2
>See also</H2
><P
><A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4732"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPGENERATEHOMEDIR"
></A
>
LDAPGenerateHomedir</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4743"
></A
><H2
>Name</H2
>LDAPGenerateHomedir -- Enable the creation of user home directories on demand
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4746"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPGenerateHomedir</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>directory-mode</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPGenerateHomedir off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8.13 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4776"
></A
><H2
>Description</H2
><P
>LDAPGenerateHomedir activates on-demand home directory creation.
If a user logs in and does not yet have a home directory, a home
directory is created automatically.</P
><P
>In mod_ldap <= 2.7.6, the home directory will be owned by the
same user and group that ProFTPD runs as (see the User and Group
configuration directives). mod_ldap >= 2.8 can create home
directories for users with any UID/GID, not just those with the same
UID/GID as the main ProFTPD server.</P
><P
>The second argument allows you to specify the mode (default
permissions) to use when creating home directories on demand,
subject to ProFTPD's umask (see the Umask directive). If no
directory mode is specified, the default of 0755 is used. Directory
mode setting is only supported in mod_ldap v2.7 or later.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4781"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
>LDAPGenerateHomedirPrefixNoUsername</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4787"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPGENERATEHOMEDIRPREFIX"
></A
>
LDAPGenerateHomedirPrefix</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4798"
></A
><H2
>Name</H2
>LDAPGenerateHomedirPrefix -- Enable the creation of user home directories on demand
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4801"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPGenerateHomedirPrefix</B
> [ <CODE
CLASS="OPTION"
>leading-path</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPGenerateHomedirPrefix off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8.13 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4828"
></A
><H2
>Description</H2
><P
>LDAPGenerateHomedirPrefix enables a prefix to be specified for
on-demand home directory creation. This is most useful if mod_ldap
is being used to authenticate against an LDAP directory that does
not return a homeDirectory attribute, either because it cannot
(Microsoft Active Directory, for example) or because you do not wish
to extend your existing directory schema.</P
><P
>For example, setting this directive to "/home" and logging in
as the user "joe" would result in his home directory being created
as "/home/joe". The directory will be created with the mode
specified in <A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
>. To use
this directive, <A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
> must be
enabled.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4834"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
>LDAPGenerateHomedirPrefixNoUsername</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4840"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
></A
>
LDAPGenerateHomedirPrefixNoUsername</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4851"
></A
><H2
>Name</H2
>LDAPGenerateHomedirPrefixNoUsername -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4854"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPGenerateHomedirPrefixNoUsername</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>(docs incomplete)</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>mod_ldap 2.8.13 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4882"
></A
><H2
>Description</H2
><P
>(docs incomplete)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4885"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
></P
></DIV
><H1
><A
NAME="LDAPGROUPS"
></A
>
LDAPGroups</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4899"
></A
><H2
>Name</H2
>LDAPGroups -- Enable LDAP lookups for user group membership and GIDs in
directory listings
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4902"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPGroups</B
> [ <CODE
CLASS="OPTION"
>"group-base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"group-name-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"gid-number-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"member-user-filter-template"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> disabled
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.9.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4935"
></A
><H2
>Description</H2
><P
>Activates LDAP group membership lookups and GID to name
mappings in directory listings.</P
><P
>The first argument is the LDAP base DN to use for group
lookups. The second through fourth arguments are search filter
templates; %u will be replaced with the group name, GID number, or
group member username that is being looked up, respectively.</P
><P
>The default search filter templates are:</P
><P
> group-name-filter-template: "(&(cn=%u)(objectclass=posixGroup))",
gid-number-filter-template: "(&(gidNumber=%u)(objectclass=posixGroup))",
member-user-filter-template: "(&(memberUid=%u)(objectclass=posixGroup))".
</P
><P
>The attribute names used in the default search filters are
taken from the <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
directive, so if you re-map an attribute, the default search filter
reflects that re-mapping.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4943"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4947"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPHOMEDIRONDEMAND"
></A
>
LDAPHomedirOnDemand</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN4958"
></A
><H2
>Name</H2
>LDAPHomedirOnDemand -- Enable the creation of user home directories on demand [deprecated]
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN4961"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPHomedirOnDemand</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
] [ <CODE
CLASS="OPTION"
>directory-mode</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPHomedirOnDemand off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 - 2.8.12
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4991"
></A
><H2
>Description</H2
><P
>LDAPHomedirOnDemand activates on-demand home directory creation.
If a user logs in and does not yet have a home directory, a home
directory is created automatically.</P
><P
>In mod_ldap <= 2.7.6, the home directory will be owned by the
same user and group that ProFTPD runs as (see the User and Group
configuration directives). mod_ldap >= 2.8 can create home
directories for users with any UID/GID, not just those with the same
UID/GID as the main ProFTPD server.</P
><P
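>The second argument allows you to specify the mode (default
permissions) to use when creating home directories on demand,
subject to ProFTPD's umask (see the Umask directive). If no
directory mode is specified, the default of 0755 is used. Mode 0755
lets every local account list and enter the new home directory, so
specify a tighter mode (for example 0750 or 0700) where home
directories must stay private. Directory
mode setting is only supported in mod_ldap v2.7 or later.</P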
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN4996"
></A
><H2
>See also</H2
><P
><A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5000"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPHOMEDIRONDEMANDPREFIX"
></A
>
LDAPHomedirOnDemandPrefix</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5011"
></A
><H2
>Name</H2
>LDAPHomedirOnDemandPrefix -- Specify a prefix for user home directories created on demand [deprecated]
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5014"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPHomedirOnDemandPrefix</B
> [ <CODE
CLASS="OPTION"
>leading-path</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPHomedirOnDemandPrefix off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8 - 2.8.12
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5041"
></A
><H2
>Description</H2
><P
>LDAPHomedirOnDemandPrefix enables a prefix to be specified for
on-demand home directory creation. This is most useful if mod_ldap
is being used to authenticate against an LDAP directory that does
not return a homeDirectory attribute, either because it cannot
(Microsoft Active Directory, for example) or because you do not wish
to extend your existing directory schema.</P
><P
>For example, setting this directive to "/home" and logging in
as the user "joe" would result in his home directory being created
as "/home/joe". The directory will be created with the mode
specified in <A
HREF="#LDAPHOMEDIRONDEMAND"
>LDAPHomedirOnDemand</A
>. To use
this directive, <A
HREF="#LDAPHOMEDIRONDEMAND"
>LDAPHomedirOnDemand</A
> must be
enabled.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5047"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5051"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
></A
>
LDAPHomedirOnDemandPrefixNoUsername</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5062"
></A
><H2
>Name</H2
>LDAPHomedirOnDemandPrefixNoUsername -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5065"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPHomedirOnDemandPrefixNoUsername</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>(docs incomplete)</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>mod_ldap v2.8.1 - 2.8.12</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5092"
></A
><H2
>Description</H2
><P
>(docs incomplete)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5095"
></A
><H2
>See also</H2
><P
><A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
>LDAPGenerateHomedirPrefixNoUsername</A
></P
></DIV
><H1
><A
NAME="LDAPHOMEDIRONDEMANDSUFFIX"
></A
>
LDAPHomedirOnDemandSuffix</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5107"
></A
><H2
>Name</H2
>LDAPHomedirOnDemandSuffix -- Specify an additional directory to be created inside a user's
home directory on demand. [deprecated]
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5110"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPHomedirOnDemandSuffix</B
> [ <CODE
CLASS="OPTION"
>additional-directory1</CODE
>
<CODE
CLASS="OPTION"
>additional-directory2</CODE
>
<CODE
CLASS="OPTION"
>additional-directory3</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPHomedirOnDemandSuffix ""
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.6 - 2.8.12
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5139"
></A
><H2
>Description</H2
><P
>LDAPHomedirOnDemandSuffix specifies an additional directory
to be created within a user's home directory when it is
created on demand. For example, if a user's home directory is
"/home/user", setting this configuration directive to "public_html"
will also create "/home/user/public_html" on demand. In mod_ldap
v2.7.6 and earlier, you must also activate LDAPHomedirOnDemand in
your configuration.</P
><P
>mod_ldap >= 2.8 supports multiple suffix arguments and does
not require LDAPHomedirOnDemand to be enabled.</P
><P
>mod_ldap >= 2.8.11 supports additional mode information;
you can add ":octal-mode" to a directory argument to have it created
with that mode. For example,
LDAPHomedirOnDemandSuffix foo:700 will create the
suffix directory foo with the mode 700.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5144"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5147"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPNEGATIVECACHE"
></A
>
LDAPNegativeCache</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5158"
></A
><H2
>Name</H2
>LDAPNegativeCache -- Enable negative caching for LDAP lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5161"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPNegativeCache</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPNegativeCache off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v1.1 - 2.8.23
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5189"
></A
><H2
>Description</H2
><P
>LDAPNegativeCache specifies whether or not to cache negative
responses from the LDAP server when using LDAP for UID/GID lookups.
This option is useful if you also use/are in transition from another
authentication system; if there are many users in your old
authentication system that aren't in the LDAP database, there can be
a significant delay when a directory listing is performed as the
UIDs not in the LDAP database are repeatedly looked up in an attempt
to present usernames instead of UIDs in directory listings. With
LDAPNegativeCache set to on, negative ("not found") responses from
the LDAP server will be cached and speed will improve on directory
listings that contain many users not present in the LDAP
database.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5192"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5195"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPPROTOCOLVERSION"
></A
>
LDAPProtocolVersion</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5206"
></A
><H2
>Name</H2
>LDAPProtocolVersion -- Set the LDAP protocol version</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5209"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPProtocolVersion</B
> [ <CODE
CLASS="OPTION"
>2 | 3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>3</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>2.8.13 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5236"
></A
><H2
>Description</H2
><P
>FIX FIX FIX</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5239"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5242"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>FIXFIXFIX</P
><P
>FIXFIX</P
></DIV
><H1
><A
NAME="LDAPQUERYTIMEOUT"
></A
>
LDAPQueryTimeout</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5254"
></A
><H2
>Name</H2
>LDAPQueryTimeout -- Set a timeout for LDAP queries</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5257"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPQueryTimeout</B
> [ <CODE
CLASS="OPTION"
>timeout-seconds</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPQueryTimeout default-api-timeout
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5284"
></A
><H2
>Description</H2
><P
>Sets the timeout used for LDAP directory queries. The default
is the default timeout used by your LDAP API.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5287"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5290"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPSEARCHSCOPE"
></A
>
LDAPSearchScope</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5301"
></A
><H2
>Name</H2
>LDAPSearchScope -- Specify the search scope used in LDAP queries</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5304"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPSearchScope</B
> [ <CODE
CLASS="OPTION"
>onelevel</CODE
>
<CODE
CLASS="OPTION"
>subtree</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPSearchScope subtree
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.6 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5332"
></A
><H2
>Description</H2
><P
>Set the scope used for LDAP searches. The default setting,
subtree, searches for all entries in the tree from the current level
down. Setting this directive to onelevel searches only one level
deep in the LDAP tree.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5335"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5338"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPSERVER"
></A
>
LDAPServer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5349"
></A
><H2
>Name</H2
>LDAPServer -- Specify the LDAP server to use for lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5352"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPServer</B
> [ <CODE
CLASS="OPTION"
>"hostname1:port1 hostname2:port2"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPServer "localhost"
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v1.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5379"
></A
><H2
>Description</H2
><P
>LDAPServer allows you to specify the hostname(s) and
port(s) of the LDAP server(s) to use for LDAP authentication. If no
LDAPServer configuration directive is present, the default LDAP
servers specified by your LDAP API will be used.</P
><P
>Note that the default search scope for LDAP URLs is 'base' if
a scope is not explicitly specified in the URL. This behavior
differs from the LDAPSearchScope directive, which defaults to
'subtree'.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5383"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5386"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPUSERS"
></A
>
LDAPUsers</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5397"
></A
><H2
>Name</H2
>LDAPUsers -- Enable LDAP authentication/user lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5400"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPUsers</B
> [ <CODE
CLASS="OPTION"
>"user-base-dn"</CODE
>
] [ <CODE
CLASS="OPTION"
>"username-filter-template"</CODE
>
] [ <CODE
CLASS="OPTION"
>"uid-number-filter-template"</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> disabled
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.9.0 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5431"
></A
><H2
>Description</H2
><P
>Activates LDAP authentication and UID to name mappings in
directory listings.</P
><P
>The first argument is the LDAP base DN to use for user
lookups. During authentication, %u will be replaced with the
username that is being authenticated. When looking up users by UID
number, %u will not be replaced. Usually, %u in the base DN is only
useful in "virtual user" environments, since mod_ldap won't be able
to look up other users.</P
><P
>The second argument is the search filter template for looking
up users by username; %u will be replaced with the username that is
being authenticated.</P
><P
>The third argument is the search filter template for looking
up users by UID number; %u will be replaced with the UID number that
is being looked up.</P
><P
>The default search filter templates are:</P
><P
> username-filter-template: "(&(uid=%u)(objectclass=posixAccount))",
uid-number-filter-template: "(&(uidNumber=%u)(objectclass=posixAccount))".
</P
><P
>The attribute names used in the default search filters are
taken from the <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
directive, so if you re-map an attribute, the default search filter
reflects that re-mapping.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5441"
></A
><H2
>See also</H2
><P
> <A
HREF="#LDAPATTR"
>LDAPAttr</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5445"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LDAPUSETLS"
></A
>
LDAPUseTLS</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5456"
></A
><H2
>Name</H2
>LDAPUseTLS -- Enable TLS/SSL connections to the LDAP server.</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5459"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LDAPUseTLS</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> LDAPUseTLS off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ldap
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_ldap v2.8 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5487"
></A
><H2
>Description</H2
><P
>By default, mod_ldap connects to the LDAP server via a
non-encrypted connection, so the credentials and directory data it
exchanges with the LDAP server cross the network in clear text.
Enabling this option causes mod_ldap to
use an encrypted (TLS/SSL) connection to the LDAP server. If a
secure connection to the LDAP server fails, mod_ldap will not
authenticate users (mod_ldap will *not* fall back to an insecure
connection).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5490"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5493"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LEECHRATIOMSG"
></A
>
LeechRatioMsg</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5504"
></A
><H2
>Name</H2
>LeechRatioMsg -- Sets the 'over ratio' error message</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5507"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LeechRatioMsg</B
> [ <CODE
CLASS="OPTION"
>LeechRatioMsg foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5534"
></A
><H2
>Description</H2
><P
>The LeechRatioMsg directive defines the response message sent
back to the client upon breaking their quota limits.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5537"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5540"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>LeechRatioMsg "please upload as well as download"</PRE
><P
></P
></DIV
><H1
><A
NAME="LIMIT"
></A
>
Limit</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5552"
></A
><H2
>Name</H2
>Limit -- Set the commands/actions to be controlled</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5555"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Limit</B
> [ <CODE
CLASS="OPTION"
><Limit command|command-group [command2 ..]></CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Directory>, <Anonymous>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5582"
></A
><H2
>Description</H2
><P
>The Limit configuration block is used to place access restrictions on one or
more FTP commands, within a given context. Limits flow downward, so that a Limit
configuration in the server config context applies to all <Directory>
and <Anonymous> blocks that also
reside in the configuration, until it is overridden by a "lower" <Limit>
block. Any number of command parameters can be specified,
against which the contents of the <Limit> block will be applied. command
can be any valid FTP command, but is generally one of the following:
CWD (Change Working Directory)
Sent by client when changing directories.
MKD / XMKD (MaKe Directory)
Sent by client to create a new directory.
RNFR (ReName FRom), RNTO (ReName TO)
Sent as a pair by client to rename a directory entry.
DELE (DELEte)
Sent by client to delete a file.
RMD / XRMD (ReMove Directory)
Sent by client to remove a directory.
RETR (RETRieve)
Transfer a file from the server to the client.
STOR (STORe)
Transfer a file from the client to the server.
In addition, the following command-groups are accepted.
They have a lower precedence than real commands, meaning that a real command
limit will always be applied instead of the command-group.
READ
All FTP commands which deal with file reading (directory listing not included):
RETR, SITE, SIZE, STAT
WRITE
All FTP commands which deal with file or directory write/creation/deletion:
APPE, DELE, MKD, RMD, RNTO, STOR, XMKD, XRMD
DIRS
All FTP commands which deal with directory listing:
CDUP, CWD, LIST, MDTM, NLST, PWD, RNFR, XCUP, XCWD, XPWD
ALL
ALL FTP commands (identical to READ WRITE DIRS). Note this group has the
lowest precedence of all; it will not override a limit imposed by another
command-group (e.g. DIRS).
Finally, a special command is allowed which can be used to control login access:
LOGIN
Connection or login to the server. Applying a <Limit> to this pseudo-command
can be used to allow or deny initial connection or login to the context. It
has no effect, and is ignored, when used in a context other than server config,
<VirtualHost> or <Anonymous>
(i.e. using it in a <Directory> context is
meaningless).
<Limit> command restrictions should not be confused with file/directory
access permission. While limits can be used to restrict a command on a certain
directory, they cannot be used to override the file permissions inherent to
the base operating/file system.
The following FTP commands cannot be restricted via <Limit>:
ABOR
HELP
MODE (not implemented, always S)
NOOP
PASS (use <Limit LOGIN>)
PASV
PORT
QUIT
REST (use AllowRetrieveRestart, AllowStoreRestart)
STRU (not implemented, always F)
SYST
TYPE
USER (use <Limit LOGIN>)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5585"
></A
><H2
>See also</H2
><P
>See Also: IgnoreHidden</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5588"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LISTOPTIONS"
></A
>
ListOptions</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5599"
></A
><H2
>Name</H2
>ListOptions -- Configure options used when listing directories</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5602"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ListOptions</B
> [ <CODE
CLASS="OPTION"
>"options string"</CODE
>] [ <CODE
CLASS="OPTION"
>["strict"]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5631"
></A
><H2
>Description</H2
><P
>Normally, FTP commands involving directory listings (NLST, LIST and STAT)
use the arguments (options) passed by the client to determine what files are
displayed and the format they are displayed in. The ListOptions directive
can alter the behaviour of such listings by making it such that a certain
option (or options) is always in effect, or is always disabled.</P
><P
>In addition to the normal dash-prefixed options that the builtin ls takes,
the directive allows for plus-prefixed options. The plus-prefixed options
allow for their dash-prefixed equivalents, potentially given by a user, to
be disabled, while still allowing other options to function normally.</P
><PRE
CLASS="PROGRAMLISTING"
> -1 List one file per line
-A List all files except "." and ".."
-a List all files including those whose names start with "."
-C List entries by columns
-d List directory entries instead of directory contents
-F Append file type indicator (one of "*", "/", "=", "@" or "|") to names
-h Print file sizes in human-readable format (e.g. 1K, 234M, 2G)
-L List files pointed to by symlinks
-l Use a long listing format
-n List numeric UIDs/GIDs instead of user/group names
-R List subdirectories recursively
-r Sort filenames in reverse order
-S Sort by file size
-t Sort by modification time </PRE
><P
>If the optional "strict" keyword is used, then the configured options will
override any options given by the user (i.e. the user's options will be
ignored). In addition to "strict" the following keywords are supported:</P
><PRE
CLASS="PROGRAMLISTING"
> maxfiles Sets a maximum limit on the number of files listed in one directory listing
maxdirs Sets a maximum limit on the number of directories listed in one directory listing
maxdepth Sets a maximum recursion depth, if the -R option is allowed </PRE
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5638"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5641"
></A
><H2
>Examples</H2
><P
> # Force directory listings to always show dotfiles
ListOptions "-a"</P
><P
> # To prevent anyone from doing recursive listings, but still allowing
# other user options, use +R to disable any -R option given by users
ListOptions "+R"</P
><P
> # To allow only the basic listing, no options, always
ListOptions "" strict</P
><P
> #limit maximum files given back to 2000 and recurse in to a max
#depth of 3 directories
ListOptions -a maxfiles 2000 maxdepth 3</P
></DIV
><H1
><A
NAME="LOGFORMAT"
></A
>
LogFormat</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5655"
></A
><H2
>Name</H2
>LogFormat -- Specify a logging format</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5658"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LogFormat</B
> [ <CODE
CLASS="OPTION"
>LogFormat nickname "format-string"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>LogFormat default "%h %l %u %t \"%r\" %s %b"</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_log</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6pl1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5685"
></A
><H2
>Description</H2
><P
>The LogFormat directive can be used to create a custom logging format for use
with the ExtendedLog directive. Once created, the
format can be referenced by the specified nickname.
The format-string argument can consist of any combination
of letters, numbers and symbols. The special character % is
used to start a meta-sequence (see below). To insert a literal % character,
use %%.</P
><P
>The following meta sequences are available and are replaced as indicated
when logging.</P
><PRE
CLASS="PROGRAMLISTING"
>%a Remote client IP address
%A Anonymous username (password given), or UNKNOWN if non-anonymous
%b Bytes sent for request
%d Directory name (not full path) for CDUP, CWD, MKD, RMD, XCWD, XCUP, XMKD, XRMD
%D Directory name (full path) for CDUP, CWD, MKD, RMD, XCWD, XCUP, XMKD, XRMD
%{FOOBAR}e Contents of environment variable FOOBAR. Note that the server does not set any environment variables itself.
%f Filename stored or retrieved, absolute path (not chrooted)
%F Filename stored or retrieved, as the client sees it
%h Remote client DNS name
%J Command arguments received from client, e.g. file.txt
%l Remote username (from ident), or UNKNOWN if ident lookup failed
%L Local server IP address
%m Command (method) name received from client, e.g. RETR
%p Local server port number
%P Local server process id (pid)
%r Full command line received from client
%s Numeric FTP response code (status)
%S Response message sent to the client (available since v1.3.1rc1)
%t Current local time
%{format}t Current local time formatted (strftime(3) format)
%T Time taken to transmit/receive file, in seconds
%u Local authenticated userid
%U USER name originally sent by the client
%v ServerName of server handling session
%V DNS name of server handling session
%{version} Print ProFTPD Version
%{protocol} Protocol used</PRE
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5690"
></A
><H2
>See also</H2
><P
><A
HREF="#EXTENDEDLOG"
>ExtendedLog</A
>,
<A
HREF="#TRANSFERLOG"
>TransferLog</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5695"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="LOGINPASSWORDPROMPT"
></A
>
LoginPasswordPrompt</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5706"
></A
><H2
>Name</H2
>LoginPasswordPrompt -- Configure whether the password prompt is displayed</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5709"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>LoginPasswordPrompt</B
> [ <CODE
CLASS="OPTION"
>LoginPasswordPrompt on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>LoginPasswordPrompt on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5736"
></A
><H2
>Description</H2
><P
>If set to off, ProFTPd will skip the password request if the
login will be denied regardless of password, e.g., if a <Limit LOGIN>
directive forbids the connection.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5739"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5742"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="MASQUERADEADDRESS"
></A
>
MasqueradeAddress</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5753"
></A
><H2
>Name</H2
>MasqueradeAddress -- Configure the server address presented to clients</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5756"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MasqueradeAddress</B
> [ <CODE
CLASS="OPTION"
>MasqueradeAddress ip-address|dns-hostname</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5783"
></A
><H2
>Description</H2
><P
>MasqueradeAddress causes the server to display the network information for
the specified IP address or DNS hostname to the client, on the assumption
that that IP address or DNS host is acting as a NAT gateway or port forwarder
for the server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5786"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5789"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> MasqueradeAddress nat-gw.mydomain.com</P
><P
></P
></DIV
><H1
><A
NAME="MAXCLIENTS"
></A
>
MaxClients</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5801"
></A
><H2
>Name</H2
>MaxClients -- Limits the number of users that can connect</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5804"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxClients</B
> [ <CODE
CLASS="OPTION"
>MaxClients number|none [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxClients none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5831"
></A
><H2
>Description</H2
><P
>The MaxClients directive configures the maximum number of authenticated clients
which may be logged into a server or anonymous account. Once this limit is
reached, additional clients attempting to authenticate will be disconnected.
The special value none may be supplied which removes
all maximum connection limits from the applicable configuration context. Additionally,
an optional message argument may be used which will
be displayed to a client attempting to exceed the maximum value, immediately
before disconnection. The message argument is parsed
for the magic string "%m", which is replaced with
the configured maximum value. If message is not
supplied, a system-wide default message is used.
Example:
MaxClients 5 "Sorry, the maximum number of allowed users are already
connected (%m)"
Results in:
530 Sorry, the maximum number of allowed users are already connected
(5)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5834"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5837"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="MAXCLIENTSPERCLASS"
></A
>
MaxClientsPerClass</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5848"
></A
><H2
>Name</H2
>MaxClientsPerClass -- Limit the number of connections per class</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5851"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxClientsPerClass</B
> [ <CODE
CLASS="OPTION"
>MaxClientsPerClass name number|"none" [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5878"
></A
><H2
>Description</H2
><P
>The MaxClientsPerClass directive configures the maximum number of clients
that may be connected at any given time from the same Class. The
optional argument message may be used which will be displayed to a client
attempting to exceed the maximum value. If message is not supplied, a default
message of "Sorry, the maximum number of clients (%m) from your class are
already connected." is used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5881"
></A
><H2
>See also</H2
><P
><A
HREF="#MAXCLIENTS"
>MaxClients</A
>,
<A
HREF="#MAXCLIENTSPERHOST"
>MaxClientsPerHost</A
>,
<A
HREF="#MAXCLIENTSPERUSER"
>MaxClientsPerUser</A
>,
<A
HREF="#MAXHOSTSPERUSER"
>MaxHostsPerUser</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5888"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>MaxClientsPerClass foo 1 "Only one such client at a time."
Results in: 530 Only one such client at a time.</PRE
><P
></P
></DIV
><H1
><A
NAME="MAXCLIENTSPERHOST"
></A
>
MaxClientsPerHost</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5900"
></A
><H2
>Name</H2
>MaxClientsPerHost -- Limits the connections per client machine</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5903"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxClientsPerHost</B
> [ <CODE
CLASS="OPTION"
>MaxClientsPerHost number|none [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxClientsPerHost none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5930"
></A
><H2
>Description</H2
><P
>The MaxClientsPerHost directive configures the maximum number of clients
allowed to connect per host. The optional argument message
may be used which will be displayed to a client attempting to exceed the maximum
value. If message is not supplied, a default message of
"Sorry, the maximum number clients (%m) from your host are already connected."
is used. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5933"
></A
><H2
>See also</H2
><P
>MaxClients, MaxHostsPerUser</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5936"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>MaxClientsPerHost 1 "Sorry, you may not connect more than one time."
Results in: 530 Sorry, you may not connect more than one time.</PRE
><P
></P
></DIV
><H1
><A
NAME="MAXCLIENTSPERUSER"
></A
>
MaxClientsPerUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5948"
></A
><H2
>Name</H2
>MaxClientsPerUser -- Limit the number of connections per userid</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN5951"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxClientsPerUser</B
> [ <CODE
CLASS="OPTION"
>MaxClientsPerUser number|none [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxClientsPerUser none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5978"
></A
><H2
>Description</H2
><P
>The MaxClientsPerUser directive configures the maximum number of clients
that may be connected at any given time using the same user name. The
optional argument message may be used which will be displayed to a client
attempting to exceed the maximum value. If message is not supplied, a default
message of "Sorry, the maximum number of clients (%m) for this user
already connected." is used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5981"
></A
><H2
>See also</H2
><P
><A
HREF="#MAXCLIENTS"
>MaxClients</A
>,
<A
HREF="#MAXCLIENTSPERHOST"
>MaxClientsPerHost</A
>,
<A
HREF="#MAXHOSTSPERUSER"
>MaxHostsPerUser</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN5987"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>MaxClientsPerUser 1 "Only one such user at a time."
Results in: 530 Only one such user at a time.</PRE
><P
></P
></DIV
><H1
><A
NAME="MAXCONNECTIONRATE"
></A
>
MaxConnectionRate</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN5999"
></A
><H2
>Name</H2
>MaxConnectionRate -- Maximum TCP socket connection rate</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6002"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxConnectionRate</B
> [ <CODE
CLASS="OPTION"
>connections per second</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6029"
></A
><H2
>Description</H2
><P
>Set the maximum rate at which new TCP connections are accepted. This
applies to the entire server; therefore too low a value on a high
traffic server can result in all VirtualHosts being made unavailable
due to normal traffic levels.</P
><P
>The value is the number of connections in a given second at which
the block comes into effect, thus a value of "1" will result in all
connections being blocked.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6033"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6036"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>MaxConnectionRate 4</P
></DIV
><H1
><A
NAME="MAXCONNECTIONSPERHOST"
></A
>
MaxConnectionsPerHost</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6047"
></A
><H2
>Name</H2
>MaxConnectionsPerHost -- Limits the unauthenticated connections per client machine</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6050"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxConnectionsPerHost</B
> [ <CODE
CLASS="OPTION"
>MaxConnectionsPerHost number|none [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxConnectionsPerHost none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.11rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6077"
></A
><H2
>Description</H2
><P
>The MaxConnectionsPerHost directive configures the maximum number of
unauthenticated clients allowed to connect per host. The optional argument
message may be used which will be displayed to a client attempting to exceed
the maximum value. If message is not supplied, a default message of
"Sorry, the maximum number of connections (%m) from your host are already connected." is used. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6080"
></A
><H2
>See also</H2
><P
>MaxClients, MaxClientsPerHost, MaxHostsPerUser</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6083"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>MaxConnectionsPerHost 1 "Sorry, you may not connect more than one time."
Results in: 530 Sorry, you may not connect more than one time.</PRE
><P
></P
></DIV
><H1
><A
NAME="MAXHOSTSPERUSER"
></A
>
MaxHostsPerUser</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6095"
></A
><H2
>Name</H2
>MaxHostsPerUser -- Limit the number of connections per userid</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6098"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxHostsPerUser</B
> [ <CODE
CLASS="OPTION"
>MaxHostsPerUser number|none [message]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxHostsPerUser none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.4 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6125"
></A
><H2
>Description</H2
><P
>The MaxHostsPerUser directive configures the maximum number of
different hosts that can be connected at any given time using a given login. The
optional argument message may be used which will be displayed to a client
attempting to exceed the maximum value. If message is not supplied, a default
message of "Sorry, the maximum number of hosts (%m) for this user
already connected." is used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6128"
></A
><H2
>See also</H2
><P
><A
HREF="#MAXCLIENTS"
>MaxClients</A
>,
<A
HREF="#MAXCLIENTSPERHOST"
>MaxClientsPerHost</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6133"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
>MaxHostsPerUser 1 "Sorry, you may not connect more than one time."
Results in: 530 Sorry, you may not connect more than one time.</PRE
><P
></P
></DIV
><H1
><A
NAME="MAXINSTANCES"
></A
>
MaxInstances</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6145"
></A
><H2
>Name</H2
>MaxInstances -- Sets the maximum number of child processes to be spawned</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6148"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxInstances</B
> [ <CODE
CLASS="OPTION"
>MaxInstances number</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxInstances none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6pl1</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6175"
></A
><H2
>Description</H2
><P
>The MaxInstances directive configures the maximum number of child processes
that may be spawned by a parent proftpd process in standalone
mode. The directive has no effect when used on a server running in inetd
mode.
Because each child proftpd process represents a single client connection,
this directive also controls the maximum number of simultaneous connections
allowed. Additional connections beyond the configured limit are syslog'd and
silently disconnected. The MaxInstances directive can be used to prevent undesirable
denial-of-service attacks (repeatedly connecting to the ftp port, causing
proftpd to fork-bomb). By default, no limit is placed on the number of child
processes that may run at one time.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6178"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6181"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="MAXLOGINATTEMPTS"
></A
>
MaxLoginAttempts</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6192"
></A
><H2
>Name</H2
>MaxLoginAttempts -- Sets how many password attempts are allowed before disconnection</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6195"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxLoginAttempts</B
> [ <CODE
CLASS="OPTION"
>MaxLoginAttempts number</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MaxLoginAttempts 3</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6222"
></A
><H2
>Description</H2
><P
>The MaxLoginAttempts directive configures the maximum number of times a client
may attempt to authenticate to the server during a given connection. After
the number of attempts exceeds this value, the user is disconnected and an
appropriate message is logged via the syslog mechanism.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6225"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6228"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="MAXRETRIEVEFILESIZE"
></A
>
MaxRetrieveFileSize</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6239"
></A
><H2
>Name</H2
>MaxRetrieveFileSize -- Restrict size of downloaded files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6242"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxRetrieveFileSize</B
> [ <CODE
CLASS="OPTION"
>number|"*" units ["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6269"
></A
><H2
>Description</H2
><P
>When downloading files to clients (eg serving a RETR request), the
server will check for any configured limit against the size of the file
being requested, and abort any transfers if the requested file's size
exceeds the configured limit.</P
><P
>A single "*" argument configures unlimited file sizes, and is used
primarily to override any inherited restrictions from higher contexts.
The given number is the number of bytes for the limit, and is followed
by a units specifier of (case-insensitive) "Gb" (Gigabytes),
"Mb" (Megabytes), "Kb" (Kilobytes), or "B" (bytes). The given number of
bytes is multiplied by the appropriate factor.</P
><P
>
The optional parameters are used to restrict the file size limits only
to specific users. If the "user" restriction is given, then expression is a
user-expression specifying to which users the rule applies. Similarly for the
"group" restriction. For the "class" restriction, the expression is simply
the name of connection class for whom the rule will apply. If no matching
user, group, or class expression is found for the current user (in that
order), then a limit with no expression (i.e. no "user", "group", or "class"
identifier) is applied.</P
><P
>See Also: MaxStoreFileSize</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6275"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6278"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> # Restrict downloads to only 1 gigabyte<br>
MaxRetrieveFileSize 1 Gb<br>
<br>
# Restrict downloads for user fred, but allow unlimited download size for<br>
# everyone else<br>
MaxRetrieveFileSize 50 Kb user fred<br>
MaxRetrieveFileSize *</P
></DIV
><H1
><A
NAME="MAXSTOREFILESIZE"
></A
>
MaxStoreFileSize</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6289"
></A
><H2
>Name</H2
>MaxStoreFileSize -- Restrict size of uploaded files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6292"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MaxStoreFileSize</B
> [ <CODE
CLASS="OPTION"
>number|"*" units ["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6319"
></A
><H2
>Description</H2
><P
>When uploading files from a client (eg serving a STOR request), the
server will check for any configured limit against the size of the file
being sent, and abort any transfers if/when the given file's size
exceeds the configured limit.</P
><P
>A single "*" argument configures unlimited file sizes, and is used
primarily to override any inherited restrictions from higher contexts.
The given number is the number of bytes for the limit, and is followed
by a units specifier of (case-insensitive) "Gb" (Gigabytes),
"Mb" (Megabytes), "Kb" (Kilobytes), or "B" (bytes). The given number of
bytes is multiplied by the appropriate factor.</P
><P
>The optional parameters are used to restrict the file size limits only
to specific users. If the "user" restriction is given, then expression is a
user-expression specifying to which users the rule applies. Similarly for the
"group" restriction. For the "class" restriction, the expression is simply
the name of connection class for whom the rule will apply. If no matching
user, group, or class expression is found for the current user (in that
order), then a limit with no expression (i.e. no "user", "group", or "class"
identifier) is applied.</P
><P
>See Also: MaxRetrieveFileSize</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6325"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6328"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> # Restrict upload to only 3 megabytes<br>
MaxStoreFileSize 3 Mb<br>
<br>
# Restrict anonymous uploads to 50k, but allow unlimited upload size for<br>
# everyone else<br>
MaxStoreFileSize 50 Kb user anonymous<br>
MaxStoreFileSize *</P
></DIV
><H1
><A
NAME="MULTILINERFC2228"
></A
>
MultilineRFC2228</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6339"
></A
><H2
>Name</H2
>MultilineRFC2228 -- Enable RFC2228 multiline response mode</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6342"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>MultilineRFC2228</B
> [ <CODE
CLASS="OPTION"
>MultilineRFC2228 on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>MultilineRFC2228 off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre3 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6369"
></A
><H2
>Description</H2
><P
>By default, proftpd sends multiline responses as per RFC 959, i.e.:
200-First line
More lines...
200 Last line
RFC 2228 specifies that "6xy"
response codes will be sent as follows:
600-First line
600-More lines...
600 Last line
Note that RFC 2228 ONLY specifies this for response codes starting with
'6'. Enabling this directive causes ALL responses to be sent in this
format, which may be more compatible with certain web browsers and clients.
Also note that this is NOT the same as wu-ftpd's multiline responses,
which do not comply with any RFC. Using this method of multilines is more likely
to be compatible with all clients, although it isn't strictly RFC-compliant, and is thus
not enabled by default.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6372"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6375"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ORDER"
></A
>
Order</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6386"
></A
><H2
>Name</H2
>Order -- Configures the precedence of the Limit directives</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6389"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Order</B
> [ <CODE
CLASS="OPTION"
>Order allow,deny|deny,allow</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Order allow,deny</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Limit></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6416"
></A
><H2
>Description</H2
><P
>The Order directive configures the order in which Allow and Deny directives are checked inside of a <Limit> block. Because Allow directives are permissive, and Deny directives restrictive, the order in which they are examined can significantly alter the way security functions. If the default setting of allow,deny is used, "allowed" access permissions are checked first. If an Allow directive explicitly allows access to the <Limit> context, access is granted and any Deny directives are never checked. If Allow did not explicitly permit access, Deny directives are checked. If any Deny directive applies, access is explicitly denied. Otherwise, access is granted. When deny,allow is used, "deny" access
restrictions are checked first. If any restriction applies, access is denied
immediately. If nothing is denied, Allow permissions
are checked. If an Allow explicitly permits access, access
to the entire context is permitted; otherwise access is implicitly denied.
For clarification, the following illustrates the steps used when checking
Allow/Deny access:
Order allow,deny
Check Allow directives. If one or more apply, exit with result: ALLOW
Check Deny directives. If one or more apply, exit with result: DENY
Exit with default implicit ALLOW
Order deny,allow
Check Deny directives. If one or more apply, exit with result: DENY
Check Allow directives. If one or more apply, exit with result: ALLOW
Exit with default implicit: DENY</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6419"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6422"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="PASSIVEPORTS"
></A
>
PassivePorts</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6433"
></A
><H2
>Name</H2
>PassivePorts -- Specify the ftp-data port range to be used</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6436"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>PassivePorts</B
> [ <CODE
CLASS="OPTION"
>PassivePorts min-pasv-port max-pasv-port</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6463"
></A
><H2
>Description</H2
><P
>PassivePorts restricts the range of ports from which the server
will select when sent the PASV command from a client. The server will
randomly choose a number from within the specified range until an open
port is found. Should no open ports be found within the given range,
the server will default to a normal kernel-assigned port, and a
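message is logged. Such a fallback port may lie outside the configured range, so
a firewall that permits only that range will not pass the data connection.</P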
><P
>The port range selected must be in the non-privileged range
(i.e. greater than or equal to 1024); it is STRONGLY
RECOMMENDED that the chosen range be large enough to handle many
simultaneous passive connections (for example, 49152-65534, the
IANA-registered ephemeral port range).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6467"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6470"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
># Use the IANA registered ephemeral port range
PassivePorts 49152 65534</PRE
><P
></P
></DIV
><H1
><A
NAME="PATHALLOWFILTER"
></A
>
PathAllowFilter</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6482"
></A
><H2
>Name</H2
>PathAllowFilter -- Only allow new files which match a specified pattern</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6485"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>PathAllowFilter</B
> [ <CODE
CLASS="OPTION"
>PathAllowFilter regular-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6512"
></A
><H2
>Description</H2
><P
>PathAllowFilter allows the configuration of a regular expression that must
be matched for all newly uploaded (stored) files. The regular expression is
applied against the entire pathname specified by the client, so care must
be taken when creating a proper regex. Paths that fail the regex match result
in a "Forbidden filename" error being returned to the client.
If the regular-expression argument contains whitespace,
it must be enclosed in quotes.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6515"
></A
><H2
>See also</H2
><P
><A
HREF="#PATHDENYFILTER"
>PathDenyFilter</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6519"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
># Only allow a-z 0-9 . - _ in file names,
PathAllowFilter ^[a-z0-9._-]+$
# as above but with upper case characters as well
PathAllowFilter ^[A-Za-z0-9._-]+$</PRE
><P
></P
></DIV
><H1
><A
NAME="PATHDENYFILTER"
></A
>
PathDenyFilter</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6531"
></A
><H2
>Name</H2
>PathDenyFilter -- Disallow new files which match a specified pattern</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6534"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>PathDenyFilter</B
> [ <CODE
CLASS="OPTION"
>PathDenyFilter regular-expression</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6561"
></A
><H2
>Description</H2
><P
>Similar to PathAllowFilter, PathDenyFilter
specifies a regular expression which must not match any uploaded
pathnames. If the regex does match, a "Forbidden filename" error is returned
to the client. This can be especially useful for forbidding .ftpaccess or
.htaccess files.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6564"
></A
><H2
>See also</H2
><P
><A
HREF="#PATHALLOWFILTER"
>PathAllowFilter</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6568"
></A
><H2
>Examples</H2
><PRE
CLASS="PROGRAMLISTING"
># We don't want .ftpaccess or .htaccess files to be uploaded
PathDenyFilter "(\\.ftpaccess|\\.htaccess)$"</PRE
><P
></P
></DIV
><H1
><A
NAME="PERSISTENTPASSWD"
></A
>
PersistentPasswd</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6580"
></A
><H2
>Name</H2
>PersistentPasswd -- Sets handling of unix auth files</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6583"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>PersistentPasswd</B
> [ <CODE
CLASS="OPTION"
>PersistentPasswd on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Platform dependent</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth_unix</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6610"
></A
><H2
>Description</H2
><P
>The PersistentPasswd directive controls how proftpd handles authentication,
user/group lookups, and user/group to name mapping. If set to "on",
proftpd will attempt to open the system-wide /etc/passwd, /etc/group (and
/etc/shadow, potentially) files itself, holding them open even during a
chroot()ed login. (Note that /etc/shadow is never held open, for security
reasons.) On some platforms, you must turn this option on, as the libc
functions are incapable of accessing these databases from inside of a chroot().
At configure-time, the configuration script will attempt to detect whether or
not you need this support, and make it the default. However, such
"guessing" may fail, and you will have to manually enable or disable
the feature. If you cannot see user or group names when performing a directory
listing inside an anonymous chrooted login, this indicates you must enable the
directive. Use of the AuthUserFile or AuthGroupFile directives will force
partial support for persistent user or group database files, regardless of
PersistentPasswd's setting.</P
><P
>Note: NIS/NIS+ and NSS users will most likely want to disable this feature,
regardless of proftpd's detected configuration defaults. Failure to disable
this will make your NIS/NIS+ maps and NSS lookups not work! On certain systems,
you may also need to compile ProFTPD with the --enable-autoshadow option in
order to authenticate both users from NIS maps or NSS lookups, and local
users.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6614"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6617"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="PIDFILE"
></A
>
PidFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6628"
></A
><H2
>Name</H2
>PidFile -- Set the filepath to hold the pid of the master server</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6631"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>PidFile</B
> [ <CODE
CLASS="OPTION"
>PidFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6658"
></A
><H2
>Description</H2
><P
>The PidFile directive sets the file to which the server records
the process id of the daemon. The filename should be an absolute path
(relative to the system root), e.g. /var/run/proftpd/pidfile. The PidFile is only used
in standalone mode.
It is often useful to be able to send the server a signal, so
that it closes and then reopens its ErrorLog and TransferLog, and
re-reads its configuration files. This is done by sending a SIGHUP
(kill -1) signal to the process id of the master daemon listed in
the PidFile.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6661"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6664"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="PORT"
></A
>
Port</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6675"
></A
><H2
>Name</H2
>Port -- Set the port for the control socket</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6678"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Port</B
> [ <CODE
CLASS="OPTION"
>Port port-number</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Port 21</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6705"
></A
><H2
>Description</H2
><P
>The Port directive configures the TCP port which proftpd will listen on while
running in standalone mode. It has no effect when used upon a server running in
inetd mode (see ServerType). The directive can be used in conjunction with
<VirtualHost> in order to run a virtual server on the same IP address
as the master server, but listening on a different port.</P
><P
>For any server, either <VirtualHost> or server config, setting
Port 0 effectively turns off that server.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6709"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6712"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="RADIUSACCTSERVER"
></A
>
RadiusAcctServer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6723"
></A
><H2
>Name</H2
>RadiusAcctServer -- Setup RADIUS accounting details</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6726"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusAcctServer</B
> [ <CODE
CLASS="OPTION"
>server[:port] shared-secret [timeout]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6753"
></A
><H2
>Description</H2
><P
>The RadiusAcctServer is used to specify a RADIUS server to be used for accounting. The server parameter may be either an IP address or a DNS hostname. If not specified, the port used will be the IANA-registered 1813. The optional timeout parameter is used to tell mod_radius how long to wait for a response from the server; it defaults to 30 seconds.</P
><P
>Multiple RadiusAcctServers may be configured; each will be tried, in order of appearance in the configuration file, until that server times out or mod_radius receives a response.</P
><P
>If no RadiusAcctServers are configured, mod_radius will not use RADIUS for accounting.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6758"
></A
><H2
>See also</H2
><P
><A
HREF="#RADIUSAUTHSERVER"
>RadiusAuthServer</A
></P
></DIV
><H1
><A
NAME="RADIUSAUTHSERVER"
></A
>
RadiusAuthServer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6770"
></A
><H2
>Name</H2
>RadiusAuthServer -- Setup RADIUS authenticator details</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6773"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusAuthServer</B
> [ <CODE
CLASS="OPTION"
>server[:port] shared-secret [timeout]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6800"
></A
><H2
>Description</H2
><P
>The RadiusAuthServer is used to specify a RADIUS server to be used for authentication. The server parameter may be either an IP address or a DNS hostname. If not specified, the port used will be the IANA-registered 1812. The optional timeout parameter is used to tell mod_radius how long to wait for a response from the server; it defaults to 30 seconds. Because the shared-secret is written in clear text in the configuration file, read access to that file should be restricted.</P
><P
>Multiple RadiusAuthServers may be configured; each will be tried, in order of appearance in the configuration file, until that server times out or mod_radius receives a response.</P
><P
>If no RadiusAuthServers are configured, mod_radius will not use RADIUS for authentication.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6805"
></A
><H2
>See also</H2
><P
><A
HREF="#RADIUSACCTSERVER"
>RadiusAcctServer</A
></P
></DIV
><H1
><A
NAME="RADIUSENGINE"
></A
>
RadiusEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6817"
></A
><H2
>Name</H2
>RadiusEngine -- Enable RADIUS support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6820"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusEngine</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6847"
></A
><H2
>Description</H2
><P
>The RadiusEngine directive enables or disables the module's runtime RADIUS engine. If it is set to off this module does no RADIUS authentication or accounting at all. Use this directive to disable the module instead of commenting out all mod_radius directives. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6850"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="RADIUSLOG"
></A
>
RadiusLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6861"
></A
><H2
>Name</H2
>RadiusLog -- Specify the logfile for reporting / debugging</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6864"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusLog</B
> [ <CODE
CLASS="OPTION"
>"file"|none</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6891"
></A
><H2
>Description</H2
><P
>The RadiusLog directive is used to specify a log file for mod_radius
reporting and debugging, and can be done on a per-server basis. The file
parameter must be the full path to the file to use for logging. Note
that this path must not be to a world-writeable directory and, unless
AllowLogSymlinks is explicitly set to on (generally a bad idea), the
path must not be a symbolic link.</P
><P
>If file is "none", no logging will be done at all; this setting can be
used to override a RadiusLog setting inherited from a <Global> context.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6895"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="RADIUSREALM"
></A
>
RadiusRealm</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6906"
></A
><H2
>Name</H2
>RadiusRealm -- Setup the authentication realm</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6909"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusRealm</B
> [ <CODE
CLASS="OPTION"
>realm</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6936"
></A
><H2
>Description</H2
><P
>The RadiusRealm directive configures a realm string that will be added to the username in the constructed RADIUS packets.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6939"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6942"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> RadiusRealm .castaglia.org</P
></DIV
><H1
><A
NAME="RADIUSUSERINFO"
></A
>
RadiusUserInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN6953"
></A
><H2
>Name</H2
>RadiusUserInfo -- Configure login information via RADIUS</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN6956"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RadiusUserInfo</B
> [ <CODE
CLASS="OPTION"
>uid gid home shell [suppl-group-names suppl-group-ids]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_radius</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6983"
></A
><H2
>Description</H2
><P
>The RadiusUserInfo directive is used to configure login information used for every user authenticated via RADIUS. The optional suppl-group-names and suppl-group-ids parameters are used to specify supplemental group membership for each user; the number of names and IDs must match if these parameters are used.</P
><P
>In order to support RADIUS servers that may use custom attributes in their Access-Accept response packets to supply user information back to the RADIUS client (mod_radius in this case), this directive allows the following syntax for some of its parameters:</P
><P
> <P
CLASS="LITERALLAYOUT"
> $(attribute-id:default-value)</P
> </P
><P
>where the enclosing $() signals that the parameter is to be supplied by
the RADIUS server, attribute-id is the custom attribute ID for which to
search in the response packet, and default-value is the value to use in
case the requested attribute is not present in the response packet. This
syntax is not supported for the suppl-group-names or suppl-group-ids
parameters.</P
><P
>If RadiusUserInfo is not used, mod_radius will perform pure "yes/no"
authentication only, in the style of PAM. The information that would
have been configured via this directive will be pulled from other sources
(e.g. /etc/passwd, AuthUserFiles, MySQL tables, etc).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN6991"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="RATIOFILE"
></A
>
RatioFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7002"
></A
><H2
>Name</H2
>RatioFile -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7005"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RatioFile</B
> [ <CODE
CLASS="OPTION"
>RatioFile foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7032"
></A
><H2
>Description</H2
><P
>The RatioFile directive ....
Example:
RatioFile</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7035"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7038"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="RATIOS"
></A
>
Ratios</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7049"
></A
><H2
>Name</H2
>Ratios -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7052"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Ratios</B
> [ <CODE
CLASS="OPTION"
>Ratios foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7079"
></A
><H2
>Description</H2
><P
>The Ratios directive ....
Example:
Ratios</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7082"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7085"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="RATIOTEMPFILE"
></A
>
RatioTempFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7096"
></A
><H2
>Name</H2
>RatioTempFile -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7099"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RatioTempFile</B
> [ <CODE
CLASS="OPTION"
>RatioTempFile foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7126"
></A
><H2
>Description</H2
><P
>The RatioTempFile directive ....
Example:
RatioTempFile</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7129"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7132"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="REQUIREVALIDSHELL"
></A
>
RequireValidShell</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7143"
></A
><H2
>Name</H2
>RequireValidShell -- Allow connections based on /etc/shells</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7146"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RequireValidShell</B
> [ <CODE
CLASS="OPTION"
>RequireValidShell on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>RequireValidShell on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7173"
></A
><H2
>Description</H2
><P
>The RequireValidShell directive configures the server, virtual host or anonymous
login to allow or deny logins which do not have a shell binary listed in /etc/shells.
By default, proftpd disallows logins if the user's default shell is not listed
in /etc/shells. If /etc/shells cannot be found, all default shells are assumed
to be valid.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7176"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7179"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="REWRITECONDITION"
></A
>
RewriteCondition</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7190"
></A
><H2
>Name</H2
>RewriteCondition -- Define a rule condition</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7193"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteCondition</B
> [ <CODE
CLASS="OPTION"
>condition pattern</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Directory></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7220"
></A
><H2
>Description</H2
><P
>The RewriteCondition directive defines a rule condition. Precede a
<A
HREF="#REWRITERULE"
>RewriteRule</A
> directive with one or more
RewriteCondition directives. The following rewriting rule is only used if
its pattern matches the current state of the FTP command and if these
additional conditions apply too.</P
><P
>Condition is a string which can contain the following expanded constructs
in addition to plain text:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>RewriteRule backreferences</B
></SPAN
>
</P
><P
> These are backreferences of the form:
</P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>$N</B
></SPAN
></P
><P
> (0 <= N <= 9) which provide access to the grouped
parts (parentheses!) of the pattern from the corresponding
RewriteRule directive (the one following the current bunch
of RewriteCondition directives). Note that $0 will refer
back to the entire original string being matched.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>RewriteCondition backreferences</B
></SPAN
>
</P
><P
> These are backreferences of the form:
</P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%N</B
></SPAN
></P
><P
> (0 <= N <= 9) which provide access to the grouped parts
(parentheses!) of the pattern from the previous
RewriteCondition attached to this RewriteRule.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>RewriteMap expansions:</B
></SPAN
>
</P
><P
> These are expansions of the form:
</P
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>${map-name:lookup-key|default-value}</B
></SPAN
>
</P
><P
> See the documentation for <A
HREF="#REWRITEMAP"
>RewriteMap
</A
> for more details.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Variable substitutions:</B
></SPAN
>
</P
><P
> These are substitutions of the form:
</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%a</B
></SPAN
>
client IP address
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%c</B
></SPAN
>
name of Class for current session
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%f</B
></SPAN
>
filename
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%F</B
></SPAN
>
transfer path, as seen by the client (only useful
for upload/download commands)
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%g</B
></SPAN
>
primary group of authenticated user
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%G</B
></SPAN
>
supplemental groups of authenticated user
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%h</B
></SPAN
>
client DNS name
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%m</B
></SPAN
>
FTP command
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%p</B
></SPAN
>
port of server handling the session
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%u</B
></SPAN
>
name of authenticated user
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%U</B
></SPAN
>
name of user sent by client via USER
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>%v</B
></SPAN
>
ServerName of server handling the session
</P
></LI
></UL
></LI
></UL
><P
>Pattern is the condition pattern, i.e., a regular expression which is
applied to the current instance of the condition, i.e., condition is
evaluated and then matched against pattern. You can prefix the pattern
string with a '!' character (exclamation mark) to specify a non-matching
pattern.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7290"
></A
><H2
>See also</H2
><P
><A
HREF="#REWRITERULE"
>RewriteRule</A
>
<A
HREF="#REWRITEMAP"
>RewriteMap</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7295"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="REWRITEENGINE"
></A
>
RewriteEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7306"
></A
><H2
>Name</H2
>RewriteEngine -- Enable/disable mod_rewrite</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7309"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteEngine</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7336"
></A
><H2
>Description</H2
><P
>The RewriteEngine directive enables or disables the module's runtime
rewriting engine. If it is set to off this module does no parsing or
rewriting at all. Use this directive to disable the module instead of
commenting out all mod_rewrite directives.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7339"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="REWRITELOCK"
></A
>
RewriteLock</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7350"
></A
><H2
>Name</H2
>RewriteLock -- Set the filename for synchronization lockfile</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7353"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteLock</B
> [ <CODE
CLASS="OPTION"
>filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7380"
></A
><H2
>Description</H2
><P
>The RewriteLock directive sets the filename for a synchronization lockfile
which mod_rewrite needs to communicate with RewriteMaps of type fifo. Set
filename to a local absolute path (not on an NFS-mounted device) when you want
to use a rewriting FIFO. It is not required for other types of rewriting maps.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7383"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="REWRITELOG"
></A
>
RewriteLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7394"
></A
><H2
>Name</H2
>RewriteLog -- Specify a log file for mod_rewrite reporting</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7397"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteLog</B
> [ <CODE
CLASS="OPTION"
>file|"none"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7424"
></A
><H2
>Description</H2
><P
>The RewriteLog directive is used to specify a log file for mod_rewrite
reporting and debugging, and can be done on a per-server basis. The file
parameter must be the full path to the file to use for logging. Note
that this path must <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>not</B
></SPAN
> be to a
world-writeable directory and, unless AllowLogSymlinks is explicitly
set to on (generally a bad idea), the path must
<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>not</B
></SPAN
> be a symbolic link. In general,
this directive should only be used for debugging your mod_rewrite
configuration, and should be removed once debugging is completed;
<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>do not use this directive in a production
configuration.</B
></SPAN
></P
><P
>If file is "none", no logging will be done at all; this setting can be
used to override a RewriteLog setting inherited from a <Global> context. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7431"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="REWRITEMAP"
></A
>
RewriteMap</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7442"
></A
><H2
>Name</H2
>RewriteMap -- Define a rewrite map</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7445"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteMap</B
> [ <CODE
CLASS="OPTION"
>map-name map-type:map-source</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7472"
></A
><H2
>Description</H2
><P
>The RewriteMap directive defines a rewriting map which can be used inside
rule substitution strings by the mapping-functions to insert/substitute
fields through a key lookup. The source of this lookup can be of various types.</P
><P
>The map-name is the name of the map and will be used to specify a
mapping-function for the substitution strings of a rewriting rule via
one of the following constructs:</P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>${ map-name : lookup-key }</B
></SPAN
></P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>${ map-name : lookup-key</B
></SPAN
>
|
<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>default-value }</B
></SPAN
></P
><P
>When such a construct occurs the map map-name is consulted and the key
lookup-key is resolved. If the key is found, the map-function construct
is substituted by subst-value. If the key is not found then it is
substituted by default-value or by the empty string if no default-value
was specified.</P
><P
>The following combinations for map-type and map-src can be used:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Standard Plain Text</B
></SPAN
>
</P
><P
> map-type: txt, map-src: Unix filesystem path to
valid regular file.
</P
><P
> This is the standard rewriting map feature where
the map-src is a plain ASCII file containing either blank
lines, comment lines (starting with a '#' character) or
pairs like the following - one per line.
</P
><P
> <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>matching-key subst-value</B
></SPAN
>
</P
><DIV
CLASS="EXAMPLE"
><A
NAME="EXAMPLE-USERMAP"
></A
><P
><B
>Example 1-1. Example Usermap</B
></P
><PRE
CLASS="PROGRAMLISTING"
> # --------------------------------------------
# usermap.txt -- map for rewriting user names
# --------------------------------------------
Dave.Admin dave # The Uber-admin
root anonymous # no one should be logging in as root anyway
</PRE
></DIV
><P
> And, to configure this map to be used:
</P
><PRE
CLASS="PROGRAMLISTING"
> RewriteMap real-to-user txt:/path/to/file/usermap.txt
</PRE
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>FIFO/Named Pipe</B
></SPAN
></P
><P
> map-type: fifo, map-src: Unix filesystem path
to valid FIFO.
</P
><P
> For this rewriting map, map-src is a FIFO (a.k.a. named pipe).
To create it, you can use the mkfifo(1) command. An
external program that opens the FIFO for reading and
writing <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>must</B
></SPAN
> be started
before proftpd is started. This program can communicate
with the rewriting engine via the FIFO. For each mapping
lookup, it can read the key to lookup as a newline-terminated
string from the FIFO. It then has to write back to the FIFO
the looked-up value as a newline-terminated string, or
simply a newline character (denoting an empty string) if there
is no corresponding value for the given key.
</P
><P
> An example program which will implement a 1:1 mapping
(i.e., key == value) could be:
</P
><DIV
CLASS="EXAMPLE"
><A
NAME="EXAMPLE-FIFONAMEDPIPE"
></A
><P
><B
>Example 1-2. Example FIFO/Named Pipe 1:1 mapping</B
></P
><PRE
CLASS="PROGRAMLISTING"
>#!/usr/bin/perl
use strict;
use File::Basename qw(basename);
use Getopt::Long;
use IO::Handle;
use IO::Select;
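# Defaults and command-line handling.
my $default_delay = 0.5;
my $program = basename($0);
my %opts = ();
GetOptions(\%opts, 'delay=f', 'fifo=s', 'help', 'verbose');
usage() if $opts{'help'};
my $delay = $opts{'delay'} ? $opts{'delay'} : $default_delay;
die "$program: missing required --fifo parameter\n" unless $opts{'fifo'};
my $fifo = $opts{'fifo'};
my $verbose = $opts{'verbose'} ? 1 : 0;

# Open the FIFO for reading and writing.  The three-argument open() keeps
# the mode separate from the path taken from --fifo, and '+<' neither
# creates nor truncates, so a mistyped path cannot clobber a regular file.
open(my $fifo_fh, '+<', $fifo) or die "$program: unable to open $fifo: $!\n";

# Check the handle that was actually opened rather than the path.
die "$program: $fifo is not a FIFO\n" unless -p $fifo_fh;

# Instantiate a Select object for knowing when to read from and write to
# the FIFO.
my $sel = IO::Select->new();

while (1) {
    # Blocking select() for reading.
    $sel->add($fifo_fh);
    print STDERR "$program: selecting for reading\n" if $verbose;
    my ($rfh) = $sel->can_read();

    # One newline-terminated lookup key per request.
    my $key = <$rfh>;
    print STDERR "$program: read '$key'\n" if $verbose;

    # Lookup a value for the given key.
    my $value = lookup_value($key);

    # remove() is called without arguments here, before the reply is written.
    $sel->remove();

    # Always write the reply.  The reader on the other end waits for a
    # newline-terminated answer to every key, so the write must not depend
    # on --verbose; otherwise the lookup never completes.
    print $fifo_fh "$value\n";
    $fifo_fh->flush();
    print STDERR "$program: wrote '$value'\n" if $verbose;

    # Wait for the buffer's byte to be cleared before reading again.
    wait_fifo($fifo_fh);
}

# Not reached: the loop above has no exit condition.
close($fifo_fh);
print STDOUT "$program: done\n" if $verbose;
exit 0;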
# --------------------------------------------------------------------------
sub lookup_value {
    # Map one lookup key to its value.  The argument is the line read from
    # the FIFO, including its trailing newline; the return value has no
    # trailing newline.
    #
    # NOTE(review): the key is supplied by the rewriting engine and may carry
    # text taken from a client's FTP command, so real lookup code should
    # treat it as untrusted input -- confirm against the rules in use.
    my $value = shift;

    # NOTE: do something to obtain a value for the given key here.
    # As written this is the 1:1 mapping: the key, minus its newline.
    chomp $value;

    return $value;
}
# --------------------------------------------------------------------------
sub usage {
    # Print the option summary to STDOUT and exit with status 0.
    # Interpolates the file-level $program and $default_delay.
    my $help_text = <<"END_OF_USAGE";
usage: $program [options]
--delay Configure the buffer check delay.
The default is $default_delay seconds.
--fifo Configure the path to the FIFO. Required.
--help Displays this message.
--verbose Enables verbose output while $program runs.
END_OF_USAGE

    print STDOUT $help_text;
    exit 0;
}
# --------------------------------------------------------------------------
sub wait_fifo {
    # Block until the FIFO reports zero unread bytes, i.e. until the reply
    # just written has been consumed by the process on the other end.
    # Without this wait, a fast loop in this program could read back its
    # own reply as if it were the next key.
    #
    # Uses the file-level $program, $verbose and $delay.
    my ($fh) = @_;

    # ioctl(2) request number that asks how many bytes are waiting to be
    # read.  The number is platform-specific and is hard-coded here;
    # 0x541b is the value Linux headers commonly define.  To obtain it for
    # another system, compile and run:
    #
    #   -------- fionread.c -------------------
    #   #include <stdio.h>
    #   #include <sys/ioctl.h>
    #
    #   int main(int argc, char *argv[]) {
    #     printf("%#08x\n", FIONREAD);
    #     return 0;
    #   }
    #   ---------------------------------------
    #
    #   > cc -o fionread fionread.c
    #   > ./fionread
    my $FIONREAD = 0x00541b;

    while (1) {
        # ioctl() writes the pending byte count into this packed buffer.
        my $buf = pack('L', 0);
        ioctl($fh, $FIONREAD, $buf) or die "$program: unable to use ioctl: $!\n";
        my $pending = unpack('L', $buf);

        # Nothing left in the buffer: the reply has been read.
        last if $pending == 0;

        print STDERR "$program: waiting for buffer to be read\n" if $verbose;

        # Four-argument select() with no handles is a sub-second sleep.
        select(undef, undef, undef, $delay);
    }
}
</PRE
></DIV
><P
> To make use of this example script, simply implement your
lookup code in the lookup_value() subroutine. Be very
careful with such scripts, though:
</P
><P
></P
><OL
TYPE="1"
><LI
STYLE="list-style-type: disc"
><P
> "Keep it simple, stupid" (KISS), because if
this program hangs it will hang proftpd when
the rule occurs. Well, keep it as simple as
possible...
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> Avoid one common mistake: avoid buffered I/O
if possible. This can cause a deadloop. If
necessary, be sure to flush the filehandle
before reading, and after writing.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
> Use the RewriteLock directive to define a
lockfile mod_rewrite can use to synchronize
the communication to the FIFO program. By
default no such synchronization takes place.
</P
></LI
></OL
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Internal Function</B
></SPAN
></P
><P
> map-type: int, map-src: Internal mod_rewrite function.
</P
><P
> Here the map-src is a mod_rewrite built-in function.
Currently you cannot create your own, but the following
functions already exist:
</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>toupper</B
></SPAN
></P
><P
> Converts the looked up key to all upper case.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>tolower</B
></SPAN
></P
><P
> Converts the looked up key to all lower case.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>unescape</B
></SPAN
></P
><P
> Translates hex-encodings in the looked up key back
to special characters.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>utf8trans</B
></SPAN
></P
><P
> Translates UTF-8 encodings in the looked up key into
Latin-1 characters.
</P
></LI
></UL
></LI
></UL
><P
>The RewriteMap directive can occur more than once. For each mapping-function
use one RewriteMap directive to declare its rewriting map name.</P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Note:</B
></SPAN
> For plain text files the looked-up
keys are cached in-core until the mtime of the text map file changes or
the server does a restart. This way you can have map-functions in rules
which are used for <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>every</B
></SPAN
> request. This
is no problem, because the parsing of the text files only happens once!</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7540"
></A
><H2
>See also</H2
><P
><A
HREF="#REWRITECONDITION"
>RewriteCondition</A
></P
></DIV
><H1
><A
NAME="REWRITERULE"
></A
>
RewriteRule</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7552"
></A
><H2
>Name</H2
>RewriteRule -- Define a rewrite rule</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7555"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RewriteRule</B
> [ <CODE
CLASS="OPTION"
>pattern substitution</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Directory></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_rewrite</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7582"
></A
><H2
>Description</H2
><P
>The RewriteRule directive is the real rewriting workhorse. The configuration
directive can occur more than once. Each directive defines a single
rewriting rule. The order of definition of these rules is important,
because this order is used when applying the rules at run-time.</P
><P
>Pattern can be a POSIX regular expression which gets applied to the current
FTP command argument(s).</P
><P
>Some hints about the syntax of regular expressions:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Text:</B
></SPAN
></P
><PRE
CLASS="PROGRAMLISTING"
> . Any single character
[chars] Character class: one of chars
[^chars] Character class: none of chars
text1|text2 Alternative: text1 or text2
</PRE
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Quantifiers:</B
></SPAN
></P
><PRE
CLASS="PROGRAMLISTING"
> ? 0 or 1 of the preceding text
* 0 or N of the preceding text (N > 0)
+ 1 or N of the preceding text (N > 1)
</PRE
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Grouping:</B
></SPAN
></P
><PRE
CLASS="PROGRAMLISTING"
> (text) Grouping of text
(either to set the borders of an alternative or
for making backreferences where the Nth group can
be used on the RHS of a RewriteRule with $N)
</PRE
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Anchors:</B
></SPAN
></P
><PRE
CLASS="PROGRAMLISTING"
> ^ Start of line anchor
$ End of line anchor
</PRE
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Escaping:</B
></SPAN
></P
><PRE
CLASS="PROGRAMLISTING"
> \char Escape that particular char
(for instance to specify the chars ".[]()" etc.)
</PRE
></LI
></UL
><P
>For more information about regular expressions have a look at your local
regex(3) manpage. If you are interested in more detailed information about
regular expressions and their variants (POSIX regex, Perl regex, etc.) have
a look at the following dedicated book on this topic:</P
><P
>Mastering Regular Expressions
Jeffrey E.F. Friedl
Nutshell Handbook Series
O'Reilly & Associates, Inc. 1997
ISBN 1-56592-257-3</P
><P
>Additionally in mod_rewrite the NOT character ('!') is a possible pattern
prefix. This gives you the ability to negate a pattern; to say, for instance:
"if the current argument(s) does NOT match this pattern". This can be used
for exceptional cases, where it is easier to match the negative pattern,
or as a last default rule.</P
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Notice:</B
></SPAN
> When using the NOT character to
negate a pattern you cannot have grouped wildcard parts in the pattern.
This is impossible because when the pattern does NOT match, there are no
contents for the groups. In consequence, if negated patterns are used,
you cannot use $N in the substitution string.</P
><P
>Substitution of a rewriting rule is the string which is substituted for
(or replaces) the original argument(s) for which pattern matched. Besides
plain text you can use:</P
><P
></P
><OL
TYPE="1"
><LI
><P
> $N backreferences to the RewriteRule pattern
</P
></LI
><LI
><P
> %N backreferences to the last matched RewriteCondition pattern
</P
></LI
><LI
><P
> variables as in RewriteCondition test strings
</P
></LI
><LI
><P
> map function calls (${map-name:lookup-key|default-value})
</P
></LI
></OL
><P
>Backreferences are $<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>N</B
></SPAN
>
(<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>N</B
></SPAN
>=0..9) identifiers which will be replaced
by the contents of the <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>N</B
></SPAN
>th group of the
matched pattern. The variables are the same as for the condition of a
<A
HREF="#REWRITECONDITION"
>RewriteCondition</A
> directive, with two
additions:</P
><P
></P
><UL
><LI
><P
> %<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>P</B
></SPAN
>
process ID
</P
></LI
><LI
><P
> %<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>t</B
></SPAN
>
Unix time since the epoch, in seconds
</P
></LI
></UL
><P
>The map functions come from the <A
HREF="#REWRITEMAP"
>RewriteMap</A
>
directive and are explained there. These four types of variables are
expanded in the order of the above list.</P
><P
>All of the rewriting rules are applied to substitution. The command
argument(s) is completely replaced by the substitution.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7638"
></A
><H2
>See also</H2
><P
><A
HREF="#REWRITECONDITION"
>RewriteCondition</A
>
<A
HREF="#REWRITEMAP"
>RewriteMap</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7643"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="RLIMITCPU"
></A
>
RLimitCPU</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7654"
></A
><H2
>Name</H2
>RLimitCPU -- Configure the maximum CPU time in seconds used by a process</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7657"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RLimitCPU</B
> [ <CODE
CLASS="OPTION"
>RLimitCPU ["daemon"|"session"|"none"] soft-limit|"max" [hard-limit|"max"]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>System defaults</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7684"
></A
><H2
>Description</H2
><P
>RLimitCPU takes from one to three parameters. The first parameter may be one
of "daemon" (applies the limit only to the daemon process), "session" (applies
the limit only to child processes handling each FTP session), or "none"
(disables any possibly inherited limits). Note that if "daemon" is used, the
directive may then only occur in the "server config" context. If none of
these keywords are used, the limit is assumed to apply to both daemon and
session processes. After any potential keyword, the soft resource limit must be
set. The next parameter is also optional, and sets the hard (maximum) resource
limit. Either limit parameter can be a number, or "max" to indicate to the
server that the limit should be set to the maximum allowed by the operating
system.</P
><P
>CPU resource limits are expressed in seconds per process.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7688"
></A
><H2
>See Also:</H2
><P
><A
HREF="#RLIMITMEMORY"
>RLimitMemory</A
>,
<A
HREF="#RLIMITOPENFILES"
>RLimitOpenFiles</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7693"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="RLIMITMEMORY"
></A
>
RLimitMemory</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7704"
></A
><H2
>Name</H2
>RLimitMemory -- Configure the maximum memory in bytes used by a process</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7707"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RLimitMemory</B
> [ <CODE
CLASS="OPTION"
>RLimitMemory ["daemon"|"session"|"none"] soft-limit[units]|"max" [hard-limit[units]|"max"]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7734"
></A
><H2
>Description</H2
><P
>RLimitMemory takes from one to three parameters. The first parameter may be one
of "daemon" (applies the limit only to the daemon process), "session" (applies
the limit only to child processes handling each FTP session), or "none"
(disables any possibly inherited limits). Note that if "daemon" is used, the
directive may then only occur in the "server config" context. If none of
these keywords are used, the limit is assumed to apply to both daemon and
session processes. After any potential keyword, the soft resource limit must be
set. The next parameter is also optional, and sets the hard (maximum) resource
limit. Either limit parameter can be a number, or "max" to indicate to the
server that the limit should be set to the maximum allowed by the operating
system.</P
><P
>Memory resource limits are expressed in bytes per process. An optional
case-insensitive units specifier may follow the number of bytes given:
G (Gigabytes), M (Megabytes), K (Kilobytes), or B (bytes). If the units
specifier is used, the given number of bytes is multiplied by the appropriate
factor.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7738"
></A
><H2
>See Also</H2
><P
>RLimitCPU, RLimitOpenFiles</P
></DIV
><H1
><A
NAME="RLIMITOPENFILES"
></A
>
RLimitOpenFiles</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7749"
></A
><H2
>Name</H2
>RLimitOpenFiles -- Configure the maximum number of open files used by a process</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7752"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RLimitOpenFiles</B
> [ <CODE
CLASS="OPTION"
>RLimitOpenFiles ["daemon"|"session"|"none"] soft-limit|"max" [hard-limit|"max"]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7779"
></A
><H2
>Description</H2
><P
>RLimitOpenFiles takes from one to three parameters. The first parameter may be
one of "daemon" (applies the limit only to the daemon process), "session"
(applies the limit only to child processes handling each FTP session), or "none"
(disables any possibly inherited limits). Note that if "daemon" is used, the
directive may then only occur in the "server config" context. If none of
these keywords are used, the limit is assumed to apply to both daemon and
session processes. After any potential keyword, the soft resource limit must be
set. The next parameter is also optional, and sets the hard (maximum) resource
limit. Either limit parameter can be a number, or "max" to indicate to the
server that the limit should be set to the maximum allowed by the operating
system.</P
><P
>File resource limits are expressed in number of files per process.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7783"
></A
><H2
>See Also:</H2
><P
>RLimitCPU, RLimitMemory</P
></DIV
><H1
><A
NAME="ROOTLOGIN"
></A
>
RootLogin</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7794"
></A
><H2
>Name</H2
>RootLogin -- Permit root user logins</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7797"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RootLogin</B
> [ <CODE
CLASS="OPTION"
>RootLogin on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>RootLogin off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7824"
></A
><H2
>Description</H2
><P
>Normally, proftpd disallows root logins under any circumstance. If a client
attempts to login as root, using the correct password, a special security
message is sent to syslog. When the RootLogin directive is turned On, the
root user may authenticate just as any other user could (assuming no other
access control measures deny access); however the root login security message
is still sent to syslog. Obviously, extreme
care should be taken when using this directive.</P
><P
>The use of RootLogin in the Anonymous context is only valid when the User / Group defined in the Anonymous block is set to 'root'.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7828"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7831"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="ROOTREVOKE"
></A
>
RootRevoke</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7842"
></A
><H2
>Name</H2
>RootRevoke -- Drop root privileges completely</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7845"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>RootRevoke</B
> [ <CODE
CLASS="OPTION"
>RootRevoke on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>RootRevoke off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.9rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7872"
></A
><H2
>Description</H2
><P
>The RootRevoke directive causes all root privileges to be dropped once a user
is authenticated. This will also cause active transfers to be disabled, if
the server is listening on a port less than 1025. Note that this only affects
active transfers; passive transfers will not be blocked.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7875"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7878"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SAVERATIOS"
></A
>
SaveRatios</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7889"
></A
><H2
>Name</H2
>SaveRatios -- FIXME FIXME</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7892"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SaveRatios</B
> [ <CODE
CLASS="OPTION"
>SaveRatios foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7919"
></A
><H2
>Description</H2
><P
>The SaveRatios directive ....
Example:
SaveRatios</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7922"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7925"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SCOREBOARDFILE"
></A
>
ScoreboardFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7936"
></A
><H2
>Name</H2
>ScoreboardFile -- Sets the name and path of the scoreboard file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7939"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ScoreboardFile</B
> [ <CODE
CLASS="OPTION"
>path</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ScoreboardFile /usr/local/var/proftpd.scoreboard</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7966"
></A
><H2
>Description</H2
><P
>The ScoreboardFile directive sets the path to the file where the daemon will
store its run-time "scoreboard" session information. This file is necessary
for MaxClients to work properly, as well as other utilities (such as ftpwho and ftpcount). Note that the directory containing the scoreboard cannot be
world-writable.</P
><P
>This directive deprecates ScoreboardPath.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7970"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN7973"
></A
><H2
>Examples</H2
><P
>ScoreboardFile /var/run/proftpd.scoreboard</P
></DIV
><H1
><A
NAME="SERVERADMIN"
></A
>
ServerAdmin</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN7984"
></A
><H2
>Name</H2
>ServerAdmin -- Set the address for the server admin</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN7987"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ServerAdmin</B
> [ <CODE
CLASS="OPTION"
>ServerAdmin "admin-email-address"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ServerAdmin root@[ServerName]</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl10 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8014"
></A
><H2
>Description</H2
><P
>The ServerAdmin directive sets the email address of the administrator for
the server or virtualhost. This address is displayed in magic cookie replacements
(see DisplayLogin and DisplayFirstChdir).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8017"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8020"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SERVERIDENT"
></A
>
ServerIdent</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8031"
></A
><H2
>Name</H2
>ServerIdent -- Set the message displayed on connect</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8034"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ServerIdent</B
> [ <CODE
CLASS="OPTION"
>ServerIdent off|on [identification string]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ServerIdent on "ProFTPD [version] Server (server name) [hostname]"</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8061"
></A
><H2
>Description</H2
><P
>The ServerIdent directive sets the default message displayed when a new client
connects. Setting this to off displays "[hostname]
FTP server ready." If set to on, the directive
can take an optional string argument, which will be displayed instead of the
default text. Sites desiring to give out minimal information will probably
want a setting like ServerIdent on "FTP Server ready.", which won't
even reveal the hostname. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8064"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8067"
></A
><H2
>Examples</H2
><P
>ServerIdent on "Welcome to ftp.linux.co.uk"</P
></DIV
><H1
><A
NAME="SERVERLOG"
></A
>
ServerLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8078"
></A
><H2
>Name</H2
>ServerLog -- Configure logs on a per-server basis</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8081"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ServerLog</B
> [ <CODE
CLASS="OPTION"
>path</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_log</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8108"
></A
><H2
>Description</H2
><P
>The ServerLog directive disables the daemon's use of the syslog mechanism and
instead redirects all logging output for the server to the specified filename.
The filename argument must contain an absolute path. Use of this directive
overrides any facility set by the SyslogFacility directive, as well as
overriding any configured SystemLog.</P
></DIV
><H1
><A
NAME="SERVERNAME"
></A
>
ServerName</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8119"
></A
><H2
>Name</H2
>ServerName -- Configure the name displayed to connecting users</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8122"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ServerName</B
> [ <CODE
CLASS="OPTION"
>ServerName "name"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ServerName "ProFTPD Server [version]"</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8149"
></A
><H2
>Description</H2
><P
>The ServerName directive configures the string that will be displayed to
a user connecting to the server (or virtual server if the directive is located
in a <VirtualHost> block).
See Also: <VirtualHost></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8152"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8155"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SERVERTYPE"
></A
>
ServerType</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8166"
></A
><H2
>Name</H2
>ServerType -- Set the mode proftpd runs in</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8169"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ServerType</B
> [ <CODE
CLASS="OPTION"
>ServerType type-identifier</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ServerType standalone</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8196"
></A
><H2
>Description</H2
><P
>The ServerType directive configures the server daemon's operating mode. The
type-identifier can be one of two values:
inetd
The daemon will expect to be run from the inetd "super server."
New connections are passed from inetd to proftpd and serviced immediately.
standalone
The daemon starts and begins listening to the configured port for incoming connections. New connections
result in spawned child processes dedicated to servicing all requests from
the newly connected client.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8199"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8202"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SETENV"
></A
>
SetEnv</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8213"
></A
><H2
>Name</H2
>SetEnv -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8216"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SetEnv</B
> [ <CODE
CLASS="OPTION"
>key value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8243"
></A
><H2
>Description</H2
><P
>(docs incomplete)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8246"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8249"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>(docs incomplete)</P
></DIV
><H1
><A
NAME="SHOWSYMLINKS"
></A
>
ShowSymlinks</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8260"
></A
><H2
>Name</H2
>ShowSymlinks -- Toggle the display of symlinks</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8263"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>ShowSymlinks</B
> [ <CODE
CLASS="OPTION"
>ShowSymlinks on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>(versions 1.1.5 and beyond) ShowSymlinks On</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
></P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8290"
></A
><H2
>Description</H2
><P
>Compatibility: 0.99.0pl6 and later.
Symbolic links (if supported on the host OS and filesystem) can be either
shown in directory listings (including the target of the link) or can be "hidden"
(proftpd dereferences symlinks and reports the target's permissions and ownership).
In versions before 1.1.5, the default behavior was to show all symbolic links when
normal users are logged in, and hide them for anonymous sessions. If a symbolic link cannot be dereferenced
for any reason (permissions, target does not exist, etc) and ShowSymlinks
is off, proftpd displays the link as a directory entry of type 'l' (link)
with the ownership and permissions of the actual link.
Under ProFTPD versions 1.1.5 and higher, the default behavior in regard to
ShowSymlinks has been changed so that symbolic links are always displayed
as such (in all cases), unless ShowSymlinks off is explicitly set.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8293"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8296"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SOCKETBINDTIGHT"
></A
>
SocketBindTight</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8307"
></A
><H2
>Name</H2
>SocketBindTight -- Controls how TCP/IP sockets are created</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8310"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SocketBindTight</B
> [ <CODE
CLASS="OPTION"
>SocketBindTight on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>SocketBindTight off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8337"
></A
><H2
>Description</H2
><P
>The SocketBindTight directive controls how proftpd creates and binds its
initial tcp listen sockets in standalone mode (see
ServerType). The directive has no effect upon servers
running in inetd mode, because listen sockets are
not needed or created. When SocketBindTight is set to off
(the default), a single listening socket is created for each port that the
server must listen on, regardless of the number of IP addresses being used
by <VirtualHost> configurations. This has
the benefit of typically requiring a relatively small number of file descriptors
for the master daemon process, even if a large number of virtual servers are
configured. If SocketBindTight is set to on, a listen
socket is created and bound to a specific IP address for the master server
and all configured virtual servers. This allows for situations where an administrator
may wish to have a particular port be used by both proftpd (on one IP address)
and another daemon (on a different IP address). The drawback is that considerably
more file descriptors will be required if a large number of virtual servers
must be supported.
Example: Two servers have been configured (one master and one virtual), with
the IP addresses 10.0.0.1 and 10.0.0.2, respectively. The 10.0.0.1 server
runs on port 21, while 10.0.0.2 runs on port 2001.
SocketBindTight off #default
# proftpd creates two sockets, both bound to ALL available addresses.
# one socket listens on port 21, the other on 2001. Because each socket is
# bound to all available addresses, no other daemon or user process will be
# allowed to bind to ports 21 or 2001.
...
SocketBindTight on
# proftpd creates two sockets again, however one is bound to 10.0.0.1, port 21
# and the other to 10.0.0.2, port 2001. Because these sockets are "tightly"
# bound to IP addresses, port 21 can be reused on any address OTHER than
# 10.0.0.1, and vice versa with 10.0.0.2, port 2001.
One side-effect of setting SocketBindTight to on
is that connections to non-bound addresses will result in a "connection
refused" message rather than the typical "500 Sorry, no server available
to handle request on xxx.xxx.xxx.xxx.", due to the fact that no listen
socket has been bound to the particular address/port pair. This may or may
not be aesthetically desirable, depending on your circumstances.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8340"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8343"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SOCKETOPTIONS"
></A
>
SocketOptions</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8354"
></A
><H2
>Name</H2
>SocketOptions -- Tune socket-level options</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8357"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SocketOptions</B
> [ <CODE
CLASS="OPTION"
>[maxseg <size>] [rcvbuf <size>] [sndbuf <size>]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>"server config", <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.9rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8384"
></A
><H2
>Description</H2
><P
>The rcvbuf and sndbuf parameters are used for setting the TCP send/receive
window sizes. The maxseg parameter is used for setting a MSS (Maximum Segment
Size) via setsockopt(2)'s TCP_MAXSEG option. If the MSS is larger than the
interface's MTU, it is ignored and has no effect.</P
><P
>If the send/receive window size is increased, it is helpful for performance
to increase the internal buffer size. See the
--enable-buffer-size argument to ./configure.</P
></DIV
><H1
><A
NAME="SQLAUTHENTICATE"
></A
>
SQLAuthenticate</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8396"
></A
><H2
>Name</H2
>SQLAuthenticate -- Specify authentication methods and what to authenticate
</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8399"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLAuthenticate</B
> {on | off}</P
><P
> or</P
><P
><B
CLASS="COMMAND"
>SQLAuthenticate</B
> [ users
] [ groups
] [ userset [fast]
] [ groupset [fast]
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> SQLAuthenticate <SAMP
CLASS="COMPUTEROUTPUT"
>on</SAMP
>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <Global>, <VirtualHost>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
> mod_sql
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> 1.2.5rc1 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8437"
></A
><H2
>Description</H2
><P
>The SQLAuthenticate directive configures mod_sql's authentication behavior,
controlling whether to provide user and/or group information during
authentication, and how that provisioning is performed. The parameters may
appear in any order.</P
><P
>The available parameter values are:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>on</B
></SPAN
></P
><P
> Shorthand for SQLAuthenticate users groups userset groupset.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>off</B
></SPAN
></P
><P
> Disables all mod_sql authentication functions.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>users</B
></SPAN
></P
><P
> If present, mod_sql will do user lookups. If not present,
mod_sql will do no user lookups at all, including the
{set|get|end}pwent() calls (see below).
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>groups</B
></SPAN
></P
><P
> If present, mod_sql will do group lookups. If not present,
mod_sql will do no group lookups at all, including the
{set|get|end}grent() calls (see below).
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>userset[fast]</B
></SPAN
></P
><P
> If present, mod_sql will process the potentially expensive
{set|get|end}pwent() calls. If not present, mod_sql will
not process these calls. Adding the suffix "fast" tells
mod_sql to process the users as a single large query, rather
than making a query per user. This may significantly reduce
the number of queries against the database at the expense
of increased memory use. This parameter will have no effect
if "users" is not specified.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>groupset[fast]</B
></SPAN
></P
><P
> If present, mod_sql will process the potentially expensive
{set|get|end}grent() calls. If not present, mod_sql will
not process these calls. Adding the suffix "fast" tells
mod_sql to process the groups as a single large query,
rather than making a query per group. This may significantly
reduce the number of queries against the database at the
expense of increased memory use. This parameter will have no
effect if "groups" is not specified.
</P
></LI
></UL
><P
>The SQLLog and SQLShowInfo directives will always be processed by mod_sql.
The SQLAuthenticate directive only affects the user and group
lookup/authentication portions of the module.</P
><P
>Turning off (i.e. by not including) the userset or groupset parameters
affects the functionality of mod_sql. Not allowing these lookups may remove
the ability to control access or control functionality by group membership,
depending on your other authentication handlers and the data available to
them. At the same time, choosing not to do these lookups may dramatically
speed login for many large sites.</P
><P
>The "fast" suffix is not appropriate for every site. Normally, mod_sql will
retrieve a list of users and groups, and get information from the database
on a per-user or per-group basis. This is query intensive: it requires
(n + 1) queries, where n is the number of users or groups to look up. By
choosing "fast" lookups, mod_sql will make a single SELECT query to get
information from the database.</P
><P
>In exchange for the radical reduction in the number of queries, the single
query will increase the memory consumption of the process; all group or user
information will be read at once rather than in discrete chunks.</P
></DIV
><DIV
CLASS="REFSECT2"
><A
NAME="AEN8470"
></A
><H3
>Group Table Structure</H3
><P
>Normally <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>mod_sql</B
></SPAN
> allows multiple group
members per row, and multiple rows per group. If you use the "fast"
option for groupset, you <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>must</B
></SPAN
> use only one
row per group. For example, normally mod_sql treats the following three
tables in exactly the same way:</P
><P
CLASS="LITERALLAYOUT"
>|--------------------------------------------------|<br>
| GROUPNAME | GID | MEMBERS |<br>
|--------------------------------------------------|<br>
| group1 | 1000 | naomi |<br>
| group1 | 1000 | priscilla |<br>
| group1 | 1000 | gertrude |<br>
|--------------------------------------------------|<br>
<br>
|--------------------------------------------------|<br>
| GROUPNAME | GID | MEMBERS |<br>
|--------------------------------------------------|<br>
| group1 | 1000 | naomi, priscilla |<br>
| group1 | 1000 | gertrude |<br>
|--------------------------------------------------|<br>
<br>
|--------------------------------------------------|<br>
| GROUPNAME | GID | MEMBERS |<br>
|--------------------------------------------------|<br>
| group1 | 1000 | naomi, priscilla, gertrude |<br>
|--------------------------------------------------|</P
><P
>If you use the "fast" option, mod_sql assumes that all entries are
structured like the last example.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8477"
></A
><H2
>See also</H2
><P
> <A
HREF="#SQLUSERINFO"
>SQLUserInfo</A
>
<A
HREF="#SQLGROUPINFO"
>SQLGroupInfo</A
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8482"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="SQLAUTHTYPES"
></A
>
SQLAuthTypes</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8492"
></A
><H2
>Name</H2
>SQLAuthTypes -- Specify the allowed authentication types and their check order</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8495"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLAuthTypes</B
> [ <CODE
CLASS="OPTION"
>[OpenSSL]</CODE
>] [ <CODE
CLASS="OPTION"
>[Crypt]</CODE
>] [ <CODE
CLASS="OPTION"
>[Backend]</CODE
>] [ <CODE
CLASS="OPTION"
>[Plaintext]</CODE
>] [ <CODE
CLASS="OPTION"
>[Empty]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8530"
></A
><H2
>Description</H2
><P
>This directive deprecates 'SQLEmptyPasswords',
'SQLScrambledPasswords', 'SQLSSLHashedPasswords',
'SQLPlaintextPasswords', and 'SQLEncryptedPasswords'.</P
><P
>The SQLAuthTypes directive specifies which authentication methods
are to be allowed, and their order of use.
<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>You must specify at least one authentication
method.</B
></SPAN
></P
><P
>The current supported authentication methods are:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Backend</B
></SPAN
></P
><P
> Allows database-specific backend passwords. Not all
backend databases support this option. For example,
MySQL databases use this option to authenticate MySQL
'PASSWORD()' encrypted passwords. The Postgres backend,
however, does nothing.<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Caveat
</B
></SPAN
>: if your MySQL activity log is world-readable,
the user password <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>will be visible
</B
></SPAN
>. You have been warned.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Crypt</B
></SPAN
></P
><P
> Allows passwords in the database to be of Unix crypt(3) form.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Empty</B
></SPAN
></P
><P
> Allows empty passwords in the database, which match
against <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>any</B
></SPAN
> password
the user may give. The database field must be a truly
empty string; NULL values are not acceptable as empty
passwords. <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Be very careful if using
this authentication method.</B
></SPAN
>
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>OpenSSL</B
></SPAN
></P
><P
> Allows passwords in the database to be of the form
'{digest-name}hashed-value', where hashed-value
is the base64-encoded digest of the password.
Only available if you define HAVE_OPENSSL when you
compile proftpd and you link with OpenSSL's libcrypto
library.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>Plaintext</B
></SPAN
></P
><P
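> Allows passwords in the database to be in plaintext. Anyone who can
read the user table, or a backup of it, then obtains every user's
password, so prefer a hashed type such as Crypt or OpenSSL where possible.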
</P
></LI
></UL
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8561"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8564"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> SQLAuthTypes Crypt Empty</P
><P
>configures mod_sql to first attempt to verify the password using the
Unix crypt(3) function, then, if that fails, determine if the password
in the database is empty (thus matching any given password). If all of
the configured authentication methods fail, mod_sql will fail to
authenticate the user.</P
></DIV
><H1
><A
NAME="SQLBACKEND"
></A
>
SQLBackend</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8576"
></A
><H2
>Name</H2
>SQLBackend -- Set the SQL backend module</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8579"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLBackend</B
> [ <CODE
CLASS="OPTION"
>backend</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Depends</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8606"
></A
><H2
>Description</H2
><P
>In 1.3.0rc1, the mod_sql module gained the ability to be compiled with multiple
backend modules supported, e.g. to have both mod_sql_mysql and mod_sql_postgres
usable in the same proftpd daemon. The SQLBackend directive configures which of
these different database backends should be used.</P
><P
>If there is only one backend module compiled in, the SQLBackend directive is not
needed. If there are multiple backend modules compiled and no SQLBackend directive
is specified, then mod_sql will default to using the first backend module listed.
For instance, if you configured proftpd using a configure command such as:
./configure --with-modules=mod_sql:mod_sql_postgres:mod_sql_mysql ...
then mod_sql would default to using mod_sql_postgres as the backend module to use.</P
><P
>You might have multiple <VirtualHost> sections which use different SQL backends.
Use "mysql" for the mod_sql_mysql module, and "postgres" for the mod_sql_postgres
module.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8611"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8614"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> <VirtualHost 1.2.3.4><br>
SQLBackend mysql<br>
...<br>
</VirtualHost><br>
<br>
<VirtualHost 5.6.7.8><br>
SQLBackend postgres<br>
...<br>
</VirtualHost></P
></DIV
><H1
><A
NAME="SQLCONNECTINFO"
></A
>
SQLConnectInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8625"
></A
><H2
>Name</H2
>SQLConnectInfo -- Specify connection information for the backend</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8628"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLConnectInfo</B
> [ <CODE
CLASS="OPTION"
>connection-info</CODE
>] [ <CODE
CLASS="OPTION"
>[username]</CODE
>] [ <CODE
CLASS="OPTION"
>[password]</CODE
>] [ <CODE
CLASS="OPTION"
>[policy]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8661"
></A
><H2
>Description</H2
><P
>This directive deprecates 'MySQLInfo', 'PostgresInfo', and
'PostgresPort'.</P
><P
>The SQLConnectInfo directive configures the information necessary to
connect to the backend database. The connection-info parameter specifies
the database, host, port, and other backend-specific information. The
optional username and password parameters specify a username and password
to use when connecting to the database. Both default to NULL, which the
backend will treat in some backend-specific manner. If you specify a
password, you <SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>must</B
></SPAN
> specify a username.
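If no SQLConnectInfo directive is specified, mod_sql will disable itself.
Because the password is written in clear text in the configuration file,
read access to that file should be restricted.</P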
><P
>Any given database backend has the opportunity, though not necessarily
the responsibility, to check for syntax errors in the connection-info
field at server startup, but you should not expect semantic errors
(i.e., cannot connect to the database) to be caught until mod_sql
attempts to connect for a given host.</P
><P
>A given database connection is governed by a connection policy that
specifies when a connection should be opened and when it should be
closed. There are three options:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
><SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>PERSESSION</B
></SPAN
></P
><P
> Open a database connection at the start of the session
and close the database connection at the end of the session.
</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>number (<SPAN
CLASS="bold"
><B
CLASS="EMPHASIS"
>TIMED</B
></SPAN
>)</P
><P
> Timed database connections that close themselves
after number seconds of inactivity.
</P
></LI
></UL
><P
>If a connection policy is not specified, if the policy is not a number or
is a number less than 1, or if the policy is the string "PERSESSION",
the PERSESSION policy will be used.</P
><P
>If the connection policy is any number greater than 0, it specifies the
number of seconds that a connection will be held open without activity.
After that many seconds of database inactivity, the connection to the
database will be closed. As soon as database activity starts again,
the connection will be opened and the timer will restart.</P
><P
>The MySQL and Postgres backends' connection-info is expected to be of the form:</P
><P
>database[@hostname][:port]</P
><P
>hostname will default to a backend-specific hostname (which happens to be
'localhost' for both the MySQL and Postgres backends), and port will default
to a backend-specific default port (3306 for the MySQL backend, 5432 for
the Postgres backend).</P
><P
>From the MySQL documentation:</P
><P
>the value of host may be either a hostname or an IP address. If host is
NULL or the string "localhost", a connection to the local host is assumed.
If the OS supports sockets (Unix) or named pipes (Windows), they are used
instead of TCP/IP to connect to the server.</P
><P
>From the PostgreSQL documentation:</P
><P
>If [the hostname] begins with a slash, it specifies Unix-domain
communication rather than TCP/IP communication; the value is the
name of the directory in which the socket file is stored. The default
is to connect to a Unix-domain socket in /tmp.</P
><P
>If you plan to use the TIMED connection policy, consider the effect of
directives such as DefaultRoot on local socket communication: once a user
has been chroot()ed, the local socket file will probably not be available
within the chroot directory tree, and attempts to reopen communication will
fail. One way around this may be to use hardlinks within the user's
directory tree. PERSESSION connections are not affected by this because
the database will be opened prior to the chroot() call, and held open
for the life of the session. Network communications are not affected by
this problem. For example, while localhost would not work for MySQL since
the MySQL client library will try to use socket communications for that
host, 127.0.0.1 will work (as long as your database is setup to accept
these connections).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8687"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8690"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> # Connect to the database 'ftpusers' via the default port at host<br>
# 'foo.com'. Use a NULL username and NULL password when connecting.<br>
# A connection policy of PERSESSION is used.<br>
SQLConnectInfo ftpusers@foo.com<br>
<br>
# Connect to the database 'ftpusers' via port 3000 at host 'localhost'.<br>
# Use the username 'admin' and a NULL password when connecting.<br>
# A connection policy of PERSESSION is used.<br>
SQLConnectInfo ftpusers:3000 admin<br>
<br>
# Connect to the database 'ftpusers' via port 3000 at host 'foo.com'.<br>
# Use the username 'admin' and password 'mypassword' when connecting.<br>
# A connection policy of PERSESSION is used.<br>
SQLConnectInfo ftpusers@foo.com:3000 admin mypassword<br>
<br>
# Connect to the database 'ftpusers' via port 3000 at host 'foo.com'.<br>
# Use a username of 'admin' and a password of 'mypassword' when<br>
# connecting. A 30 second timer of connection inactivity is activated.<br>
SQLConnectInfo ftpusers@foo.com:3000 admin mypassword 30</P
><P
>Backends may require different information in the connection-info field;
check your backend module for more detailed information.</P
></DIV
><H1
><A
NAME="SQLDEFAULTGID"
></A
>
SQLDefaultGID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8702"
></A
><H2
>Name</H2
>SQLDefaultGID -- Configure the default GID for users</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8705"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLDefaultGID</B
> [ <CODE
CLASS="OPTION"
>defaultgid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>65533</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8732"
></A
><H2
>Description</H2
><P
>Sets the default GID for users. Must be greater than SQLMinID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8735"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLMINID"
>SQLMinID</A
>
<A
HREF="#SQLMINUSERGID"
>SQLMinUserGID</A
></P
></DIV
><H1
><A
NAME="SQLDEFAULTHOMEDIR"
></A
>
SQLDefaultHomedir</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8748"
></A
><H2
>Name</H2
>SQLDefaultHomedir -- Configure the default homedir</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8751"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLDefaultHomedir</B
> [ <CODE
CLASS="OPTION"
>path</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8778"
></A
><H2
>Description</H2
><P
>The SQLDefaultHomedir directive configures a default home directory for all
users authenticated with this module, overriding any (deprecated)
SQLHomedirField directive. If no home directory is set with either directive,
authentication fails. This directive does not change the data retrieved from
the database: if you specify a home directory field to SQLUserInfo, that
field's data will be returned as the user's home directory, whether that
data is a legal directory, or an empty string, or NULL.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8781"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLUSERINFO"
>SQLUserInfo</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8785"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLDEFAULTUID"
></A
>
SQLDefaultUID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8796"
></A
><H2
>Name</H2
>SQLDefaultUID -- Configure the default UID for users</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8799"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLDefaultUID</B
> [ <CODE
CLASS="OPTION"
>defaultuid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>65533</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8826"
></A
><H2
>Description</H2
><P
>Sets the default UID for users. Must be greater than SQLMinID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8829"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLMINID"
>SQLMinID</A
>
<A
HREF="#SQLMINUSERUID"
>SQLMinUserUID</A
></P
></DIV
><H1
><A
NAME="SQLENGINE"
></A
>
SQLEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8842"
></A
><H2
>Name</H2
>SQLEngine -- Configure how mod_sql will operate</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8845"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLEngine</B
> [ <CODE
CLASS="OPTION"
>on|off|auth|log</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>SQLEngine on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8872"
></A
><H2
>Description</H2
><P
>The SQLEngine directive is used to specify how mod_sql will operate. By
default, SQLEngine is on, and mod_sql will operate as normal. Setting
SQLEngine to off will effectively disable the module.</P
><P
>In addition to on and off, SQLEngine accepts two other values: auth and
log. If you wish to use mod_sql for authentication and not for logging
(via SQLLog), use auth. Conversely, to do only SQLLog-type logging, and
no authentication, use log.</P
><P
>This directive can be used to have <Anonymous> sections that do not use
mod_sql (see the example below).</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8877"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8880"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> <Anonymous ~ftp><br>
...<br>
SQLEngine off<br>
...<br>
</Anonymous></P
></DIV
><H1
><A
NAME="SQLGROUPINFO"
></A
>
SQLGroupInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8891"
></A
><H2
>Name</H2
>SQLGroupInfo -- Configure the group table and fields that hold group information</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8894"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLGroupInfo</B
> [ <CODE
CLASS="OPTION"
>group-table group-name gid members</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>"groups groupname gid members"</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8921"
></A
><H2
>Description</H2
><P
>The SQLGroupInfo directive configures the group table and fields that hold group information. The parameters for this directive are described below:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>grouptable</P
><P
> Specifies the name of the table that holds group information.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>groupname</P
><P
> Specifies the field in the group table that holds the group name.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>gid</P
><P
> Specifies the field in the group table that holds the group's GID.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>members</P
><P
> Specifies the field in the group table that holds the group members.</P
></LI
></UL
><P
>If you need to change any of these field names from the default, you need
to specify all of them.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8938"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8941"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLGROUPWHERECLAUSE"
></A
>
SQLGroupWhereClause</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN8952"
></A
><H2
>Name</H2
>SQLGroupWhereClause -- Configure a WHERE clause for every group query</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN8955"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLGroupWhereClause</B
> [ <CODE
CLASS="OPTION"
>where-clause</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8982"
></A
><H2
>Description</H2
><P
>The directive is used to configure a WHERE clause that is added to every
group query. The WHERE clause must contain all relevant punctuation, and
must not contain a leading "and".</P
><P
>Starting with ProFTPD 1.3.1rc1 the SQLGroupWhereClause also supports the
variables supported by <A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
>
except for the "%{n}" variable.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8987"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN8991"
></A
><H2
>Examples</H2
><P
>As an example of a possible use for this directive, imagine if your group
table included a "LoginAllowed" field:</P
><P
CLASS="LITERALLAYOUT"
> SQLGroupWhereClause "LoginAllowed = 'true'"</P
><P
>would be appended to every group-related query as the string:</P
><P
CLASS="LITERALLAYOUT"
> " WHERE (LoginAllowed = 'true')"</P
></DIV
><H1
><A
NAME="SQLLOG"
></A
>
SQLLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9005"
></A
><H2
>Name</H2
>SQLLog -- Log information to a database table</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9008"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLLog</B
> [ <CODE
CLASS="OPTION"
>cmd-set query-name ["IGNORE_ERRORS"]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9035"
></A
><H2
>Description</H2
><P
>This directive is used to log information to a database table. Multiple
SQLLog directives can be in effect for any command; for example, a user
changing directories can trigger multiple logging statements.</P
><P
>The first parameter to SQLLog, the cmd-set, is a comma-separated (no spaces)
list of FTP commands for which this log command will trigger. The list of
commands is too long to list in entirety; commands include CWD, DELE, HELP,
LIST, MKD, MODE, NLST, PASS, PASV, PORT and many more. For the complete list
check the FTP RFCs. Normally mod_sql will log events after they have
completed successfully; in the case of the QUIT command, mod_sql logs prior
to the server's processing of the command. (Note, however, that the client
may not issue a QUIT before logging out; in this case, use a command of EXIT
rather than QUIT. EXIT is not a real FTP command, but it is used here to
provide a means for having SQLLog work whenever a session ends.)</P
><P
>FTP commands in the command set will only be logged if they complete
successfully. Prefixing any command with "ERR_" will cause logging to occur
only if there was an error in the command's processing. To log both errors
and successful completion of a given command X, therefore, you'll need both
"X" and "ERR_X" in your cmd-set.</P
><P
>The special command "*" matches all FTP commands, while "ERR_*" matches all
errors.</P
><P
>The second parameter is the name of a query defined by a SQLNamedQuery
directive. The query must be an UPDATE, INSERT, or FREEFORM type query;
explicit SELECT queries will not be processed.</P
><P
>The third parameter is optional. If you add "IGNORE_ERRORS" as the third
parameter, SQLLog will not check for errors in the processing of the named
query. Any value for this parameter other than the string "IGNORE_ERRORS"
(case-insensitive) will not cause errors to be ignored.</P
><P
>Normally, SQLLog directives are considered important enough that errors in
their processing will cause mod_sql to abort the client session. References
to non-existent named queries will not abort the client session, but may
result in database corruption (in the sense that the expected database
UPDATE or INSERT will not occur). Check your directives carefully.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9044"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9047"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> SQLLog PASS updatecount<br>
SQLNamedQuery updatecount UPDATE "count=count+1 WHERE userid='%u'" users</P
><P
>together, these replicate the deprecated "SQLLoginCountField count" directive;
if the current user was "joe", this would translate into the query "UPDATE
users SET count=count+1 WHERE userid='joe'". This query would run whenever a
user was first authenticated.</P
><P
CLASS="LITERALLAYOUT"
> SQLLog CWD updatedir<br>
SQLNamedQuery updatedir UPDATE "cwd='%d' where userid='%u'" users</P
><P
>together these replicate the logging side of the deprecated "SQLLogDirs cwd"
directive; if the current user was "joe" and the current working directory
were /tmp, this would translate into the query "UPDATE users SET cwd='/tmp'
WHERE userid='joe'". This query would run whenever a user changed directories.</P
><P
CLASS="LITERALLAYOUT"
> SQLLog RETR,STOR insertfileinfo<br>
SQLNamedQuery insertfileinfo INSERT "'%f', %b, '%u@%v', now()" filehistory</P
><P
>would log the name of any file stored or retrieved, the number of bytes
transferred, the user and host doing the transfer, and the time of transfer
(at least in MySQL). This would translate into a query like: "INSERT INTO
filehistory VALUES ('somefile', 12345, 'joe@joe.org', '21-05-2001 20:01:00')"</P
></DIV
><H1
><A
NAME="SQLLOGFILE"
></A
>
SQLLogFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9063"
></A
><H2
>Name</H2
>SQLLogFile -- Specify a log file for mod_sql reporting and debugging</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9066"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLLogFile</B
> [ <CODE
CLASS="OPTION"
>file</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9093"
></A
><H2
>Description</H2
><P
>The SQLLogFile directive is used to specify a log file for mod_sql
reporting and debugging, and can be set on a per-server basis. The file
parameter must be the full path to the file to use for logging. Note
that this path must not be to a world-writeable directory and, unless
AllowLogSymlinks is explicitly set to on (generally a bad idea), the
path must not be a symbolic link; either would let another local user
redirect the log writes to a file of their choosing.</P
><P
>If file is "none", no logging will be done at all; this setting can be
used to override a SQLLogFile setting inherited from a &lt;Global&gt; context. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9097"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9100"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLMINID"
></A
>
SQLMinID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9111"
></A
><H2
>Name</H2
>SQLMinID -- Set SQLMinUserGID and SQLMinUserUID in one place</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9114"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLMinID</B
> [ <CODE
CLASS="OPTION"
>minimum-id</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>999</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9141"
></A
><H2
>Description</H2
><P
>SQLMinID is a quick way of setting both SQLMinUserGID and SQLMinUserUID.
These values are checked whenever retrieving a user's GID or UID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9144"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLMINUSERGID"
>SQLMinUserGID</A
>
<A
HREF="#SQLMINUSERUID"
>SQLMinUserUID</A
></P
></DIV
><H1
><A
NAME="SQLMINUSERGID"
></A
>
SQLMinUserGID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9157"
></A
><H2
>Name</H2
>SQLMinUserGID -- Set a minimum GID</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9160"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLMinUserGID</B
> [ <CODE
CLASS="OPTION"
>minimum-gid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>999</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9187"
></A
><H2
>Description</H2
><P
>SQLMinUserGID is checked whenever retrieving a user's GID. If the retrieved
value for GID is less than the value of SQLMinUserGID, it is reported as the
value of SQLDefaultGID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9190"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9193"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLMINUSERUID"
></A
>
SQLMinUserUID</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9204"
></A
><H2
>Name</H2
>SQLMinUserUID -- Set a minimum UID</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9207"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLMinUserUID</B
> [ <CODE
CLASS="OPTION"
>minimum-uid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>999</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9234"
></A
><H2
>Description</H2
><P
>SQLMinUserUID is checked whenever retrieving a user's UID. If the retrieved
value for UID is less than the value of SQLMinUserUID, it is reported as the
value of SQLDefaultUID.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9237"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9240"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLNAMEDQUERY"
></A
>
SQLNamedQuery</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9251"
></A
><H2
>Name</H2
>SQLNamedQuery -- Specify a query and an identifier for SQLShowInfo and SQLLog</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9254"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLNamedQuery</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>(docs incomplete)</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9281"
></A
><H2
>Description</H2
><P
>SQLNamedQuery specifies a query and an identifier (name) for later use by
SQLShowInfo and SQLLog.</P
><P
>It is strongly recommended that you read documentation on the LogFormat
and ExtendedLog directives, as the meta-sequences available to SQLNamedQuery
are largely equivalent.</P
><P
>The first parameter, name, should be unique across all named queries and
must not contain spaces. The result of re-using a name is undefined.</P
><P
>The second parameter, type, is the type of query, either "SELECT", "UPDATE",
"INSERT", or "FREEFORM". See the note below for information on FREEFORM type
queries.</P
><P
>The third parameter is the substance of the database query itself; this
should match the form of the second parameter. The meta-sequences accepted
are exactly equivalent to the LogFormat directive except the following are
not accepted:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>%{FOOBAR}e</P
><P
>For LogFormat, this logs the content of environment variable "FOOBAR". This
is not available in mod_sql.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>%{format}t and %t</P
><P
>These two meta-sequences logged the local server time; they are not available
in mod_sql. Your database undoubtedly provides another way to get the time;
for example, MySQL provides the now() function.</P
></LI
></UL
><P
>and the following is in addition to the LogFormat meta-sequences:</P
><P
> <P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>%d</P
><P
>The current working directory or "-" if none.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>%{n}</P
><P
>This meta-sequence is used internally by mod_sql and other third-party
modules and patches to pass information to the database. Using this
meta-sequence in anything other than an INSERT or UPDATE query is an
error, and using this meta-sequence unless directed to by a third-party
module or patch is also an error.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>%{env:VAR}</P
><P
>Starting with ProFTPD 1.3.1rc1 the SQLNamedQuery directive is able to make
use of environment variables in the format "%{env:VAR}". The value
of the environment variable VAR will be substituted into the SQL statement.</P
></LI
></UL
> </P
><P
>The correct form of a query will be built from the directive arguments,
except in the case of FREEFORM queries which will be sent directly to the
database. The examples below show the way queries are built from the arguments.</P
><P
>The fourth parameter, table, is only necessary for UPDATE or INSERT type
queries, but is required for those types.</P
><P
>Note: FREEFORM queries are a necessary evil; the simplistic query semantics
of the UPDATE, INSERT, and SELECT type queries do not sufficiently expose
the capabilities of most backend databases. At the same time, using a
FREEFORM query makes it impossible for mod_sql to check whether the query
type is appropriate, making sure that a SELECT query is not used in a SQLLog
directive, for instance. Wherever possible, it is recommended that a specific
query type be used.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9310"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLSHOWINFO"
>SQLShowInfo</A
>
<A
HREF="#SQLLOG"
>SQLLog</A
>
<A
HREF="#LOGFORMAT"
>LogFormat</A
>
<A
HREF="#EXTENDEDLOG"
>ExtendedLog</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9317"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>SQLNamedQuery count SELECT "count from users where userid='%u'"</P
><P
>creates a query named "count" which could be used by SQLShowInfo to inform
a user of their login count. The actual query would look something like
"SELECT count FROM users WHERE userid='matilda'" for user "matilda".</P
><P
CLASS="LITERALLAYOUT"
>SQLNamedQuery updatecount UPDATE "count=count+1 WHERE userid='%u'" users</P
><P
>creates a query named "updatecount" which could be used by SQLLog to update
a user login counter in the table users. The actual query would look something
like "UPDATE users SET count=count+1 WHERE userid='persephone'" for user
"persephone".</P
><P
CLASS="LITERALLAYOUT"
>SQLNamedQuery accesslog INSERT "now(), '%u'" accesslog</P
><P
>creates a query named "accesslog" which could be used by SQLLog to track
access times by clients. The actual query would look something like "INSERT
INTO accesslog VALUES (now(), 'pandora')" for user "pandora". Note that this
may be too simplistic for your table structure, since most databases require
data for all columns to be provided in an INSERT statement of this form. See
the following FREEFORM query for an example of something which may suit your
needs better.</P
><P
CLASS="LITERALLAYOUT"
>SQLNamedQuery accesslog FREEFORM "INSERT INTO accesslog(date, user) VALUES (now(), '%u')"</P
><P
>creates a query named "accesslog" which could be used by SQLLog to track
access times by clients. The actual query would look something like "INSERT
INTO accesslog(date, user) VALUES (now(), 'tilda')" for user "tilda".</P
></DIV
><H1
><A
NAME="SQLNEGATIVECACHE"
></A
>
SQLNegativeCache</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9335"
></A
><H2
>Name</H2
>SQLNegativeCache -- Enable negative caching for SQL lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9338"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLNegativeCache</B
> [ <CODE
CLASS="OPTION"
>on</CODE
>
<CODE
CLASS="OPTION"
>off</CODE
>
]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
> SQLNegativeCache off
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
> server config, <VirtualHost>, <Global>
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql
</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
> mod_sql v4.10 and later
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9366"
></A
><H2
>Description</H2
><P
>SQLNegativeCache specifies whether or not to cache negative
responses from SQL lookups when using SQL for UID/GID lookups.
Depending on your SQL tables, there can be a significant delay
when a directory listing is performed as the UIDs not in the
SQL database are repeatedly looked up in an attempt to present
usernames instead of UIDs in directory listings. With
SQLNegativeCache set to on, negative ("not found") responses from
SQL queries will be cached and speed will improve on directory
listings that contain many users not present in the SQL
database.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9369"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9372"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SQLRATIOS"
></A
>
SQLRatios</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9383"
></A
><H2
>Name</H2
>SQLRatios -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9386"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLRatios</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9413"
></A
><H2
>Description</H2
><P
>mod_ratio is currently lacking a module maintainer. This directive is
left over and not officially supported.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9416"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9419"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>(docs incomplete)</P
></DIV
><H1
><A
NAME="SQLRATIOSTATS"
></A
>
SQLRatioStats</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9430"
></A
><H2
>Name</H2
>SQLRatioStats -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9433"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLRatioStats</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9460"
></A
><H2
>Description</H2
><P
>mod_ratio is currently lacking a module maintainer. This directive is
left over and not officially supported.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9463"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9466"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>(docs incomplete)</P
></DIV
><H1
><A
NAME="SQLSHOWINFO"
></A
>
SQLShowInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9477"
></A
><H2
>Name</H2
>SQLShowInfo -- Create a message to be sent to the user after any successful command</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9480"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLShowInfo</B
> [ <CODE
CLASS="OPTION"
>cmd-set numeric query-string</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9507"
></A
><H2
>Description</H2
><P
>This directive creates a message to be sent to the user after any successful
command.</P
><P
>The first parameter, the cmd-set, is a comma separated (no spaces) list of
FTP commands for which this log command will trigger. The list of commands
is too long to list in entirety; commands include: CWD, DELE, HELP, LIST,
MKD, MODE, NLST, PASS, PASV, PORT and many more. For the complete list check
the FTP RFCs.</P
><P
>FTP commands in the command set will only be triggered if they complete
successfully. Prefixing any command with "ERR_" will show information only
if there was an error in command processing. To send a message on both
errors and successful completion of a given command X, therefore, you'll
need both "X" and "ERR_X" in your cmd-set.</P
><P
>The special command "*" matches all FTP commands, while "ERR_*" matches
all errors.</P
><P
>The second parameter, numeric, specifies the numeric value of the message
returned to the FTP client. Do not choose a number blindly: message numbers
may be parsed by clients. In most cases you will want to use 214, the "Help
message" numeric. It specifies that the information is only meant to be human
readable.</P
><P
>The third parameter, query-string, is exactly equivalent to the query-string
parameter to the SQLLog directive, with one addition:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>%{name}</P
><P
>The first return value from the SQLNamedQuery identified by "name". There
is currently no way to retrieve more than one value from the database at
a time.</P
></LI
></UL
><P
>Any references to non-existent named queries, non-SELECT or -FREEFORM type
queries, or references to queries which return a NULL first value, will be
replaced with the string "{null}".</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9520"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9523"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> SQLNamedQuery count SELECT "count from users where userid='%u'"<br>
SQLShowInfo PASS "230" "You've logged on %{count} times, %u"</P
><P
>As long as the information is in the database, these two directives specify
that the user will be greeted with their login count each time they
successfully login. Note the use of the "230" numeric, which means "User
logged in, proceed". "230" is appropriate in this case because the message
will be sent immediately after their password has been accepted and the
session has started.</P
></DIV
><H1
><A
NAME="SQLUSERINFO"
></A
>
SQLUserInfo</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9535"
></A
><H2
>Name</H2
>SQLUserInfo -- Configure the user table and fields that hold user information</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9538"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLUserInfo</B
> [ <CODE
CLASS="OPTION"
>user-table user-name passwd uid gid home-dir shell</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>"users userid passwd uid gid homedir shell"</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9565"
></A
><H2
>Description</H2
><P
>The SQLUserInfo directive configures the user table and fields that hold
user information. If you need to change any of these field names from the
default, you must specify all of them, whether NULL or not. The parameters
are described below:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>usertable</P
><P
>Specifies the name of the table that holds user information.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>username</P
><P
>Specifies the field in the user table that holds the username.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>passwd</P
><P
>Specifies the field in the user table that holds the user's password.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>uid</P
><P
>Specifies the field in the user table that holds the user's UID. When a
UID is retrieved from the database it is checked against the value of
SQLMinUserUID. If the field name is specified as "NULL" the database will
not be queried for this value and the user's UID will be set to the value
of SQLDefaultUID.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>gid</P
><P
>Specifies the field in the user table that holds the user's GID. When a GID
is retrieved from the database it is checked against the value of
SQLMinUserGID. If the field name is specified as "NULL" the database will
not be queried for this value and the user's GID will be set to the value
of SQLDefaultGID.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>homedir</P
><P
>Specifies the field in the user table that holds the user's home directory.
If the fieldname is specified as "NULL" the database will not be queried for
this value and the user's home directory will be set to the value of
SQLDefaultHomedir. If no home directory is set with either directive, user
authentication will be automatically turned off.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>shell</P
><P
>Specifies the field in the user table that holds the user's shell. If the
fieldname is specified as "NULL" the database will not be queried and the
shell will be reported as an empty string ("").</P
></LI
></UL
><P
>As of 1.2.9rc1, the SQLUserInfo directive accepts an alternate syntax:</P
><P
CLASS="LITERALLAYOUT"
> SQLUserInfo custom:/name</P
><P
>where name refers to a configured SELECT SQLNamedQuery. This named query
must return one row, and return the following columns, in this order:
username, passwd, uid, gid, homedir, shell. The configured query may make use
of the variables mentioned in the SQLLog description. This syntax allows the
administrator a flexible way of constructing queries as needed. Note that if
you want to use the given USER name, you should use the %U variable, not %u; the
latter requires the locally authenticated user name, which is exactly what
SQLUserInfo is meant to provide. Because %U is whatever the client sent in
the USER command, before any authentication, keep it inside a quoted string
literal in the query.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9593"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLLOG"
>SQLLog</A
>
<A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9598"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
></P
></DIV
><H1
><A
NAME="SQLUSERWHERECLAUSE"
></A
>
SQLUserWhereClause</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9609"
></A
><H2
>Name</H2
>SQLUserWhereClause -- Configure a WHERE clause for every user query</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9612"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SQLUserWhereClause</B
> [ <CODE
CLASS="OPTION"
>where-clause</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_sql</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9639"
></A
><H2
>Description</H2
><P
>The directive is used to configure a WHERE clause that is added to every
user query. The WHERE clause must contain all relevant punctuation, and
must not contain a leading "and".</P
><P
>Starting with ProFTPD 1.3.1rc1 the SQLUserWhereClause also supports the
variables supported by <A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
>
except for the "%{n}" variable.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9644"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9648"
></A
><H2
>Examples</H2
><P
>As an example of a possible use for this directive, imagine if your user
table included a "LoginAllowed" field:</P
><P
CLASS="LITERALLAYOUT"
> SQLUserWhereClause "LoginAllowed = 'true'"</P
><P
>would be appended to every user-related query as the string:</P
><P
CLASS="LITERALLAYOUT"
> " WHERE (LoginAllowed = 'true')"</P
></DIV
><H1
><A
NAME="STOREUNIQUEPREFIX"
></A
>
StoreUniquePrefix</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9662"
></A
><H2
>Name</H2
>StoreUniquePrefix -- Set the prefix to be added to uniquely generated filenames</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9665"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>StoreUniquePrefix</B
> [ <CODE
CLASS="OPTION"
>"prefix"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Global>, <Anonymous>, <Directory> .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9692"
></A
><H2
>Description</H2
><P
>The StoreUniquePrefix is used to configure a prefix for the generated
unique random filenames used for the STOU FTP command. The last
six characters of the filename will be random. Slashes are not allowed
in the prefix string.</P
><P
>All valid filename characters are allowed except '/'</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9696"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9699"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>StoreUniquePrefix "Wibble"</P
></DIV
><H1
><A
NAME="SYSLOGFACILITY"
></A
>
SyslogFacility</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9710"
></A
><H2
>Name</H2
>SyslogFacility -- Set the facility level used for logging</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9713"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SyslogFacility</B
> [ <CODE
CLASS="OPTION"
>SyslogFacility facility-level</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9740"
></A
><H2
>Description</H2
><P
>ProFTPD logs its activity via the Unix syslog mechanism, which allows for
several different general classifications of logging messages, known as "facilities."
Normally, all authentication related messages are logged with the AUTHPRIV
(or AUTH) facility [intended to be secure, and never seen by unwanted eyes],
while normal operational messages are logged with the DAEMON facility. The
SyslogFacility directive allows ALL logging messages to be directed to a different
facility than the default. When this directive is used, ALL logging is done
with the specified facility, both authentication (secure) and otherwise,
so the destination configured for that facility in syslog should be
restricted as tightly as the AUTHPRIV log would be.
The facility-level argument must be one of the
following: AUTH (or AUTHPRIV), CRON,
DAEMON, KERN, LPR, MAIL, NEWS, USER, UUCP, LOCAL0, LOCAL1, LOCAL2, LOCAL3,
LOCAL4, LOCAL5, LOCAL6 or LOCAL7.
See Also: SystemLog</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9743"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9746"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SYSLOGLEVEL"
></A
>
SyslogLevel</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9757"
></A
><H2
>Name</H2
>SyslogLevel -- Set the verbosity level of system logging</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9760"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SyslogLevel</B
> [ <CODE
CLASS="OPTION"
>SyslogLevel emerg|alert|crit|error|warn|notice|info|debug</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0rc2+cvs and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9787"
></A
><H2
>Description</H2
><P
>SyslogLevel adjusts the verbosity of the messages recorded in the
error logs. The following levels are available, in order
of decreasing significance (level -- description):<BR>
emerg -- Emergencies - system is unusable.<BR>
alert -- Action must be taken immediately.<BR>
crit -- Critical Conditions.<BR>
error -- Error conditions.<BR>
warn -- Warning conditions.<BR>
notice -- Normal but significant condition.<BR>
info -- Informational.<BR>
debug -- Debug-level messages.<BR>
When a particular level is specified, messages from all other
levels of higher significance will be reported as well.
E.g., when SyslogLevel info is specified, then
messages with log levels of notice and
warn will also be posted.
Using a level of at least crit is recommended.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9790"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9793"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="SYSTEMLOG"
></A
>
SystemLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9804"
></A
><H2
>Name</H2
>SystemLog -- Redirect syslogging to a file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9807"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>SystemLog</B
> [ <CODE
CLASS="OPTION"
>SystemLog filename|NONE</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_log</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6pl1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9834"
></A
><H2
>Description</H2
><P
>The SystemLog directive disables proftpd's use of the syslog mechanism and
instead redirects all logging output to the specified filename.
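The filename argument should contain an absolute
path, and should not refer to a file in a nonexistent directory or in a
world-writeable directory, or be a symbolic link (unless AllowLogSymlinks
is set to on). The directory and symlink restrictions matter because a log
path that other local users can replace or redirect lets them choose which
file the server writes to. Use of this directive overrides any facility set by the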
SyslogFacility directive. Additionally, the special keyword NONE can be used
which disables all syslog style logging for the entire configuration.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9837"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWLOGSYMLINKS"
>AllowLogSymlinks</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9841"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TCPACCESSFILES"
></A
>
TCPAccessFiles</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9852"
></A
><H2
>Name</H2
>TCPAccessFiles -- Sets the access files to use</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9855"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TCPAccessFiles</B
> [ <CODE
CLASS="OPTION"
>allow-filename deny-filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_wrap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9882"
></A
><H2
>Description</H2
><P
>TCPAccessFiles specifies two files, an allow and a deny file, each
of which contains the IP addresses, networks or name-based masks to be
allowed or denied connections to the server. The files have the same
format as the standard tcpwrappers hosts.allow/deny files.</P
><P
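>Both file names are required. Also, the paths to both files must
be the full path, with two exceptions: if the path starts with ~/, the
check of that path will be delayed until a user requests a connection,
at which time the path will be resolved to that user's home directory;
or if the path starts with ~user/, where user is some system user. In
this latter case, mod_wrap will attempt to resolve and verify the given
user's home directory on start-up. Note that access files kept in a home
directory are only as trustworthy as that directory: if the account can
write there, it can change the rules applied to its own connections, so
such files are better owned by, and writable only by, an administrator.</P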
><P
>The service name for which mod_wrap will look in the indicated
access files is proftpd by default; this can be configured via the
TCPServiceName directive. There is a built-in precedence to the
TCPAccessFiles, TCPGroupAccessFiles, and TCPUserAccessFiles directives,
if all are used. mod_wrap will look for applicable TCPUserAccessFiles
for the connecting user first. If no applicable TCPUserAccessFiles is
found, mod_wrap will search for TCPGroupAccessFiles which pertain to
the connecting user. If not found, mod_wrap will then look for the
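server-wide TCPAccessFiles directive. This allows for access control to
be set on a per-server basis, and allows for per-user or per-group access
control to be handled without interfering with the server access rules.
As described, the server-wide files are the last fallback, so a rule that
must bind every user should not be assumed to apply where per-user or
per-group files match; verify this against your own configuration.</P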
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9887"
></A
><H2
>See also</H2
><P
><A
HREF="#TCPGROUPACCESSFILES"
>TCPGroupAccessFiles</A
>,
<A
HREF="#TCPSERVICENAME"
>TCPServiceName</A
>,
<A
HREF="#TCPUSERACCESSFILES"
>TCPUserAccessFiles</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9893"
></A
><H2
>Examples</H2
><P
># server-wide access files
TCPAccessFiles /etc/ftpd.allow /etc/ftpd.deny
# per-user access files, which are to be found in the user's home directory
TCPAccessFiles ~/my.allow ~/my.deny</P
></DIV
><H1
><A
NAME="TCPACCESSSYSLOGLEVELS"
></A
>
TCPAccessSyslogLevels</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9904"
></A
><H2
>Name</H2
>TCPAccessSyslogLevels -- Sets the logging levels for mod_wrap</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9907"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TCPAccessSyslogLevels</B
> [ <CODE
CLASS="OPTION"
>allow-level deny-level</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TCPAccessSyslogLevels info warn</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_wrap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9934"
></A
><H2
>Description</H2
><P
>ProFTPD can log when a connection is allowed, or denied, as the result
of rules in the files specified in TCPAccessFiles, to the Unix syslog
mechanism. A discussion on the syslog levels which can be used is given
in the SyslogLevel directive.</P
><P
>The allow-level parameter sets the syslog level at which allowed connections
are logged; the deny-level parameter sets the syslog level for denied
connections. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9938"
></A
><H2
>See also</H2
><P
><A
HREF="#SYSLOGLEVEL"
>SyslogLevel</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9942"
></A
><H2
>Examples</H2
><P
>TCPAccessSyslogLevels debug warn</P
></DIV
><H1
><A
NAME="TCPBACKLOG"
></A
>
tcpBackLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9953"
></A
><H2
>Name</H2
>tcpBackLog -- Control the tcp backlog in standalone mode</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN9956"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>tcpBackLog</B
> [ <CODE
CLASS="OPTION"
>tcpBackLog backlog-size</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>tcpBackLog 5</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9983"
></A
><H2
>Description</H2
><P
>The tcpBackLog directive controls the tcp "backlog queue" when
listening for connections in standalone mode (see
ServerType). It has no effect upon
servers in inetd mode. When a tcp connection is
established by the tcp/ip stack inside the kernel, there is a short period
of time between the actual establishment of the connection and the acceptance
of the connection by a user-space program. The duration of this latency period
is widely variable, and can depend upon several factors (hardware, system
load, etc). During this period tcp connections cannot be accepted, as the
port that was previously "listening" has become filled with the
new connection. Under heavy connection load this can result in occasional
(or even frequent!) "connection refused" messages returned to the
incoming client, even when there is a service available to handle requests.
To eliminate this problem, most modern tcp/ip stacks implement a "backlog
queue" which is simply a pre-allocation of resources necessary to handle
backlog-size connections during the latency period.
The larger the backlog queue, the more connections can be established in a
very short time period. The trade-off, of course, is kernel memory and/or
other kernel resources.
Generally it is not necessary to use a tcpBackLog directive, unless you intend
to service a large number of virtual hosts (see &lt;VirtualHost&gt;),
or have a consistently heavy system load. If you begin to notice or hear of
"connection refused" messages from remote clients, try setting a
slightly higher value to this directive.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9986"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN9989"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TCPGROUPACCESSFILES"
></A
>
TCPGroupAccessFiles</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10000"
></A
><H2
>Name</H2
>TCPGroupAccessFiles -- Sets the access files to use</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10003"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TCPGroupAccessFiles</B
> [ <CODE
CLASS="OPTION"
>group-expression allow-filename deny-filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_wrap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10030"
></A
><H2
>Description</H2
><P
>TCPGroupAccessFiles allows for access control files, the same types of
files required by TCPAccessFiles, to be applied to select groups. The
given group-expression is a logical AND expression, which means that
the connecting user must be a member of all the groups listed for this
directive to apply. Group names may be negated with a ! prefix.</P
><P
>The rules for the filename paths are the same as for TCPAccessFiles settings.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10034"
></A
><H2
>See also</H2
><P
><A
HREF="#TCPACCESSFILES"
>TCPAccessFiles</A
>,
<A
HREF="#TCPUSERACCESSFILES"
>TCPUserAccessFiles</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10039"
></A
><H2
>Examples</H2
><P
># every member of group wheel must connect from restricted locations
TCPGroupAccessFiles wheel /etc/ftpd-strict.allow /etc/ftpd-strict.deny
# everyone else gets the standard access rules
TCPGroupAccessFiles !wheel /etc/hosts.allow /etc/hosts.deny</P
></DIV
><H1
><A
NAME="TCPNODELAY"
></A
>
tcpNoDelay</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10050"
></A
><H2
>Name</H2
>tcpNoDelay -- Control the use of TCP_NODELAY</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10053"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>tcpNoDelay</B
> [ <CODE
CLASS="OPTION"
>tcpNoDelay on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>tcpNoDelay on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre3a and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10080"
></A
><H2
>Description</H2
><P
>The tcpNoDelay directive controls the use of the TCP_NODELAY socket option
(which disables the Nagle algorithm). ProFTPd uses TCP_NODELAY by default,
which usually is a benefit but this can occasionally lead to problems with
some clients, so tcpNoDelay is provided as a way to disable this option. You
will not normally need to use this directive but if you have clients reporting
unusually slow connections, try setting this to off. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10083"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10086"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TCPSERVICENAME"
></A
>
TCPServiceName</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10097"
></A
><H2
>Name</H2
>TCPServiceName -- Configures the name proftpd will use with mod_wrap</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10100"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TCPServiceName</B
> [ <CODE
CLASS="OPTION"
>name</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TCPServiceName proftpd</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_wrap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10127"
></A
><H2
>Description</H2
><P
>TCPServiceName is used to configure the name of the service under which mod_wrap will check the allow/deny files. By default, this is the name of the program started, i.e. "proftpd". However, some administrators may want to use a different, more generic service name, such as "ftpd"; use this directive for such needs.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10130"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="TCPUSERACCESSFILES"
></A
>
TCPUserAccessFiles</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10141"
></A
><H2
>Name</H2
>TCPUserAccessFiles -- Sets the access files to use</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10144"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TCPUserAccessFiles</B
> [ <CODE
CLASS="OPTION"
>user-expression allow-filename deny-filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>none</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_wrap</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10171"
></A
><H2
>Description</H2
><P
>TCPUserAccessFiles allows for access control files, the same types of
files required by TCPAccessFiles, to be applied to select users. The given
user-expression is a logical AND expression. Listing multiple users in
a user-expression does not make much sense; however, this type of AND
evaluation allows for expressions such as "everyone except this user"
with the use of the ! negation prefix.</P
><P
>The rules for the filename paths are the same as for TCPAccessFiles settings.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10175"
></A
><H2
>See also</H2
><P
><A
HREF="#TCPACCESSFILES"
>TCPAccessFiles</A
>,
<A
HREF="#TCPGROUPACCESSFILES"
>TCPGroupAccessFiles</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10180"
></A
><H2
>Examples</H2
><P
># user admin might be allowed to connect from anywhere
TCPUserAccessFiles admin /etc/ftpd-anywhere.allow /etc/ftpd-anywhere.deny
# while every other user has to connect from LAN addresses
TCPUserAccessFiles !admin /etc/ftpd-lan.allow /etc/ftpd-lan.deny</P
></DIV
><H1
><A
NAME="TIMEOUTIDLE"
></A
>
TimeoutIdle</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10191"
></A
><H2
>Name</H2
>TimeoutIdle -- Sets the idle connection timeout</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10194"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutIdle</B
> [ <CODE
CLASS="OPTION"
>TimeoutIdle seconds</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TimeoutIdle 600</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10221"
></A
><H2
>Description</H2
><P
>The TimeoutIdle directive configures the maximum number of seconds that proftpd
will allow clients to stay connected without receiving any data on either
the control or data connection. If data is received on either connection,
the idle timer is reset. Setting TimeoutIdle to 0 disables the idle timer
completely (clients can stay connected for ever, without sending data). This
is generally a bad idea as a "hung" tcp connection which is never
properly disconnected (the remote network may have become disconnected from
the Internet, etc) will cause a child server to never exit (at least not for
a considerable period of time) until manually killed.
See Also: TimeoutLogin, TimeoutNoTransfer</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10224"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10227"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TIMEOUTLINGER"
></A
>
TimeoutLinger</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10238"
></A
><H2
>Name</H2
>TimeoutLinger -- Sets the timeout used for lingering closes</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10241"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutLinger</B
> [ <CODE
CLASS="OPTION"
>TimeoutLinger seconds</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TimeoutLinger 30</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10268"
></A
><H2
>Description</H2
><P
>The TimeoutLinger directive configures the maximum number of seconds that
proftpd will wait (or "linger") when closing a data connection. Once
the data connection is closed, proftpd will send a message on the control
connection indicating the closure. This delay is necessary for properly
handling some FTP clients.</P
><P
>If the client aborts a transfer and there is a long delay, this lingering
close is the most likely culprit. So if you encounter this delay,
set TimeoutLinger to a low number to remove the delay.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10272"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10275"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TIMEOUTLOGIN"
></A
>
TimeoutLogin</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10286"
></A
><H2
>Name</H2
>TimeoutLogin -- Sets the login timeout</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10289"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutLogin</B
> [ <CODE
CLASS="OPTION"
>TimeoutLogin seconds</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TimeoutLogin 300</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10316"
></A
><H2
>Description</H2
><P
>The TimeoutLogin directive configures the maximum number of seconds a client
is allowed to spend authenticating. The login timer is not reset when a client
transmits data, and is only removed once a client has transmitted an acceptable
USER/PASS command combination.
See Also: TimeoutIdle, TimeoutNoTransfer</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10319"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10322"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TIMEOUTNOTRANSFER"
></A
>
TimeoutNoTransfer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10333"
></A
><H2
>Name</H2
>TimeoutNoTransfer -- Sets the connection without transfer timeout</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10336"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutNoTransfer</B
> [ <CODE
CLASS="OPTION"
>TimeoutNoTransfer seconds</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TimeoutNoTransfer 300</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10363"
></A
><H2
>Description</H2
><P
>The TimeoutNoTransfer directive configures the maximum number of seconds
a client is allowed to spend connected, after authentication, without issuing
a command which results in creating an active or passive data connection (i.e.
sending/receiving a file, or receiving a directory listing).
See Also: TimeoutIdle, TimeoutLogin</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10366"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10369"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TIMEOUTSESSION"
></A
>
TimeoutSession</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10380"
></A
><H2
>Name</H2
>TimeoutSession -- Sets a timeout for an entire session</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10383"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutSession</B
> [ <CODE
CLASS="OPTION"
>seconds ["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.6rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10410"
></A
><H2
>Description</H2
><P
>The TimeoutSession directive sets the maximum number of seconds a control
connection between the proftpd server and an FTP client can exist after the
client has successfully authenticated. If the seconds argument is set to 0,
sessions are allowed to last indefinitely (the default).</P
><P
>The optional parameters are used to restrict the session time limit only
to specific users. If "user" restriction is given, then expression is a
user-expression specifying to which users the time limit applies. Similarly
for the "group" restriction. For the "class" restriction, the expression is
simply the name of the connection class to which the time limit will apply.
Note that use of the "user" or "group" classifiers within an &lt;Anonymous&gt;
context will not make much sense.</P
><P
>Example:
# set a draconian session time limit
TimeoutSession 60
# set session time limits for everyone except a few privileged users
TimeoutSession 300 user !bob,!dave,!jenni</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10415"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10418"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
># Kick the user off after 60 minutes<br>
TimeoutSession 3600</P
></DIV
><H1
><A
NAME="TIMEOUTSTALLED"
></A
>
TimeoutStalled</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10429"
></A
><H2
>Name</H2
>TimeoutStalled -- Sets the timeout on stalled data transfers</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10432"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimeoutStalled</B
> [ <CODE
CLASS="OPTION"
>TimeoutStalled seconds</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TimeoutStalled 3600</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Global&gt;, &lt;Anonymous&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.6 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10459"
></A
><H2
>Description</H2
><P
>The TimeoutStalled directive sets the maximum number of seconds a data
connection between the proftpd server and an FTP client can exist but have no
actual data transferred (i.e. "stalled"). If the seconds argument is
set to 0, data transfers are allowed to stall indefinitely.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10462"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10465"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TIMESGMT"
></A
>
TimesGMT</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10476"
></A
><H2
>Name</H2
>TimesGMT -- Toggle time display between GMT and local</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10479"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TimesGMT</B
> [ <CODE
CLASS="OPTION"
>TimesGMT on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>(versions 1.2.0pre9 and beyond) on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;VirtualHost&gt;, &lt;Anonymous&gt;, &lt;Global&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
></P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10506"
></A
><H2
>Description</H2
><P
>Compatibility: 1.2.0pre9 and later.
The TimesGMT option causes the server to report all ls and MDTM times in
GMT and not local time.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10509"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10512"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TLSCACERTIFICATEFILE"
></A
>
TLSCACertificateFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10523"
></A
><H2
>Name</H2
>TLSCACertificateFile -- Define a CA certificate used to verify your client certificates</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10526"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCACertificateFile</B
> [ <CODE
CLASS="OPTION"
>CA certificate filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10553"
></A
><H2
>Description</H2
><P
>The TLSCACertificateFile directive configures one file where you can assemble
the certificates of Certification Authorities (CA) for your clients. The CA
certificates in the file are then used to verify client certificates, if
presented. Such a file is merely the concatenation of the various PEM-encoded CA
certificates, in order of preference. This directive can be used in addition to,
or as an alternative for, TLSCACertificatePath.</P
><P
>If neither TLSCACertificateFile nor TLSCACertificatePath are specified, the
following message will appear in the TLSLog:</P
><P
><P
CLASS="LITERALLAYOUT"
> using default OpenSSL verification locations (see $SSL_CERT_DIR)</P
></P
><P
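>This means that the SSL_CERT_DIR environment variable, if set, will be used to
determine the location of a CA certificate directory, to be used when verifying clients.
The set of CAs trusted for client certificates then depends on the environment proftpd
is started in, so where client certificates are used for access control it is safer to
name the intended CAs explicitly with TLSCACertificateFile or TLSCACertificatePath.</P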
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10560"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSCACERTIFICATEPATH"
>TLSCACertificatePath</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10564"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSCACertificateFile /etc/ftpd/ca-bundle.pem</P
></DIV
><H1
><A
NAME="TLSCACERTIFICATEPATH"
></A
>
TLSCACertificatePath</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10575"
></A
><H2
>Name</H2
>TLSCACertificatePath -- Define a path to the CAs used to verify your client certificates</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10578"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCACertificatePath</B
> [ <CODE
CLASS="OPTION"
>Path to your CA certificates</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, &lt;Global&gt;, &lt;VirtualHost&gt;</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10605"
></A
><H2
>Description</H2
><P
>The TLSCACertificatePath directive sets the directory for the certificates of
Certification Authorities (CAs) for your clients. These are used to verify the
client certificates presented. This directive may be used in addition to, or as
an alternative for, TLSCACertificateFile.</P
><P
>The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames. This means one cannot simply place the CA certificates
there: one also has to create symbolic links named hash-value.N. The c_rehash
utility that comes with OpenSSL can be used to create the necessary symlinks.</P
><P
>If neither TLSCACertificateFile nor TLSCACertificatePath are specified, the
following message will appear in the TLSLog:</P
><P
><P
CLASS="LITERALLAYOUT"
> using default OpenSSL verification locations (see $SSL_CERT_DIR)<br>
<A
NAME="AEN10612"
HREF="#FTN.AEN10612"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></P
></P
><P
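>This means that the SSL_CERT_DIR environment variable, if set, will be used to
determine the location of a CA certificate directory, to be used when verifying clients.
The set of CAs trusted for client certificates then depends on the environment proftpd
is started in, so where client certificates are used for access control it is safer to
name the intended CAs explicitly with TLSCACertificateFile or TLSCACertificatePath.</P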
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10615"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSCACERTIFICATEFILE"
>TLSCACertificateFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10619"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSCACertificatePath /etc/ftpd/ca/</P
></DIV
><H1
><A
NAME="TLSCAREVOCATIONFILE"
></A
>
TLSCARevocationFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10630"
></A
><H2
>Name</H2
>TLSCARevocationFile -- Define a file with your CA revocation certificates</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10633"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCARevocationFile</B
> [ <CODE
CLASS="OPTION"
>CA revocation filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>Define a file holding your Certificate Revocation Lists</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10660"
></A
><H2
>Description</H2
><P
>The TLSCARevocationFile directive configures one file that can contain the
Certificate Revocation Lists (CRL) of Certification Authorities (CA) for your
clients. These CRLs are used during the verification of client certificates, if
presented. Such a file is merely the concatenation of the various PEM-encoded
CRL files, in order of preference. This directive can be used in addition to,
or as an alternative for, TLSCARevocationPath.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10663"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSCAREVOCATIONPATH"
>TLSCARevocationPath</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10667"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSCARevocationFile /etc/ftpd/ca-crl-bundle.pem</P
></DIV
><H1
><A
NAME="TLSCAREVOCATIONPATH"
></A
>
TLSCARevocationPath</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10678"
></A
><H2
>Name</H2
>TLSCARevocationPath -- Define a path to your CA revocation certificates</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10681"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCARevocationPath</B
> [ <CODE
CLASS="OPTION"
>Path to a directory with CA revocation certificates</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10708"
></A
><H2
>Description</H2
><P
>The TLSCARevocationPath directive sets the directory for the
Certificate Revocation Lists (CRL) of Certification Authorities (CAs) for your
clients. These are used during the verification of client certificates, if
presented. This directive may be used in addition to, or as alternative for,
TLSCARevocationFile.</P
><P
>The files in the configured directory have to be PEM-encoded, and are accessed
through hash filenames. This means one cannot simply place the CRLs there: one
also has to create symbolic links named hash-value.N. The c_rehash utility that
comes with OpenSSL can be used to create the necessary symlinks. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10712"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSCAREVOCATIONFILE"
>TLSCARevocationFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10716"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSCARevocationPath /etc/ftpd/crl/</P
></DIV
><H1
><A
NAME="TLSCERTIFICATECHAINFILE"
></A
>
TLSCertificateChainFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10727"
></A
><H2
>Name</H2
>TLSCertificateChainFile -- Define an all in one certification file</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10730"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCertificateChainFile</B
> [ <CODE
CLASS="OPTION"
>TLSCertificateChainFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10757"
></A
><H2
>Description</H2
><P
>The TLSCertificateChainFile directive sets the optional all-in-one file where
you can assemble the certificates of Certification Authorities (CA) which form
the certificate chain of the server certificate. This starts with the issuing CA
certificate of the server certificate and can range up to the root CA
certificate. Such a file is simply the concatenation of the various PEM-encoded
CA Certificate files in certificate chain order. This server certificate chain is
sent to the client, in addition to the server's certificate.</P
><P
>If TLSCertificateChainFile is not used, and TLSCACertificatePath is used, the
certificate chain is built from the certificates in that path.
TLSCertificateChainFile should be used as an alternative to TLSCACertificatePath
for explicitly constructing the server certificate chain. It is especially useful
to avoid conflicts with CA certificates when using client authentication. For
although placing a CA certificate of the server certificate chain into the
TLSCACertificatePath has the same effect for the certificate chain construction,
it has the side-effect that client certificates issued by this same CA certificate
are also accepted on client authentication. This is usually not what one expects.</P
><P
>Be careful: providing the certificate chain works only if you are using a single
(either RSA or DSA) based server certificate. If you are using a coupled RSA+DSA
certificate pair, this will work only if actually both certificates use the same
certificate chain. Otherwise, clients will become confused. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10762"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSCACERTIFICATEFILE"
>TLSCACertificateFile</A
>
<A
HREF="#TLSCACERTIFICATEPATH"
>TLSCACertificatePath</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10767"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSCertificateChainFile /etc/ftpd/client-ca-list.pem</P
></DIV
><H1
><A
NAME="TLSCIPHERSUITE"
></A
>
TLSCipherSuite</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10778"
></A
><H2
>Name</H2
>TLSCipherSuite -- Define a cipher list</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10781"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSCipherSuite</B
> [ <CODE
CLASS="OPTION"
>cipher-list</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>ALL:!ADH</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10808"
></A
><H2
>Description</H2
><P
>How to put together a cipher list parameter:</P
><P
><P
CLASS="LITERALLAYOUT"
> Key Exchange Algorithms:<br>
"kRSA" RSA key exchange<br>
"kDHr" Diffie-Hellman key exchange (key from RSA cert)<br>
"kDHd" Diffie-Hellman key exchange (key from DSA cert)<br>
"kEDH" Ephemeral Diffie-Hellman key exchange (temporary key)</P
></P
><P
><P
CLASS="LITERALLAYOUT"
> Authentication Algorithm:<br>
"aNULL" No authentication<br>
"aRSA" RSA authentication<br>
"aDSS" DSS authentication<br>
"aDH" Diffie-Hellman authentication</P
></P
><P
><P
CLASS="LITERALLAYOUT"
> Cipher Encoding Algorithm:<br>
"eNULL" No encoding<br>
"DES" DES encoding<br>
"3DES" Triple DES encoding<br>
"RC4" RC4 encoding<br>
"RC2" RC2 encoding<br>
"IDEA" IDEA encoding</P
></P
><P
><P
CLASS="LITERALLAYOUT"
> MAC Digest Algorithm:<br>
"MD5" MD5 hash function<br>
"SHA1" SHA1 hash function<br>
"SHA" SHA hash function (should not be used)</P
></P
><P
><P
CLASS="LITERALLAYOUT"
> Aliases:<br>
"ALL" all ciphers<br>
"SSLv2" all SSL version 2.0 ciphers (should not be used)<br>
"SSLv3" all SSL version 3.0 ciphers<br>
"EXP" all export ciphers (40-bit)<br>
"EXPORT56" all export ciphers (56-bit)<br>
"LOW" all low strength ciphers (no export)<br>
"MEDIUM" all ciphers with 128-bit encryption<br>
"HIGH" all ciphers using greater than 128-bit encryption<br>
"RSA" all ciphers using RSA key exchange<br>
"DH" all ciphers using Diffie-Hellman key exchange<br>
"EDH" all ciphers using Ephemeral Diffie-Hellman key exchange<br>
"ADH" all ciphers using Anonymous Diffie-Hellman key exchange<br>
"DSS" all ciphers using DSS authentication<br>
"NULL" all ciphers using no encryption</P
></P
><P
><P
CLASS="LITERALLAYOUT"
>Each item in the list may include a prefix modifier:<br>
<br>
"+" move cipher(s) to the current location in the list<br>
"-" remove cipher(s) from the list (may be added again by a<br>
subsequent list entry)<br>
"!" kill cipher from the list (it may not be added again by a<br>
subsequent list entry)<br>
<br>
If no modifier is specified the entry is added to the list at the current position. "+" may also be used to combine tags to specify entries such as "RSA+RC4" describes all ciphers that use both RSA and RC4. </P
></P
><P
CLASS="LITERALLAYOUT"
>The OpenSSL command<br>
<br>
openssl ciphers -v <list of ciphers><br>
<br>
may be used to list all of the ciphers and the order described by a specific cipher list.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10825"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10828"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
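>For example, all available ciphers not including ADH key exchange:<br>
<br>
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP<br>
<br>
All algorithms including ADH and export but excluding patented algorithms:<br>
<br>
HIGH:MEDIUM:LOW:EXPORT56:EXP:ADH:!kRSA:!aRSA:!RC4:!RC2:!IDEA<br>
<br>
Both lists illustrate the syntax only. Each keeps the LOW and export (EXP) ciphers, the first also keeps SSLv2, which the alias list above says should not be used, and the second keeps ADH, which is anonymous and so does not authenticate the server. A list meant for production would exclude these, for example by ending with !LOW:!EXP:!SSLv2:!aNULL:!eNULL.</P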
></DIV
><H1
><A
NAME="TLSDHPARAMFILE"
></A
>
TLSDHParamFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10839"
></A
><H2
>Name</H2
>TLSDHParamFile -- Define a file used in Diffie-Hellman key exchange</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10842"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSDHParamFile</B
> [ <CODE
CLASS="OPTION"
>Absolute path to the Diffie-Hellman param file</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10869"
></A
><H2
>Description</H2
><P
>The TLSDHParamFile directive is used to configure a file that mod_tls will use
when engaging in a Diffie-Hellman key exchange. Such a key exchange can be
computationally intensive, in terms of parameter generation; to help speed up
the process, the parameters used may be generated in advance, and stored in a
file. The dhparam utility that comes with OpenSSL may be used to generate an
appropriate file for this directive. The file parameter must be an absolute path.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10872"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10875"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="TLSDSACERTIFICATEFILE"
></A
>
TLSDSACertificateFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10885"
></A
><H2
>Name</H2
>TLSDSACertificateFile -- Point to the file containing the DSA certificate</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10888"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSDSACertificateFile</B
> [ <CODE
CLASS="OPTION"
>TLSDSACertificateFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10915"
></A
><H2
>Description</H2
><P
>The TLSDSACertificateFile directive points to the PEM-encoded file containing the
DSA certificate file for the server and optionally also the corresponding DSA
private key file.</P
><P
>If the contained private key is encrypted, the administrator will be prompted for
the passphrase when the daemon starts up, and when the daemon is restarted. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10919"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSDSACERTIFICATEKEYFILE"
>TLSDSACertificateKeyFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10923"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>TLSDSACertificateKeyFile /etc/ftpd/server-dsa-key.pem</P
></DIV
><H1
><A
NAME="TLSDSACERTIFICATEKEYFILE"
></A
>
TLSDSACertificateKeyFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10934"
></A
><H2
>Name</H2
>TLSDSACertificateKeyFile -- Point to the file containing the private DSA key</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10937"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSDSACertificateKeyFile</B
> [ <CODE
CLASS="OPTION"
>TLSDSACertificateKeyFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10964"
></A
><H2
>Description</H2
><P
>The TLSDSACertificateKeyFile directive points to the PEM-encoded private key file
for the server. If the private key is not combined with the certificate in the
TLSDSACertificateFile, use this additional directive to point to the file with
the standalone private key. When TLSDSACertificateFile is used and the file
contains both the certificate and the private key, this directive need not be
used. However, combining the two in one file is strongly discouraged; we recommend
keeping the certificate and the private key in separate files, so that access to
the key file can be restricted independently of the certificate.</P
><P
>If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon is restarted. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10968"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSDSACERTIFICATEFILE"
>TLSDSACertificateFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN10972"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>TLSDSACertificateKeyFile /etc/ftpd/server-dsa-key.pem</P
></DIV
><H1
><A
NAME="TLSENGINE"
></A
>
TLSEngine</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN10983"
></A
><H2
>Name</H2
>TLSEngine -- Enable TLS/SSL connections</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN10986"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSEngine</B
> [ <CODE
CLASS="OPTION"
>[ on off ]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11013"
></A
><H2
>Description</H2
><P
>The TLSEngine directive toggles the use of the SSL/TLS protocol engine (e.g.
mod_tls). This is usually used inside a <VirtualHost> section to enable
SSL/TLS sessions for a particular virtual host. By default mod_tls is disabled
for both the main server and all configured virtual hosts.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11016"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11019"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="TLSLOG"
></A
>
TLSLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11029"
></A
><H2
>Name</H2
>TLSLog -- Specify a logfile for mod_tls's reporting on a per-server basis</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11032"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSLog</B
> [ <CODE
CLASS="OPTION"
>TLSLog filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11059"
></A
><H2
>Description</H2
><P
>The TLSLog directive is used to specify a log file for mod_tls's reporting on a
per-server basis. The file parameter given must be the full path to the file to
use for logging.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11062"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11065"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="TLSOPTIONS"
></A
>
TLSOptions</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11075"
></A
><H2
>Name</H2
>TLSOptions -- Configure optional behaviour of mod_tls</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11078"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSOptions</B
> [ <CODE
CLASS="OPTION"
>[ AllowDotLogin ] [ AllowPerUser ] [ ExportCertData ] [ NoCertRequest ] [ StdEnvVars ]
[ dNSNameRequired ] [ iPAddressRequired ]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11105"
></A
><H2
>Description</H2
><P
>The TLSOptions directive is used to configure various optional behavior of
mod_tls. The currently implemented options are:</P
><P
></P
><UL
><LI
STYLE="list-style-type: disc"
><P
>AllowDotLogin</P
><P
>By default, mod_tls still requires that a user supply a password for
authentication, even if a valid client certificate is presented. If this option
is enabled, mod_tls will check in the user's home directory for a .tlslogin file,
which should contain one or more PEM-encoded certificates. If the certificate
presented by the client, if any, matches a certificate in this .tlslogin file,
the user will be considered authenticated. The server will still prompt for a
password, and if the user's .tlslogin does not exist, or does not contain the
client's certificate, then the server will fall back to using the password for
authentication.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>AllowPerUser</P
><P
>This option affects how mod_tls evaluates any TLSRequired directives. Usually
mod_tls will reject any FTP commands, when TLSRequired on or TLSRequired ctrl
is in effect, if the client has not successfully negotiated a SSL/TLS handshake.
The FTPS specification requires that the SSL/TLS handshake occur, via the AUTH
FTP command, before the USER and PASS commands. This means that mod_tls does not
know the identity of the connecting client when enforcing TLSRequired. If this
AllowPerUser is used, mod_tls will wait until after the PASS command has been
processed to enforce any TLSRequired settings.</P
><P
>Important: if AllowPerUser is used, even if TLSRequired on or TLSRequired ctrl
are in effect, it will be possible for the connecting client to send usernames
and passwords unprotected before mod_tls rejects the connection. Credentials sent
this way have already crossed the network in cleartext by the time the connection
is rejected. This results in a slightly weaker security policy enforcement; please
consider carefully if this tradeoff is acceptable for your site.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>ExportCertData</P
><P
>Sets the following environment variables, if applicable. Note that doing so
increases the memory size of the process quite a bit:
<DIV
CLASS="TABLE"
><A
NAME="AEN11119"
></A
><P
><B
>Table 1-1. Environment variables</B
></P
><TABLE
BORDER="1"
FRAME="border"
CLASS="CALSTABLE"
><COL><COL><TBODY
><TR
><TD
>TLS_SERVER_CERT</TD
><TD
>Server certificate, PEM-encoded</TD
></TR
><TR
><TD
>TLS_CLIENT_CERT</TD
><TD
>Client certificate, PEM-encoded</TD
></TR
><TR
><TD
>TLS_CLIENT_CERT_CHAINn</TD
><TD
>PEM-encoded certificates in client certificate chain</TD
></TR
></TBODY
></TABLE
></DIV
></P
></LI
><LI
STYLE="list-style-type: disc"
><P
>NoCertRequest</P
><P
>Some FTP clients are known to be buggy when handling a server's certificate
request. This option causes the server not to include such a request during
an SSL handshake.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>StdEnvVars</P
><P
>Sets the following environment variables, if applicable. These environment
variables are then available for use, such as in LogFormats. Note that doing
so increases the memory size of the process quite a bit:
<DIV
CLASS="TABLE"
><A
NAME="AEN11138"
></A
><P
><B
>Table 1-2. Environment variables</B
></P
><TABLE
BORDER="1"
FRAME="border"
CLASS="CALSTABLE"
><COL><COL><TBODY
><TR
><TD
>FTPS</TD
><TD
>Present if FTP over SSL/TLS is being used</TD
></TR
><TR
><TD
>TLS_PROTOCOL</TD
><TD
>SSL protocol version (e.g. SSLv3, TLSv1)</TD
></TR
><TR
><TD
>TLS_SESSION_ID</TD
><TD
>Hex-encoded SSL session ID</TD
></TR
><TR
><TD
>TLS_CIPHER</TD
><TD
>Cipher specification name</TD
></TR
><TR
><TD
>TLS_CIPHER_EXPORT</TD
><TD
>Present if cipher is an export cipher</TD
></TR
><TR
><TD
>TLS_CIPHER_KEYSIZE_POSSIBLE</TD
><TD
>Number of cipher bits possible</TD
></TR
><TR
><TD
>TLS_CIPHER_KEYSIZE_USED</TD
><TD
>Number of cipher bits used</TD
></TR
><TR
><TD
>TLS_LIBRARY_VERSION</TD
><TD
>OpenSSL version</TD
></TR
><TR
><TD
>TLS_CLIENT_M_VERSION</TD
><TD
>Client certificate version</TD
></TR
><TR
><TD
>TLS_CLIENT_M_SERIAL</TD
><TD
>Client certificate serial number</TD
></TR
><TR
><TD
>TLS_CLIENT_S_DN</TD
><TD
>Subject DN of client certificate</TD
></TR
><TR
><TD
>TLS_CLIENT_S_DN_x509</TD
><TD
>Component of client certificate's Subject DN, where x509 is a component of a X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email</TD
></TR
><TR
><TD
>TLS_CLIENT_I_DN</TD
><TD
>Issuer DN of client certificate</TD
></TR
><TR
><TD
>TLS_CLIENT_I_DN_x509</TD
><TD
>Component of client certificate's Issuer DN, where x509 is a component of a X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email</TD
></TR
><TR
><TD
>TLS_CLIENT_V_START</TD
><TD
>Start time of client certificate validity</TD
></TR
><TR
><TD
>TLS_CLIENT_V_END</TD
><TD
>End time of client certificate validity</TD
></TR
><TR
><TD
>TLS_CLIENT_A_SIG</TD
><TD
>Client certificate's signature algorithm</TD
></TR
><TR
><TD
>TLS_CLIENT_A_KEY</TD
><TD
>Client certificate's public key algorithm</TD
></TR
><TR
><TD
>TLS_CLIENT_CERT</TD
><TD
>Client certificate, PEM-encoded</TD
></TR
><TR
><TD
>TLS_CLIENT_CERT_CHAINn</TD
><TD
>PEM-encoded certificates in client certificate chain</TD
></TR
><TR
><TD
>TLS_SERVER_M_VERSION</TD
><TD
>Server certificate version</TD
></TR
><TR
><TD
>TLS_SERVER_M_SERIAL</TD
><TD
>Server certificate serial number</TD
></TR
><TR
><TD
>TLS_SERVER_S_DN</TD
><TD
>Subject DN of server certificate</TD
></TR
><TR
><TD
>TLS_SERVER_S_DN_x509</TD
><TD
>Component of server certificate's Subject DN, where x509 is a component of a X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email</TD
></TR
><TR
><TD
>TLS_SERVER_I_DN</TD
><TD
>Issuer DN of server certificate</TD
></TR
><TR
><TD
>TLS_SERVER_I_DN_x509</TD
><TD
>Component of server certificate's Issuer DN, where x509 is a component of a X509 DN: C,CN,D,I,G,L,O,OU,S,ST,T,UID,Email</TD
></TR
><TR
><TD
>TLS_SERVER_V_START</TD
><TD
>Start time of server certificate validity</TD
></TR
><TR
><TD
>TLS_SERVER_V_END</TD
><TD
>End time of server certificate validity</TD
></TR
><TR
><TD
>TLS_SERVER_A_SIG</TD
><TD
>Server certificate's signature algorithm</TD
></TR
><TR
><TD
>TLS_SERVER_A_KEY</TD
><TD
>Server certificate's public key algorithm</TD
></TR
><TR
><TD
>TLS_SERVER_CERT</TD
><TD
>Server certificate, PEM-encoded</TD
></TR
></TBODY
></TABLE
></DIV
></P
></LI
><LI
STYLE="list-style-type: disc"
><P
>dNSNameRequired</P
><P
>This option will cause mod_tls to perform checks on a client's certificate once
the SSL handshake has been completed: the client's certificate will be searched
for the subjectAltName X509v3 extension, and, in that extension, the dNSName
value will be looked up. Unless a dNSName value is present, and the value matches
the DNS name to which the client's IP address resolves, the SSL session is
closed. This check is only performed during SSL handshakes on the control
channel. Note that if UseReverseDNS is off, this option is automatically disabled.</P
></LI
><LI
STYLE="list-style-type: disc"
><P
>iPAddressRequired</P
><P
>This option will cause mod_tls to perform checks on a client's certificate once
the SSL handshake has been completed: the client's certificate will be searched
for the subjectAltName X509v3 extension, and, in that extension, the iPAddress
value will be looked up. Unless an iPAddress value is present, and the value
matches the IP address of the client, the SSL session is closed. This check is
only performed during SSL handshakes on the control channel.</P
></LI
></UL
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11241"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11244"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>TLSOptions iPAddressRequired StdEnvVars</P
></DIV
><H1
><A
NAME="TLSPASSPHRASEPROVIDER"
></A
>
TLSPassPhraseProvider</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11255"
></A
><H2
>Name</H2
>TLSPassPhraseProvider -- FIXFIXFIX</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11258"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSPassPhraseProvider</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>FIXFIXFIX</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11285"
></A
><H2
>Description</H2
><P
>FIX FIX FIX</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11288"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11291"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>FIXFIXFIX</P
><P
>FIXFIX</P
></DIV
><H1
><A
NAME="TLSPROTOCOL"
></A
>
TLSProtocol</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11303"
></A
><H2
>Name</H2
>TLSProtocol -- Define the SSL/TLS protocol version mod_tls should use</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11306"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSProtocol</B
> [ <CODE
CLASS="OPTION"
>[ SSLv23 SSLv3 TLSv1 ]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>SSLv23</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11333"
></A
><H2
>Description</H2
><P
>The TLSProtocol directive is used to configure the SSL/TLS protocol versions
that mod_tls should use when establishing SSL/TLS sessions. Clients can then
only connect using the configured protocol.</P
><P
>Since the protocol version used by mod_tls is set only once, when the daemon
starts, the TLSProtocol directive is only allowed in the "server config" context.</P
><P
>The allowed protocols are:</P
><P
>SSLv23 Compatibility mode, used to allow both SSLv3 and TLSv1</P
><P
>SSLv3 Allow only SSLv3</P
><P
>TLSv1 Allow only TLSv1</P
><P
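>All use of SSLv2 is disabled. SSLv2 should not be used. SSLv3 has since been deprecated as well (RFC 7568); of the values listed here, TLSv1 is the only one that does not permit SSLv3.</P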
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11342"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11345"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="TLSRANDOMSEED"
></A
>
TLSRandomSeed</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11355"
></A
><H2
>Name</H2
>TLSRandomSeed -- Define a file for PRNG seeding</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11358"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSRandomSeed</B
> [ <CODE
CLASS="OPTION"
>Absolute path to the file</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>openssl-dir /.rnd</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11385"
></A
><H2
>Description</H2
><P
>The TLSRandomSeed directive configures the file that mod_tls will use for
seeding the PRNG. The seed file must be given as an absolute path.</P
><P
>When the daemon shuts down, any random data left will be written out to the
random seed file, so that that data may be used for seeding when the daemon is
started again. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11389"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11392"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>TLSRandomSeed /etc/ftpd/server.rnd</P
></DIV
><H1
><A
NAME="TLSRENEGOTIATE"
></A
>
TLSRenegotiate</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11403"
></A
><H2
>Name</H2
>TLSRenegotiate -- Configure SSL renegotiations</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11406"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSRenegotiate</B
> [ <CODE
CLASS="OPTION"
>["ctrl" secs] ["data" Kbytes] ["timeout" secs]|["required" on|off]|"none"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11433"
></A
><H2
>Description</H2
><P
>The TLSRenegotiate directive is used to configure when SSL renegotiations are to
occur. Renegotiations, and thus this directive, are only supported by mod_tls if
the version of OpenSSL installed is 0.9.7 or greater.</P
><P
>If supported, renegotiations will occur on control channels that have been
established for four hours by default, and on data channels that have transferred
over one gigabyte of data by default. When renegotiations are requested, the
client is given a timeout of 30 seconds, by default, to perform the renegotiation.
To change the default control channel renegotiation timeout, use ctrl followed by
a number, greater than zero, in seconds. Use data followed by a number, greater
than zero, of kilobytes to change the default data channel renegotiation
threshold. The timeout parameter, followed by a positive number of seconds, is
used to change the length of time given to a client to complete a requested
renegotiation, after which the SSL session will be shut down. By default, mod_tls
will require that the client comply with the requested renegotiation within the
TLSRenegotiate timeout. If, however, the client is unwilling or unable to do so,
and the daemon needs to support these clients, set required to off. Doing so will
cause renegotiations to be requested, but not required.</P
><P
>By default, mod_tls will perform renegotiations if supported, on the control
channel after 4 hours, and on the data channel after one gigabyte of transferred
data. The default timeout for a renegotiation is 30 seconds.</P
><P
>Use none to disable all renegotiation requirements. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11439"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11442"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> # Change renegotiations to occur on control channels after 1 hour<br>
TLSRenegotiate ctrl 3600<br>
<br>
# Change renegotiations to occur on data channels after 500 MB<br>
TLSRenegotiate data 512000<br>
<br>
# Change renegotiations so that they are not required, only requested<br>
TLSRenegotiate required off<br>
<br>
# Change only the timeout for renegotiations to be 5 minutes<br>
TLSRenegotiate timeout 300<br>
<br>
# Change all of the above renegotiation thresholds using one directive<br>
TLSRenegotiate ctrl 3600 data 512000 required off timeout 300<br>
<br>
# To disable renegotiations entirely<br>
TLSRenegotiate none</P
></DIV
><H1
><A
NAME="TLSREQUIRED"
></A
>
TLSRequired</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11453"
></A
><H2
>Name</H2
>TLSRequired -- Require SSL/TLS on the control and/or data channel</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11456"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSRequired</B
> [ <CODE
CLASS="OPTION"
>on | off | ctrl | data | auth | auth+data</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
><P
></P
><P
>1.3.1rc1 and later provide the auth and auth+data options
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11485"
></A
><H2
>Description</H2
><P
>The TLSRequired directive is used to define a basic security policy, one that
dictates whether the control channel, or data channel, or both, of an FTP
session must occur over SSL/TLS.</P
><P
>The "on" parameter enables SSL/TLS requirements on both control
and data channels; "off" disables the requirements on both channels.
Use "ctrl" and "data" to require SSL/TLS on either
channel individually. </P
><P
>The "auth" parameter requires that SSL/TLS be used on the control
channel, but only for authentication. To use this setting and require SSL/TLS
for data transfers, use the "auth+data" parameter.</P
><P
>This "auth+data" parameter allows a very specific security policy:
authentication via the USER/PASS commands must be protected via SSL/TLS, as
must the data channel, but after authenticating, the client can request that
protection be removed from the control channel. This policy allows clients to
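use the CCC (Clear Command Channel) command, which in turn enables SSL/TLS
protected data transfers that operate better with firewalls that monitor
the FTP control channel. Note that once the client has issued CCC, the
remaining control channel traffic (commands, replies and the file names they
carry) is no longer protected by SSL/TLS.</P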
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11491"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11494"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> # Require SSL/TLS on the control channel, so that passwords are not sent<br>
# in the clear.<br>
TLSRequired ctrl<br>
<br>
# Require SSL/TLS on both channels.<br>
TLSRequired on<br>
<br>
# Allow the client to use the CCC command to remove SSL/TLS from the<br>
# control channel, but only after authentication has been performed.<br>
# Still enforce the policy of using SSL/TLS for data transfers.<br>
#<br>
# Note that if we did not need to protect data transfers, we would<br>
# set 'TLSRequired auth' instead of using 'TLSRequired auth+data'.<br>
TLSRequired auth+data</P
></DIV
><H1
><A
NAME="TLSRSACERTIFICATEFILE"
></A
>
TLSRSACertificateFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11505"
></A
><H2
>Name</H2
>TLSRSACertificateFile -- Point to the file containing the RSA certificate</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11508"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSRSACertificateFile</B
> [ <CODE
CLASS="OPTION"
>TLSRSACertificateFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11535"
></A
><H2
>Description</H2
><P
>The TLSRSACertificateFile directive points to the PEM-encoded file containing the
RSA certificate for the server and, optionally, the corresponding RSA
private key.</P
><P
>If the contained private key is encrypted, the administrator will be prompted for
the passphrase when the daemon starts up, and when the daemon is restarted. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11539"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSRSACERTIFICATEKEYFILE"
>TLSRSACertificateKeyFile</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11543"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSRSACertificateFile /etc/ftpd/server-rsa-cert.pem</P
></DIV
><H1
><A
NAME="TLSRSACERTIFICATEKEYFILE"
></A
>
TLSRSACertificateKeyFile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11554"
></A
><H2
>Name</H2
>TLSRSACertificateKeyFile -- Point to the file containing the private RSA key</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11557"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSRSACertificateKeyFile</B
> [ <CODE
CLASS="OPTION"
>TLSRSACertificateKeyFile filename</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11584"
></A
><H2
>Description</H2
><P
>The TLSRSACertificateKeyFile directive points to the PEM-encoded private key file
for the server. If the private key is not combined with the certificate in the
TLSRSACertificateFile, use this additional directive to point to the file with
the standalone private key. When TLSRSACertificateFile is used and the file
contains both the certificate and the private key, this directive need not be
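used. However, this practice is strongly discouraged. Instead, we recommend that
you keep the certificate and the private key in separate files, so that the
private key file can be given stricter permissions than the certificate.</P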
><P
>If the contained private key is encrypted, the administrator will be prompted for the passphrase when the daemon starts up, and when the daemon is restarted. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11588"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSRSACERTIFICATEFILE"
></A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11592"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSRSACertificateKeyFile /etc/ftpd/server-rsa-key.pem</P
></DIV
><H1
><A
NAME="TLSVERIFYCLIENT"
></A
>
TLSVerifyClient</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11603"
></A
><H2
>Name</H2
>TLSVerifyClient -- Configure how to handle certificates presented by clients</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11607"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSVerifyClient</B
> [ <CODE
CLASS="OPTION"
>on | off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11634"
></A
><H2
>Description</H2
><P
>The TLSVerifyClient directive configures how mod_tls handles certificates
presented by clients. If off, the module will accept the certificate and
establish an SSL/TLS session, but will not verify the certificate, so a
certificate presented in this mode is not proof of the client's identity. If on, the
module will verify a client's certificate and, furthermore, will fail all SSL
handshake attempts unless the client presents a certificate when the server
requests one. Note that the server can be configured to not request a client
certificate via the TLSOptions directive's "NoCertRequest" parameter.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11637"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSOPTIONS"
></A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11641"
></A
><H2
>Examples</H2
></DIV
><H1
><A
NAME="TLSVERIFYDEPTH"
></A
>
TLSVerifyDepth</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11651"
></A
><H2
>Name</H2
>TLSVerifyDepth -- Define how deeply mod_tls should verify a client certificate</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11654"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TLSVerifyDepth</B
> [ <CODE
CLASS="OPTION"
>depth</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>9</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_tls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.7rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11681"
></A
><H2
>Description</H2
><P
>The TLSVerifyDepth directive sets how deeply mod_tls should verify before
deciding that the client does not have a valid certificate. The depth actually
is the maximum number of intermediate certificate issuers, i.e. the number of CA
certificates which are allowed to be followed while verifying the client
certificate. A depth of 0 means that only self-signed client certificates are
accepted, a depth of 1 means the client certificate can be self-signed or has to
be signed by a CA which is directly known to the server (i.e. the CA's
certificate is under TLSCACertificatePath), etc.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11684"
></A
><H2
>See also</H2
><P
><A
HREF="#TLSVERIFYCLIENT"
></A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11688"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
> TLSVerifyDepth 10</P
></DIV
><H1
><A
NAME="TRANSFERLOG"
></A
>
TransferLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11699"
></A
><H2
>Name</H2
>TransferLog -- Specify the path to the transfer log</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11702"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TransferLog</B
> [ <CODE
CLASS="OPTION"
>TransferLog filename|NONE</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>TransferLog /var/log/xferlog</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.4 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11729"
></A
><H2
>Description</H2
><P
>The TransferLog directive configures the full path to the "wu-ftpd style"
file transfer log. Separate log files can be created for each Anonymous
and/or VirtualHost.
Additionally, the special keyword NONE can be used,
which disables wu-ftpd style transfer logging for the context in which the
directive is used (only applicable to version 1.1.7 and later).
See Also: ExtendedLog, LogFormat</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11732"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11735"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="TRANSFERRATE"
></A
>
TransferRate</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11746"
></A
><H2
>Name</H2
>TransferRate -- Configure upload, download transfer rates</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11749"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>TransferRate</B
> [ <CODE
CLASS="OPTION"
>cmds</CODE
>] [ <CODE
CLASS="OPTION"
>kilobytes-per-sec[:free-bytes]</CODE
>] [ <CODE
CLASS="OPTION"
>["user"|"group"|"class" expression]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous>, <Directory>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.8rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11780"
></A
><H2
>Description</H2
><P
>The TransferRate directive is used to set transfer rate limits on the transfer
of data. This directive allows for transfer rates to be set in a wide variety
of contexts, on a per-command basis, and for certain subsets of users. Note
that this limit only applies to a single connection, and not to the overall
transfer rate of the server.</P
><P
>The cmds parameter may be a comma-separated list of any of the following
commands: APPE, RETR, STOR, and STOU.</P
><P
>The kilobytes-per-sec parameter is the actual transfer rate to be applied.</P
><P
>The free-bytes parameter, if configured, allows that many bytes to be
transferred before the rate controls are applied. This allows for clients
transferring small files to be unthrottled, but for larger files, such as
MP3s and ISO images, to be throttled.</P
><P
>The optional parameters are used to restrict the application of the rate
controls only to specific users. If the "user" restriction is given, then
expression is a user-expression specifying to which users the rate applies.
Similarly for the "group" restriction. For the "class" restriction, the
expression is simply the name of the connection class to which the rate will apply.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11787"
></A
><H2
>Examples</H2
><P
> # Limit downloads for everyone except the special group of users
TransferRate RETR 1.5 group !special-users</P
><P
> # Limit uploads (and appends!) to the prolific users in the
# lotsofuploadfiles.net domain. This presumes that a Class has been defined
# for that domain, and that that Class has been named "uploaders". Let them
# upload small files without throttling, though.
TransferRate APPE,STOR 8.0:1024 class uploaders</P
></DIV
><H1
><A
NAME="UMASK"
></A
>
Umask</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11799"
></A
><H2
>Name</H2
>Umask -- Set the default Umask</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11802"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Umask</B
> [ <CODE
CLASS="OPTION"
>Umask file octal-mask [directory octal-mask]</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Directory>, <Global>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11829"
></A
><H2
>Description</H2
><P
>Umask sets the mask applied to newly created file and directory
permissions within a given context. By default, the Umask in the server
configuration, <VirtualHost> or <Anonymous> block is used,
unless overridden by a "per-directory" Umask setting. Any
arguments supplied must be an octal number, in the format 0xxx. An
optional second argument can specify a Umask to be used when creating
directories. If a second argument isn't specified, directories are created
using the default Umask in the first argument. For more information on
umasks, consult your operating system documentation/man pages.</P
><P
>Proftpd will not create files that have the execution bit turned
on; this is a security-driven design decision. The permissions of an
uploaded file can be changed afterwards by issuing a SITE CHMOD command.
Syntax of the command is:
SITE CHMOD <mode> <file>.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11833"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11836"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="UNSETENV"
></A
>
UnsetEnv</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11847"
></A
><H2
>Name</H2
>UnsetEnv -- (docs incomplete)</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11850"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UnsetEnv</B
> [ <CODE
CLASS="OPTION"
>key</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.10rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11877"
></A
><H2
>Description</H2
><P
>(docs incomplete)</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11880"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11883"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>(docs incomplete)</P
></DIV
><H1
><A
NAME="USEFTPUSERS"
></A
>
UseFtpUsers</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11894"
></A
><H2
>Name</H2
>UseFtpUsers -- Block based on /etc/ftpusers</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11897"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseFtpUsers</B
> [ <CODE
CLASS="OPTION"
>UseFtpUsers on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>UseFtpUsers on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Anonymous>, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11924"
></A
><H2
>Description</H2
><P
>Legacy FTP servers generally check a special authorization file (typically
/etc/ftpusers) when a client attempts to authenticate. If the user's name
is found in this file, FTP access is denied. For compatibility's sake, proftpd
defaults to checking this file during authentication. This behavior can be
suppressed using the UseFtpUsers configuration directive; when it is set to
off, accounts listed in that file are no longer denied by this check.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11927"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11930"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USEGLOBBING"
></A
>
UseGlobbing</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11941"
></A
><H2
>Name</H2
>UseGlobbing -- Toggles use of glob() functionality</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11944"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseGlobbing</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>UseGlobbing on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global>, <Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ls</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.5rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11971"
></A
><H2
>Description</H2
><P
>The UseGlobbing directive controls use of glob() functionality, which is
needed for supporting wildcard characters such as *.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN11974"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="USEIPV6"
></A
>
UseIPv6</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN11985"
></A
><H2
>Name</H2
>UseIPv6 -- Enable or disable IPv6 support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN11988"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseIPv6</B
> [ <CODE
CLASS="OPTION"
>"on"|"off"</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>UseIPv6 on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12015"
></A
><H2
>Description</H2
><P
>This directive enables or disables the IPv6 support within proftpd. It's also
possible to control this behaviour with command-line options.</P
><P
CLASS="LITERALLAYOUT"
>-4, --ipv4 Support IPv4 functionality only<br>
-6, --ipv6 Support IPv6 functionality</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12019"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12022"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>proftpd -4</P
><P
>Start Proftpd only with IPv4 functionality enabled.</P
></DIV
><H1
><A
NAME="USER"
></A
>
User</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12034"
></A
><H2
>Name</H2
>User -- Set the user the daemon will run as</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12037"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>User</B
> [ <CODE
CLASS="OPTION"
>User userid</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12064"
></A
><H2
>Description</H2
><P
>The User directive configures which user the proftpd daemon will normally
run as. By default, proftpd runs as root, which is considered undesirable
in all but the most trusted network configurations. The User directive used
in conjunction with the Group directive
instructs the daemon to switch to the specified user and group as quickly
as possible after startup. On some unix variants, the daemon will occasionally
switch back to root in order to accomplish a task which requires super-user
access. Once the task is completed, root privileges are relinquished and the
server continues to run as the specified user and group. When applied to a
<VirtualServer> block, proftpd
will run as the specified user/group on connections destined for the virtual
server's address or port. If either User or Group
is applied to an <Anonymous>
block, proftpd will establish an anonymous login when a user attempts to login
with the specified userid, as well as permanently switching to the corresponding
uid/gid (matching the User/Group parameters found in the anonymous block)
after login.
Note: When an authorized unix user is authenticated and logs in, all former
privileges are released, the daemon switches permanently to the logged in
user's uid/gid, and is never again capable of switching back to root or any
other user/group.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12067"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12070"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USERALIAS"
></A
>
UserAlias</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12081"
></A
><H2
>Name</H2
>UserAlias -- Alias a username to a system user</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12084"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UserAlias</B
> [ <CODE
CLASS="OPTION"
>login-user real-user</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12111"
></A
><H2
>Description</H2
><P
>ProFTPD requires a real username/uid when authenticating users as
provided by PAM, AuthUserFile or another authentication mechanism.
There are however times when additional aliases are required but it is
undesirable to provide additional login accounts.</P
><P
>UserAlias provides a mechanism to do this, a typical and common
example is within Anonymous configuration blocks. It is normal for the
server to use 'ftp' as the primary authentication user, however it is
common practice for users to login using "anonymous". This is achieved
by adding the following to the config file.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12115"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12118"
></A
><H2
>Examples</H2
><P
> <P
CLASS="LITERALLAYOUT"
>UserAlias anonymous ftp</P
> </P
></DIV
><H1
><A
NAME="USERDIRROOT"
></A
>
UserDirRoot</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12130"
></A
><H2
>Name</H2
>UserDirRoot -- Set the chroot directory to a subdirectory of the anonymous server</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12133"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UserDirRoot</B
> [ <CODE
CLASS="OPTION"
>UserDirRoot on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>off</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2.0pre2 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12160"
></A
><H2
>Description</H2
><P
>When set to on, the chroot base directory becomes a subdirectory of the
anonymous ftp directory, based on the username of the current user. For
example, assuming user "foo" is aliased to "ftp", logging in as "foo" causes
proftpd to run as real user ftp, but to chroot into ~ftp/foo
instead of just ~ftp.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12163"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12166"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USEREVERSEDNS"
></A
>
UseReverseDNS</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12177"
></A
><H2
>Name</H2
>UseReverseDNS -- Toggle rDNS lookups</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12180"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseReverseDNS</B
> [ <CODE
CLASS="OPTION"
>UseReverseDNS on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>UseReverseDNS on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12207"
></A
><H2
>Description</H2
><P
>Normally, incoming active mode data connections and outgoing passive mode
data connections have a reverse DNS lookup performed on the remote host's
IP address. In a chroot environment (such as <Anonymous>
or DefaultRoot), the /etc/hosts file cannot be
checked and the only possible resolution is via DNS. If, for some reason, DNS
is not available or is improperly configured, this can result in proftpd blocking
("stalling") until the libc resolver code times out. Disabling this
directive prevents proftpd from attempting to reverse-lookup data connection
IP addresses. </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12210"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12213"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USEROWNER"
></A
>
UserOwner</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12224"
></A
><H2
>Name</H2
>UserOwner -- Set the user ownership of new files / directories</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12227"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UserOwner</B
> [ <CODE
CLASS="OPTION"
>UserOwner username</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Anonymous>, <Directory></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.2pre11 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12254"
></A
><H2
>Description</H2
><P
>The UserOwner directive configures which user all newly created directories
and files will be owned by, within the context that UserOwner is applied to.
The user ID of username cannot be 0 (root).
Where it is used, the GroupOwner directive is not
restricted to groups that the current user is a member of.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12257"
></A
><H2
>See also</H2
><P
><A
HREF="#GROUPOWNER"
>GroupOwner</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12261"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USERPASSWORD"
></A
>
UserPassword</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12272"
></A
><H2
>Name</H2
>UserPassword -- Creates a hardcoded username/password pair</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12275"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UserPassword</B
> [ <CODE
CLASS="OPTION"
>UserPassword userid hashed-password</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_auth</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0pl5 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12302"
></A
><H2
>Description</H2
><P
>The UserPassword directive creates a password for a particular user which
overrides the user's normal password in /etc/passwd (or /etc/shadow). The
override is only effective inside the context to which UserPassword is applied.
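The hashed-password argument is the result of passing the cleartext
password through the standard unix crypt() function. Do
NOT use a cleartext password. Because the hash is stored in the
configuration file, restrict read access to that file. This directive can be useful when combined with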
UserAlias to provide multiple logins to an Anonymous FTP site.
See Also: GroupPassword</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12305"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12308"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USERRATIO"
></A
>
UserRatio</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12319"
></A
><H2
>Name</H2
>UserRatio -- Ratio directive</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12322"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UserRatio</B
> [ <CODE
CLASS="OPTION"
>UserRatio foo1 foo2 foo3</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None known</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
><Directory>, <Anonymous>, <Limit>,.ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_ratio</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>at least 1.2.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12349"
></A
><H2
>Description</H2
><P
>The UserRatio directive ....
Example:
UserRatio</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12352"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12355"
></A
><H2
>Examples</H2
><P
></P
></DIV
><H1
><A
NAME="USESENDFILE"
></A
>
UseSendfile</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12366"
></A
><H2
>Name</H2
>UseSendfile -- Toggles use of sendfile() functionality</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12369"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseSendfile</B
> [ <CODE
CLASS="OPTION"
>on|off</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>UseSendfile on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_xfer</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.0rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12396"
></A
><H2
>Description</H2
><P
>The UseSendfile directive controls use of sendfile functionality, which is
an optimization for sending files to clients. Use of sendfile functionality
avoids separate read and send operations, and buffer allocations. But on some
platforms or within some filesystems, it is better to disable this feature to
avoid operational problems:</P
><PRE
CLASS="PROGRAMLISTING"
> * Some platforms may have broken sendfile support that the build system
did not detect, especially if the binaries were built on another box
and moved to such a machine with broken sendfile support.
* On Linux the use of sendfile triggers TCP-checksum offloading bugs on
certain networking cards when using IPv6.
* With network-mounted directories (e.g. NFS or SMB), the kernel may be
unable to serve the network file through its own cache.</PRE
><P
>Note that if sendfile support is enabled, tools like ftpwho and ftptop
will not show the transfer rate for downloads. These tools work by reading
the ScoreboardFile, and the ScoreboardFile is updated periodically during
uploads and downloads. However, when sendfile support is used, the
ScoreboardFile does not have a chance to be updated. This is only true for
downloads; the tools will continue to show the transfer rate for uploads.</P
></DIV
><H1
><A
NAME="USEUTF8"
></A
>
UseUTF8</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12409"
></A
><H2
>Name</H2
>UseUTF8 -- FIXFIXFIX</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12412"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>UseUTF8</B
> [ <CODE
CLASS="OPTION"
>"name" limit|regex|ip value</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>FIXFIXFIX</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <Global>, <VirtualHost>, <Anonymous>, <Limit>, .ftpaccess</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.3.1rc1 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12439"
></A
><H2
>Description</H2
><P
>FIX FIX FIX</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12442"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12445"
></A
><H2
>Examples</H2
><P
CLASS="LITERALLAYOUT"
>FIXFIXFIX</P
><P
>FIXFIX</P
></DIV
><H1
><A
NAME="VIRTUALHOST"
></A
>
VirtualHost</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12457"
></A
><H2
>Name</H2
>VirtualHost -- Define a virtual ftp server</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12460"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>VirtualHost</B
> [ <CODE
CLASS="OPTION"
><VirtualHost addresses separated by spaces></CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>None</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>0.99.0 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12487"
></A
><H2
>Description</H2
><P
>The VirtualHost configuration block is used to create an independent set
of configuration directives that apply to a particular hostname or IP address.
It is often used in conjunction with system level IP aliasing or dummy network
interfaces in order to establish one or more "virtual" servers which
all run on the same physical machine. The block is terminated with a </VirtualHost>
directive. By utilizing the
Port directive inside a VirtualHost block, it is
possible to create a virtual server which uses the same address as the master
server, but listens on a separate tcp port (incompatible with ServerType inetd).
When proftpd starts, virtual server connections are handled in one of two
ways, depending on the
ServerType setting:
inetd
The daemon examines the destination address and port of the incoming connection
handed off from inetd. If the connection matches one of the configured virtual
hosts, the connection is serviced based on the appropriate configuration.
If no virtual host matches, and the main server does not match, the client
is informed that no server is available to service their requests and disconnected.
standalone
After parsing the configuration file, the daemon begins listening for connections
on all configured ports, spawning child processes as necessary to handle
connections for either the main server or any virtual servers.
Because of the method that the daemon uses to listen for connections when
in standalone mode, it is possible to support an
exceedingly large number of virtual servers, potentially exceeding the number
of per-process file descriptors. This is due to the fact that a single file
descriptor is used to listen to each configured port, regardless of the number
of addresses being monitored. Note that it may be necessary to increase
the
tcpBackLog value on heavily loaded
servers in order to avoid kernel rejected client connections ("Connection
refused").</P
><P
>Starting with ProFTPD 1.3.0rc1 it's possible to use more than one FQDN or IP
Address. With this change the old Bind directive has been deprecated.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12491"
></A
><H2
>See also</H2
><P
><A
HREF="#DEFAULTADDRESS"
>DefaultAddress</A
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12495"
></A
><H2
>Examples</H2
><P
><VirtualHost host1.domain.com host2.domain.com>
...
</VirtualHost></P
></DIV
><H1
><A
NAME="WTMPLOG"
></A
>
WtmpLog</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12506"
></A
><H2
>Name</H2
>WtmpLog -- Toggle logging to wtmp</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12509"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>WtmpLog</B
> [ <CODE
CLASS="OPTION"
>WtmpLog on|off|NONE</CODE
>]</P
><P
></P
><DIV
CLASS="VARIABLELIST"
><P
><B
></B
></P
><DL
><DT
><PRE
CLASS="SYNOPSIS"
>Default</PRE
></DT
><DD
><P
>WtmpLog on</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Context</PRE
></DT
><DD
><P
>server config, <VirtualHost>, <Anonymous>, <Global></P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Module</PRE
></DT
><DD
><P
>mod_core</P
></DD
><DT
><PRE
CLASS="SYNOPSIS"
>Compatibility</PRE
></DT
><DD
><P
>1.1.7 and later</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12536"
></A
><H2
>Description</H2
><P
>The WtmpLog directive controls proftpd's logging of ftp
connections to the host system's wtmp file (used by such commands as
`last'). By default, all connections are logged via wtmp.
Please report any corrections or additions via http://bugs.proftpd.net/ </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12539"
></A
><H2
>See also</H2
><P
></P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12542"
></A
><H2
>Examples</H2
><P
></P
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN12545"
></A
>Chapter 2. List of modules</H1
><H1
><A
NAME="MOD-AUTH"
></A
>
mod_auth</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12552"
></A
><H2
>Name</H2
>mod_auth -- Authentication module</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12555"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_auth</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12558"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12561"
></A
><H2
>See also</H2
><P
><A
HREF="#ACCESSDENYMSG"
>AccessDenyMsg</A
>
<A
HREF="#ACCESSGRANTMSG"
>AccessGrantMsg</A
>
<A
HREF="#ANONREJECTPASSWORDS"
>AnonRejectPasswords</A
>
<A
HREF="#ANONREQUIREPASSWORD"
>AnonRequirePassword</A
>
<A
HREF="#AUTHALIASONLY"
>AuthAliasOnly</A
>
<A
HREF="#AUTHGROUPFILE"
>AuthGroupFile</A
>
<A
HREF="#AUTHPAM"
>AuthPAM</A
>
<A
HREF="#AUTHPAMCONFIG"
>AuthPAMConfig</A
>
<A
HREF="#AUTHUSERFILE"
>AuthUserFile</A
>
<A
HREF="#AUTHUSINGALIAS"
>AuthUsingAlias</A
>
<A
HREF="#CREATEHOME"
>CreateHome</A
>
<A
HREF="#DEFAULTCHDIR"
>DefaultChdir</A
>
<A
HREF="#DEFAULTROOT"
>DefaultRoot</A
>
<A
HREF="#GROUPPASSWORD"
>GroupPassword</A
>
<A
HREF="#LOGINPASSWORDPROMPT"
>LoginPasswordPrompt</A
>
<A
HREF="#MAXCLIENTS"
>MaxClients</A
>
<A
HREF="#MAXCLIENTSPERCLASS"
>MaxClientsPerClass</A
>
<A
HREF="#MAXCLIENTSPERHOST"
>MaxClientsPerHost</A
>
<A
HREF="#MAXCLIENTSPERUSER"
>MaxClientsPerUser</A
>
<A
HREF="#MAXCONNECTIONSPERHOST"
>MaxConnectionsPerHost</A
>
<A
HREF="#MAXHOSTSPERUSER"
>MaxHostsPerUser</A
>
<A
HREF="#MAXLOGINATTEMPTS"
>MaxLoginAttempts</A
>
<A
HREF="#PERSISTENTPASSWD"
>PersistentPasswd</A
>
<A
HREF="#REQUIREVALIDSHELL"
>RequireValidShell</A
>
<A
HREF="#ROOTLOGIN"
>RootLogin</A
>
<A
HREF="#ROOTREVOKE"
>RootRevoke</A
>
<A
HREF="#TIMEOUTLOGIN"
>TimeoutLogin</A
>
<A
HREF="#TIMEOUTSESSION"
>TimeoutSession</A
>
<A
HREF="#USEFTPUSERS"
>UseFtpUsers</A
>
<A
HREF="#USERALIAS"
>UserAlias</A
>
<A
HREF="#USERDIRROOT"
>UserDirRoot</A
>
<A
HREF="#USERPASSWORD"
>UserPassword</A
></P
></DIV
><H1
><A
NAME="MOD-CORE"
></A
>
mod_core</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12601"
></A
><H2
>Name</H2
>mod_core -- Core module</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12604"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_core</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12607"
></A
><H2
>Description</H2
><P
>This module provides all the core functionality ProFTPD needs to function; this
module must be compiled in.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12610"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOW"
>Allow</A
>
<A
HREF="#ALLOWALL"
>AllowAll</A
>
<A
HREF="#ALLOWCLASS"
>AllowClass</A
>
<A
HREF="#ALLOWFILTER"
>AllowFilter</A
>
<A
HREF="#ALLOWFOREIGNADDRESS"
>AllowForeignAddress</A
>
<A
HREF="#ALLOWGROUP"
>AllowGroup</A
>
<A
HREF="#ALLOWOVERRIDE"
>AllowOverride</A
>
<A
HREF="#ALLOWRETRIEVERESTART"
>AllowRetrieveRestart</A
>
<A
HREF="#ALLOWSTORERESTART"
>AllowStoreRestart</A
>
<A
HREF="#ALLOWUSER"
>AllowUser</A
>
<A
HREF="#ANONYMOUS"
>Anonymous</A
>
<A
HREF="#ANONYMOUSGROUP"
>AnonymousGroup</A
>
<A
HREF="#AUTHORDER"
>AuthOrder</A
>
<A
HREF="#BIND"
>Bind</A
>
<A
HREF="#CDPATH"
>CDPath</A
>
<A
HREF="#CLASS"
>Class</A
>
<A
HREF="#COMMANDBUFFERSIZE"
>CommandBufferSize</A
>
<A
HREF="#DEBUGLEVEL"
>DebugLevel</A
>
<A
HREF="#DEFAULTADDRESS"
>DefaultAddress</A
>
<A
HREF="#DEFAULTSERVER"
>DefaultServer</A
>
<A
HREF="#DEFAULTTRANSFERMODE"
>DefaultTransferMode</A
>
<A
HREF="#DEFERWELCOME"
>DeferWelcome</A
>
<A
HREF="#DEFINE"
>Define</A
>
<A
HREF="#DENY"
>Deny</A
>
<A
HREF="#DENYALL"
>DenyAll</A
>
<A
HREF="#DENYCLASS"
>DenyClass</A
>
<A
HREF="#DENYFILTER"
>DenyFilter</A
>
<A
HREF="#DENYGROUP"
>DenyGroup</A
>
<A
HREF="#DENYUSER"
>DenyUser</A
>
<A
HREF="#DIRECTORY"
>Directory</A
>
<A
HREF="#DISPLAYCHDIR"
>DisplayChdir</A
>
<A
HREF="#DISPLAYCONNECT"
>DisplayConnect</A
>
<A
HREF="#DISPLAYGOAWAY"
>DisplayGoAway</A
>
<A
HREF="#DISPLAYLOGIN"
>DisplayLogin</A
>
<A
HREF="#DISPLAYQUIT"
>DisplayQuit</A
>
<A
HREF="#GLOBAL"
>Global</A
>
<A
HREF="#GROUP"
>Group</A
>
<A
HREF="#GROUPOWNER"
>GroupOwner</A
>
<A
HREF="#HIDEFILES"
>HideFiles</A
>
<A
HREF="#HIDEGROUP"
>HideGroup</A
>
<A
HREF="#HIDENOACCESS"
>HideNoAccess</A
>
<A
HREF="#HIDEUSER"
>HideUser</A
>
<A
HREF="#IDENTLOOKUPS"
>IdentLookups</A
>
<A
HREF="#IFDEFINE"
>IfDefine</A
>
<A
HREF="#IFMODULE"
>IfModule</A
>
<A
HREF="#IGNOREHIDDEN"
>IgnoreHidden</A
>
<A
HREF="#INCLUDE"
>Include</A
>
<A
HREF="#LIMIT"
>Limit</A
>
<A
HREF="#MASQUERADEADDRESS"
>MasqueradeAddress</A
>
<A
HREF="#MAXCONNECTIONRATE"
>MaxConnectionRate</A
>
<A
HREF="#MAXINSTANCES"
>MaxInstances</A
>
<A
HREF="#MULTILINERFC2228"
>MultilineRFC2228</A
>
<A
HREF="#ORDER"
>Order</A
>
<A
HREF="#PASSIVEPORTS"
>PassivePorts</A
>
<A
HREF="#PATHALLOWFILTER"
>PathAllowFilter</A
>
<A
HREF="#PATHDENYFILTER"
>PathDenyFilter</A
>
<A
HREF="#PIDFILE"
>PidFile</A
>
<A
HREF="#PORT"
>Port</A
>
<A
HREF="#RLIMITCPU"
>RLimitCPU</A
>
<A
HREF="#RLIMITMEMORY"
>RLimitMemory</A
>
<A
HREF="#RLIMITOPENFILES"
>RLimitOpenFiles</A
>
<A
HREF="#SCOREBOARDFILE"
>ScoreboardFile</A
>
<A
HREF="#SERVERADMIN"
>ServerAdmin</A
>
<A
HREF="#SERVERIDENT"
>ServerIdent</A
>
<A
HREF="#SERVERNAME"
>ServerName</A
>
<A
HREF="#SERVERTYPE"
>ServerType</A
>
<A
HREF="#SETENV"
>SetEnv</A
>
<A
HREF="#SOCKETBINDTIGHT"
>SocketBindTight</A
>
<A
HREF="#SOCKETOPTIONS"
>SocketOptions</A
>
<A
HREF="#SYSLOGFACILITY"
>SyslogFacility</A
>
<A
HREF="#SYSLOGLEVEL"
>SyslogLevel</A
>
<A
HREF="#TCPBACKLOG"
>tcpBackLog</A
>
<A
HREF="#TCPNODELAY"
>tcpNoDelay</A
>
<A
HREF="#TIMEOUTIDLE"
>TimeoutIdle</A
>
<A
HREF="#TIMEOUTLINGER"
>TimeoutLinger</A
>
<A
HREF="#TIMESGMT"
>TimesGMT</A
>
<A
HREF="#TRANSFERLOG"
>TransferLog</A
>
<A
HREF="#UMASK"
>Umask</A
>
<A
HREF="#UNSETENV"
>UnsetEnv</A
>
<A
HREF="#USEIPV6"
>UseIPv6</A
>
<A
HREF="#USER"
>User</A
>
<A
HREF="#USEREVERSEDNS"
>UseReverseDNS</A
>
<A
HREF="#USEROWNER"
>UserOwner</A
>
<A
HREF="#USEUTF8"
>UseUTF8</A
>
<A
HREF="#VIRTUALHOST"
>VirtualHost</A
>
<A
HREF="#WTMPLOG"
>WtmpLog</A
></P
></DIV
><H1
><A
NAME="MOD-DELAY"
></A
>
mod_delay</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12704"
></A
><H2
>Name</H2
>mod_delay -- Prevent information leak through timing attacks</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12707"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_delay</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12710"
></A
><H2
>Description</H2
><P
>When proftpd processes the USER and PASS
FTP commands from a client, it has to perform checks against configured
ACLs, look up user and group information, etc. These checks are not done
if the given username is known to not exist for the server, in order to
not tie up system resources needlessly. However, this does mean that more
work is done when handling "good" users than when handling
"bad" users. This difference can be detected in the time it takes
for proftpd to send a response to the USER and
PASS commands. This means it is possible for an attacker
to look for these statistical timing differences, and determine which
users are "good" and which are "bad". From there,
a determined attacker can focus their attention on the known good usernames.
Note that the timings will vary depending on server load, number of
users in the user base, type of storage of user data (e.g.
LDAP directories, SQL tables, RADIUS servers, flat files, etc).</P
><P
>The mod_delay module attempts to prevent such timing differences
by keeping track of the time taken to process the USER and
PASS commands. It does this for the most recent
USER and PASS commands. The timing data are
stored in the module's DelayTable. If the module detects
that proftpd has not taken enough time to handle one of these
commands, compared to its past response times, a small delay will be added
to the response cycle. The amount of delay is determined by the difference
between the current time spent handling the command and the median time
spent handling the same command in the past.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12714"
></A
><H2
>Installation</H2
><P
>The mod_delay module is distributed with ProFTPD and compiled in by default.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12717"
></A
><H2
>See also</H2
><P
> <A
HREF="#DELAYENGINE"
>DelayEngine</A
>
<A
HREF="#DELAYTABLE"
>DelayTable</A
></P
></DIV
><H1
><A
NAME="MOD-LDAP"
></A
>
mod_ldap</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12727"
></A
><H2
>Name</H2
>mod_ldap -- LDAP authentication support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12730"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_ldap</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12733"
></A
><H2
>Description</H2
><P
> mod_ldap provides LDAP authentication support for ProFTPD. It
supports many features useful in "toaster" environments such as
default UID/GID and autocreation/autogeneration of home directories.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12736"
></A
><H2
>See also</H2
><P
><A
HREF="#LDAPALIASDEREFERENCE"
>LDAPAliasDereference</A
>
<A
HREF="#LDAPATTR"
>LDAPAttr</A
>
<A
HREF="#LDAPAUTHBINDS"
>LDAPAuthBinds</A
>
<A
HREF="#LDAPDEFAULTAUTHSCHEME"
>LDAPDefaultAuthScheme</A
>
<A
HREF="#LDAPDEFAULTGID"
>LDAPDefaultGID</A
>
<A
HREF="#LDAPDEFAULTUID"
>LDAPDefaultUID</A
>
<A
HREF="#LDAPDNINFO"
>LDAPDNInfo</A
>
<A
HREF="#LDAPDOAUTH"
>LDAPDoAuth</A
>
<A
HREF="#LDAPDOGIDLOOKUPS"
>LDAPDoGIDLookups</A
>
<A
HREF="#LDAPDOQUOTALOOKUPS"
>LDAPDoQuotaLookups</A
>
<A
HREF="#LDAPDOUIDLOOKUPS"
>LDAPDoUIDLookups</A
>
<A
HREF="#LDAPFORCEDEFAULTGID"
>LDAPForceDefaultGID</A
>
<A
HREF="#LDAPFORCEDEFAULTUID"
>LDAPForceDefaultUID</A
>
<A
HREF="#LDAPFORCEGENERATEDHOMEDIR"
>LDAPForceGeneratedHomedir</A
>
<A
HREF="#LDAPFORCEHOMEDIRONDEMAND"
>LDAPForceHomedirOnDemand</A
>
<A
HREF="#LDAPGENERATEHOMEDIR"
>LDAPGenerateHomedir</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIX"
>LDAPGenerateHomedirPrefix</A
>
<A
HREF="#LDAPGENERATEHOMEDIRPREFIXNOUSERNAME"
>LDAPGenerateHomedirPrefixNoUsername</A
>
<A
HREF="#LDAPGROUPS"
>LDAPGroups</A
>
<A
HREF="#LDAPHOMEDIRONDEMAND"
>LDAPHomedirOnDemand</A
>
<A
HREF="#LDAPHOMEDIRONDEMANDPREFIX"
>LDAPHomedirOnDemandPrefix</A
>
<A
HREF="#LDAPHOMEDIRONDEMANDPREFIXNOUSERNAME"
>LDAPHomedirOnDemandPrefixNoUsername</A
>
<A
HREF="#LDAPHOMEDIRONDEMANDSUFFIX"
>LDAPHomedirOnDemandSuffix</A
>
<A
HREF="#LDAPNEGATIVECACHE"
>LDAPNegativeCache</A
>
<A
HREF="#LDAPPROTOCOLVERSION"
>LDAPProtocolVersion</A
>
<A
HREF="#LDAPQUERYTIMEOUT"
>LDAPQueryTimeout</A
>
<A
HREF="#LDAPSEARCHSCOPE"
>LDAPSearchScope</A
>
<A
HREF="#LDAPSERVER"
>LDAPServer</A
>
<A
HREF="#LDAPUSERS"
>LDAPUsers</A
>
<A
HREF="#LDAPUSETLS"
>LDAPUseTLS</A
></P
></DIV
><H1
><A
NAME="MOD-LOG"
></A
>
mod_log</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12774"
></A
><H2
>Name</H2
>mod_log -- Logging support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12777"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_log</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12780"
></A
><H2
>Description</H2
><P
>Logging support, including enhanced formatting options.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12783"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWLOGSYMLINKS"
>AllowLogSymlinks</A
>
<A
HREF="#EXTENDEDLOG"
>ExtendedLog</A
>
<A
HREF="#LOGFORMAT"
>LogFormat</A
>
<A
HREF="#SERVERLOG"
>ServerLog</A
>
<A
HREF="#SYSTEMLOG"
>SystemLog</A
></P
></DIV
><H1
><A
NAME="MOD-LS"
></A
>
mod_ls</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12796"
></A
><H2
>Name</H2
>mod_ls -- file listing functionality</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12799"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_ls</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12802"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12805"
></A
><H2
>See also</H2
><P
><A
HREF="#DIRFAKEGROUP"
>DirFakeGroup</A
>
<A
HREF="#DIRFAKEMODE"
>DirFakeMode</A
>
<A
HREF="#DIRFAKEUSER"
>DirFakeUser</A
>
<A
HREF="#LISTOPTIONS"
>ListOptions</A
>
<A
HREF="#SHOWSYMLINKS"
>ShowSymlinks</A
>
<A
HREF="#USEGLOBBING"
>UseGlobbing</A
></P
></DIV
><H1
><A
NAME="MOD-RADIUS"
></A
>
mod_radius</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12819"
></A
><H2
>Name</H2
>mod_radius -- RADIUS based authentication support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12822"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_radius</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12825"
></A
><H2
>Description</H2
><P
>This module provides RADIUS authentication and accounting support.</P
><P
>Strong authentication is in demand for Internet services. For many, this means using the RADIUS (Remote Authentication Dial-In User Service) protocol.</P
><P
>However, there are caveats to using RADIUS for authentication. RADIUS packets are sent in the clear, which means that they can easily be sniffed; the protocol obscures only password attributes, using the secret shared between client and server, so user names and the other attributes are readable on the wire. First, do not have your authenticating RADIUS servers exposed to the Internet; keep them protected within your LAN. Second, it is highly recommended to use separate RADIUS servers for each of your services.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12830"
></A
><H2
>RADIUS Authentication</H2
><P
>The RADIUS protocol can be used for answering the question "Should this user be allowed to login?" However, the "yes/no" answer is not everything that proftpd needs to log a user in; the server also requires the UID and GID to use for the authenticated user, home directory, and shell. This information is usually not available from the RADIUS servers, which means that using RADIUS to provide all the necessary login information can be problematic. The RadiusUserInfo directive is meant to be used to address this issue, to provide the missing information.</P
><P
>In those cases where the RADIUS servers can provide that additional login information, via custom attributes, the RadiusUserInfo directive can also be used to obtain that information.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12834"
></A
><H2
>RADIUS Accounting</H2
><P
>While RADIUS is primarily used for authentication, the protocol also allows for accounting of user activities. The mod_radius module makes use of this ability, using RADIUS accounting packets to transmit the following data:</P
><P
> * Acct-Authentic: How the user was authenticated (e.g. locally, or via RADIUS)
* Acct-Session-Id: The process ID of the FTP session
* Acct-Session-Time: The duration of the FTP session, in seconds
* Acct-Input-Octets: The number of bytes uploaded (includes appending to files)
* Acct-Output-Octets: The number of bytes downloaded
Merely configuring a RadiusAcctServer enables the module's accounting capabilities.
Common Attributes
The following RADIUS attributes are sent with every RADIUS packet generated by mod_radius:
* User-Name: The name of the logging-in user
* NAS-Identifier: Always "ftp"
* NAS-IP-Address: IP address of FTP server
* NAS-Port: Port of FTP server
* NAS-Port-Type: Always Virtual.
* Calling-Station-Id: IP address of connecting FTP client</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12838"
></A
><H2
>See also</H2
><P
><A
HREF="#RADIUSACCTSERVER"
>RadiusAcctServer</A
>
<A
HREF="#RADIUSAUTHSERVER"
>RadiusAuthServer</A
>
<A
HREF="#RADIUSENGINE"
>RadiusEngine</A
>
<A
HREF="#RADIUSLOG"
>RadiusLog</A
>
<A
HREF="#RADIUSREALM"
>RadiusRealm</A
>
<A
HREF="#RADIUSUSERINFO"
>RadiusUserInfo</A
></P
></DIV
><H1
><A
NAME="MOD-RATIO"
></A
>
mod_ratio</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12852"
></A
><H2
>Name</H2
>mod_ratio -- FIX ME FIX ME</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12855"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_ratio</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12858"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12861"
></A
><H2
>See also</H2
><P
><A
HREF="#ANONRATIO"
>AnonRatio</A
>
<A
HREF="#BYTERATIOERRMSG"
>ByteRatioErrMsg</A
>
<A
HREF="#CWDRATIOMSG"
>CwdRatioMsg</A
>
<A
HREF="#FILERATIOERRMSG"
>FileRatioErrMsg</A
>
<A
HREF="#GROUPRATIO"
>GroupRatio</A
>
<A
HREF="#HOSTRATIO"
>HostRatio</A
>
<A
HREF="#LEECHRATIOMSG"
>LeechRatioMsg</A
>
<A
HREF="#RATIOFILE"
>RatioFile</A
>
<A
HREF="#RATIOS"
>Ratios</A
>
<A
HREF="#RATIOTEMPFILE"
>RatioTempFile</A
>
<A
HREF="#SAVERATIOS"
>SaveRatios</A
>
<A
HREF="#USERRATIO"
>UserRatio</A
></P
></DIV
><H1
><A
NAME="MOD-README"
></A
>
mod_readme</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12881"
></A
><H2
>Name</H2
>mod_readme -- "README" file support</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12884"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_readme</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12887"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12890"
></A
><H2
>See also</H2
><P
><A
HREF="#DISPLAYREADME"
>DisplayReadme</A
></P
></DIV
><H1
><A
NAME="MOD-SQL"
></A
>
mod_sql</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12899"
></A
><H2
>Name</H2
>mod_sql -- SQL support module</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12902"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_sql</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12905"
></A
><H2
>Description</H2
><P
>This module provides the necessary support for SQL based authentication, logging and other features as required.
It replaces the SQL modules which were shipped with 1.2.0rc2 and earlier.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12908"
></A
><H2
>See also</H2
><P
><A
HREF="#SQLAUTHENTICATE"
>SQLAuthenticate</A
>
<A
HREF="#SQLAUTHTYPES"
>SQLAuthTypes</A
>
<A
HREF="#SQLBACKEND"
>SQLBackend</A
>
<A
HREF="#SQLCONNECTINFO"
>SQLConnectInfo</A
>
<A
HREF="#SQLDEFAULTGID"
>SQLDefaultGID</A
>
<A
HREF="#SQLDEFAULTHOMEDIR"
>SQLDefaultHomedir</A
>
<A
HREF="#SQLDEFAULTUID"
>SQLDefaultUID</A
>
<A
HREF="#SQLENGINE"
>SQLEngine</A
>
<A
HREF="#SQLGROUPINFO"
>SQLGroupInfo</A
>
<A
HREF="#SQLGROUPWHERECLAUSE"
>SQLGroupWhereClause</A
>
<A
HREF="#SQLLOG"
>SQLLog</A
>
<A
HREF="#SQLLOGFILE"
>SQLLogFile</A
>
<A
HREF="#SQLMINID"
>SQLMinID</A
>
<A
HREF="#SQLMINUSERGID"
>SQLMinUserGID</A
>
<A
HREF="#SQLMINUSERUID"
>SQLMinUserUID</A
>
<A
HREF="#SQLNAMEDQUERY"
>SQLNamedQuery</A
>
<A
HREF="#SQLNEGATIVECACHE"
>SQLNegativeCache</A
>
<A
HREF="#SQLRATIOS"
>SQLRatios</A
>
<A
HREF="#SQLRATIOSTATS"
>SQLRatioStats</A
>
<A
HREF="#SQLSHOWINFO"
>SQLShowInfo</A
>
<A
HREF="#SQLUSERINFO"
>SQLUserInfo</A
>
<A
HREF="#SQLUSERWHERECLAUSE"
>SQLUserWhereClause</A
></P
></DIV
><H1
><A
NAME="MOD-TLS"
></A
>
mod_tls</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12938"
></A
><H2
>Name</H2
>mod_tls -- TLS/SSL support module</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12941"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_tls</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12944"
></A
><H2
>Description</H2
><P
>This module provides the necessary support for encrypting your FTP sessions.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12947"
></A
><H2
>Installation</H2
><P
>The mod_tls module is distributed with ProFTPD. Simply follow the normal steps
for using third-party modules in proftpd:
./configure --with-modules=mod_tls
make
make install
You may need to specify the location of the OpenSSL header and library files
in your configure command, e.g.:
./configure --with-modules=mod_tls \
--with-includes=/usr/local/openssl/include \
--with-libraries=/usr/local/openssl </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12950"
></A
><H2
>See also</H2
><P
> <A
HREF="#TLSCACERTIFICATEFILE"
>TLSCACertificateFile</A
>
<A
HREF="#TLSCACERTIFICATEPATH"
>TLSCACertificatePath</A
>
<A
HREF="#TLSCAREVOCATIONFILE"
>TLSCARevocationFile</A
>
<A
HREF="#TLSCAREVOCATIONPATH"
>TLSCARevocationPath</A
>
<A
HREF="#TLSCERTIFICATECHAINFILE"
>TLSCertificateChainFile</A
>
<A
HREF="#TLSCIPHERSUITE"
>TLSCipherSuite</A
>
<A
HREF="#TLSDHPARAMFILE"
>TLSDHParamFile</A
>
<A
HREF="#TLSDSACERTIFICATEFILE"
>TLSDSACertificateFile</A
>
<A
HREF="#TLSDSACERTIFICATEKEYFILE"
>TLSDSACertificateKeyFile</A
>
<A
HREF="#TLSENGINE"
>TLSEngine</A
>
<A
HREF="#TLSLOG"
>TLSLog</A
>
<A
HREF="#TLSOPTIONS"
>TLSOptions</A
>
<A
HREF="#TLSPASSPHRASEPROVIDER"
>TLSPassPhraseProvider</A
>
<A
HREF="#TLSPROTOCOL"
>TLSProtocol</A
>
<A
HREF="#TLSRANDOMSEED"
>TLSRandomSeed</A
>
<A
HREF="#TLSRENEGOTIATE"
>TLSRenegotiate</A
>
<A
HREF="#TLSREQUIRED"
>TLSRequired</A
>
<A
HREF="#TLSRSACERTIFICATEFILE"
>TLSRSACertificateFile</A
>
<A
HREF="#TLSRSACERTIFICATEKEYFILE"
>TLSRSACertificateKeyFile</A
>
<A
HREF="#TLSVERIFYCLIENT"
>TLSVerifyClient</A
>
<A
HREF="#TLSVERIFYDEPTH"
>TLSVerifyDepth</A
></P
></DIV
><H1
><A
NAME="MOD-WRAP"
></A
>
mod_wrap</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN12979"
></A
><H2
>Name</H2
>mod_wrap -- Interface to libwrap</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN12982"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_wrap</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12985"
></A
><H2
>Description</H2
><P
> It enables the daemon to use the common tcpwrappers access control
library while in standalone mode, and in a very configurable manner.
It is not compiled by default. </P
><P
>If not installed on your system, the TCP wrappers library,
required by this module, can be found here, on Wietse Venema's
site. Once installed, it is highly recommended that the hosts_access(3)
and hosts_access(5) man pages be read and understood.</P
><P
>Many programs will automatically add entries in the common
allow/deny files, and use of this module will allow a ProFTPD daemon
running in standalone mode to adapt as these entries are added. The
portsentry program does this, for example: when illegal access is
attempted, it will add hosts to the /etc/hosts.deny file.</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN12990"
></A
><H2
>See also</H2
><P
><A
HREF="#TCPACCESSFILES"
>TCPAccessFiles</A
>
<A
HREF="#TCPACCESSSYSLOGLEVELS"
>TCPAccessSyslogLevels</A
>
<A
HREF="#TCPGROUPACCESSFILES"
>TCPGroupAccessFiles</A
>
<A
HREF="#TCPSERVICENAME"
>TCPServiceName</A
>
<A
HREF="#TCPUSERACCESSFILES"
>TCPUserAccessFiles</A
></P
></DIV
><H1
><A
NAME="MOD-XFER"
></A
>
mod_xfer</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13003"
></A
><H2
>Name</H2
>mod_xfer -- FIX ME FIX ME</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13006"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>mod_xfer</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13009"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13012"
></A
><H2
>See also</H2
><P
><A
HREF="#ALLOWOVERWRITE"
>AllowOverwrite</A
>
<A
HREF="#DELETEABORTEDSTORES"
>DeleteAbortedStores</A
>
<A
HREF="#DISPLAYFILETRANSFER"
>DisplayFileTransfer</A
>
<A
HREF="#HIDDENSTORES"
>HiddenStores</A
>
<A
HREF="#MAXRETRIEVEFILESIZE"
>MaxRetrieveFileSize</A
>
<A
HREF="#MAXSTOREFILESIZE"
>MaxStoreFileSize</A
>
<A
HREF="#STOREUNIQUEPREFIX"
>StoreUniquePrefix</A
>
<A
HREF="#TIMEOUTNOTRANSFER"
>TimeoutNoTransfer</A
>
<A
HREF="#TIMEOUTSTALLED"
>TimeoutStalled</A
>
<A
HREF="#TRANSFERRATE"
>TransferRate</A
>
<A
HREF="#USESENDFILE"
>UseSendfile</A
> </P
></DIV
></DIV
><DIV
CLASS="CHAPTER"
><HR><H1
><A
NAME="AEN13026"
></A
>Chapter 3. List of configuration contexts</H1
><H1
><A
NAME="CONTEXT-SERVERCONFIG"
></A
>
server config</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13033"
></A
><H2
>Name</H2
>server config -- server config</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13036"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>server config</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13039"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13042"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="CONTEXT-GLOBAL"
></A
>
Global</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13050"
></A
><H2
>Name</H2
>Global -- Global</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13053"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Global</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13056"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13059"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="CONTEXT-VIRTUALHOST"
></A
>
VirtualHost</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13067"
></A
><H2
>Name</H2
>VirtualHost -- VirtualHost</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13070"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>VirtualHost</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13073"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13076"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="CONTEXT-ANONYMOUS"
></A
>
Anonymous</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13084"
></A
><H2
>Name</H2
>Anonymous -- Anonymous</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13087"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Anonymous</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13090"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13093"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="CONTEXT-LIMIT"
></A
>
Limit</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13101"
></A
><H2
>Name</H2
>Limit -- Limit</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13104"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>Limit</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13107"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13110"
></A
><H2
>See also</H2
><P
></P
></DIV
><H1
><A
NAME="CONTEXT-FTPACCESS"
></A
>
.ftpaccess</H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN13118"
></A
><H2
>Name</H2
>.ftpaccess -- .ftpaccess</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13121"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>.ftpaccess</B
> </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13124"
></A
><H2
>Description</H2
><P
>FIXME
FIXME
FIXME</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN13127"
></A
><H2
>See also</H2
><P
></P
></DIV
></DIV
></DIV
><H3
CLASS="FOOTNOTES"
>Notes</H3
><TABLE
BORDER="0"
CLASS="FOOTNOTES"
WIDTH="100%"
><TR
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="5%"
><A
NAME="FTN.AEN10612"
HREF="#AEN10612"
><SPAN
CLASS="footnote"
>[1]</SPAN
></A
></TD
><TD
ALIGN="LEFT"
VALIGN="TOP"
WIDTH="95%"
><P
CLASS="LITERALLAYOUT"
></P
></TD
></TR
></TABLE
></BODY
></HTML
>