What is ProFTPD
ProFTPD is a high-performance, extremely configurable, and most of all a secure FTP server, featuring Apache-like configuration and blazing performance.
-- From http://www.proftpd.org
This integration leverages authentik's LDAP for the identity provider to achieve an SSO experience. See ldap provider generic setup for setting up the LDAP provider.
The following placeholders will be used:
authentik.companyis the FQDN of the authentik install.
Step 1 - Service account
Create a new user account (or re-use an existing one) for ProFTPD to use for LDAP bind under Directory -> Users -> Create and give the account a name, such as
On default provider settings, the DN of this user will be
This user must be part of a group which allows LDAP search queries. If you don't have a group for that yet, create one (e.g.
LDAPServiceUsers) and add the user
ldapservice to that group. You can specify that group during the provider creation below.
If you are unfamiliar with LDAP: A bind account is used for authentication against the LDAP server itself - similar to an API key in modern applications.
Step 2 - LDAP Provider
In authentik, create a LDAP provider (under Applications/Providers). This is an example for the settings:
- Name :
provider-ldap- or choose any
- Bind DN :
- Search group :
- Certificate :
authentik Self-signed Certificate
Step 3 - Application
In authentik, create an application (under Resources/Applications) with these settings :
FTP- or choose any
- Provider: Choose the provider you created in Step 2
Step 4 - Outpost
If not done yet, create an outpost (under Applications/Outposts) of type
LDAP that includes the LDAP Application you created in Step 3. You can also use an existing outpost, just make sure to edit it and to also include the just created application in the respective field.
Step 5 - Create a group for restricting access
Optionally, create a new group like
ftpusers to scope access to the ftp server.
Ensure that the ProFTPD LDAP plugin is installed, which may be included in the distribution package
LoadModule mod_ldap.c is not commented out in
Edit your ProFTPD configuration, usually located under
/etc/proftpd.conf. You can use the following LDAP configuration as a starting point.
# Replace this with the server-url:port of your LDAP outpost
# The LDAP Bind account must be specified here
LDAPBindDN cn=ldapservice,ou=users,dc=ldap,dc=goauthentik,dc=io PASSWORDOFLDAPSERVICE
# The second parameter is optional
# In this case I am restricting access to the group ftpusers
# Instead you could also create bind policies in your created authentik application
LDAPUsers ou=users,dc=ldap,dc=goauthentik,dc=io (&(objectClass=user)(cn=%u)(memberOf=cn=ftpusers,ou=groups,dc=ldap,dc=goauthentik,dc=io))
# In this example, I am forcing the permission of all files to the system user/group 1000
# This way I am making a shared folder, which all ftp users share
LDAPAttr uid cn
In this example, every user shares a single folder. If you want to have separate folders for each user, you can adapt the
Additionally, note that each file will have Linux user and group ID
1000. Beforehand, make sure that the respective Linux user exists (usually the first Linux user created receives ID
/etc/passwd and create a user if necessary.
If you do not set
uidNumber field will be used. If you do not set
homeDirectory field will be used (
/home/$username). For more information about default attributes provided by Authentik, refer to the LDAP Provider documentation.
Make sure to read ProFTPD's available LDAP options.
Finally, after adding the configuration, restart ProFTPD.
If login fails, make sure to check the logs of the LDAP plugin:
tail -f /var/log/mod_ldap.log.