Releases: orware/sftpgo-ldap-http-server

sftpgo-ldap-http-server v0.9

29 Mar 22:08

Added support for including a remote SFTP server in the output object configuration.

The #USERNAME# placeholder is replaced in the endpoint, username, and prefix parts of the configuration (prefix is the main one needed if you want per-user folders on the remote SFTP server), as well as in the additional_data field.

You can also optionally use #PASSWORD# for the payload area and if it's detected it will automatically replace the placeholder with the same password the user is logging in with, rather than using a hardcoded value from the configuration.php file. I'm not really sure how common that use case would be (where someone needs their own username and password info to be used when connecting to the remote SFTP server) but I figured it might be useful to someone so I included it.

Below is an example connection-specific output object that has most everything in place you would need to get started with a remote SFTP proxy setup in your configuration.php file.

$connection_output_objects['example'] = [
    'status' => 1,
    'username' => '',
    'expiration_date' => 0,
    'home_dir' => '',
    'uid' => 0,
    'gid' => 0,
    'max_sessions' => 0,
    'quota_size' => 0,
    'quota_files' => 100000,
    'permissions' => [
        "/" => ["*"],
    ],
    'upload_bandwidth' => 0,
    'download_bandwidth' => 0,
    'filters' => [
        'allowed_ip' => [],
        'denied_ip' => [],
    ],
    'public_keys' => [],
    'filesystem' => [
        // Provider 5 selects the SFTP filesystem (the remote SFTP server)
        'provider' => 5,
        'sftpconfig' => [
            'endpoint' => 'remote-sftp.example.com:22',
            'username' => 'remote_username',
            'password' => [
                'status' => 'Plain',
                // Use '#PASSWORD#' here to reuse the password the user logs in with
                'payload' => 'remote_password',
                'key' => '',
                'additional_data' => '#USERNAME#'
            ],
            'private_key' => null,
            // Host key fingerprint(s) of the remote SFTP server
            'fingerprints' => [
                'SHA256:<LONG_FINGERPRINT_VALUE_HERE>',
            ],
            // Per-user folder on the remote SFTP server
            'prefix' => '/remote/path/home/example/#USERNAME#'
        ]
    ],
];
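A sketch of the placeholder substitution described above, added here as an example and not taken from the project's code. The function name `fillPlaceholders()` and the username character policy are assumptions; the check matters because the username is written into the remote `prefix` path.

```php
<?php
// Added illustration, not the project's code. fillPlaceholders() and the
// username character policy are assumptions made for this example.

function fillPlaceholders(array $sftpconfig, string $username, string $password): array
{
    // The username ends up inside a remote path ('prefix'), so reject anything
    // that could change directory depth, such as "/" or "..".
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/', $username) || strpos($username, '..') !== false) {
        throw new InvalidArgumentException('username is not safe to place in a path');
    }

    foreach (['endpoint', 'username', 'prefix'] as $field) {
        $sftpconfig[$field] = str_replace('#USERNAME#', $username, $sftpconfig[$field]);
    }
    $sftpconfig['password']['additional_data'] = str_replace(
        '#USERNAME#', $username, $sftpconfig['password']['additional_data']
    );
    // #PASSWORD# is only looked for in the payload; a hardcoded payload is left as-is.
    $sftpconfig['password']['payload'] = str_replace(
        '#PASSWORD#', $password, $sftpconfig['password']['payload']
    );
    return $sftpconfig;
}

// Constructed template, shaped like the 'sftpconfig' array in the release note.
$template = [
    'endpoint' => 'remote-sftp.example.com:22',
    'username' => '#USERNAME#',
    'password' => ['status' => 'Plain', 'payload' => '#PASSWORD#', 'key' => '', 'additional_data' => '#USERNAME#'],
    'prefix'   => '/remote/path/home/example/#USERNAME#',
];

$filled = fillPlaceholders($template, 'jdoe', 'constructed-login-password');
echo $filled['username'], ' -> ', $filled['prefix'], "\n";

try {
    // A traversal-style username must never reach the prefix.
    fillPlaceholders($template, '../other-user', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```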

sftpgo-ldap-http-server v0.8

18 Mar 00:25

Added in a new allowed group prefixes configuration item (you can specify one or more allowed group prefixes in an array).

This lets you enable auto mode for groups while limiting creation to groups with a matching prefix. For example, it prevents a user who belongs to many groups from having all of them created automatically in SFTPGo: you can start using a common prefix such as "sftpgo-" for new groups, and only those will be targeted for automatic creation within SFTPGo. As a convenience, any matching prefix is removed automatically from the group name, so "sftpgo-example" is listed simply as "example" within the /groups virtual path used in the default virtual folder template example.

sftpgo-ldap-http-server v0.7

17 Mar 00:15

Primarily added support for Active Directory groups to be added as virtual folders.

  • There is an $auto_groups_mode option which is set to false by default.
  • If set to true, then the $auto_groups_mode_virtual_folder_template will be used for all groups a user has, and folders will be automatically created for them.
  • You can leave the automatic mode off, and instead use $allowed_groups.
  • In that case, you will need to define entries for each group you want to allow (you must use a normalized version of the group name as well, so this would mainly mean using all lowercase letters, converting spaces to hyphens, etc. otherwise the group name won't match up correctly).

Just like the $virtual_folders entries, you must use a nested array in these cases since you can technically define more than one virtual folder for each group if you wish.
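The group-name normalization described here, combined with the allowed-prefix filtering and prefix stripping from the v0.8 note, as an added example that is not the project's own code. The function names, the exact normalization rules and the `/groups/<name>` path layout are assumptions.

```php
<?php
// Added illustration, not the project's code. Function names, the exact
// normalization rules and the "/groups/<name>" path layout are assumptions.

function normalizeGroupName(string $name): string
{
    // Lowercase and turn runs of whitespace into single hyphens.
    return preg_replace('/\s+/', '-', strtolower(trim($name)));
}

function autoGroupFolders(array $ldapGroups, array $allowedPrefixes): array
{
    $folders = [];
    foreach ($ldapGroups as $group) {
        $normalized = normalizeGroupName($group);
        foreach ($allowedPrefixes as $prefix) {
            $len = strlen($prefix);
            // Require a real prefix match and a non-empty remainder, so a group
            // named exactly like the prefix cannot map onto "/groups/" itself.
            if ($len > 0 && strlen($normalized) > $len && strncmp($normalized, $prefix, $len) === 0) {
                $folders[$group] = '/groups/' . substr($normalized, $len);
                break;
            }
        }
    }
    return $folders;
}

// Constructed group list for one user.
$groups = ['sftpgo-example', 'SFTPGo Finance Team', 'Domain Users', 'vpn-sftpgo-users', 'sftpgo-'];
print_r(autoGroupFolders($groups, ['sftpgo-']));
```

Two distinct directory groups can normalize to the same folder name (for instance "sftpgo-example" and "SFTPGo Example"), so it is worth checking for collisions before relying on per-group folders for separation.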

sftpgo-ldap-http-server v0.6

16 Mar 19:34

Skipping the 0.5 release (was going to post it as an update yesterday but didn't).

The 0.6 release incorporates:

  • A new option to convert usernames to lowercase (this primarily helps keep generated folder names consistent, so they are all lowercased when created)
  • Added a minimum length option for the username (this helps filter out short usernames before any authentication attempt is made)
  • Added a username blacklist where specific usernames can be provided (these will automatically be denied so no authentication attempt will occur for the listed usernames in the blacklist).

sftpgo-ldap-http-server v0.4

15 Mar 01:13

Added a bugfix to switch to using the LdapRecord library's reconnect() and disconnect() methods, which I believe should help make the new HTTP server option more reliable.

These adjustments were added after observing that after about 30 minutes or so, logins would appear to stop working properly, and I believe this was due to the LDAP connections being opened after the first login attempt, and then being left open after that. This probably helped a bit to make subsequent logins faster, however there seemed to be a timeout issue and after that point a connection attempt was no longer successful, so it would start causing all logins after that point to fail.

I'm currently observing to make sure the fixes here actually solve this issue (if not, there might be another release related to this problem after this one), but I do believe these adjustments will fix the problem.

sftpgo-ldap-http-server v0.3

14 Mar 23:52

Small update over the v0.2 release from earlier today.

  • Primarily added in the ability to strip email domains from the provided username automatically (so if a user accidentally used username@example.com and you have example.com listed as a domain to automatically strip out, it would then become username, which could be helpful for some folks that might accidentally attempt to use their full email address, rather than just their username).
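The domain stripping above and the username checks from the v0.6 note (lowercasing, minimum length, blacklist) interact, so the order they run in matters. The following is an added example, not the project's code; `prepareUsername()` and the configuration key names are hypothetical.

```php
<?php
// Added illustration, not the project's code. prepareUsername() and the
// configuration key names below are hypothetical.

function prepareUsername(string $input, array $cfg): ?string
{
    $username = trim($input);

    // Strip the domain only when it is one of the configured domains.
    $at = strrpos($username, '@');
    if ($at !== false && in_array(strtolower(substr($username, $at + 1)), $cfg['strip_domains'], true)) {
        $username = substr($username, 0, $at);
    }
    if ($cfg['lowercase']) {
        $username = strtolower($username);
    }

    // Length and blacklist run on the normalized name, so "Root@example.com"
    // cannot slip past a blacklist entry for "root".
    if (strlen($username) < $cfg['min_length']) {
        return null; // denied, no LDAP authentication attempt
    }
    if (in_array(strtolower($username), $cfg['blacklist'], true)) {
        return null; // denied, no LDAP authentication attempt
    }
    return $username;
}

// Constructed configuration and login names.
$cfg = [
    'strip_domains' => ['example.com'],
    'lowercase'     => true,
    'min_length'    => 4,
    'blacklist'     => ['root', 'admin'],
];

foreach (['JDoe@example.com', 'Root@example.com', 'ab', 'jdoe@other.test'] as $login) {
    $result = prepareUsername($login, $cfg);
    echo str_pad($login, 18), ' => ', $result === null ? 'DENIED' : $result, "\n";
}
```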

sftpgo-ldap-http-server v0.2

14 Mar 22:18

This is a related project to the sftpgo-ldap one (that project can be used for regular web server scenarios, or alternatively via the PHP CLI).

This project integrates amphp/http-server so that it can function as a very simple HTTP server. That way you can run it locally on an SFTPGo server and tie it to the external_auth_hook parameter (by default this project runs on port 9001 and is accessible via http://localhost:9001/).

Furthermore, the PHP runtime, along with the LDAP and Sockets extensions, has been embedded into an EXE file generated by the ExeOutput for PHP product, making things a bit more portable.

This allows you to take the ZIP below and bring it onto your SFTPGo server pretty easily. Just unzip the file into a directory on your SFTPGo server, open a command prompt in that same directory, and run sftpgo-ldap-http-server.exe directly to start the HTTP server (make sure that you have copied configuration.example.php first so that you have a configuration.php file present in the Data folder included in the ZIP).

(There is also an OpenLDAP folder present in the ZIP file...you may move it to your C:\ root folder to help avoid TLS-related issues mentioned in the README...if you've already done this then you can safely delete/ignore that directory after unzipping).