WebDAV Setup: Difference between revisions

Latest revision as of 17:03, 27 May 2008

Goals

We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar.

Constraints

If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access.

Implementation Overview

We will use two instances of Apache:

  • one public-facing instance which runs safely as apache:apache on ports 80 and 443. Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache
    • this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server.
  • a second, private instance of Apache, which runs chrooted (in a Gentoo vserver-guest) as root:root and talks to the public-facing instance internally on port 8080. This instance of Apache must be handled with care, because of the potential for serious havoc as root!
    • autofs doesn't (yet?) work with vserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries

Reference Basic DAV and LDAP Setup

Environment

  • Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
  • Apache 2.2.8 for both the public-facing and private instances of Apache.
  • LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
    • LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
  • Testing was performed using WebDAV-capable clients:
    • Konqueror web-browser under Linux, with syntax: webdavs://<your_server>/<DAV_share>
    • Cadaver Linux command-line DAV client
    • Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
    • Mac OS-X: Finder > Go > Connect to Server with syntax https://<your_server>/<DAV_share>
    • Windows XP: use the Add Network Place Wizard with syntax https://<your_server>/<DAV_share>


Implementation Details

Private Apache Running as Root

Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's /etc/make.conf like this:

CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"
[ebuild   R   ] www-servers/apache-2.2.8  USE="ldap ssl -debug -doc (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex  cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 0 kB

Private Apache Startup and Configuration Directives

Place in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR"

Changes needed in /etc/apache/httpd.conf:

# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User root
Group root

Representative entries in /etc/apache2/modules.d/45_mod_dav.conf

<IfDefine DAV>

<IfModule dav_module>
<IfModule dav_fs_module>
<IfModule alias_module>

#
# Distributed authoring and versioning (WebDAV)
#
DavLockDB "/var/lib/dav/lockdb"

UserDir /home/*

<Directory /home/>
    Dav On
    DAVMinTimeout 600

#   so we can ~see~ PHP, rather than interpret/execute
    ForceType text/plain
    DavDepthInfinity On
    Options Indexes FollowSymLinks MultiViews

#   don't give an .htaccess any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

</IfModule>
</IfModule>
</IfModule>

#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a 
# problem with several clients that do not appropriately handle 
# redirects for folders with DAV methods.
#
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>

Representative entries in /etc/apache2/vhosts.d/00_default_vhost.conf

# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

<IfDefine DEFAULT_VHOST>
# see bug #178966 why this is in here

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 8080

# Use name-based virtual hosting.
NameVirtualHost *:8080

# When virtual hosts are enabled, the main host defined in the default
# httpd.conf configuration will go away. We redefine it here so that it is
# still available.
#
# If you disable this vhost by removing -D DEFAULT_VHOST from
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
# the default.
<VirtualHost *:8080>
	ServerName localhost
	Include /etc/apache2/vhosts.d/default_vhost.include

	<IfModule mpm_peruser_module>
		ServerEnvironment root root
	</IfModule>
</VirtualHost>
</IfDefine>

Private Apache NFS Configuration

Entry in /etc/fstab

192.168.0.191:/home	 /home	nfs	rw,soft,intr	0 0

Public-Facing Apache

Compile with some set of Gentoo USE-flags resembling this:

Public-Facing Apache Startup Directives

These go in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"

Define a virtual host, in the directory /etc/apache2/vhosts.d/ that resembles this example:

<VirtualHost *:443>
ServerName pritchard.dyndns.org:443
	   ProxyPass / http://192.168.0.130:8080/
	   ProxyPassReverse / http://192.168.0.130:8080/

<Proxy *>

<IfModule authnz_ldap_module>
#
#   don't give an .htaccess any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

#        Do basic password authentication in the clear
         AuthType Basic
#        LDAP Authentication & Authorization is final; do not check other databases
         AuthzLDAPAuthoritative on
#        Name which will appear in the browser's user/pass dialogue (realm)
         AuthName "Webdav - Restricted Access"
         AuthBasicProvider ldap
         AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one
         AuthLDAPBindDN "cn=Reader,dc=whiterock"
         AuthLDAPBindPassword <super_secret>

# Use only one of the following possible sections.

#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authorization phase.
#        Add as many as desired.
         require ldap-user <your_permitted_user_list>

#        There will be times when it's sufficient for an authenticated-user to be
#        authorized and granted access; if they're good in LDAP, they're OK by me.
#        In this case, any LDAP valid user is fine; apache won't restrict further.
#         require valid-user

</IfModule>

</Proxy>
</VirtualHost>


Testing

  • Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authorization
    • change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
    • anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
  • Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W
Enter LDAP Password: ultra_secret
  • in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
  • to test-connect:
hostname ~ # cadaver http://localhost/<your_DAV_share>
  • Connection-attempt results:
    • Apache status code 200 or 207 is what you're after: things are good
    • Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
      • check compile options
      • check apache startup directives
      • check /etc/apache2/modules.d/45_mod_dav.conf
      • take authentication / authorization out of the picture (disable) until you can clear this fundamental DAV protocol issue
    • Apache status codes 401 and 403 are common with authentication/authorization problems
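The AuthLDAPURL in the proxy vhost above and the ldapsearch connectivity check in this section describe the same query from two sides. The following added example (not code from the wiki page or from Apache) decodes an AuthLDAPURL into the search filter Apache issues for a login name, escaping the name so it cannot reshape the filter, and emits the ldapsearch command that exercises exactly that base, scope and filter; the 192.168.0.110 URL and cn=Reader bind DN are the page's own, while the alice login name and the ldap.example.test host are constructed for illustration.

```python
"""Decode an Apache AuthLDAPURL and derive the LDAP query it implies.

Added example, not code from the wiki page or from Apache. It takes the
AuthLDAPURL form used in the proxy vhost, ldap://host:port/basedn?attr?scope?filter,
and derives (a) the search filter mod_authnz_ldap sends for a login name, with
the name escaped as RFC 4515 requires, and (b) an ldapsearch command that
exercises the same base, scope and filter, like the connectivity check above.
"""
import shlex
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class AuthLdapUrl:
    scheme: str      # ldap or ldaps
    host: str
    port: int
    base_dn: str     # search base, e.g. ou=users,dc=whiterock
    attribute: str   # attribute matched against the login name (default uid)
    scope: str       # one, sub or base
    filter: str      # extra filter ANDed with the attribute match, parenthesised


# RFC 4515 escapes for characters that would otherwise change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name for use as an assertion value inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Parse ldap[s]://host[:port]/basedn[?attribute[?scope[?filter]]].

    Defaults follow the mod_authnz_ldap documentation: attribute uid,
    scope sub, filter (objectClass=*).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must start with ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("AuthLDAPURL needs a host")
    # urlsplit puts everything after the first '?' into .query, so the
    # attribute?scope?filter fields are still separated by '?' there.
    fields = [unquote(f) for f in parts.query.split("?")] if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, flt = fields[:3]
    scope = scope or "sub"
    if scope not in ("one", "sub", "base"):
        raise ValueError(f"unsupported LDAP scope {scope!r}")
    flt = flt or "(objectClass=*)"
    if not flt.startswith("("):
        flt = f"({flt})"
    return AuthLdapUrl(
        scheme=parts.scheme,
        host=parts.hostname,
        port=parts.port or (636 if parts.scheme == "ldaps" else 389),
        base_dn=unquote(parts.path.lstrip("/")),
        attribute=attribute or "uid",
        scope=scope,
        filter=flt,
    )


def search_filter(u: AuthLdapUrl, username: str) -> str:
    """The filter Apache issues for a login attempt: (&(filter)(attribute=user))."""
    return f"(&{u.filter}({u.attribute}={escape_filter_value(username)}))"


def ldapsearch_command(u: AuthLdapUrl, bind_dn: str, username: str) -> str:
    """ldapsearch invocation matching the directive; -W prompts for the bind
    password so the reader's secret never lands in shell history or ps output."""
    args = ["ldapsearch", "-x", "-H", f"{u.scheme}://{u.host}:{u.port}",
            "-D", bind_dn, "-W", "-b", u.base_dn, "-s", u.scope,
            search_filter(u, username)]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # The AuthLDAPURL and bind DN from the proxy vhost on this page; 'alice' is constructed.
    url = parse_auth_ldap_url("ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one")
    print(search_filter(url, "alice"))
    print(ldapsearch_command(url, "cn=Reader,dc=whiterock", "alice"))
```

Run it once for each AuthLDAPURL you intend to deploy: if the printed ldapsearch returns no entry for a known user, Apache's search phase will fail the same way, and the attribute, scope or base in the directive is what needs fixing.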




Reference DAV, LDAP and AutoFS

To make WebDAV really useful, we want to have our user authenticate, get authorized, then access their home-directory.

Setup Automounting

Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:

hostname ~ # emerge -pv nfs-utils autofs

Edit the master autofs file to look like:

hostname ~ # emacs -nw /etc/autofs/auto.master

/home  /etc/autofs/auto.home

Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:

hostname ~ # emacs -nw /etc/autofs/auto.home

*       -rw,soft,intr   192.168.0.192:/home/&

Now, fire up the services, and then check that portmap and automount are running (with ps aux for example)

hostname ~ # /etc/init.d/nfsmount start
hostname ~ # /etc/init.d/autofs start

Verify that you can automount something - typically by changing to a directory such as /home/gordonp and performing an ls. You should see all the stuff you'd normally see in that home-dir.

Make these services stick between reboots:

hostname ~ # rc-update add nfsmount default
hostname ~ # rc-update add autofs default