WebDAV Setup: Difference between revisions
Jump to navigation
Jump to search
| Line 95: | Line 95: | ||
===Differences with Apache 2.0.x=== | ===Differences with Apache 2.0.x=== | ||
*get rid of mod_auth_ldap; it isn't needed with Apache 2.2.x, but '''was''' necessary with earlier versions. | *get rid of mod_auth_ldap; it isn't needed with Apache 2.2.x, but '''was''' necessary with earlier versions. | ||
<font color=red>hostname</font> <font color=blue>~ #</font> '''emerge --unmerge mod_auth_ldap''' | |||
*I couldn't get <Location> containers to work in 2.2.x, where they certainly did with prior versions. Hence the use of <Directory> above. | *I couldn't get <Location> containers to work in 2.2.x, where they certainly did with prior versions. Hence the use of <Directory> above. | ||
*under Apache 2.2.4, the file '''46_mod_ldap.conf''' remained untouched | *under Apache 2.2.4, the file '''46_mod_ldap.conf''' remained untouched | ||
Revision as of 15:59, 16 May 2007
Reference Setup
Environment
- Gentoo Linux, kernel 2.6.20-hardened-r2
- Apache 2.2.4 working, already serving general web-content (incl. PHP5 scripts)
- LDAP auth known-working, on a separate box (in use for some time, to control user-logins)
- Testing was performed using WebDAV-capable clients:
- Konqueror web-browser under Linux, with syntax: webdav://<your_server>/<DAV_share>
- Cadaver Linux command-line DAV client
- Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
- Mac OS-X: Finder > Go > Connect to Server with syntax http://<your_server>/<DAV_share>
- Windows XP: use the Add Network Place Wizard with syntax http://<your_server>/<DAV_share>
This reference applies to Apache 2.2.4, to DAV-enable a server, with LDAP authentication / authourization to access the DAV share. This was all placed in the file /etc/apache2/modules.d/45_mod_dav.conf.
<IfDefine DAV>
<IfModule dav_module>
<IfModule dav_fs_module>
<IfModule alias_module>
<IfModule authn_file_module>
DavLockDB "/var/lib/dav/lockdb"
Alias /inferno /var/dav
<IfModule authnz_ldap_module>
<Directory /var/dav>
Dav On
DAVMinTimeout 600
# so we can ~see~ PHP (and others?), rather than interpret/execute
ForceType text/plain
DavDepthInfinity On
Options Indexes FollowSymLinks MultiViews
# don't give a directory-specific .htaccess any any cred :-)
AllowOverride None
Order allow,deny
Allow from all
<Limit GET PUT POST DELETE PROPFIND PROPPATCH PROPFETCH MKCOL COPY MOVE LOCK UNLOCK>
AuthType Basic
AuthName "Dav - Restricted Access"
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.0.192:389/ou=users,dc=whiterock?uid?one
AuthLDAPBindDN "cn=Reader,dc=whiterock"
AuthLDAPBindPassword ultra_secret
# Use only one of the following possible sections.
# Explicitly list the permitted users, ~after~ authentication has succeeded.
# Effectively a 2nd gate, at the authourization phase.
# require ldap-user gordonp
# There will be times when it's sufficient for an authenticated-user to be
# authourized and granted access; it they're good in LDAP, they're OK by me.
# authourization will now pass to mod_authz_user
AuthzLDAPAuthoritative off
require valid-user
</Limit>
</Directory>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
</IfModule>
#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with several clients that do not appropriately handle
# redirects for folders with DAV methods.
#
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>
</IfDefine>
Differences with Apache 2.0.x
- get rid of mod_auth_ldap; it isn't needed with Apache 2.2.x, but was necessary with earlier versions.
hostname ~ # emerge --unmerge mod_auth_ldap
- I couldn't get <Location> containers to work in 2.2.x, where they certainly did with prior versions. Hence the use of <Directory> above.
- under Apache 2.2.4, the file 46_mod_ldap.conf remained untouched
Startup Directives
These go in /etc/conf.d/apache2 for Gentoo:
APACHE2_OPTS="-D DAV -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP"
Testing
- Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
- change the <LIMIT> </LIMIT> containers above, to <LIMITExcept> </LIMITExcept>
- anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
- Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W Enter LDAP Password: ultra_secret
- in a dedicated console-window, you can watch what Apache thinks of your connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
- Connection-attempt results:
- Apache status code 200 or 207 is a what you're after: things are good
- Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
- check compile options
- check apache startup directives
- check /etc/apache2/modules.d/45_mod_dav.conf
- take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue
- Apache status codes 401 and 403 are common with authentication/authourization problems
Next
Two things bother me about this reference setup, and both can be summed up in a single word: encryption!
- we'd like to use SSL to encrypt and secure the connection to our LDAP server
- we'd like to use SSL to encrypt and secure the data flowing between DAV-server and the user