WebDAV Setup

Revision as of 13:32, 2 June 2007

Reference Basic DAV and LDAP Setup

Environment

  • Gentoo Linux, kernel 2.6.20-hardened-r2
  • Apache 2.2.4 working, already serving general web-content (incl. PHP5 scripts)
  • LDAP auth known-working, on a separate box (in use for some time, to control user-logins)
  • Testing was performed using WebDAV-capable clients:
    • Konqueror web-browser under Linux, with syntax: webdav://<your_server>/<DAV_share>
    • Cadaver Linux command-line DAV client
    • Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
    • Mac OS-X: Finder > Go > Connect to Server with syntax http://<your_server>/<DAV_share>
    • Windows XP: use the Add Network Place Wizard with syntax http://<your_server>/<DAV_share>


This reference applies to Apache 2.2.4 and shows how to DAV-enable a server, with LDAP authentication / authorization controlling access to the DAV share. All of it was placed in the file /etc/apache2/modules.d/45_mod_dav.conf.

<IfDefine DAV>

<IfModule dav_module>
<IfModule dav_fs_module>
<IfModule alias_module>
<IfModule authn_file_module>

DavLockDB "/var/lib/dav/lockdb"

Alias /inferno /var/dav

<IfModule authnz_ldap_module>
<Directory /var/dav>
    Dav On
    DAVMinTimeout 600

#   so we can ~see~ PHP (and others?), rather than interpret/execute
    ForceType text/plain
    DavDepthInfinity On
    Options Indexes FollowSymLinks MultiViews

#   don't give a directory-specific .htaccess any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

#   authentication applies only to the methods listed here; HEAD follows GET,
#   but anything not listed (e.g. OPTIONS) is answered without credentials
     <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
         AuthType Basic
         AuthName "Dav - Restricted Access"
         AuthBasicProvider ldap
         AuthLDAPURL ldap://192.168.0.192:389/ou=users,dc=whiterock?uid?one
         AuthLDAPBindDN "cn=Reader,dc=whiterock"
         AuthLDAPBindPassword ultra_secret

# Use only one of the following possible sections.

#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authorization phase.
#         require ldap-user gordonp

#        There will be times when it's sufficient for an authenticated-user to be
#        authorized and granted access; if they're good in LDAP, they're OK by me.

#        authorization will now pass to mod_authz_user
         AuthzLDAPAuthoritative  off
         require valid-user


     </Limit>

</Directory>
</IfModule>


</IfModule>
</IfModule>
</IfModule>
</IfModule>


#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a 
# problem with several clients that do not appropriately handle 
# redirects for folders with DAV methods.
#
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>


Differences with Apache 2.0.x

  • get rid of mod_auth_ldap; it isn't needed with Apache 2.2.x, but was necessary with earlier versions.
hostname ~ # emerge --unmerge mod_auth_ldap
  • I couldn't get <Location> containers to work in 2.2.x, where they certainly did with prior versions. Hence the use of <Directory> above.
  • under Apache 2.2.4, the file 46_mod_ldap.conf remained untouched


Startup Directives

These go in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DAV -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP"


Testing

  • Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authorization
    • change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
    • anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
  • Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W
Enter LDAP Password: ultra_secret
  • in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
  • Connection-attempt results:
    • Apache status code 200 or 207 is what you're after: things are good
    • Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
      • check compile options
      • check apache startup directives
      • check /etc/apache2/modules.d/45_mod_dav.conf
      • take authentication / authorization out of the picture (disable) until you can clear this fundamental DAV protocol issue
    • Apache status codes 401 and 403 are common with authentication/authorization problems
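As an added example (not part of the original wiki page), a small Python check for the <Limit> block in the reference config above and for the <LimitExcept> swap used in the Testing section: it reports which HTTP/WebDAV methods the container leaves unauthenticated, following the Apache rule that a GET restriction also covers HEAD. The method set and the two sample lines are constructed here, not taken from Apache itself.

```python
"""Audit which methods an Apache <Limit>/<LimitExcept> auth block leaves open."""
import re

# Methods a mod_dav share answers: the HTTP verbs plus the RFC 4918 WebDAV verbs.
DAV_METHODS = frozenset({
    "OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
})

# Opening tag of a <Limit ...> or <LimitExcept ...> container.
LIMIT_RE = re.compile(r"<(Limit|LimitExcept)\s+([^>]+)>", re.IGNORECASE)


def audit_limit(conf):
    """Return the DAV methods NOT covered by the auth block, plus any listed
    names that are not real methods (Apache 2.2 accepts those silently)."""
    m = LIMIT_RE.search(conf)
    if m is None:  # no container: the Auth* directives apply to every method
        return {"uncovered": [], "unknown": []}
    kind, listed = m.group(1).lower(), set(m.group(2).split())
    # Apache maps HEAD onto GET, so a GET entry also covers HEAD in both containers.
    if "GET" in listed:
        listed.add("HEAD")
    if kind == "limit":
        uncovered = DAV_METHODS - listed   # only the listed methods require auth
    else:
        uncovered = DAV_METHODS & listed   # the listed methods are exempt from auth
    return {"uncovered": sorted(uncovered), "unknown": sorted(listed - DAV_METHODS)}


# Constructed sample: the <Limit> line from the reference config above.
PAGE_LIMIT = "<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>"
# Constructed sample: the same line flipped to <LimitExcept>, as the Testing section does.
TEST_LIMITEXCEPT = PAGE_LIMIT.replace("<Limit ", "<LimitExcept ")

if __name__ == "__main__":
    for label, conf in (("Limit", PAGE_LIMIT), ("LimitExcept", TEST_LIMITEXCEPT)):
        print(label, audit_limit(conf))
```

With the reference line only OPTIONS is answered without credentials; with the LimitExcept test variant every method except OPTIONS is, which is why the page warns against leaving real data in the DAV-root during that test.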


Annoyances

Two things bother me about this reference setup, and both can be summed up in a single word: encryption!

  • we'd like to use SSL to encrypt and secure the connection to our LDAP server
  • we'd like to use SSL to encrypt and secure the data flowing between DAV-server and the user



Reference DAV, LDAP and AutoFS

To make WebDAV really useful, we want our user to authenticate, get authorized, then access their home-directory. First, we'll get AutoFS going, then add that into our apache2 configuration.

Setup Automounting

Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:

hostname ~ # emerge -pv nfs-utils autofs

Edit the master autofs file to look like:

hostname ~ # emacs -nw /etc/autofs/auto.master

/home  /etc/autofs/auto.home

Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:

hostname ~ # emacs -nw /etc/autofs/auto.home

*       -rw,soft,intr   192.168.0.192:/home/&

Now, fire up the services, and then check that portmap and automount are running (with ps aux for example)

hostname ~ # /etc/init.d/nfsmount start
hostname ~ # /etc/init.d/autofs start

Verify that you can automount something - typically by changing to a directory such as /home/gordonp and performing an ls. You should see all the stuff you'd normally see in that home-dir.

Make the settings stick between reboots:

hostname ~ # rc-update add nfsmount default
hostname ~ # rc-update add autofs default

Integrating with Apache 2.2.4

haven't got here, yet.