Goals

We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar.

Constraints

If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access.

Implementation Overview

We will use two instances of Apache:

• one public-facing instance which runs safely as apache:apache on ports 80 and 443. Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache
  • this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server.
• a second, private instance of Apache, which runs chrooted (in a Gentoo verserver-guest) as root:root, and communicates with port 8080 internally, to the public-facing instance of Apache. This instance of apache must be handled with care, because of the potential for serious havoc as root!
  • autofs doesn't (yet?) work with verserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries

Reference Basic DAV and LDAP Setup

Environment

• Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
• Apache 2.2.8 for both the public-facing and private instances of Apache.
• LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
  • LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
• Testing was performed using WebDAV-capable clients:
  • Konqueror web-browser under Linux, with syntax: webdavs://<your_server>/<DAV_share>
  • Cadaver Linux command-line DAV client
  • Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
  • Mac OS-X: Finder > Go > Connect to Server with syntax https://<your_server>/<DAV_share>
  • Windows XP: use the Add Network Place Wizard with syntax https://<your_server>/<DAV_share>

Implementation Details

Private Apache Running as Root

Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's /etc/make.conf like this:

CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"

[ebuild   R   ] www-servers/apache-2.2.8  USE="ldap ssl -debug -doc (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex  cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 0 kB 

Private Apache Startup Directives

Place in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -D DAV -D DAV_FS -D USERDIR"

Some of these startup directives are not necessary, and can be pruned (edit later).
Changes needed in /etc/apache/httpd.conf:

# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User root
Group root

Public-Facing Apache

Compile with some set of Gentoo USE-flags resembling this:

Public-Facing Apache Startup Directives

These go in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"

Define a virtual host, in the directory /etc/apache2/vhosts.d/ that resembles this example:

<VirtualHost *:443>
ServerName pritchard.dyndns.org:443
	   ProxyPass / http://192.168.0.130:8080/
	   ProxyPassReverse / http://192.168.0.130:8080/

<Proxy *>

<IfModule authnz_ldap_module>
#
#   don't give an .htaccess any any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

#        Do basic password authentication in the clear
         AuthType Basic
#        LDAP Authentication & Authorization is final; do not check other databases
         AuthzLDAPAuthoritative on
#        Name which will appear in the browser's user/pass dialogue (realm)
         AuthName "Webdav - Restricted Access"
         AuthBasicProvider ldap
         AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one
         AuthLDAPBindDN "cn=Reader,dc=whiterock"
         AuthLDAPBindPassword <super_secret>

# Use only one of the following possible sections.

#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authourization phase.
#        Add as many as desired.
         require ldap-user <your_permitted_user_list>

#        There will be times when it's sufficient for an authenticated-user to be
#        authourized and granted access; it they're good in LDAP, they're OK by me.
#        In this case, any LDAP valid user is fine; apache won't restrict further.
#         require valid-user

</IfModule>

</Proxy>
</VirtualHost>

Testing

• Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
  • change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
  • anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
• Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:

hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W
Enter LDAP Password: ultra_secret

• in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:

hostname ~ # tail -f /var/log/apache2/error_log

• to test-connect:

hostname ~ # cadaver http://localhost/<your_DAV_share>

• Connection-attempt results:
  • Apache status code 200 or 207 is what you're after: things are good
  • Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
    • check compile options
    • check apache startup directives
    • check /etc/apache2/modules.d/45_mod_dav.conf
    • take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue
  • Apache status codes 401 and 403 are common with authentication/authourization problems

Reference DAV, LDAP and AutoFS

To make WebDAV really useful, we want to have our user authenticate, get authourized, then access their home-directory.

===Setup Automounting=== Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:

hostname ~ # emerge -pv nfs-utils autofs

hostname ~ # emacs -nw /etc/autofs/auto.master

/home  /etc/autofs/auto.home

hostname ~ # emacs -nw /etc/autofs/auto.home

*       -rw,soft,intr   192.168.0.192:/home/&

hostname ~ # /etc/init.d/nfsmount start
hostname ~ # /etc/init.d/autofs start

hostname ~ # rc-update add nfsmount default
hostname ~ # rc-update add autofs default