WebDAV Setup: Difference between revisions

From Research
Jump to navigation Jump to search
No edit summary
 
(41 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Reference Setup==
=Goals=
For Apache 2.2.4, here is a reference-setup, for DAV-enabling a server.  This was all placed in the file '''/etc/apache2/modules.d/45_mod_dav.conf'''.
We want to provide SSL access for users, to their home-directories, using WebDAV.  Why WebDAV?  Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users:  setup is minimal, and usage is drag-and-drop familiar.
=Constraints=
If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-(  One solution is to run Apache as root:root, which then permits access.
=Implementation Overview=
We will use two instances of Apache:
*one public-facing instance which runs safely as apache:apache on ports 80 and 443.  Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache
**this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server.
*a second, private instance of Apache, which runs chrooted (in a Gentoo verserver-guest) as root:root, and communicates with port 8080 internally, to the public-facing instance of Apache.  This instance of apache must be handled with care, because of the potential for serious havoc as root!
**autofs doesn't (yet?) work with verserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries


==Reference Basic DAV and LDAP Setup==
===Environment===
*Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
*Apache 2.2.8 for both the public-facing  and private instances of Apache.
*LDAP auth working, for authenticating WebDAV users.  The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
**LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
*Testing was performed using WebDAV-capable clients:
**Konqueror web-browser under Linux, with syntax:  '''webdavs://''<your_server>/<DAV_share>'''''
**Cadaver Linux command-line DAV client
**Nautilus under Linux, through the '''Connect to Server''' dialogue either found in Nautilus, or accessed from the '''Gnome > Places''' menu
**Mac OS-X:  '''Finder > Go > Connect to Server''' with syntax '''https://''<your_server>/<DAV_share>'''''
**Windows XP: use the '''Add Network Place Wizard''' with syntax '''https://''<your_server>/<DAV_share>'''''
<br>
===Implementation Details===
====Private Apache Running as Root====
Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ).  In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's '''/etc/make.conf''' like this:
CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"
[<font color=lime>ebuild</font>  <font color=gold>R</font>  ] <font color=lime>www-servers/apache-2.2.8</font>  USE="<font color=red>ldap ssl</font> <font color=blue>-debug -doc </font>(<font colour-blue>-selinux</font>) <font color=blue>-sni -static -suexec -threads</font>" APACHE2_MODULES="<font color=red>actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex  cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias</font> <font color=blue>-asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version</font>" APACHE2_MPMS="<font color=blue>-event -itk -peruser -prefork -worker</font>" 0 kB
====Private Apache Startup and Configuration Directives====
Place in '''/etc/conf.d/apache2''' for Gentoo:
APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR"
Changes needed in /etc/apache/httpd.conf:
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User root
Group root
Representative entries in '''/etc/apache2/modules.d/45_mod_dav.conf
  <IfDefine DAV>
  <IfDefine DAV>
   
   
Line 7: Line 45:
  <IfModule dav_fs_module>
  <IfModule dav_fs_module>
  <IfModule alias_module>
  <IfModule alias_module>
<IfModule authn_file_module>
   
   
#
# Distributed authoring and versioning (WebDAV)
#
  DavLockDB "/var/lib/dav/lockdb"
  DavLockDB "/var/lib/dav/lockdb"
   
   
  Alias /inferno /var/dav
  UserDir /home/*
   
   
<IfModule authnz_ldap_module>
  <Directory /home/>
  <Directory /var/dav>
     Dav On
     Dav On
     DAVMinTimeout 600
     DAVMinTimeout 600
Line 27: Line 66:
     Order allow,deny
     Order allow,deny
     Allow from all
     Allow from all
      <Limit GET PUT POST DELETE PROPFIND PROPPATCH PROPFETCH MKCOL COPY MOVE LOCK UNLOCK>
          AuthType Basic
          AuthName "Dav - Restricted Access"
          AuthBasicProvider ldap
          AuthLDAPURL ldap://192.168.0.192:389/ou=users,dc=whiterock?uid?one
          AuthLDAPBindDN "cn=Reader,dc=whiterock"
          AuthLDAPBindPassword ''ultra_secret''
# Use only one of the following possible sections.
#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authourization phase.
#        require ldap-user gordonp
#        There will be times when it's sufficient for an authenticated-user to be
#        authourized and granted access; it they're good in LDAP, they're OK by me.
#        authourization will now pass to mod_authz_user
          AuthzLDAPAuthoritative  off
          require valid-user
      </Limit>
   
   
  </Directory>
  </Directory>
</IfModule>
   
   
</IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
  </IfModule>
   
   
  #
  #
Line 72: Line 83:
  BrowserMatch "MS FrontPage" redirect-carefully
  BrowserMatch "MS FrontPage" redirect-carefully
  BrowserMatch "^WebDrive" redirect-carefully
  BrowserMatch "^WebDrive" redirect-carefully
  BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
  BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully
  BrowserMatch "^gnome-vfs/1.0" redirect-carefully
  BrowserMatch "^gnome-vfs/1.0" redirect-carefully
  BrowserMatch "^XML Spy" redirect-carefully
  BrowserMatch "^XML Spy" redirect-carefully
Line 78: Line 89:
  </IfModule>
  </IfModule>
   
   
</IfDefine>
Representative entries in '''/etc/apache2/vhosts.d/00_default_vhost.conf
# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
<IfDefine DEFAULT_VHOST>
# see bug #178966 why this is in here
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 8080
# Use name-based virtual hosting.
NameVirtualHost *:8080
# When virtual hosts are enabled, the main host defined in the default
# httpd.conf configuration will go away. We redefine it here so that it is
# still available.
#
# If you disable this vhost by removing -D DEFAULT_VHOST from
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
# the default.
<VirtualHost *:8080>
ServerName localhost
Include /etc/apache2/vhosts.d/default_vhost.include
<IfModule mpm_peruser_module>
ServerEnvironment root root
</IfModule>
</VirtualHost>
  </IfDefine>
  </IfDefine>


<br>
====Private Apache NFS Configuration====
===Differences with Apache 2.0.x===
Entry in '''/etc/fstab'''
*get rid of mod_auth_ldap; it isn't needed with Apache 2.2.x, but '''was''' necessary with earlier versions.
192.168.0.191:/home /home nfs rw,soft,intr 0 0
*I couldn't get <Location> containers to work in 2.2.x, where they certainly did with prior versions.  Hence the use of <Directory> above.
 
<br>
====Public-Facing Apache====
Compile with some set of Gentoo USE-flags resembling this:


===Startup Directives===
====Public-Facing Apache Startup Directives====
These go in '''/etc/conf.d/apache2''' for Gentoo:
These go in '''/etc/conf.d/apache2''' for Gentoo:
  APACHE2_OPTS="-D DAV -D DEFAULT_VHOST -D INFO -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP"
  APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"
Define a virtual host, in the directory '''/etc/apache2/vhosts.d/''' that resembles this example:
<VirtualHost *:443>
ServerName pritchard.dyndns.org:443
  ProxyPass / http://192.168.0.130:8080/
  ProxyPassReverse / http://192.168.0.130:8080/
<Proxy *>
<IfModule authnz_ldap_module>
#
#  don't give an .htaccess any any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all
#        Do basic password authentication in the clear
          AuthType Basic
#        LDAP Authentication & Authorization is final; do not check other databases
          AuthzLDAPAuthoritative on
#        Name which will appear in the browser's user/pass dialogue (realm)
          AuthName "Webdav - Restricted Access"
          AuthBasicProvider ldap
          AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one
          AuthLDAPBindDN "cn=Reader,dc=whiterock"
          AuthLDAPBindPassword <super_secret>
# Use only one of the following possible sections.
#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authourization phase.
#        Add as many as desired.
          require ldap-user <your_permitted_user_list>
#        There will be times when it's sufficient for an authenticated-user to be
#        authourized and granted access; it they're good in LDAP, they're OK by me.
#        In this case, any LDAP valid user is fine; apache won't restrict further.
#        require valid-user
</IfModule>
</Proxy>
</VirtualHost>
<br>


<br>
===Testing===
===Testing===
*Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
*Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
**change the <LIMIT> </LIMIT> containers above, to <LIMITExcept> </LIMITExcept>
**change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
**anyone, anywhere can now browse your DAV share!!  Don't put valuable stuff here, just test-files
**anyone, anywhere can now browse your DAV share!!  Don't put valuable stuff in your DAV-root, just test-files
*Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of LDIF output:
*Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
  <font color=red>hostname</font> <font color=blue>~ #</font> '''ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W'''
  <font color=red>hostname</font> <font color=blue>~ #</font> '''ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W'''
  Enter LDAP Password: '''''ultra_secret'''''
  Enter LDAP Password: '''''ultra_secret'''''
*in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
<font color=red>hostname</font> <font color=blue>~ #</font> '''tail -f /var/log/apache2/error_log'''
*to test-connect:
<font color=red>hostname</font> <font color=blue>~ #</font> '''cadaver http://localhost/''<your_DAV_share>'''''
*Connection-attempt results:
**Apache status code 200 or 207 is what you're after:  things are good
**Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
***check compile options
***check apache startup directives
***check /etc/apache2/modules.d/45_mod_dav.conf
***take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue
**Apache status codes 401 and 403 are common with authentication/authourization problems
<br>


<br>
<br>
===Next===
<br>
Two things bother me about this, and both can be summed up in a single word: encryption!
==Reference DAV, LDAP and AutoFS==
*we'd like to use SSL to encrypt and secure the connection to our LDAP server
To make WebDAV really useful, we want to have our user authenticate, get authourized, then access their home-directory.
*we'd like to use SSL to encrypt and secure the data flowing between DAV-server and the user
 
<s>===Setup Automounting===
Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:
 
<font color=red>hostname</font> <font color=blue>~ #</font> '''emerge -pv nfs-utils autofs'''
Edit the master autofs file to look like:
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/autofs/auto.master'''
'''/home  /etc/autofs/auto.home'''
 
Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:
<font color=red>hostname</font> <font color=blue>~ #</font> '''emacs -nw /etc/autofs/auto.home'''
'''*       -rw,soft,intr  192.168.0.192:/home/&'''
 
Now, fire up the services, and then check that portmap and automount are running (with '''ps aux''' for example)
<font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/nfsmount start'''
<font color=red>hostname</font> <font color=blue>~ #</font> '''/etc/init.d/autofs start'''
 
Verify that you can automount something - typically by changing to a directory such as '''/home/gordonp''' and performing an '''ls'''.  You should see all the stuff you'd normally see in that home-dir.
 
Make these seervices stick between reboots:
<font color=red>hostname</font> <font color=blue>~ #</font> '''rc-update add nfsmount default'''
<font color=red>hostname</font> <font color=blue>~ #</font> '''rc-update add autofs default'''
</s>

Latest revision as of 17:03, 27 May 2008

Goals

We want to provide SSL access for users, to their home-directories, using WebDAV. Why WebDAV? Because it is well supported under Windows, OS-X, and Linux, and lowers the barriers to productivity for less-technically-inclined users: setup is minimal, and usage is drag-and-drop familiar.

Constraints

If we have user-home-dirs with restrictive permissions (0700 - no-one else can do anything), then Apache cannot traverse and serve these directories :-( One solution is to run Apache as root:root, which then permits access.

Implementation Overview

We will use two instances of Apache:

  • one public-facing instance which runs safely as apache:apache on ports 80 and 443. Use ProxyPass and ProxyPassReverse to talk to the second instance of Apache
    • this instance of apache will run chrooted in a vserver-guest environment, as a matter of security and convenience. However it could just as easily run on a "regular" non-chrooted / non-virtualized server.
  • a second, private instance of Apache, which runs chrooted (in a Gentoo verserver-guest) as root:root, and communicates with port 8080 internally, to the public-facing instance of Apache. This instance of apache must be handled with care, because of the potential for serious havoc as root!
    • autofs doesn't (yet?) work with verserver-guests, so all user-home-dirs are NFS-mounted, all the time, via /etc/fstab entries

Reference Basic DAV and LDAP Setup

Environment

  • Gentoo Linux Vserver guest, with the host running kernel 2.6.22-vs2.2.0.6-gentoo
  • Apache 2.2.8 for both the public-facing and private instances of Apache.
  • LDAP auth working, for authenticating WebDAV users. The public-facing instance of Apache is responsible for authenticating, and any authenticated LDAP user is then permitted to access their WebDAV share (authorization = valid user).
    • LDAP can run on a remote machine; in our reference example, OpenLDAP happens to run in yet another vserver-guest environment.
  • Testing was performed using WebDAV-capable clients:
    • Konqueror web-browser under Linux, with syntax: webdavs://<your_server>/<DAV_share>
    • Cadaver Linux command-line DAV client
    • Nautilus under Linux, through the Connect to Server dialogue either found in Nautilus, or accessed from the Gnome > Places menu
    • Mac OS-X: Finder > Go > Connect to Server with syntax https://<your_server>/<DAV_share>
    • Windows XP: use the Add Network Place Wizard with syntax https://<your_server>/<DAV_share>


Implementation Details

Private Apache Running as Root

Apache won't run as root, normally (and, to be sure, this is a GOOD thing :-) ). In order to convince Apache to run as root, you must recompile it with a new CFLAG -DBIG_SECURITY_HOLE; set this in Gentoo's /etc/make.conf like this:

CFLAGS="-march=nocona -O2 -pipe -DBIG_SECURITY_HOLE"
[ebuild   R   ] www-servers/apache-2.2.8  USE="ldap ssl -debug -doc (-selinux) -sni -static -suexec -threads" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex  cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif speling status unique_id userdir usertrack vhost_alias -asis -authn_alias -cern_meta -charset_lite -dumpio -log_forensic -proxy_ftp -version" APACHE2_MPMS="-event -itk -peruser -prefork -worker" 0 kB

Private Apache Startup and Configuration Directives

Place in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D LANGUAGE -D DAV -D DAV_FS -D USERDIR"

Changes needed in /etc/apache/httpd.conf:

# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
User root
Group root

Representative entries in /etc/apache2/modules.d/45_mod_dav.conf

<IfDefine DAV>

<IfModule dav_module>
<IfModule dav_fs_module>
<IfModule alias_module>

#
# Distributed authoring and versioning (WebDAV)
#
DavLockDB "/var/lib/dav/lockdb"

UserDir /home/*

<Directory /home/>
    Dav On
    DAVMinTimeout 600

#   so we can ~see~ PHP, rather than interpret/execute
    ForceType text/plain
    DavDepthInfinity On
    Options Indexes FollowSymLinks MultiViews

#   don't give an .htaccess any any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

</Directory>

</IfModule>
</IfModule>
</IfModule>

#
# The following directives disable redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a 
# problem with several clients that do not appropriately handle 
# redirects for folders with DAV methods.
#
<IfModule setenvif_module>
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012345]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
</IfModule>

</IfDefine>

Representative entries in /etc/apache2/vhosts.d/00_default_vhost.conf

# Virtual Hosts
#
# If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs/2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.

<IfDefine DEFAULT_VHOST>
# see bug #178966 why this is in here

# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 8080

# Use name-based virtual hosting.
NameVirtualHost *:8080

# When virtual hosts are enabled, the main host defined in the default
# httpd.conf configuration will go away. We redefine it here so that it is
# still available.
#
# If you disable this vhost by removing -D DEFAULT_VHOST from
# /etc/conf.d/apache2, the first defined virtual host elsewhere will be
# the default.
<VirtualHost *:8080>
	ServerName localhost
	Include /etc/apache2/vhosts.d/default_vhost.include

	<IfModule mpm_peruser_module>
		ServerEnvironment root root
	</IfModule>
</VirtualHost>
</IfDefine>

Private Apache NFS Configuration

Entry in /etc/fstab

192.168.0.191:/home	 /home	nfs	rw,soft,intr	0 0

Public-Facing Apache

Compile with some set of Gentoo USE-flags resembling this:

Public-Facing Apache Startup Directives

These go in /etc/conf.d/apache2 for Gentoo:

APACHE2_OPTS="-D DEFAULT_VHOST -D STATUS -D MANUAL -D LANGUAGE -D PHP5 -D LDAP -D AUTH_LDAP -D PROXY -D SSL -D SSL_DEFAULT_VHOST"

Define a virtual host, in the directory /etc/apache2/vhosts.d/ that resembles this example:

<VirtualHost *:443>
ServerName pritchard.dyndns.org:443
	   ProxyPass / http://192.168.0.130:8080/
	   ProxyPassReverse / http://192.168.0.130:8080/

<Proxy *>

<IfModule authnz_ldap_module>
#
#   don't give an .htaccess any any cred :-)
    AllowOverride None
    Order allow,deny
    Allow from all

#        Do basic password authentication in the clear
         AuthType Basic
#        LDAP Authentication & Authorization is final; do not check other databases
         AuthzLDAPAuthoritative on
#        Name which will appear in the browser's user/pass dialogue (realm)
         AuthName "Webdav - Restricted Access"
         AuthBasicProvider ldap
         AuthLDAPURL ldap://192.168.0.110:389/ou=users,dc=whiterock?uid?one
         AuthLDAPBindDN "cn=Reader,dc=whiterock"
         AuthLDAPBindPassword <super_secret>

# Use only one of the following possible sections.

#        Explicitly list the permitted users, ~after~ authentication has succeeded.
#        Effectively a 2nd gate, at the authourization phase.
#        Add as many as desired.
         require ldap-user <your_permitted_user_list>

#        There will be times when it's sufficient for an authenticated-user to be
#        authourized and granted access; it they're good in LDAP, they're OK by me.
#        In this case, any LDAP valid user is fine; apache won't restrict further.
#         require valid-user

</IfModule>

</Proxy>
</VirtualHost>


Testing

  • Check that DAV-root is OK, and that DAV is actually serving with DAVfs, by turning off all authentication / authourization
    • change the <Limit> </Limit> containers above, to <LimitExcept> </LimitExcept>
    • anyone, anywhere can now browse your DAV share!! Don't put valuable stuff in your DAV-root, just test-files
  • Before adding in the complexity of authentication, check that the server-box is able to contact the LDAP-box; this should produce a lot of (LDIF) output:
hostname ~ # ldapsearch -h 192.168.0.192 -D 'cn=Reader,dc=whiterock' -b "dc=whiterock" -x -s one -W
Enter LDAP Password: ultra_secret
  • in a dedicated console-window, you can watch what Apache thinks of your DAV and http connection-attempts:
hostname ~ # tail -f /var/log/apache2/error_log
  • to test-connect:
hostname ~ # cadaver http://localhost/<your_DAV_share>
  • Connection-attempt results:
    • Apache status code 200 or 207 is what you're after: things are good
    • Apache status 405 (Method not Allowed) probably means you don't really have a DAV filesystem serving
      • check compile options
      • check apache startup directives
      • check /etc/apache2/modules.d/45_mod_dav.conf
      • take authentication / authourization out of the picture (disable) until you can clear this fundamental DAV protocol issue
    • Apache status codes 401 and 403 are common with authentication/authourization problems




Reference DAV, LDAP and AutoFS

To make WebDAV really useful, we want to have our user authenticate, get authourized, then access their home-directory.

===Setup Automounting=== Walk before running (with scissors :-) ) - get AutoFS (automounting) working first, independently of any other complexity:

hostname ~ # emerge -pv nfs-utils autofs

Edit the master autofs file to look like:

hostname ~ # emacs -nw /etc/autofs/auto.master

/home  /etc/autofs/auto.home

Now that we've referred autofs to use the auto.home file, we'd better create it; just one line:

hostname ~ # emacs -nw /etc/autofs/auto.home

*       -rw,soft,intr   192.168.0.192:/home/&

Now, fire up the services, and then check that portmap and automount are running (with ps aux for example)

hostname ~ # /etc/init.d/nfsmount start
hostname ~ # /etc/init.d/autofs start

Verify that you can automount something - typically by changing to a directory such as /home/gordonp and performing an ls. You should see all the stuff you'd normally see in that home-dir.

Make these seervices stick between reboots:

hostname ~ # rc-update add nfsmount default
hostname ~ # rc-update add autofs default