SUSE Conversations


How to WebDAV over SSL using LDAP Authentication with Apache Web Server



By: susethailand

December 8, 2009 12:07 pm


WebDAV (Web-based Distributed Authoring and Versioning) is a web-based protocol that lets users edit and manage their files on a remote computer over HTTP, as if they were local folders.

Why WebDAV Web Folders?

  • Access files from anywhere, with access permissions that are easy to manage.
  • Files can also be reached from a plain web browser.
  • Two users cannot edit the same file at the same time.
  • Secure configuration is possible, because the traffic can run over SSL encryption.
  • Clients on Windows, Linux, Mac OS X and other systems can access the files.
  1. Create a directory for the webdav database.
    $ mkdir -p /var/lib/apache2/dav
    $ chown wwwrun.www /var/lib/apache2/dav

    Create a user (the -c flag creates the password file; omit it when adding further users):

    $ htpasswd2 -c /etc/apache2/dav_users <your username>
    $ chmod 755 /etc/apache2/dav_users

    Create the web directory:

    $ mkdir /srv/www/webdav
    $ chown wwwrun.www /srv/www/webdav
  2. Enable DAV module
    $ vi /etc/sysconfig/apache2

    - add dav and dav_fs to APACHE_MODULES variable.

    Create the dav config file:

    $ vi /etc/apache2/conf.d/dav.conf
    <IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DavLockDB /var/lib/apache2/dav/lockdb
    </IfModule>
    
    <IfModule mod_dav.c>
    # XML request bodies are loaded into memory;
    # limit to 128K by default
    LimitXMLRequestBody 131072
    
    # Location of the WebDav Repository.
    Alias /webdav "/srv/www/webdav"
    
    <Directory /srv/www/webdav>
    # enable webdav for this directory
    Dav On
    Options +Indexes
    IndexOptions FancyIndexing
    AllowOverride All
    AddDefaultCharset UTF-8
    # Basic authentication against the password file created with htpasswd2 -c in step 1
    AuthType Basic
    AuthName "WebDAV Server"
    AuthUserFile /etc/apache2/dav_users
    # any user listed in AuthUserFile may access the repository
    Require valid-user
    Order allow,deny
    Allow from all
    </Directory>
    </IfModule>
    
    #Example dav conf: /usr/share/doc/packages/apache2/original/extra/httpd-dav.conf

    Reload Apache:

    $ rcapache2 reload
  3. Test access from a browser: http://IP Address/webdav

    - Now you can access the webdav directory.

    Access from the command line:

    - Install the package "cadaver" (WebDAV client) from YaST.

    $ cadaver http://192.168.1.100/webdav

    Authentication required for WebDAV Server on server `192.168.1.100':

    Username: sontaya
    Password:
    dav:/webdav/>

  4. Create a WebDAV server certificate
    Generate an encrypted key:

    4.1) If you want to enter the key passphrase at boot time (when starting your web server):
    $ openssl genrsa -des3 -out server.key 1024
    Generating RSA private key, 1024 bit long modulus
    ............................++++++
    ...++++++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

    4.2) If you don't want to enter the passphrase at boot time, write a copy of the key without it:

    $ openssl rsa -in server.key -out server.key.unsecure
  5. Create Certificate
    Generate the signing request from the key created in step 4 (-key reuses that key; -keyout would generate and write a new one):
    $ openssl req -new -key server.key -out webdav-server.csr

    Request Server Certificate from Cacert.org:
    Login:

    http://www.cacert.org

    No account, Register:

    https://www.cacert.org/index.php?id=1

    Verify your account from the e-mail you receive.

    $ cat webdav-server.csr

    - copy the contents

    After login, select Server Certificates Menu > New > "paste the contents of webdav-server.csr" > Submit

    You'll receive the signed certificate by mail (after verifying your domain). Save it as server.crt.

    $ cp server.key /etc/apache2/ssl.key/
    $ cp server.crt /etc/apache2/ssl.crt/
  6. Import Certificate
    Import CAcert's root certificates (details arrive by mail):
    $ wget http://www.cacert.org/certs/class3.crt
    $ wget http://www.cacert.org/certs/root.crt
    
    $ mv class3.crt ca.crt
    $ cp ca.crt root.crt /etc/apache2/ssl.crt/
    
    $ vi server.ca
    "Save"

    Copy server.key into /etc/apache2/ssl.key/ and server.crt into /etc/apache2/ssl.crt/, replacing the placeholder files there, and then also copy server.key.unsecure (the key that goes with your cert). Keep private keys in ssl.key/, the directory meant for them, rather than alongside the public certificates in ssl.crt/:

    $ cp server.key /etc/apache2/ssl.key/
    $ cp server.crt /etc/apache2/ssl.crt/
    $ cp server.key.unsecure /etc/apache2/ssl.key/
  7. Apache SSL config
    $ cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
    $ vi /etc/apache2/vhosts.d/vhost-ssl.conf
    Uncomment the SSLCertificateChainFile and SSLCACertificatePath lines; if you use the passphrase-less key, also point SSLCertificateKeyFile at server.key.unsecure.
    
    $ vi /etc/sysconfig/apache2
    APACHE_SERVER_FLAGS="-DSSL"

    Restart apache2:

    $ rcapache2 restart
  8. Test access from a browser (Konqueror)
    Open Konqueror (it supports the webdavs protocol) and enter: webdavs://IP Address/webdav
  9. Configure Apache LDAP authentication
    Enable the ssl, authnz_ldap (and rewrite) modules:
    $ a2enmod ssl
    $ a2enmod authnz_ldap

    Or edit the file "/etc/sysconfig/apache2"

    - add ssl and authnz_ldap to APACHE_MODULES variable.

    Edit the dav config file:

    $ vi /etc/apache2/conf.d/dav.conf
    ##Start##
    <IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DavLockDB /var/lib/apache2/dav/lockdb
    </IfModule>
    
    <IfModule mod_dav.c>
    # XML request bodies are loaded into memory;
    # limit to 128K by default
    LimitXMLRequestBody 131072
    
    # Location of the WebDav Repository.
    Alias /webdav "/srv/www/webdav"
    <Directory /srv/www/webdav>
    # Enable webdav for this directory
    Dav On
    # Require an SSL connection: Basic authentication sends the password
    # merely base64-encoded, so it must only travel over TLS.
    SSLRequireSSL
    AuthType Basic
    AuthBasicProvider ldap
    # The name of the protected area or "realm"
    AuthName "WebDAV LDAP Authorization"
    # The LDAP query URL
    # Format: scheme://host:port/basedn?attribute?scope?filter
    # The URL below searches all objects below the basedn
    # and validates the login name against the uid attribute
    AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
    
    # LDAP Authentication & Authorization is final; do not check other databases
    AuthzLDAPAuthoritative on
    # DN and password used to bind to the directory for the user search
    # (needed when the directory does not allow anonymous searches; a
    # read-only service account is sufficient for this). The password is
    # stored in clear text, so this file must not be readable by ordinary users.
    AuthLDAPBindDN cn=Administrator,dc=company
    AuthLDAPBindPassword 5760urs
    # Only members of the LDAP group grp_branches may access the repository.
    # Do not add "Require valid-user" next to this line: in Apache 2.2 any
    # satisfied Require grants access, which would let every LDAP user in.
    Require ldap-group cn=grp_branches,ou=group,dc=company
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order deny,allow
    Allow from all
    </Directory>
    </IfModule>
    ##End##

    Test:

    $ cadaver https://IP Address/webdav
  10. Setting up a shared directory
    Create an LDAP group named grp_branches and add users to it. Then create the directories:
    $ mkdir /srv/www/webdav/branches
    $ mkdir /srv/www/webdav/branches/pattaya

    Set permissions

    $ chmod 770 /srv/www/webdav
    $ chmod 755 /srv/www/webdav/branches -R

    Create .htaccess

    $ vi /srv/www/webdav/branches/pattaya/.htaccess
    # Both the host-based rules and the authentication must be satisfied
    Satisfy all
    Order deny,allow
    Deny from all
    Allow from all
    AuthType Basic
    AuthName "WebDAV LDAP Authorization"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
    AuthzLDAPAuthoritative on
    AuthLDAPBindDN cn=Administrator,dc=company
    AuthLDAPBindPassword 5760urs
    # This folder is restricted to a single LDAP user
    Require ldap-user sontaya.photibut

    Description: only the user sontaya.photibut can access the pattaya folder. Other users cannot see the pattaya folder; they can only access the branches folder.

  11. Test the connection from GNOME.
    Open File Browser > File > Connect to Server.
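The following shell script is an added example, not part of the original post or of SUSE's apache2 package: it checks the material from steps 4 to 7 before Apache is restarted, namely that server.crt chains to the CA certificate placed in ssl.crt/, that the private key really belongs to server.crt, that the key file (in particular a passphrase-less server.key.unsecure) is not group- or world-readable, and that the certificate is not about to expire. The throwaway CA it builds with openssl and the temporary paths are constructed demo values; on a real server point the functions at /etc/apache2/ssl.key/server.key, /etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.crt/ca.crt.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the key and
# certificate files installed in steps 4-7. The demo PKI at the bottom is
# constructed on the fly so the checks can be exercised offline.

# verify_chain SERVER_CRT CA_CRT -> 0 if SERVER_CRT chains to CA_CRT.
# This is the relationship SSLCertificateFile / SSLCertificateChainFile must hold.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_matches_cert KEY CRT -> 0 if the private key belongs to the certificate.
# Compares the RSA modulus of both; a mismatch makes Apache refuse to start.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
  c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_private_enough KEY -> 0 if neither group nor other has any permission.
# A passphrase-less key is only as safe as these permission bits.
key_private_enough() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# cert_valid_for_days CRT DAYS -> 0 if the certificate is still valid DAYS
# days from now (openssl -checkend takes seconds).
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: constructed test CA plus a 1-day server certificate,
# standing in for the CAcert-issued files of steps 5 and 6 (demo only).
make_demo_pki() {
  d=$1
  openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Demo CA" -days 2 \
    -out "$d/ca.crt" 2>/dev/null
  openssl genrsa -out "$d/server.key" 2048 2>/dev/null
  openssl req -new -key "$d/server.key" -subj "/CN=webdav.example.test" \
    -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.crt" 2>/dev/null
  chmod 600 "$d/server.key"
}

# report CHECK ARGS...: run one check and print PASS/FAIL with its name.
report() {
  if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}

DEMO_DIR=$(mktemp -d)
make_demo_pki "$DEMO_DIR"
report verify_chain "$DEMO_DIR/server.crt" "$DEMO_DIR/ca.crt"
report key_matches_cert "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt"
report key_private_enough "$DEMO_DIR/server.key"
report cert_valid_for_days "$DEMO_DIR/server.crt" 0
```

Run it as a plain shell script; all four demo checks print PASS. On a real server, replace the demo paths with the files under /etc/apache2 and run the checks again after every certificate renewal, since the Apache vhost only notices a mismatch at restart time.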
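This second script is likewise an added example rather than the post's own code: it reviews a dav.conf fragment for the points raised in steps 2, 9 and 10 before running rcapache2 reload. It applies Apache 2.2 semantics, which the Order/Allow directives used throughout the post imply. The two configurations it embeds are constructed samples: the weak one shows Basic authentication without SSLRequireSSL, "Require valid-user" next to "Require ldap-group", a world-readable file holding AuthLDAPBindPassword, and neither a lock database nor a request-body limit; the good one is the corrected form. The bind password in both is a placeholder, and the LDAP URL and group are the values from the post.

```shell
#!/bin/sh
# Added example (not from the original post): static review of an Apache 2.2
# dav.conf fragment before "rcapache2 reload". The sample configs below are
# constructed; the bind password in them is a placeholder.

# has_directive FILE DIRECTIVE [VALUE_PREFIX] -> 0 if an uncommented line
# sets DIRECTIVE (optionally with a value starting with VALUE_PREFIX).
# Case-insensitive, like Apache itself.
has_directive() {
  if [ -n "$3" ]; then
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3" "$1"
  else
    grep -Eiq "^[[:space:]]*$2([[:space:]]|$)" "$1"
  fi
}

# world_readable FILE -> 0 if "other" has read permission.
world_readable() {
  [ "$(ls -l "$1" | cut -c8)" = "r" ]
}

# check_dav_conf FILE -> 0 when every check passes; findings go to stdout.
check_dav_conf() {
  f=$1; rc=0
  # Basic auth sends the password base64-encoded only; insist on TLS.
  if has_directive "$f" AuthType Basic && ! has_directive "$f" SSLRequireSSL; then
    echo "FAIL: AuthType Basic without SSLRequireSSL"; rc=1
  fi
  # In 2.2 any satisfied Require grants access, so valid-user beside
  # ldap-group admits every LDAP account and silently defeats the group rule.
  if has_directive "$f" Require valid-user && has_directive "$f" Require ldap-; then
    echo "FAIL: Require valid-user next to Require ldap-*: the group/user restriction is moot"; rc=1
  fi
  # The bind password is stored in clear; keep the file away from other users.
  if has_directive "$f" AuthLDAPBindPassword && world_readable "$f"; then
    echo "FAIL: $f holds AuthLDAPBindPassword but is world-readable"; rc=1
  fi
  # Without a lock DB, LOCK/UNLOCK fail and concurrent edits collide.
  has_directive "$f" DavLockDB || { echo "FAIL: DavLockDB not set"; rc=1; }
  # Unbounded XML bodies let any client make the server allocate memory at will.
  has_directive "$f" LimitXMLRequestBody || { echo "FAIL: LimitXMLRequestBody not set"; rc=1; }
  return $rc
}

# Constructed sample: the pitfalls discussed above, all in one fragment.
WEAK_CONF='<Directory /srv/www/webdav>
Dav On
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
AuthLDAPBindDN cn=Administrator,dc=company
AuthLDAPBindPassword PLACEHOLDER_BIND_PASSWORD
Require valid-user
Require ldap-group cn=grp_branches,ou=group,dc=company
</Directory>'

# Constructed sample: the corrected form.
GOOD_CONF='DavLockDB /var/lib/apache2/dav/lockdb
LimitXMLRequestBody 131072
<Directory /srv/www/webdav>
Dav On
SSLRequireSSL
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
AuthLDAPBindDN cn=Administrator,dc=company
AuthLDAPBindPassword PLACEHOLDER_BIND_PASSWORD
Require ldap-group cn=grp_branches,ou=group,dc=company
</Directory>'

DEMO_DIR=$(mktemp -d)
printf '%s\n' "$WEAK_CONF" > "$DEMO_DIR/weak.conf" && chmod 644 "$DEMO_DIR/weak.conf"
printf '%s\n' "$GOOD_CONF" > "$DEMO_DIR/good.conf" && chmod 640 "$DEMO_DIR/good.conf"
for name in weak good; do
  echo "== $name.conf"
  if check_dav_conf "$DEMO_DIR/$name.conf"; then echo "OK: no findings"; fi
done
```

The weak sample produces five FAIL lines and the good one "OK: no findings". The checker only looks at the file it is given, so run it on /etc/apache2/conf.d/dav.conf rather than on a per-branch .htaccess, which inherits SSLRequireSSL and the body limit from the enclosing Directory block.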

Tips:

- Clients connecting to the WebDAV server through a proxy: in the web browser's proxy settings, add the WebDAV server's IP address to "No proxy for".

If your Squid proxy does not require authentication, you do not need to set "No proxy for", because WebDAV works over ports 80 and 443.

If it does require authentication, the client is asked for the Squid (proxy) credentials first and then for the WebDAV credentials.

Troubleshooting:

- Logfile

$ tail -f /var/log/apache2/error_log
  1. Error: Could not access /webdav/ (not WebDAV-enabled?)
    Solution: Change the permissions of the password file:
    $ chmod 755 /etc/apache2/dav_users
  2. Error: Client denied by server configuration
    Solution: Change the default permissions to be less restrictive, with this instead:
    <Directory />
    AllowOverride None
    Order Deny,Allow
    </Directory>
  3. Error: Directory index forbidden by Options directive
    Solution: Enable the autoindex module and set: Options Indexes FollowSymLinks MultiViews
  4. Error: Permission denied: .htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
    Solution: Check the directory permissions.
  5. Error: [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
    Solution: Disable AppArmor from YaST.

Categories: Enterprise Linux, SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
