August 20, 2010

Apache + WebDav + LDAP = Pure Bliss

As I discussed previously, I got fed up with Samba file sharing (when trying to use LDAP) and went to the joy that was WebDAV. As it turned out, it is extremely easy to get LDAP authentication on Apache and combine that with WebDAV; today I’ll show you how.

Components used:

  • Ubuntu 10.04
  • Apache 2.2
  • OpenDS 2.2 (LDAP)
  • mod_authnz_ldap, mod_dav, mod_dav_fs, mod_dav_lock & mod_rewrite

The process is very easy, provided you’ve got OpenDS & Apache 2 already up and running. If you need the basics of that, I’ve covered them in another post. I’m also assuming that LDAP is already set up with users & groups. In the following example, you’ll have 3 groups: “All”, which contains a list of all users, “One”, which only gets access to the ‘share’ folder ‘one’, and “Two”, which is the same concept as “One”. Note: I used OpenDS Static Groups; I have no idea if Dynamic Groups or Virtual Static Groups will work.

  • mkdir /home/webdav; mkdir /home/webdav/one; mkdir /home/webdav/two; mkdir /home/webdav/public
  • chown -R www-data.www-data /home/webdav
  • chmod -R 755 /home/webdav
  • chmod a-w /home/webdav
  • a2enmod authnz_ldap dav dav_fs dav_lock rewrite
  • nano /etc/apache2/sites-enabled/000-default
  • Add the following to the bottom of the file before
Alias /webdav/ "/home/webdav/"

<Directory /home/webdav>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride AuthConfig
 Order allow,deny
 allow from all
</Directory>
DavLockDB /tmp/DavLock

RewriteEngine On
RewriteRule ^/webdav$ /webdav/ [R=301]

<Location /webdav>
 Dav On
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=All,ou=Groups,dc=DOMAIN,dc=TLD
</Location>

<Location /webdav/one>
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=One,ou=Groups,dc=DOMAIN,dc=TLD
</Location>

<Location /webdav/two>
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=Two,ou=Groups,dc=DOMAIN,dc=TLD
</Location>
  • /etc/init.d/apache2 restart

At this point (provided you changed DOMAIN, TLD, USERNAMEHERE, and PASSWORDHERE in the above example), you should be able to point a browser to http://yourserver/webdav and it will prompt you for your username and password. To Apache, /webdav and /webdav/ are different URLs, but most users won’t know that, hence the redirect. After you authenticate, provided you are in groups “One” and “Two”, you should be able to see 3 folders (one, two, and public). If you are not in all the groups, you will not see nor be able to access the folders (except public, which all authenticated users can see and access).
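As an added example (not from the original post), here is a small Python model of the access decision the three Location blocks produce: the user’s DN is found by the AuthLDAPURL search under ou=People, and then, with AuthLDAPGroupAttributeIsDN on, that DN must appear as a member or uniqueMember value of the group named in the most specific matching Require ldap-group line. The in-memory directory, the suffix dc=example,dc=com (standing in for dc=DOMAIN,dc=TLD) and the longest-prefix treatment of the nested Locations are assumptions of the example, not anything from the post.

```python
# Added example, not from the original post: models mod_authnz_ldap's
# "Require ldap-group" decision for the three <Location> blocks above.
BASE = "dc=example,dc=com"          # constructed; stands in for dc=DOMAIN,dc=TLD
PEOPLE, GROUPS = f"ou=People,{BASE}", f"ou=Groups,{BASE}"

# Constructed in-memory directory of OpenDS-style static groups:
# {entry DN: {attribute: [values]}}. Group members are full user DNs.
DIRECTORY = {
    f"uid=alice,{PEOPLE}": {"uid": ["alice"]},
    f"uid=bob,{PEOPLE}": {"uid": ["bob"]},
    f"cn=All,{GROUPS}": {"member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    f"cn=One,{GROUPS}": {"member": [f"uid=alice,{PEOPLE}"]},
    f"cn=Two,{GROUPS}": {"uniqueMember": [f"uid=bob,{PEOPLE}"]},
}

# URL prefix -> group named in that <Location>'s Require line. The longest
# matching prefix stands in for Apache choosing the most specific section.
LOCATIONS = {"/webdav": f"cn=All,{GROUPS}",
             "/webdav/one": f"cn=One,{GROUPS}",
             "/webdav/two": f"cn=Two,{GROUPS}"}

def lower_keys(directory):
    """DNs and attribute names are case-insensitive in LDAP; normalise once."""
    return {dn.lower(): {a.lower(): v for a, v in attrs.items()}
            for dn, attrs in directory.items()}

def find_user_dn(entries, uid):
    """The AuthLDAPURL search: scope sub under ou=People, matching on uid."""
    for dn, attrs in entries.items():
        if dn.endswith(PEOPLE.lower()) and uid in attrs.get("uid", []):
            return dn
    return None

def in_group(entries, user_dn, group_dn):
    """AuthLDAPGroupAttributeIsDN on: a member or uniqueMember value of the
    group (Apache's default group attributes) must equal the user's DN."""
    group = entries.get(group_dn.lower(), {})
    members = group.get("member", []) + group.get("uniquemember", [])
    return user_dn.lower() in (m.lower() for m in members)

def authorize(uid, path, directory=DIRECTORY):
    """True if uid may reach path under the Location blocks modelled above."""
    entries = lower_keys(directory)
    user_dn = find_user_dn(entries, uid)
    hits = [p for p in LOCATIONS if path == p or path.startswith(p + "/")]
    if user_dn is None or not hits:
        return False          # unknown user, or a URL outside /webdav
    return in_group(entries, user_dn, LOCATIONS[max(hits, key=len)])
```

Running authorize("alice", "/webdav/one") and authorize("alice", "/webdav/two") shows the per-share split, while authorize("bob", "/webdav/public") shows that membership of “All” alone is enough for the public folder.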

If you’re using a Mac, you can use Finder > Go > Connect To Server with the same URL. You should be able to simply drag and drop files on and off (like you would with any other type of share). All directories whose group you’re a member of, except the base (/webdav/, which is what the ‘chmod a-w’ line was for), should be writable. You can open files and edit them directly from the WebDAV share too.

Piece of cake, eh? Without clear and concise instructions (such as the above) it took me less than two hours to research, figure out, and implement. If you can follow the instructions and have some idea what you are doing, you should be able to get WebDAV shares up and running in less than 30 minutes (and that’s on the outside).

NOTE: You cannot use digest authentication; you MUST use basic authentication. This sends passwords in clear text. If this is internet accessible, I highly recommend putting your WebDAV share behind SSL.