Apache + WebDav + LDAP = Pure Bliss

14 Responses

  1. Alex Leach says:

    I’ve configured 2 Windows 7 client machines (32bit Pro & 64bit Ultimate) to authenticate with my Apache webdav server under Digest authentication. It’s really smooth when it works right, but the rewrite rules ruined me for ages; I thought it was M$’s fault too until I got it working…
    I’ve now got it so that any login request gets automatically redirected through SSL, and it uses digest authentication too. I haven’t had the time to configure LDAP authentication yet, but will do when I get the chance, with this tutorial :)
    Here are the Apache settings I’ve got for my dav location now, although I have these scattered across a few files and not all settings are essential:-

    ProxyRequests Off

    SSLProxyEngine on
    ServerName example.com
    RewriteEngine On
    UseCanonicalName on
    ProxyVia on
    RewriteRule ^/webdav/?(.*)$ https://%{SERVER_NAME}:443/webdav/$1 [R=301,NC,L]

    # Needs to be owned by webserver user.
    DavLockDB "/path/to/DavLock"
    RewriteLog /var/log/apache2/dav.rewrites.log
    # Favourite level for debugging rewrite rules.
    RewriteLogLevel 6
    Alias /webdav /path/to/davshare

    Order allow,deny
    Allow from all
    AllowOverride None
    Options +Indexes +FollowSymLinks +Includes +MultiViews
    # These IndexOptions aren’t necessary, but are useful if this is a DavSVN share with a custom xsl.
    IndexOptions +FancyIndexing
    IndexOptions +XHTML
    IndexOptions +TrackModified
    IndexOptions +SuppressHTMLPreamble
    IndexOptions +FoldersFirst
    IndexOptions +IgnoreCase
    IndexIgnore .DAV*
    IndexIgnore ._*
    IndexOptions Type=text/html
    # Only works with DavSVN. URI
    HeaderName /styles/svn.xsl

    Dav on

    # SUBVERSION STUFF. Needs an SVN client though (TortoiseSVN is good). Dav on its own can be mapped as a network drive, which works through VPN.
    #Dav svn
    #SVNPath /path/to/svnrepos/webdav
    #SVNListParentPath On
    #SVNAutoversioning On
    #AuthzSVNAccessFile /path/to/SVN/authz
    #SVNIndexXSLT /styles/repos.xsl

    # AUTHENTICATION
    AuthType Digest
    # Needs to be identical to the realm in AuthUserFile.
    AuthName "My authentication realm"
    AuthDigestDomain /webdav https://example.com/webdav https://example.com/svnrepos
    AuthDigestProvider file
    AuthUserFile "/Library/WebServer/.digestpassword"

    # SSL ENFORCEMENT
    SSLOptions FakeBasicAuth StrictRequire
    SSLRequireSSL
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128

    Allow from all
    Satisfy Any

    # DAV PERMISSIONS

    Require valid-user
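
The config comment above says AuthName must be identical to the realm in AuthUserFile. The following is an added example, not part of the original comment: it parses an htdigest-format file (`user:realm:MD5(user:realm:password)`) and reports entries whose realm differs from AuthName, which Apache will never match. The sample entries and passwords are constructed for illustration.

```python
import hashlib
import hmac

AUTH_NAME = "My authentication realm"  # AuthName value from the config above


def ha1(user, realm, password):
    """Hash stored by htdigest: MD5 hex of 'user:realm:password'."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def parse_digest_file(text):
    """Return [(user, realm, hash)] parsed from 'user:realm:hash' lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            user, rest = line.split(":", 1)
            realm, digest = rest.rsplit(":", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected user:realm:hash")
        entries.append((user, realm, digest.strip().lower()))
    return entries


def realm_mismatches(text, auth_name):
    """Entries whose realm is not byte-for-byte equal to AuthName."""
    return [(u, r) for u, r, _ in parse_digest_file(text) if r != auth_name]


def verify(text, user, auth_name, password):
    """True only if an entry for (user, auth_name) matches the password."""
    expected = ha1(user, auth_name, password)
    ok = False
    for u, r, digest in parse_digest_file(text):
        if u == user and r == auth_name:
            ok = ok or hmac.compare_digest(digest, expected)
    return ok


# Constructed sample: bob's realm differs from AuthName only by case.
SAMPLE = "\n".join([
    f"alice:{AUTH_NAME}:{ha1('alice', AUTH_NAME, 'correct horse')}",
    f"bob:my authentication realm:{ha1('bob', 'my authentication realm', 'hunter2')}",
])

if __name__ == "__main__":
    for user, realm in realm_mismatches(SAMPLE, AUTH_NAME):
        print(f"{user}: realm {realm!r} does not match AuthName {AUTH_NAME!r}")
```

The stored hash is password-equivalent for its realm, so the AuthUserFile should be readable only by the web server user.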

    • Robert Hofer says:

      I have configured Webdav on my Apache2 Server and it works fine.
      But… Mac Users keep generating .Files. And some ms-office versions leave other unwanted temporary files.
      So I try to hide these files by adding an option like IndexIgnore .htaccess .* *~ ~*

      Result: when I access the webdav folder by any web browser, the unwanted files do not show up.
      But when I access through Windows 7 Explorer (mapped drive), all files show up.

      Is this a bug? Or a misconfiguration?
      Is there a workaround?

  2. dwarf says:

    Hmmm… Digest Authentication not allowed.

    The problem is that Windows Vista and 7 will only talk to webDAV with Digest authentication.

    This means that currently Apache + LDAP + WebDAV is not usable with Windows clients except for a registry hack.

    http://www.webdavsystem.com/server/documentation/authentication/basic_auth_vista

  3. Nuriddin says:

    Thank you for your very useful post. If you don’t mind I have related questions on this topic to which I haven’t been finding any solutions.

    How can I redirect a specific user to its own user directory after authentication? For example:
    from 127.0.0.1/webdav, after user1’s authentication it goes only to its user directory, 127.0.0.1/webdav/user1

    Is it possible to do it in LDAP server side?

    Thank you.

    • Jon says:

      Theoretically it is possible to do in Apache, and actually quite a fascinating little exercise. I toyed around with it for a little bit this evening, but haven’t quite gotten it down yet (Has to do with the order in which Apache does things). When I figure it out, I’ll let you know.

    • Jon says:

      Ok. From my testing, you cannot flatly redirect a WebDAV request like you can a normal request. I tried:
      RewriteRule ^/webdav/home/$ /webdav/home/%{LA-U:REMOTE_USER}/ [R=302]

      It does work in a web browser, but not in say Ubuntu’s “Connect to server”. RFC 4437 is all about WebDAV redirects, and the short version is that it isn’t the standard way. As of yet, I don’t know how to make Apache’s mod_rewrite do WebDAV compatible redirects.

      You can, however, repoint /webdav/home/ on a per user basis using:
      RewriteRule ^/webdav/home/(.*) /webdav/share/home/%{LA-U:REMOTE_USER}/$1

      When you bring that up in any system, it will show you ONLY the contents of /webdav/share/home/Jon/ (If my username was “Jon”). If you log in as a different user, it will only show that user’s files. Nifty trick, you just need to make sure the folders exist in advance.

      • Nuriddin says:

        Thank you for your reply. Indeed, it is not working with “Connect to server”, as well as other WebDAV clients (I have one, called CADAVER).
        But, yes, it works well in a web browser.

        Anyway, thank you for your suggestions. It gave me a new approach and I will try other options with this.

  1. 2010-08-20

    […] This post was mentioned on Twitter by Jon, John. John said: RT @ShakataGaNai: [Blog] Apache + WebDav + LDAP = Pure Bliss http://bit.ly/dvay0C […]

  2. 2010-08-25

    […] getting LDAP, Apache & WebDAV working together in perfect harmony, I needed to get clients accessing the “shares” I was setting up.  […]

  3. 2010-08-26

    […] I’ve already got Linux & OSX talking to my LDAP/WebDAV enabled Apache, I needed to finish my trifecta… Windows. Specifically, Windows 7. I had heard that it is […]
