August 20, 2010

567 words 3 mins read

Apache + WebDav + LDAP = Pure Bliss

As I discussed previously, I got fed up with Samba file sharing (when trying to use LDAP) and went to the joy that was WebDAV. As it turned out, it is extremely easy to get LDAP authentication on Apache and combine that with WebDAV; today I’ll show you how.

Components used:

  • Ubuntu 10.04
  • Apache 2.2
  • OpenDS 2.2 (LDAP)
  • mod_authnz_ldap, mod_dav, mod_dav_fs, mod_dav_lock & mod_rewrite

The process is very easy, provided you’ve got OpenDS & Apache 2 already up and running. If you need the basics of that, I’ve covered that in another post. I’m also assuming that LDAP is already setup with users & groups.  In the following example, you’ll have 3 groups: “All” which contains a list of all users, “One” which only gets access to the ‘share’ folder of ‘one’, and “Two” which is the same concept as “One”. Note: I used OpenDS Static Groups, I have no idea if Dynamic Groups or Virtual Static Groups will work.

  • mkdir /home/webdav; mkdir /home/webdav/one; mkdir /home/webdav/two; mkdir /home/webdav/public
  • chown -R www-data.www-data /home/webdav
  • chmod -R 755 /home/webdav
  • chmod a-w /home/webdav
  • a2enmod authnz_ldap dav dav_fs dav_lock rewrite
  • nano /etc/apache2/sites-enabled/000-default
  • Add the following to the bottom of the file before 
Alias /webdav/ "/home/webdav/"

<Directory /home/webdav>
 Options Indexes FollowSymLinks MultiViews
 AllowOverride AuthConfig
 Order allow,deny
 allow from all
</Directory>
DavLockDB /tmp/DavLock

RewriteEngine On
RewriteRule ^/webdav$ /webdav/ [R=301]

<Location /webdav>
 Dav On
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=All,ou=Groups,dc=DOMAIN,dc=TLD
</Location>

<Location /webdav/one>
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=One,ou=Groups,dc=DOMAIN,dc=TLD
</Location>

<Location /webdav/two>
 AuthName DAV
 AuthType Basic
 AuthBasicProvider ldap
 AuthzLDAPAuthoritative on
 AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
 AuthLDAPGroupAttributeIsDN on
 AuthLDAPBindDN cn=USERNAMEHERE
 AuthLDAPBindPassword PASSWORDHERE
 Require ldap-group cn=Two,ou=Groups,dc=DOMAIN,dc=TLD
</Location>
  • /etc/init.d/apache2 restart

At this point (provided you changed DOMAIN, TLD, USERNAMEHERE, and PASSWORDHERE in the above example), you should be able to point a browser to http://yourserver/webdav and it will prompt you for your username and password.  To Apache /webdav and /webdav/ are different, but most users won’t know that, hence the redirect.  After you authenticate, provided you are in groups “One” and “Two” you should be able to see 3 folders (one, two, and public).  If you are not in all the groups, you will not see nor be able to access the folders (except public, which all authenticated users would be able to see and access).

If you’re using a Mac, you can use Finder > Go > Connect To Server with the same URL.  You should be able to simply drag and drop files on and off (like you would any other type of share).  All directories, that you’re a group member of, except the base (/webdav/ — That was the ‘chmod a-w’ line) should be writable.  You can pop open files and edit them directly from the webdav share too.

Piece of cake, eh? Without clear and concise instructions (such as above) it took me less than two hours to research, figure out, and implement.  If you can follow the instructions and have some idea what you are doing, you should be able to get WebDAV shares up and running in less than 30mn (and that’s on the outside).

NOTE: You cannot use digest authentication, you MUST use basic authentication.  This sends passwords in clear text.  If this is internet accessible — I highly recommend you SSL your WebDAV share.

apache Apache 2.2 LDAP mod_authnz_ldap mod_dav mod_dav_fs mod_dav_lock mod_rewrite OpenDS Ubuntu Ubuntu 10.04

Samba and LDAP DO NOT MIX

August 18, 2010

Recently I was tasked with helping a company implement a centralized authentication system, and they wanted to go all open source. This isn&rsquo;t unreasonable in my book, though it is a little unusual. Of course the words &ldquo;Open Source Authentication&rdquo; directly translates to LDAP, the only question is which LDAP software you&rsquo;re going to use. There are a number of options including OpenLDAP (slapd), Fedora Directory Server (389), OpenDS, Apache Directory Server, and a handful of smaller projects. On top of the LDAP directory they wanted me to add a number of services including email and file sharing. This is the story of how Samba sucks&hellip;

Installing & Configuring OpenDS 2.2 on Ubuntu 10.04

August 19, 2010

Recently, I&rsquo;ve needed to setup an open source centralized authentication server. After research and testing some of the options, I settled on OpenDS, and while I&rsquo;m leery of anything running Java, I&rsquo;ll admit&hellip; OpenDS is really nice. Most importantly, getting it up and running is a piece of cake.

WordPress: Enabling SSH/SFTP Updates

June 29, 2010

The first time I dealt with WordPress was when I first started doing IT administration for FanHistory. At that point in time I knew nothing about it and it was breaking horribly. Luckily I managed to fix the issues (which turned out to be Varnish proxy related) and get it standing mostly on its own two feet. One of &ldquo;minor annoyances&rdquo; I ran into then and absolutely had to figure out during my migration, was the lack of SSH or SFTP based updates. By default when you go into add or update the plugins (or the software itself) you have only two options FTP and FTPS (SSL). I run neither of these, FTP is majorly old and very insecure. FTPS is just not common. I thought I was stuck doing things manually, until I found out&hellip;. You can enable SSH2 based updates in WordPress. Better yet, it is SUPER easy.