Apache + WebDav + LDAP = Pure Bliss
As I discussed previously, I got fed up with Samba file sharing (when trying to use LDAP) and went to the joy that was WebDAV. As it turned out, it is extremely easy to get LDAP authentication on Apache and combine that with WebDAV; today I’ll show you how.
Components used:
- Ubuntu 10.04
- Apache 2.2
- OpenDS 2.2 (LDAP)
- mod_authnz_ldap, mod_dav, mod_dav_fs, mod_dav_lock & mod_rewrite
The process is very easy, provided you’ve got OpenDS & Apache 2 already up and running. If you need the basics of that, I’ve covered them in another post. I’m also assuming that LDAP is already set up with users & groups. In the following example there are three groups: “All”, which contains every user; “One”, which alone gets access to the ‘one’ share folder; and “Two”, which works the same way for ‘two’. Note: I used OpenDS static groups; I have no idea whether dynamic groups or virtual static groups will work.
- mkdir /home/webdav; mkdir /home/webdav/one; mkdir /home/webdav/two; mkdir /home/webdav/public
- chown -R www-data.www-data /home/webdav
- chmod -R 755 /home/webdav
- chmod a-w /home/webdav
- a2enmod authnz_ldap dav dav_fs dav_lock rewrite
- nano /etc/apache2/sites-enabled/000-default
- Add the following to the bottom of the file, before </VirtualHost>:

Alias /webdav/ "/home/webdav/"
<Directory /home/webdav>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride AuthConfig
  Order allow,deny
  allow from all
</Directory>
DavLockDB /tmp/DavLock
RewriteEngine On
RewriteRule ^/webdav$ /webdav/ [R=301]
<Location /webdav>
  Dav On
  AuthName DAV
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPBindDN cn=USERNAMEHERE
  AuthLDAPBindPassword PASSWORDHERE
  Require ldap-group cn=All,ou=Groups,dc=DOMAIN,dc=TLD
</Location>
<Location /webdav/one>
  AuthName DAV
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPBindDN cn=USERNAMEHERE
  AuthLDAPBindPassword PASSWORDHERE
  Require ldap-group cn=One,ou=Groups,dc=DOMAIN,dc=TLD
</Location>
<Location /webdav/two>
  AuthName DAV
  AuthType Basic
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" NONE
  AuthLDAPGroupAttributeIsDN on
  AuthLDAPBindDN cn=USERNAMEHERE
  AuthLDAPBindPassword PASSWORDHERE
  Require ldap-group cn=Two,ou=Groups,dc=DOMAIN,dc=TLD
</Location>
- /etc/init.d/apache2 restart
At this point (provided you changed DOMAIN, TLD, USERNAMEHERE, and PASSWORDHERE in the above example), you should be able to point a browser to http://yourserver/webdav and it will prompt you for your username and password. To Apache, /webdav and /webdav/ are different URLs, but most users won’t know that, hence the redirect. After you authenticate, provided you are in groups “One” and “Two”, you should see three folders (one, two, and public). If you are not in all the groups, you will neither see nor be able to access the restricted folders (except public, which all authenticated users can see and access).
If you’re using a Mac, you can use Finder > Go > Connect To Server with the same URL. You should be able to simply drag and drop files on and off, like you would with any other type of share. All directories of which you’re a group member, except the base (/webdav/; that was the ‘chmod a-w’ line), should be writable. You can open files and edit them directly from the WebDAV share too.
Piece of cake, eh? Without clear and concise instructions (such as the above) it took me less than two hours to research, figure out, and implement. If you can follow the instructions and have some idea what you are doing, you should be able to get WebDAV shares up and running in less than 30 minutes (and that’s on the outside).
NOTE: You cannot use digest authentication with this setup; you MUST use basic authentication, which sends passwords in clear text. If this is internet accessible, I highly recommend putting your WebDAV share behind SSL.
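As an added example (not from the original post), here is the /webdav location from above with the SSL hardening the note recommends: plain-HTTP requests are redirected to HTTPS before any credentials are sent, Basic auth is refused unless TLS is active, .htaccess overrides are disabled in the share, and the bind to OpenDS is upgraded with StartTLS. The CA certificate path and the service-account bind DN are placeholders.

```apache
# Added example: TLS-hardened variant of the /webdav location above (Apache 2.2 syntax).
# Assumptions: mod_ssl is enabled (a2enmod ssl) and /etc/ssl/certs/opends-ca.pem is a
# placeholder path for the CA certificate that signed the OpenDS server certificate.

# Server-level (outside any VirtualHost): trust the OpenDS CA so StartTLS verification succeeds.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/opends-ca.pem
LDAPVerifyServerCert On

# Plain-HTTP vhost: send every /webdav request to HTTPS instead of serving it.
# The rewrite runs before authentication, so no Basic header ever crosses the wire in clear text.
<VirtualHost *:80>
  RewriteEngine On
  RewriteRule ^/webdav/?(.*)$ https://%{SERVER_NAME}/webdav/$1 [R=301,L]
</VirtualHost>

# HTTPS vhost: the same share, with Basic auth only accepted over TLS.
<VirtualHost *:443>
  SSLEngine On
  Alias /webdav/ "/home/webdav/"
  DavLockDB /tmp/DavLock
  <Directory /home/webdav>
    Options Indexes FollowSymLinks MultiViews
    # None, not AuthConfig: a writable share must not let an uploaded .htaccess change auth rules.
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
  <Location /webdav>
    # Reject any non-TLS request to this location outright.
    SSLRequireSSL
    Dav On
    AuthName DAV
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # STARTTLS upgrades the port-389 connection; alternatively use ldaps://...:636 with SSL.
    AuthLDAPURL "ldap://127.0.0.1:389/ou=People,dc=DOMAIN,dc=TLD?uid?sub?(objectClass=*)" STARTTLS
    AuthLDAPGroupAttributeIsDN on
    # Placeholder for a read-only service account; do not bind as a directory administrator.
    AuthLDAPBindDN "cn=apache-bind,ou=Services,dc=DOMAIN,dc=TLD"
    AuthLDAPBindPassword PASSWORDHERE
    Require ldap-group cn=All,ou=Groups,dc=DOMAIN,dc=TLD
  </Location>
</VirtualHost>
```

The per-share <Location /webdav/one> and <Location /webdav/two> blocks from the post go inside the same *:443 vhost unchanged; they inherit SSLRequireSSL from the parent location.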
I’ve configured 2 Windows 7 client machines (32bit Pro & 64bit Ultimate) to authenticate with my Apache webdav server under Digest authentication. It’s really smooth when it works right, but the rewrite rules ruined me for ages; I thought it was M$’s fault too until I got it working…
I’ve now got it so that any login request gets automatically redirected through SSL, and it uses digest authentication too. I haven’t had the time to configure LDAP authentication yet, but will do when I get the chance, with this tutorial :)
Here are the Apache settings I’ve got for my DAV location now, although I have these scattered across a few files and not all settings are essential:
ProxyRequests Off
SSLProxyEngine on
ServerName example.com
RewriteEngine On
UseCanonicalName on
ProxyVia on
RewriteRule ^/webdav/?(.*)$ https://%{SERVER_NAME}:443/webdav/$1 [R=301,NC,L]
# Needs to be owned by the web server user.
DavLockDB "/path/to/DavLock"
RewriteLog /var/log/apache2/dav.rewrites.log
# Favourite level for debugging rewrite rules.
RewriteLogLevel 6
Alias /webdav /path/to/davshare
Order allow,deny
Allow from all
AllowOverride None
Options +Indexes +FollowSymLinks +Includes +MultiViews
## These IndexOptions aren't necessary, but are useful if this is a DavSVN share with a custom xsl.
IndexOptions +FancyIndexing
IndexOptions +XHTML
IndexOptions +TrackModified
IndexOptions +SuppressHTMLPreamble
IndexOptions +FoldersFirst
IndexOptions +IgnoreCase
IndexIgnore .DAV*
IndexIgnore ._*
IndexOptions Type=text/html
# Only works with DavSVN. URI
HeaderName /styles/svn.xsl
Dav on
# SUBVERSION STUFF. Needs an SVN client though (TortoiseSVN is good). Dav on its own can be mapped as a network drive, which works through VPN.
#Dav svn
#SVNPath /path/to/svnrepos/webdav
#SVNListParentPath On
#SVNAutoversioning On
#AuthzSVNAccessFile /path/to/SVN/authz
#SVNIndexXSLT /styles/repos.xsl
# AUTHENTICATION
AuthType Digest
# Needs to be identical to the realm in AuthUserFile.
AuthName "My authentication realm"
AuthDigestDomain /webdav https://example.com/webdav https://example.com/svnrepos
AuthDigestProvider file
AuthUserFile "/Library/WebServer/.digestpassword"
# SSL ENFORCEMENT
SSLOptions FakeBasicAuth StrictRequire
SSLRequireSSL
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
Allow from all
Satisfy Any
# DAV PERMISSIONS
Require valid-user
I have configured WebDAV on my Apache2 server and it works fine.
But… Mac users keep generating .Files, and some MS Office versions leave other unwanted temporary files.
So I tried to hide these files by adding an option like IndexIgnore .htaccess .* *~ ~*
Result: when I access the WebDAV folder with any web browser, the unwanted files do not show up.
But when I access it through Windows 7 Explorer (mapped drive), all files show up.
Is this a bug, or a misconfiguration?
Is there a workaround?
Hmmm… Digest Authentication not allowed.
The problem is that Windows Vista and 7 will only talk to webDAV with Digest authentication.
This means that currently Apache + LDAP + WebDAV is not usable with Windows clients except for a registry hack.
http://www.webdavsystem.com/server/documentation/authentication/basic_auth_vista
Yea, I tried Win 7 and covered that in: http://snowulf.com/2010/08/26/webdav-client-windows-7/
From my experiments the Registry hack no longer works in Win7. If someone has different experiences, I’d love to hear it.
I can confirm that the registry hack which some say works – it doesn’t for me. Even with Basic over SSL Win 7 isn’t working.
So until MS gets a patch to change that I have to use a 3rd party webdav client.
My Vista and XP machines work a charm however.
Awesome, not just me. I had a friend link me ( http://www.webdavsystem.com/server/documentation/authentication/basic_auth_vista ) an article about it, says it works for 7, but I’ve not gotten around to trying it. I think it is the same instructions anyways.
Yeah those look like the same instructions that have been making the rounds. It probably works for Vista – but I have that change and on Win7 it doesn’t appear to work.
Unless it’s in a different place in Win7?
But this does not appear on the MS website so can only gather that there is no cure for Win7.
Thank you for your very useful post. If you don’t mind I have related questions on this topic to which I haven’t been finding any solutions.
How can I redirect a specific user to its own user directory after authentication? For example:
from 127.0.0.1/webdav, after user1’s authentication it goes only to its user directory, 127.0.0.1/webdav/user1
Is it possible to do it in LDAP server side?
Thank you.
Theoretically it is possible to do in Apache, and actually quite a fascinating little exercise. I toyed around with it for a little bit this evening, but haven’t quite gotten it down yet (it has to do with the order in which Apache does things). When I figure it out, I’ll let you know.
Ok. From my testing, you cannot flatly redirect a WebDAV request like you can a normal request. I tried:
RewriteRule ^/webdav/home/$ /webdav/home/%{LA-U:REMOTE_USER}/ [R=302]
It does work in a web browser, but not in say Ubuntu’s “Connect to server”. RFC 4437 is all about WebDAV redirects, and the short version is that it isn’t the standard way. As of yet, I don’t know how to make Apache’s mod_rewrite do WebDAV compatible redirects.
You can, however, repoint /webdav/home/ on a per user basis using:
RewriteRule ^/webdav/home/(.*) /webdav/share/home/%{LA-U:REMOTE_USER}/$1
When you bring that up in any client, it will show you ONLY the contents of /webdav/share/home/Jon/ (if my username were “Jon”). If you log in as a different user, it will only show that user’s files. Nifty trick; you just need to make sure the folders exist in advance.
Thank you for your reply. Indeed, it is not working with “Connect to server”, nor with other WebDAV clients (I have one, called CADAVER).
But, yes, it works well in a web browser.
Anyway, thank you for your suggestions. It gave me new approach and I will try other options with this.