This is an article of mine, originally published on Wazi
Apache is the world’s most popular web server and its normal use is to provide websites on the Web, but sometimes you can use it also to provide other services.
In this tutorial we’ll see how to set up an Apache with DAV and LDAP to create a file server, which according to the user profile on Ldap will give them permission to read, write, or none.
How you can use it?
A file server like this can be used easily from Windows, Mac or Linux; files can be accessed both from the web with any browser or with programs that support the DAV protocol. As an example you could keep your group calendar there and update it with Lighting (a Thunderbird extension for calendaring), and so every member of the group will have his calendar in sync with this method; or you can use it as a basic documentation system where to put your doc, PDF, or any document and share them in your company (or outside if you want).
Another common use is utilizing this repository as a control version system with SVN, Git or Mercurial.
This guide is based on Debian 6, so all packages used and tested are those present today in that distribution. If you use other distributions you’ll probably have small differences in versions or location of configuration files, but the configuration itself and all the principles can be used on any GNU/Linux distribution.
I’m using openLdap as the Ldap server, but any Ldap server that supports the standard protocol (even Microsoft Active Directory) should work, the setup of an Ldap server is not the scope of this guide so I assume that you have the server and your user ready. I’ll show you how I’ve classified my users into groups, to give them different permissions.
Conventions:
Line in pre-formatted text starting with # are commands given as root on the Debian server.
Line in pre-formatted text without the starting # are the output given to commands or configurations.
Set up of the file system for our documents
We’ll put our documents in a particular directory on the server and give permission to Apache to write in it:
# mkdir /documents # chown www-data. /documents |
OpenLDAP Structure
The openLdap used in this guide has a structure like this one:
c=it | o=mycompany | ou=Users | cn=User1 cn=User2 ... ou=Groups | cn=doc-admins cn=doc-users
All the user are mapped into the subtree: ou=users,o=mycompany,c=it, I use the Objectclass InetOrgPerson to map their attributes.
The groups are mapped into the subtree: ou=groups,o=mycompany,c=it, users that belong to the group doc-admins will be able to read and write documents, while users that are into the group doc-users will be able only to read the documents. For the groups I use the ObjectClass: groupOfNames
Also in the LDAP you need a special user with read only permissions on all the tree, for me this is identified by:
dn:cn=doc-reader,o=mycompany,c=it password: SECUREPASS
Set up of Apache
If it’s not present on the server, install apache 2 with the command:
# apt-get install apache2
This will install apache 2.2.16-6 and all modules that we need for this project.
Now we need to enable the dav modules of apache:
# a2enmod dav_fs Considering dependency dav for dav_fs: Enabling module dav. Enabling module dav_fs.
And enable also the LDAP modules of apache:
# a2enmod authnz_ldap Considering dependency ldap for authnz_ldap: Enabling module ldap. Enabling module authnz_ldap.
Authentication provider
Set up of the authentication provider for LDAP, create a new file called /etc/apache2/conf.d/ldapprov.conf and put a configuration like this one:
<AuthnProviderAlias ldap ldap-people-alias> AuthLDAPURL ldaps://myldapurl.com:636/ou=users,o=mycompany,c=it?uid?sub?(objectClass=*) TLS AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it AuthLDAPBindPassword SECUREPASS </AuthnProviderAlias>
This configuration will be used later in the Virtualhost, to tell Apache where to look for users.
If you have multiple branches in your LDAP or multiple LDAPs that you want to use you can have multiple blocks, for example you could have also a second LDAP with these coordinate:
<AuthnProviderAlias ldap ldap2-people-alias> AuthLDAPURL ldaps://myldap2url.com:636/ou=administration,ou=departments,o=mycompany,c=it?uid?sub?(objectClass=*) TLS AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it AuthLDAPBindPassword SECUREPASS </AuthnProviderAlias>
You can put your entire authentication provider in the same file.
Check http://httpd.apache.org/docs/2.2/mod/mod_authn_alias.html for more info on how to use AuthnProviderAlias
Virtual Host
Now we set up the file for your new site, create the file in /etc/apache2/sites-available/mydoc.com, this will be the main configuration file.
<VirtualHost mydoc.com:80> ServerName mydoc.com ServerAdmin [email protected] HostnameLookups Off UseCanonicalName Off ServerSignature Off DocumentRoot /var/www/mydoc ErrorLog "/var/log/apache2/mydoc-error.log" CustomLog "/var/log/apache2/mydoc-access.log" common TransferLog "/var/log/apache2/mydoc-transfer.log"
Configurations to support WebDAV with Windows:
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS" redirect-carefully
<IfModule mod_headers.c>
Header add MS-Author-Via "DAV"
</IfModule>
<IfModule mod_encoding.c>
EncodingEngine on
NormalizeUsername on
</IfModule>
End of directives to support Dav with Windows.
DavMinTimeout 600
Alias /mydoc /documents
<Location /mydoc>
Options +Indexes
IndexIgnore ..
IndexOptions -IconsAreLinks NameWidth=* FancyIndexing SuppressLastModified FoldersFirst
IndexOrderDefault Ascending Name
Dav On
AuthName "WEBDAV: insert your username and password"
AuthType Basic
AuthBasicAuthoritative off
AuthBasicProvider ldap-people-alias
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN on
AuthLDAPGroupAttribute member
AuthLDAPURL ldaps://myldapurl.com:636/ou=groups,o=mycompany,c=it TLS
AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
AuthLDAPBindPassword SECUREPASS
#Readwrite access
<limitexcept GET HEAD OPTIONS PROPFIND>
Require ldap-group cn=doc-admins, ou=groups,o=mycompany,c=it
</limitexcept>
#Read-only access
<limit GET PROPFIND OPTIONS HEAD>
Require ldap-group cn=doc-users, ou=groups,o=mycompany,c=it
</limit>
</Location>
</VirtualHost>
Explanations of the configurations:
With this configuration Apache uses the defined authentication provider to check the authentication of the users. To do this, use the user with DN:cn=doc-reader,o=mycompany,c=it that has read access to all our LDAP, after that there is an interesting part, the limitexcept and limit directives, these are used to differentiate the authorization type that users have depending on their group.
The directive AuthLDAPGroupAttributeIsDN says to use the distinguished name of the client username when checking for group membership. Otherwise, the username will be used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN:cn=Babs Jenson, o=Airius. If this directive is set, mod_authnz_ldap will check if the group has cn=Babs Jenson, o=Airius as a member. If this directive is not set, then mod_authnz_ldap will check if the group has bjenson as a member.
The directive AuthLDAPGroupAttribute specifies which LDAP attributes are used to check for group membership.
Test of the configuration
We have configured everything so now we could just start the apache and test our Dav repository
# /etc/init.d/apache2 start (or restart if it's already running)
Now you can use a Dav client and go to the location http://mydoc.com/mydoc, and start testing your read/write and readonly users.
On Linux a command line tool to test WebDAV is cadaver. If you prefer GUIs, for example, konqueror can open WebDAV URLs as “webdav://…” or “webdavs://…” or under Gnome nautilus can do the same.
If you’re into Windows, from XP onwards Internet Explorer supports WebDAV. For this, do Internet Explorer → Open Location → http://mydoc.com/mydoc [x] Open as webfolder → login .
Debug
If you have problems the first thing to check is the error log of apache: /var/log/apache2/mydoc-error.log, here you should find indications of what’s wrong.
If you have problems with the authentication or authorization phase, you can enable this location in your virtualhost, going there you’ll get more information on what’s going on between Apache and your LDAP:
<Location /cache-info> sethandler ldap-status Order deny,allow Allow from localhost </Location>
Note that this location has access limited to localhost so you’ll need to have a local browser (if it’s a server use the textual browser w3m), or if you cannot do it put your IP instead of localhost.
Conclusions
With WebDav and a method of authentication you can easily set up a good, flexible, and resilient web solution to hold and share your files with Apache. In this guide I’ve used LDAP for the authentication but this could have also been done with Mysql or Oracle; or if you don’t have any suitable user base you can go for 2 flat files, one for users and one for the groups.
At the moment I’m enjoying this solution for calendar sharing and document sharing and this make both Linux and Windows users happy.
References:
Apache Auth_ldap http://httpd.apache.org/docs/2.2/mod/mod_auth_ldap.html#authldapgroupattributeisdn
Apache Mod_Dav http://httpd.apache.org/docs/2.2/mod/mod_dav.html
Popular Posts:
- None Found
