Aug 04 2011
 

This is an article of mine, originally published on Wazi

Apache is the world's most popular web server. Its usual job is serving websites, but it can also be used to provide other services.

In this tutorial we'll set up Apache with WebDAV and LDAP authentication to build a file server that grants each user read/write access, read-only access, or no access at all, depending on the groups the user belongs to in LDAP.

How can you use it?

A file server like this is easy to use from Windows, Mac or Linux: files can be accessed from any web browser or from any program that speaks the WebDAV protocol. For example, you could keep your group calendar there and update it with Lightning (the Thunderbird calendaring extension), so that every member of the group stays in sync; or you can use it as a basic document repository where you put your documents and PDFs and share them within your company (or outside, if you want).

Another common use is to serve a version control repository (Subversion, Git or Mercurial) over DAV.

This guide is based on Debian 6, so all packages used and tested are those present today in that distribution. If you use other distributions you’ll probably have small differences in versions or location of configuration files, but the configuration itself and all the principles can be used on any GNU/Linux distribution.

I'm using OpenLDAP as the LDAP server, but any server that speaks the standard protocol (Microsoft Active Directory included) should work. Setting up the LDAP server itself is outside the scope of this guide, so I assume you already have the server and your users ready. I'll show you how I've classified my users into groups to give them different permissions.

Conventions:

Lines in pre-formatted text starting with # are commands run as root on the Debian server.

Lines in pre-formatted text without a leading # are command output or configuration.

Setting up the file system for our documents

We'll keep our documents in a dedicated directory on the server, owned by the user Apache runs as (www-data on Debian) so that the server can write to it:

# mkdir /documents
# chown www-data:www-data /documents

Keep the directory mode tight (750 is enough, since only Apache needs access): every file uploaded through DAV is created by www-data, and any other local account that can read /documents bypasses the LDAP authorization entirely.

OpenLDAP Structure

The OpenLDAP tree used in this guide looks like this:

c=it
 |
 o=mycompany
    |
    ou=Users
    |   |
    |   cn=User1
    |   cn=User2
    |   ...
    ou=Groups
        |
        cn=doc-admins
        cn=doc-users

All the users are stored under the subtree ou=Users,o=mycompany,c=it; each user is an inetOrgPerson entry, and its uid attribute holds the login name that Apache will look up.

The groups are stored under ou=Groups,o=mycompany,c=it as groupOfNames entries, whose member attribute holds the full DN of each member (for example member: cn=User1,ou=Users,o=mycompany,c=it). Users in doc-admins will be able to read and write documents, while users in doc-users will only be able to read them. The fact that membership is recorded as a DN rather than as a bare username is what the AuthLDAPGroupAttributeIsDN and AuthLDAPGroupAttribute directives in the Apache configuration reflect later on.

You also need a dedicated service account in LDAP for Apache to bind as; it only needs read access to the users and groups subtrees (it never writes, and it never needs to see password hashes). Mine is:

dn: cn=doc-reader,o=mycompany,c=it
password: SECUREPASS

Its password will be stored in clear text in the Apache configuration, so use a separate account with a password that is not reused anywhere else.

Set up of Apache

If it's not already present, install Apache 2:

# apt-get install apache2

On Debian 6 this installs apache2 2.2.16-6 together with all the modules we need for this project.

Now enable the DAV modules (on Debian the accompanying dav_fs.conf also sets DavLockDB, which mod_dav_fs needs for the LOCK and UNLOCK methods that Windows clients use):

# a2enmod dav_fs
Considering dependency dav for dav_fs:
Enabling module dav.
Enabling module dav_fs.

And enable the LDAP modules as well:

# a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.

Authentication provider

Set up the LDAP authentication provider: create a new file /etc/apache2/conf.d/ldapprov.conf with a configuration like this one:

<AuthnProviderAlias ldap ldap-people-alias>
  AuthLDAPURL ldaps://myldapurl.com:636/ou=users,o=mycompany,c=it?uid?sub?(objectClass=*)
  AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
  AuthLDAPBindPassword SECUREPASS
</AuthnProviderAlias>

This alias will be referenced later in the virtual host to tell Apache where to look for users: the URL says to search under ou=users for the entry whose uid equals the supplied login name, over LDAP-over-TLS (the ldaps:// scheme on port 636). Note that the optional trailing TLS/STARTTLS token of AuthLDAPURL means "StartTLS on a plain-text port" (389 by default) and should not be combined with an ldaps:// URL, which already selects the encrypted port.

If you have multiple branches in your LDAP tree, or multiple LDAP servers, you can define several aliases; for example a second directory with these coordinates:

<AuthnProviderAlias ldap ldap2-people-alias>
  AuthLDAPURL ldaps://myldap2url.com:636/ou=administration,ou=departments,o=mycompany,c=it?uid?sub?(objectClass=*)
  AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
  AuthLDAPBindPassword SECUREPASS
</AuthnProviderAlias>

All the provider aliases can live in the same file. Because that file contains the bind password, make it readable by root only (mode 600): Apache parses its configuration as root before switching to www-data, so the restriction costs nothing.

See http://httpd.apache.org/docs/2.2/mod/mod_authn_alias.html for more information on AuthnProviderAlias.

Virtual Host

Now create the configuration for the new site in /etc/apache2/sites-available/mydoc.com; this will be the main configuration file.

<VirtualHost mydoc.com:80>

   ServerName mydoc.com 
   ServerAdmin [email protected]
   HostnameLookups Off
   UseCanonicalName Off
   ServerSignature Off
   DocumentRoot /var/www/mydoc

   ErrorLog "/var/log/apache2/mydoc-error.log"
   CustomLog "/var/log/apache2/mydoc-access.log" common
   TransferLog "/var/log/apache2/mydoc-transfer.log"

Directives to support WebDAV clients on Windows:

   BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
   BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
   BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
   BrowserMatch "^WebDrive" redirect-carefully
   BrowserMatch "^WebDAVFS" redirect-carefully

   <IfModule mod_headers.c>
    Header add MS-Author-Via "DAV"
   </IfModule>

   <IfModule mod_encoding.c>
           EncodingEngine on
           NormalizeUsername on
   </IfModule>

End of directives to support Dav with Windows.

   DavMinTimeout 600

   Alias /mydoc /documents
   <Location /mydoc>
      Options +Indexes
      IndexIgnore ..
      IndexOptions -IconsAreLinks NameWidth=* FancyIndexing SuppressLastModified FoldersFirst
      IndexOrderDefault Ascending Name
      Dav On
      AuthName "WEBDAV: insert your username and password"
      AuthType Basic
      AuthBasicAuthoritative off
      AuthBasicProvider ldap-people-alias
      AuthzLDAPAuthoritative on
      AuthLDAPGroupAttributeIsDN on
      AuthLDAPGroupAttribute member
      AuthLDAPURL ldaps://myldapurl.com:636/ou=groups,o=mycompany,c=it
      AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
      AuthLDAPBindPassword SECUREPASS

      # Read/write access: every method that is not one of the four read
      # methods below (PUT, DELETE, MKCOL, MOVE, COPY, PROPPATCH, LOCK,
      # UNLOCK, POST and any method not listed at all) requires doc-admins
      <LimitExcept GET HEAD OPTIONS PROPFIND>
          Require ldap-group cn=doc-admins,ou=groups,o=mycompany,c=it
      </LimitExcept>

      # Read-only access: both groups may read (several Require lines handled
      # by the same provider are OR'ed); without the first line a doc-admin
      # who is not also in doc-users would be refused GET
      <Limit GET HEAD OPTIONS PROPFIND>
          Require ldap-group cn=doc-admins,ou=groups,o=mycompany,c=it
          Require ldap-group cn=doc-users,ou=groups,o=mycompany,c=it
      </Limit>
   </Location>
</VirtualHost>

Explanation of the configuration:

Apache authenticates each request through the provider alias defined earlier, binding to LDAP as cn=doc-reader,o=mycompany,c=it (which has read access to the whole tree) to find the user's entry and verify the password. The interesting part is the pair of <LimitExcept> and <Limit> blocks, which apply different Require rules depending on the HTTP method. The read-only methods (GET, HEAD, OPTIONS and PROPFIND, the last being how a DAV client lists a collection) are granted to the read group, and every other method, DAV write operations such as PUT, MKCOL, DELETE, MOVE and COPY included, is granted only to doc-admins. Putting the write rule in <LimitExcept> rather than enumerating write methods in a <Limit> block is deliberate: any method not on the read list, including ones you did not think of, falls under the stricter rule. Note that the read-only block must grant both groups (or doc-admins must also be members of doc-users): with AuthzLDAPAuthoritative on, a user who matches no Require line in the applicable block is refused.

Two things this configuration does not do, and which you should do before exposing the share beyond a trusted network: serve the site over HTTPS (mod_ssl), because Basic authentication sends the username and password merely base64-encoded on every request; and make sure mod_ldap verifies the LDAP server's certificate (LDAPVerifyServerCert, on by default, needs a CA configured with LDAPTrustedGlobalCert), otherwise the ldaps:// connection resists eavesdropping but not a spoofed directory.

The directive AuthLDAPGroupAttributeIsDN tells Apache to use the distinguished name of the authenticated user when checking group membership; otherwise the bare username is used. For example, assume the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson,o=Airius. With the directive on, mod_authnz_ldap checks whether the group has cn=Babs Jenson,o=Airius as a member; with it off, it checks whether the group has bjenson as a member. Our groups are groupOfNames entries whose member values are DNs, so it must be on.

The directive AuthLDAPGroupAttribute names the attribute(s) of the group entry that hold its members; groupOfNames uses member (the module's default list is member and uniquemember).
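The following is an added example, not configuration from the original article: the same share deployed the way a practitioner would today, served only over HTTPS (plain HTTP just redirects), with the LDAP server's certificate verified, and written in Apache 2.4 authorization syntax, since the 2.2 series shipped with Debian 6 is no longer maintained. Hostnames, DNs and the bind account are the ones used in this guide; the certificate and CA file paths are assumptions, and the 2.4 Require / RequireAny directives replace the 2.2 AuthzLDAPAuthoritative and Order/Allow directives. It assumes ssl, headers, dav_fs and authnz_ldap have been enabled with a2enmod.

```apache
# Added example, not from the original article. Apache 2.4 syntax.
# Certificate and CA paths below are assumptions; adjust to your hosts.

# Server-wide (mod_ldap): verify the directory's certificate, otherwise
# ldaps:// protects against sniffing but not against a spoofed LDAP server.
# (assumed path)
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corporate-ca.pem
LDAPVerifyServerCert On

# Authentication provider: ldaps:// already means LDAP-over-TLS on 636,
# so no trailing TLS token. Keep this file root-readable only.
<AuthnProviderAlias ldap ldap-people-alias>
    AuthLDAPURL "ldaps://myldapurl.com:636/ou=users,o=mycompany,c=it?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "cn=doc-reader,o=mycompany,c=it"
    AuthLDAPBindPassword SECUREPASS
</AuthnProviderAlias>

# Plain HTTP only redirects: Basic credentials must never travel in clear.
<VirtualHost *:80>
    ServerName mydoc.com
    Redirect permanent / https://mydoc.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName mydoc.com
    ServerSignature Off
    DocumentRoot /var/www/mydoc

    SSLEngine on
    # (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/mydoc.com.pem
    SSLCertificateKeyFile /etc/ssl/private/mydoc.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    Header always set Strict-Transport-Security "max-age=31536000"

    ErrorLog  /var/log/apache2/mydoc-error.log
    CustomLog /var/log/apache2/mydoc-access.log combined

    # Windows Mini-Redirector wants this header; LOCK/UNLOCK work because
    # Debian's dav_fs.conf already sets DavLockDB.
    Header add MS-Author-Via "DAV"
    DavMinTimeout 600

    Alias /mydoc /documents
    <Location /mydoc>
        Dav On
        Options +Indexes
        AuthType Basic
        AuthName "WEBDAV: insert your username and password"
        AuthBasicProvider ldap-people-alias
        AuthLDAPURL "ldaps://myldapurl.com:636/ou=groups,o=mycompany,c=it"
        AuthLDAPBindDN "cn=doc-reader,o=mycompany,c=it"
        AuthLDAPBindPassword SECUREPASS
        # groupOfNames stores members as DNs
        AuthLDAPGroupAttribute member
        AuthLDAPGroupAttributeIsDN on

        # Everything that is not a read method (PUT, DELETE, MKCOL, MOVE,
        # COPY, PROPPATCH, LOCK, UNLOCK, POST and any unlisted method)
        # needs doc-admins. Unlisted methods fall on the strict side.
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require ldap-group cn=doc-admins,ou=groups,o=mycompany,c=it
        </LimitExcept>

        # Read methods: either group. In 2.4 the alternatives are spelled
        # out with RequireAny instead of relying on implicit OR.
        <Limit GET HEAD OPTIONS PROPFIND>
            <RequireAny>
                Require ldap-group cn=doc-admins,ou=groups,o=mycompany,c=it
                Require ldap-group cn=doc-users,ou=groups,o=mycompany,c=it
            </RequireAny>
        </Limit>
    </Location>
</VirtualHost>
```

The authorization logic is unchanged from the 2.2 configuration above: the method decides which Require block applies, and the <LimitExcept> block is the default that catches anything not explicitly treated as read-only. What changes is the transport: credentials and documents now only cross the wire inside TLS in both directions, from the client to Apache and from Apache to the directory.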

Testing the configuration

Everything is configured, so enable the site (a2ensite mydoc.com), check the syntax with apache2ctl configtest, and start Apache to test our DAV repository:

# /etc/init.d/apache2 start (or restart if it's already running)

Now point a DAV client at http://mydoc.com/mydoc and test with a read/write user and a read-only user: the read-only user should be able to list and download files but get an error when uploading, creating a folder or deleting, and a user who is in neither group should be refused entirely.

On Linux a command-line tool to test WebDAV is cadaver. If you prefer a GUI, Konqueror can open WebDAV URLs as "webdav://..." or "webdavs://...", and under GNOME Nautilus can do the same.

On Windows, Internet Explorer supports WebDAV from XP onwards: Internet Explorer → Open Location → http://mydoc.com/mydoc, tick [x] Open as Web Folder, and log in.

Debug

If you have problems, the first thing to check is Apache's error log, /var/log/apache2/mydoc-error.log; it should indicate what is wrong.

If the problem is in the authentication or authorization phase, you can add this location to your virtual host; requesting it shows mod_ldap's connection and cache status, with details of what goes on between Apache and your LDAP server:

<Location /cache-info>
   SetHandler ldap-status
   Order deny,allow
   Allow from localhost
</Location>

Access to this location is limited to localhost, so you need a browser on the server itself (on a headless machine use the text browser w3m), or else replace localhost with your own IP address. The status page lists cached usernames and DNs, so keep the restriction in place and remove the location once you are done debugging.

Conclusions

With WebDAV and an authentication backend you can easily set up a good, flexible and resilient web solution to hold and share your files with Apache. In this guide I've used LDAP for authentication, but a database such as MySQL or Oracle (through mod_authn_dbd) works too; and if you don't have a suitable user base you can use two flat files, one for users (AuthUserFile) and one for groups (AuthGroupFile).

At the moment I'm enjoying this solution for calendar sharing and document sharing, and it makes both Linux and Windows users happy.

References:

Apache mod_authnz_ldap http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapgroupattributeisdn

Apache Mod_Dav http://httpd.apache.org/docs/2.2/mod/mod_dav.html
