If your organization hosts websites, chances are you're using Apache, the world's most popular web server. Apache has many advanced capabilities that administrators can implement. Here's how you can integrate Apache with DAV (Distributed Authoring and Versioning) to create a file server, along with LDAP (Lightweight Directory Access Protocol) to check your users' profiles for permission to read or write files.
This sort of Apache file server can run on top of Windows, Mac OS X, or Linux. Users can access files natively through the operating system, from the Web with any browser, or with programs that support the DAV protocol. You can use this technique for something like a basic documentation system, where you share your documents with both internal and external users. You could also use this kind of repository as a version control system with Subversion, Git, or Mercurial.

In this example I'm installing all the applications under Debian 6. If you use another distribution you'll probably find small differences in versions or in the location of configuration files, but the configuration itself and all the principles apply to any GNU/Linux distribution. I'm using OpenLDAP as the LDAP server, but any LDAP server that supports the standard protocol (even Microsoft Active Directory) should work. I'll assume you already have your LDAP server set up.

In the example code below, lines starting with # are commands given as root on the Debian server, while lines without the leading # are the output of commands or configuration lines.

To begin, we'll create a document directory on the server and give Apache permission to write in it:
# mkdir /documents
# chown www-data. /documents
The LDAP tree used in this example looks like this:

c=it
  o=mycompany
    ou=Users
      cn=User1
      cn=User2
      ...
    ou=Groups
      cn=doc-admins
      cn=doc-users
All the users are stored in the subtree ou=users,o=mycompany,c=it using the objectClass inetOrgPerson for their attributes. The groups are stored in the subtree ou=groups,o=mycompany,c=it. Users that belong to the group doc-admins will be able to read and write documents, while users in the group doc-users will be able only to read the documents. For the groups I use the objectClass groupOfNames, whose member attribute holds the full DN of each member.
You also need a dedicated LDAP user (the account Apache will bind with) that has read-only permission on the whole tree:
dn: cn=doc-reader,o=mycompany,c=it
password: SECUREPASS
If it's not already set up on your server, you can install Apache 2 with the command:
# apt-get install apache2
Then enable Apache's DAV and LDAP modules:
# a2enmod dav_fs
Considering dependency dav for dav_fs:
Enabling module dav.
Enabling module dav_fs.
# a2enmod authnz_ldap
Considering dependency ldap for authnz_ldap:
Enabling module ldap.
Enabling module authnz_ldap.
To set up the authentication provider for LDAP, create a new file called /etc/apache2/conf.d/ldapprov.conf and enter a configuration like this one:
<AuthnProviderAlias ldap ldap-people-alias>
    AuthLDAPURL ldaps://myldapurl.com:636/ou=users,o=mycompany,c=it?uid?sub?(objectClass=*) TLS
    AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
    AuthLDAPBindPassword SECUREPASS
</AuthnProviderAlias>
We'll reference this alias later to tell Apache where to look up users.
If you have multiple branches in your LDAP tree, or multiple LDAP directories that you want to use, you can have multiple blocks in your configuration file. For example, you could refer to a second LDAP directory this way:
<AuthnProviderAlias ldap ldap2-people-alias>
    AuthLDAPURL ldaps://myldap2url.com:636/ou=administration,ou=departments,o=mycompany,c=it?uid?sub?(objectClass=*) TLS
    AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
    AuthLDAPBindPassword SECUREPASS
</AuthnProviderAlias>
You can put all of your authentication providers in the same file. Check the Apache documentation for more info on how to use AuthnProviderAlias.
With LDAP set up on the back end, we can write the Apache virtual host configuration file for the new site mydoc.com in /etc/apache2/sites-available/mydoc.com. Debian 6 ships Apache 2.2, and directives such as AuthzLDAPAuthoritative and Order/Allow below are 2.2 syntax; Apache 2.4 replaced them with mod_authz_core's Require rules, so adjust accordingly if you're on 2.4.
<VirtualHost mydoc.com:80>
    ServerName mydoc.com
    ServerAdmin admin@mydoc.com
    HostnameLookups Off
    UseCanonicalName Off
    ServerSignature Off
    DocumentRoot /var/www/mydoc
    ErrorLog "/var/log/apache2/mydoc-error.log"
    CustomLog "/var/log/apache2/mydoc-access.log" common
    TransferLog "/var/log/apache2/mydoc-transfer.log"
The next block configures Apache to support WebDAV clients on Windows, which need the redirect-carefully workaround and the MS-Author-Via header:
    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "Microsoft-WebDAV-MiniRedir/5.1.2600" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS" redirect-carefully
    <IfModule mod_headers.c>
        Header add MS-Author-Via "DAV"
    </IfModule>
    <IfModule mod_encoding.c>
        EncodingEngine on
        NormalizeUsername on
    </IfModule>
    DavMinTimeout 600
    Alias /mydoc /documents
    <Location /mydoc>
        Options +Indexes
        IndexIgnore ..
        IndexOptions -IconsAreLinks NameWidth=* FancyIndexing SuppressLastModified FoldersFirst
        IndexOrderDefault Ascending Name
        Dav On
        AuthName "WEBDAV: insert your username and password"
        AuthType Basic
        AuthBasicAuthoritative off
        AuthBasicProvider ldap-people-alias
        AuthzLDAPAuthoritative on
        AuthLDAPGroupAttributeIsDN on
        AuthLDAPGroupAttribute member
        AuthLDAPURL ldaps://myldapurl.com:636/ou=groups,o=mycompany,c=it TLS
        AuthLDAPBindDN cn=doc-reader,o=mycompany,c=it
        AuthLDAPBindPassword SECUREPASS
        # Read-write access
        <LimitExcept GET HEAD OPTIONS PROPFIND>
            Require ldap-group cn=doc-admins, ou=groups,o=mycompany,c=it
        </LimitExcept>
        # Read-only access
        <Limit GET PROPFIND OPTIONS HEAD>
            Require ldap-group cn=doc-users, ou=groups,o=mycompany,c=it
        </Limit>
    </Location>
</VirtualHost>
In the configuration file, the directive AuthLDAPGroupAttributeIsDN says to use the distinguished name of the authenticated user when checking for group membership; otherwise the plain username is used. For example, assume that the client sent the username bjenson, which corresponds to the LDAP DN cn=Babs Jenson, o=Airius. If this directive is on, mod_authnz_ldap will check whether the group has cn=Babs Jenson, o=Airius as a member. If it is off, mod_authnz_ldap will check whether the group has bjenson as a member.
The directive AuthLDAPGroupAttribute specifies which attribute of the group entry is searched for the member; here it is member, the attribute groupOfNames uses.
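To make the authorization logic above concrete, here is an added example (my own code, not part of the article and not Apache's implementation) that models what mod_authnz_ldap decides for the <Limit>/<LimitExcept> blocks of the mydoc.com virtual host: the user lookup performed by the AuthLDAPURL on ou=users, the group check with AuthLDAPGroupAttribute member and AuthLDAPGroupAttributeIsDN on or off, and the method-based split between doc-users and doc-admins. The directory is a constructed in-memory LDIF mirroring the article's tree; no LDAP server is contacted, and DN normalization is simplified to trimming and lower-casing. The entry user3, which is in doc-admins but not in doc-users, is a constructed addition that shows what the two Limit blocks do with such a user.

```python
import re

# Constructed LDIF that mirrors the article's tree under o=mycompany,c=it.
# user3 (constructed) is in doc-admins only, to show how the <Limit> blocks treat it.
SAMPLE_LDIF = """\
dn: cn=User1,ou=users,o=mycompany,c=it
objectClass: inetOrgPerson
uid: user1

dn: cn=User2,ou=users,o=mycompany,c=it
objectClass: inetOrgPerson
uid: user2

dn: cn=User3,ou=users,o=mycompany,c=it
objectClass: inetOrgPerson
uid: user3

dn: cn=doc-admins,ou=groups,o=mycompany,c=it
objectClass: groupOfNames
member: cn=User1,ou=users,o=mycompany,c=it
member: cn=User3,ou=users,o=mycompany,c=it

dn: cn=doc-users,ou=groups,o=mycompany,c=it
objectClass: groupOfNames
member: cn=User1,ou=users,o=mycompany,c=it
member: cn=User2,ou=users,o=mycompany,c=it
"""

USER_BASE = "ou=users,o=mycompany,c=it"
ADMIN_GROUP = "cn=doc-admins, ou=groups,o=mycompany,c=it"   # spelled as in the article's Require
USER_GROUP = "cn=doc-users, ou=groups,o=mycompany,c=it"
READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}         # the article's <Limit> method list


def normalize_dn(dn):
    """Simplified DN normalization (assumption, not RFC 4514): drop the optional
    whitespace after commas and lower-case, since cn/ou/o/c compare case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64 values) into
    {normalized dn: {attribute: [values]}}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "dn":
                dn = normalize_dn(value)
            else:
                attrs.setdefault(key, []).append(value)
        directory[dn] = attrs
    return directory


def find_user_dn(directory, base, username):
    """Equivalent of the article's user AuthLDAPURL (...?uid?sub?(objectClass=*)):
    a subtree search under `base` for the entry whose uid equals the login name.
    mod_authnz_ldap needs exactly one hit; anything else fails authentication."""
    base = normalize_dn(base)
    hits = [dn for dn, attrs in directory.items()
            if (dn == base or dn.endswith("," + base)) and username in attrs.get("uid", [])]
    return hits[0] if len(hits) == 1 else None


def in_group(directory, group_dn, username, user_dn, attribute="member", attribute_is_dn=True):
    """Group check with AuthLDAPGroupAttribute / AuthLDAPGroupAttributeIsDN semantics:
    with attribute_is_dn the group's values are compared against the user's DN,
    otherwise against the bare login name."""
    values = directory.get(normalize_dn(group_dn), {}).get(attribute, [])
    if attribute_is_dn:
        return user_dn in {normalize_dn(v) for v in values}
    return username in values


def authorize(directory, username, method):
    """Decision for one request to /mydoc: read methods fall under <Limit> and need
    doc-users; every other method falls under <LimitExcept> and needs doc-admins."""
    user_dn = find_user_dn(directory, USER_BASE, username)
    if user_dn is None:
        return False          # unknown user: Basic authentication already failed
    required = USER_GROUP if method.upper() in READ_METHODS else ADMIN_GROUP
    return in_group(directory, required, username, user_dn)


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for user in ("user1", "user2", "user3", "nobody"):
        print(user, {m: authorize(d, user, m) for m in ("GET", "PROPFIND", "PUT", "MKCOL")})
```

Running it shows that user2 can list and fetch but not write, user1 can do both, and user3, who is only in doc-admins, can PUT but is refused GET and PROPFIND, because the read-only <Limit> block names doc-users alone. The in_group call with attribute_is_dn=False also shows why AuthLDAPGroupAttributeIsDN must be on for groupOfNames: its member values are DNs, so a bare uid never matches them.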
That's all we need to do to configure Apache to use LDAP authentication and DAV. Two things to keep in mind before going live: the read-only <Limit> block only names doc-users, so either put your administrators in doc-users as well or add a second Require ldap-group line for doc-admins inside that block, otherwise a user who is only in doc-admins can write but not read; and because the virtual host uses Basic authentication on port 80, users' LDAP passwords cross the network in cleartext, so serve the share over HTTPS in production. Start Apache with the command # /etc/init.d/apache2 start (or restart it if it's already running). Use a DAV client, go to http://mydoc.com/mydoc, and start testing your read/write and read-only users. If you like the command line, you might use the cadaver client. If you prefer GUIs, KDE's Konqueror and GNOME's Nautilus can open WebDAV URLs via webdav://... or webdavs://... If you use Internet Explorer under Windows, choose Open Location, specify http://mydoc.com/mydoc, choose Open as web folder, and log in.
If you run into any problems, you can easily debug your configuration. First, check Apache's error log at /var/log/apache2/mydoc-error.log. If you have problems in the authentication or authorization phase, add the block below to your virtual host file, restart Apache, try again, and then request the /cache-info location to see what's going on between Apache and your LDAP service (it shows the state of mod_ldap's connection and search caches):
<Location /cache-info>
    SetHandler ldap-status
    Order deny,allow
    Allow from localhost
</Location>
Note that this location is restricted to localhost, so you'll need to use a browser on the server itself (the text-mode browser w3m will do), or else extend the Allow line with your own IP address.
With WebDAV and a method of authentication you can easily set up a good, flexible, and resilient web solution to hold and share your files with Apache. I used LDAP here, but you could also use MySQL or Oracle, or if you don't have any suitable directory service you could use two flat files, one for users and one for the groups. With Apache, LDAP, and DAV, you can share data and documents across platforms and across the Web, making all your users happy.