Koozali.org: home of the SME Server

WebDAV - mod_dav with SME user authentication

mmccarn
« on: May 18, 2006, 07:35:03 PM »
Objectives:
    Create a webdav share on a SME 6.0.1 box
    Control access to the webdav share using the SME user accounts database
    Allow normal browser access (after authentication) for file download

Procedure:

1. Install and configure mod_dav using "How to install mod_dav", written by Laurent Dinclaux.

2. Check the version of Apache on your system and upgrade if necessary
[root@sme root]# httpd -v
Server version: Apache/1.3.35 ( [NORLUG Edition] Red Hat Linux )
Server built:   May  8 2006 08:16:16

If your Apache version is 1.3.31 you should update (in the example above the version is 1.3.35).

You can update by running the entire smeplus.sh script from SME6.0.1Contribs (except that 6.0.1 doesn't see much development any more, so this script may be out of date!)  or you can update Apache using the commands listed below (note that this is simply the Apache update section of smeplus.sh modified to use the current versions of the Apache RPMS...)

mkdir -p /root/plus/apache
cd /root/plus/apache
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/db4-4.0.14-4.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/python2.3-2.3.5-1.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/mod_ssl-2.8.26-1.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/apache-1.3.35-1.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/apache-devel-1.3.35-1.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://mirror.datapipe.net/norlug/redhat-7.3/RPMS/apache-manual-1.3.35-1.norlug.i386.rpm' -a /root/plus/plus.log
wget -nc -nd -S 'http://download.fedoralegacy.org/redhat/7.3/os/i386/compat-glibc-6.2-2.1.3.2.i386.rpm' -a /root/plus/plus.log
echo -n "."

cd /root/plus/apache
rpm -Uvh *.rpm


3. Create a custom template to control webdav directory access rights

pico /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/96AddSecureIbayFolder


Note: In the following example, I have used Laurent Dinclaux's procedure, and have created a webdav Ibay named "webshare".  Replace "webshare" below with the name you have chosen for your webdav ibay.


Add the following content to 96AddSecureIbayFolder:
<Directory /home/e-smith/files/ibays/Primary/html>
        AuthName "anything-you-like"
        Require valid-user
</Directory>

<Directory /home/e-smith/files/ibays/webshare/html/ >
        Options +Indexes
        IndexOptions FancyIndexing IconsAreLinks
        AuthType Basic
        AuthExternal pwauth
        AuthName "Webshare"
        AllowOverride None
        order allow,deny
        allow from all
        Require valid-user
</Directory>


In my case I have also added the section below to the same file, in order to restrict access to the "Admin" folder within my webdav ibay to the two users listed:
<Directory /home/e-smith/files/ibays/webshare/html/Admin >
   Options +Indexes
   IndexOptions FancyIndexing IconsAreLinks
   AuthType Basic
   AuthExternal pwauth
   AuthName "Admin"
   order allow,deny
   allow from all
   AllowOverride None
   Require user mmccarn smoore
</Directory>


4. Expand the template and restart the httpd server:
[root@sme root]# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
[root@sme root]# /etc/e-smith/events/actions/restart-httpd-full


Notes & Explanations
    96AddSecureIbayFolder:  This template is named "96AddSecureIbayFolder" in order to force the template expansion process to put these directives at the end of /etc/httpd/conf/httpd.conf.  Thus, these settings will override all other settings for these directories.
    Primary Ibay:  The first <Directory> section is included solely to override the default "AuthName" and "Require" values for the Primary I-Bay.  I found on my system that until I did this I was prompted to log in to "Primary I-bay" whenever I entered a new directory within my webdav share.  That is, I was able to access "webshare" using Microsoft's Web Folders, I could *create* a new directory, but when I tried to browse the new directory I would be prompted to log in to "Primary I-bay".  I could press <Cancel> at this login prompt and proceed with no problems, but thought that would be confusing to my end users!
    <Directory ....>: Each <Directory...> section indicates the absolute path to the directory you wish to control
    Options +Indexes: instructs Apache to build dynamic directories of any folder that doesn't already contain "index.html" (or another of the default index files for your server).
    IndexOptions FancyIndexing IconsAreLinks: Allow users to sort the autoindex file listing by file size or access date, and allow them to open (download) files by clicking on the icons to the left of each filename
    AuthType Basic: Use Apache's "Basic Authentication" method
    AuthExternal pwauth: Use the external "pwauth" process for authenticating users.  "pwauth" is defined by default on SME 6.0.1 to refer authentication requests to the SME user database
    AuthName "Webshare":  causes the login prompt to ask for a username and password for "Webshare"
    order allow,deny: I don't know how this applies to us
    allow from all: I don't know how this applies to us
    AllowOverride None: This tells Apache to ignore .htaccess files (if there are any)
    Require user username-a username-b: Tells Apache to require that one of the listed users successfully authenticates before allowing access to this <Directory>
    Require valid-user: Tells Apache to allow access for any user that can successfully authenticate.
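
The override order described in the notes above can be checked after step 4 with a small script. This is an added example, not part of the original post: `effective_auth` and `write_sample` are hypothetical helper names, the first sample section is a constructed stand-in for the SME default, and only sections for the exact same path are merged (settings inherited from parent directories are not considered). It also reports whether mod_ssl's SSLRequireSSL is set in those sections, since Basic authentication sends the SME account password only base64-encoded.

```shell
# Added example (not from the original post). effective_auth CONF DIR prints the
# auth settings in effect for DIR. Sections for the same path merge in file
# order, so the last value wins. Assumes one Require line per section.
effective_auth() {
    awk -v want="$2" '
        BEGIN { n = split("AuthType AuthExternal AuthName Require SSLRequireSSL", order, " ")
                for (i = 1; i <= n; i++) canon[tolower(order[i])] = order[i] }
        function clean(p) { sub(/\/+$/, "", p); return p }   # ignore a trailing "/"
        /^[ \t]*#/ { next }                                   # skip comment lines
        /^[ \t]*<Directory[ \t]/ {
            path = $0; sub(/^[ \t]*<Directory[ \t]+/, "", path)
            sub(/[ \t]*>[ \t]*$/, "", path)
            inside = (clean(path) == clean(want)); sections += inside; next
        }
        /^[ \t]*<\/Directory>/ { inside = 0; next }
        inside && (tolower($1) in canon) {
            val = $0; sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)
            cfg[canon[tolower($1)]] = (val == "" ? "yes" : val)
        }
        END {
            if (!sections) exit 1                             # DIR has no section
            print "sections: " sections
            for (i = 1; i <= n; i++)
                print order[i] ": " ((order[i] in cfg) ? cfg[order[i]] : "(unset)")
        }
    ' "$1"
}

# Constructed sample: a stand-in for the SME default Primary section (not the
# real default), followed by the override from 96AddSecureIbayFolder.
write_sample() {
    cat > "$1" <<'EOF'
<Directory /home/e-smith/files/ibays/Primary/html>
    AuthName "Primary i-bay"
    AuthType Basic
    AuthExternal pwauth
    Require user admin
</Directory>
<Directory /home/e-smith/files/ibays/Primary/html>
    AuthName "anything-you-like"
    Require valid-user
</Directory>
EOF
}

conf=$(mktemp) && write_sample "$conf"
effective_auth "$conf" /home/e-smith/files/ibays/Primary/html
rm -f "$conf"
```

On the server, call `effective_auth /etc/httpd/conf/httpd.conf /home/e-smith/files/ibays/Primary/html` after expanding the template; a fragment that sorts before the SME definition would show the SME values instead of yours.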

    kmccarn
    « Reply #1 on: May 19, 2006, 03:06:06 AM »
    WOW - I am truly impressed.

    You must have much more free time than I thought.....

     :-o
    Kevin in WV 8-)......

    mmccarn
    « Reply #2 on: May 19, 2006, 12:45:13 PM »
    Well - I toyed w/ webdav for a year or so, and finally got it working the way I wanted -- I figured "why not put my notes on Contribs?"...

    kmccarn
    « Reply #3 on: May 19, 2006, 12:49:26 PM »
    Well - I tried it - works a treat !!

    Good Job !!
    Kevin in WV 8-)......

    mmccarn
    « Reply #4 on: May 19, 2006, 02:17:32 PM »
    I forgot to mention in my original post that the name and original contents for 96AddSecureIbayFolder came from Ray Mitchell's post here regarding ".htaccess for sme 7.0 alpha4".

    I removed the "<Limit>...</Limit>" sections, as according to what I read from various google searches they were unnecessary for my purposes - since I wanted to "Require..." authorization for *all* access methods.  I suppose it should be possible to add back a <Limit>... section that allows read-only access to some users, while continuing to provide full read/write access for others...

    I changed "AuthUserFile..." to "AuthExternal pwauth" in order to use the SME user database for authentication.  Having done this, I no longer need to create the separate user file using "htpasswd" - but I *do* have to create user accounts in the SME server-manager panel for anyone who will have access to this share.

    I changed the suggested template fragment filename from 50AddSecureIbayFolder to 96AddSecureIbayFolder in order to move the resulting lines further down in the final httpd.conf file.  50AddSecureIbayFolder added the content *above* the SME description of <Directory...../Primary/html>, so my settings for Primary were getting ignored; 96AddSecureIbayFolder adds the content *below* the SME definition for Primary, so my changes override the SME default settings.

    kingjm
    mod dav woes
    « Reply #5 on: December 07, 2006, 08:19:41 PM »
    I am trying to get a .mac of my own to work and need to get mod_dav to authenticate before I move on so that it will be more secure.  I am hoping that you can help me.

    Here is where I have been posting hoping that someone will find this useful and even help figure out what needs to be done.

    http://forums.contribs.org/index.php?topic=34752.msg150825#msg150825

    Thanks