
Written by Mr. Sontaya Photibut Friday, 13 November 2009 09:32

Install WebDAV over SSL using LDAP Authentication with Apache2 on SUSE Linux

WebDAV (Web-based Distributed Authoring and Versioning) is a web-based mechanism that lets users edit or manage files themselves by connecting remotely to the WebDAV machine.

So why WebDAV or Web Folders?
- Files can be accessed from anywhere, and access rights are easy to set.
- Files can be accessed directly from a web browser.
- Two users cannot edit the same file at the same time.
- It is secure, because it can be configured to run over SSL encryption.
- File access is supported from Windows, Linux, Mac OS X, and so on.

1. Create a directory for the WebDAV lock database

$ mkdir -p /var/lib/apache2/dav
$ chown wwwrun.www /var/lib/apache2/dav

Create a user:
$ htpasswd2 -c /etc/apache2/dav_users <your username>
$ chmod 755 /etc/apache2/dav_users
Create the web directory:
$ mkdir /srv/www/webdav
$ chown wwwrun.www /srv/www/webdav

2. Enable the DAV modules

$ vi /etc/sysconfig/apache2
- add dav and dav_fs to the APACHE_MODULES variable.

Create the dav config file:
$ vi /etc/apache2/conf.d/dav.conf

<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DavLockDB /var/lib/apache2/dav/lockdb
</IfModule>

<IfModule mod_dav.c>
# XML request bodies are loaded into memory;
# limit to 128K by default
LimitXMLRequestBody 131072

# Location of the WebDAV repository.
Alias /webdav "/srv/www/webdav"

<Directory /srv/www/webdav>
# Enable WebDAV for this directory
Dav On
Options +Indexes
IndexOptions FancyIndexing
AllowOverride All
AddDefaultCharset UTF-8
AuthType Basic
AuthName "WebDAV Server"

# Password file created in step 1 with: htpasswd2 -c /etc/apache2/dav_users <username>
AuthUserFile /etc/apache2/dav_users
# Any user listed in the password file may access the repository
Require valid-user
Order allow,deny
Allow from all
</Directory>
</IfModule>

#Example dav conf: /usr/share/doc/packages/apache2/original/extra/httpd-dav.conf

Reload Apache:
$ rcapache2 reload

3. Test

Access from browser:

http://IP Address/webdav

- Now you can access the WebDAV directory.

Access from command line:
- Install package "cadaver" (webdav client) from YaST.
$ cadaver http://192.168.1.100/webdav
Authentication required for WebDAV Server on server `192.168.1.100':
Username: sontaya
Password:
dav:/webdav/>


4. Create a WebDAV Server Certificate

Generate an encrypted key:

4.1). If you want to enter the passphrase at boot time (when starting your web server)
$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

4.2). If you don't want to enter the passphrase at boot time, write a copy of the key without it
$ openssl rsa -in server.key -out server.key.unsecure


5. Create Certificate
$ openssl req -nodes -new -keyout server.key -out webdav-server.csr

Request a server certificate from CAcert.org:
Login:
http://www.cacert.org

No account? Register:
https://www.cacert.org/index.php?id=1

Verify your account from the e-mail you receive.

$ cat webdav-server.csr
- copy the contents

After logging in, select the Server Certificates menu > New > paste the contents of webdav-server.csr > Submit
You will receive a certificate by mail (verify your domain first).

$ cp server.key /etc/apache2/ssl.key/
$ cp server.crt /etc/apache2/ssl.crt/


6. Import Certificate

Import CAcert's root certificates (details arrive by mail):
$ wget http://www.cacert.org/certs/class3.crt
$ wget http://www.cacert.org/certs/root.crt

$ mv class3.crt ca.crt
$ cp ca.crt root.crt /etc/apache2/ssl.crt/

$ vi server.ca
"Save"


Replace server.key in /etc/apache2/ssl.key/
and server.crt in /etc/apache2/ssl.crt/
with your server.key.unsecure and server.crt.

$ cp server.key /etc/apache2/ssl.key/
$ cp server.crt /etc/apache2/ssl.crt/
$ cp server.key.unsecure /etc/apache2/ssl.key/server.key


7. Apache SSL config

$ cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
$ vi /etc/apache2/vhosts.d/vhost-ssl.conf
uncomment the SSLCertificateChainFile and SSLCACertificatePath lines.

$ vi /etc/sysconfig/apache2
APACHE_SERVER_FLAGS="-DSSL"

Restart apache2:
$ rcapache2 restart

8. Test access from a browser (Konqueror)

- Open Konqueror, which supports the webdavs protocol

Type webdavs://IP Address/webdav

Or open Mozilla Firefox
and type https://IP Address/webdav

Example certificate (screenshot)

9. Configure Apache LDAP Authentication

Enable the ssl and authnz_ldap modules:
$ a2enmod ssl
$ a2enmod authnz_ldap

Or edit the file "/etc/sysconfig/apache2"
- add ssl and authnz_ldap to the APACHE_MODULES variable.

Edit dav file config:
$ vi /etc/apache2/conf.d/dav.conf

##Start##
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DavLockDB /var/lib/apache2/dav/lockdb
</IfModule>

<IfModule mod_dav.c>
# XML request bodies are loaded into memory;
# limit to 128K by default
LimitXMLRequestBody 131072

# Location of the WebDAV repository.
Alias /webdav "/srv/www/webdav"
<Directory /srv/www/webdav>
# Enable WebDAV for this directory
Dav On
# Require an SSL connection so the Basic-auth password is not sent in the clear.
SSLRequireSSL
AuthBasicProvider ldap
# Basic password authentication (protected by SSLRequireSSL above)
AuthType Basic
# The name of the protected area or "realm"
AuthName "WebDAV LDAP Authorization"
# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# The URL below searches all objects recursively below the basedn (default sub scope)
# and validates the login name against the uid attribute
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)

# LDAP Authentication & Authorization is final; do not check other databases
AuthzLDAPAuthoritative on
# The directory requires an authenticating DN to read records
# This is the DN used to bind to the directory service
AuthLDAPBindDN cn=Administrator,dc=company
# This is the password for the AuthLDAPBindDN user
AuthLDAPBindPassword ********
# Require authentication for this Directory
Require valid-user
Require ldap-group cn=grp_branches,ou=group,dc=company
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</IfModule>
##End##
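As an added example (not part of the original howto), the following Python script parses an AuthLDAPURL in the scheme://host:port/basedn?attribute?scope?filter format described in the comments above and builds the per-login search filter. It assumes the documented defaults (attribute uid, scope sub, filter (objectclass=*)), escapes the login name as RFC 4515 requires (a standard precaution, not a description of mod_authnz_ldap internals), and flags whether the scheme is ldaps, since with plain ldap:// the bind DN password and every user's password cross the network to the directory unencrypted.

```python
"""Parse an Apache AuthLDAPURL and derive the search filter used for a login."""
from urllib.parse import urlsplit

# Characters that must be escaped inside an LDAP search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url):
    """Return the components of an AuthLDAPURL as a dict.

    Defaults follow the AuthLDAPURL documentation: attribute 'uid',
    scope 'sub' (a 'base' scope is treated as 'sub'), filter '(objectclass=*)'.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps: %r" % parts.scheme)
    # urlsplit puts everything after the first '?' into .query; an LDAP URL
    # uses '?' as its field separator, so split the remaining fields here.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attribute, scope, filt = fields[:3]
    scope = scope.lower() or "sub"
    if scope == "base":
        scope = "sub"
    if scope not in ("sub", "one"):
        raise ValueError("unsupported scope: %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": parts.path.lstrip("/"),
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": filt or "(objectclass=*)",
        # ldap:// carries the bind password and user passwords in clear text
        "encrypted": parts.scheme == "ldaps",
    }


def user_search_filter(url, username):
    """Combine the URL filter with the login attribute: (&(filter)(attr=user))."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                             escape_filter_value(username))


if __name__ == "__main__":
    # Constructed sample: the AuthLDAPURL used in dav.conf above.
    URL = "ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)"
    print(parse_auth_ldap_url(URL))
    print(user_search_filter(URL, "sontaya"))
```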



Test:
$ cadaver https://IP Address/webdav


10. Setting Share Directory

- Create a group named grp_branches in LDAP, then add users to the grp_branches group.

Create directory:
$ mkdir /srv/www/webdav/branches
$ mkdir /srv/www/webdav/branches/pattaya

Set permissions
$ chmod 770 /srv/www/webdav
$ chmod 755 /srv/www/webdav/branches -R

Create .htaccess
$ vi /srv/www/webdav/branches/pattaya/.htaccess
Satisfy all
Order deny,allow
Deny from all
Allow from all
AuthType Basic
AuthName "WebDAV LDAP Authorization"
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=Administrator,dc=company
AuthLDAPBindPassword ********
Require ldap-user sontaya.photibut

Explanation: only the user sontaya.photibut is allowed to access the pattaya folder.
Other users cannot see the pattaya folder; they can only access the branches folder.


11. Test

Test creating a connection in GNOME:
Open a File Browser window > File > Connect to Server

As shown in the figure, you are prompted to authenticate three times in total:
1. Authentication to access WebDAV
2. Authentication to access WebDAV/branches
3. Authentication to access WebDAV/branches/pattaya

Note: if you use a web browser, you are asked to authenticate only once.
If you connect with the davs:// protocol, users can edit files,
but if you connect over http or https, users cannot edit files because of the permissions we set.

Tips:
- Client machines that connect to WebDAV must set the browser proxy to "No proxy for:" the WebDAV server's IP address.
If your Squid does not use authentication, this setting is not needed. "No proxy for" is set because WebDAV talks over ports 80 and 443,
which go through the proxy; without it you are prompted to authenticate to Squid (the proxy) first and then to WebDAV again.


Troubleshooting:

- Log file
$ tail -f /var/log/apache2/error_log

1. Error: Could not access /webdav/ (not WebDAV-enabled?):
Solution: Change the permissions of the password file
$ chmod 755 /etc/apache2/dav_users


2. Error: Client denied by server configuration:
Solution: Make the default permissions less restrictive with this instead.
<Directory />
AllowOverride None
Order Deny,Allow
</Directory>

3. Error: Directory index forbidden by Options directive:
Solution: Enable the autoindex module and set
Options Indexes FollowSymLinks MultiViews

4. Error: Permission denied: .htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
Solution: Check the directory permissions

5. Error: [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Solution: Disable AppArmor from YaST.




