Written by Mr. Sontaya Photibut Friday, 13 November 2009 09:32

Install WebDAV over SSL using LDAP Authentication with Apache2 on SUSE Linux

WebDAV (Web-based Distributed Authoring and Versioning) is an extension of HTTP that lets users edit and manage files on a remote server directly over the web.

So why WebDAV, or Web Folders?
- Files are reachable from anywhere, and access rights are easy to define
- Files can be opened directly from a web browser
- Two users cannot edit the same file at the same time (WebDAV locking)
- It can be made secure by configuring it to run over SSL encryption
- Clients are available for Windows, Linux, Mac OS X and others

1. Create a directory for the WebDAV lock database

$ mkdir -p /var/lib/apache2/dav
$ chown wwwrun:www /var/lib/apache2/dav

Create a user (-c creates the password file; omit it when adding further users):
$ htpasswd2 -c /etc/apache2/dav_users <your username>
$ chown root:www /etc/apache2/dav_users
$ chmod 640 /etc/apache2/dav_users

The password file only has to be readable by the Apache user (group www); it holds password hashes, so do not make it world-readable.

Create the web directory:
$ mkdir /srv/www/webdav
$ chown wwwrun:www /srv/www/webdav

2. Enable the DAV modules

$ vi /etc/sysconfig/apache2
- add dav and dav_fs to the APACHE_MODULES variable.

Create the DAV config file:
$ vi /etc/apache2/conf.d/dav.conf

<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DavLockDB /var/lib/apache2/dav/lockdb
</IfModule>

<IfModule mod_dav.c>
# XML request bodies are loaded into memory;
# limit to 128K by default
LimitXMLRequestBody 131072

# Location of the WebDAV repository.
Alias /webdav "/srv/www/webdav"

<Directory /srv/www/webdav>
# Enable WebDAV for this directory
Dav On
Options Indexes
IndexOptions FancyIndexing
AllowOverride All
AddDefaultCharset UTF-8

# Password file created in step 1 with: htpasswd2 -c /etc/apache2/dav_users <username>
AuthType Basic
AuthName "WebDAV Server"
AuthUserFile /etc/apache2/dav_users
Require valid-user

Order allow,deny
Allow from all
</Directory>
</IfModule>

AuthUserFile must name exactly the file htpasswd2 wrote in step 1, and Require needs an argument (valid-user here); a Require line without one protects nothing.

# Example DAV config: /usr/share/doc/packages/apache2/original/extra/httpd-dav.conf

Reload Apache:
$ rcapache2 reload

3. Test

Access from a browser:

http://IP Address/webdav

- You can now reach the webdav directory. At this point the connection is plain HTTP, so the Basic-auth username and password cross the network in the clear; steps 4 to 7 add SSL before the server is exposed to users.

Access from command line:
- Install package "cadaver" (webdav client) from YaST.
$ cadaver http://192.168.1.100/webdav
Authentication required for WebDAV Server on server `192.168.1.100':
Username: sontaya
Password:
dav:/webdav/>


4. Create a WebDAV Server Certificate

Generate the private key (2048 bits; 1024-bit RSA keys are no longer considered adequate):

4.1) Passphrase-protected key (you must type the passphrase every time Apache starts)
$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

4.2) If you do not want to enter the passphrase at boot time, write an unencrypted copy of the key
$ openssl rsa -in server.key -out server.key.unsecure
$ chmod 600 server.key server.key.unsecure

The unencrypted copy lets Apache start unattended, but anyone who can read that file owns the server's identity, so keep it readable by root only.


5. Create the Certificate Signing Request

Build the request from the key generated in step 4. Use -key (not -keyout) so the existing server.key is reused instead of a fresh key being generated; the Common Name must be the DNS name clients will type into the browser:
$ openssl req -new -key server.key -out webdav-server.csr

Request a server certificate from CAcert.org:
Login:
http://www.cacert.org

No account? Register:
https://www.cacert.org/index.php?id=1

Verify your account from the email you receive.

$ cat webdav-server.csr
- copy the contents

After logging in, select the Server Certificates menu > New > paste the contents of webdav-server.csr > Submit.
You will receive the certificate by mail (the domain must have been verified). Save it as server.crt; it is installed together with the key in step 6.


6. Install the Certificate and the CA chain

Import CAcert's CA certificates (details arrive by mail). Class 3 is the intermediate CA that issues server certificates; root.crt is the CAcert root that signs Class 3:
$ wget http://www.cacert.org/certs/class3.crt
$ wget http://www.cacert.org/certs/root.crt

Build the chain file that Apache will send to clients, and install the CA certificates:
$ cat class3.crt root.crt > ca.crt
$ cp ca.crt root.crt /etc/apache2/ssl.crt/

Replace the server.key in /etc/apache2/ssl.key/
and the server.crt in /etc/apache2/ssl.crt/
with your own key and server.crt:

$ cp server.key.unsecure /etc/apache2/ssl.key/server.key   (or server.key, if Apache should prompt for the passphrase)
$ chmod 600 /etc/apache2/ssl.key/server.key
$ cp server.crt /etc/apache2/ssl.crt/

Keep the private key under ssl.key/ only; it does not belong in ssl.crt/ next to the public certificates.


7. Apache SSL config

$ cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/vhost-ssl.conf
$ vi /etc/apache2/vhosts.d/vhost-ssl.conf
Set ServerName to the name in the certificate, check that SSLCertificateFile and SSLCertificateKeyFile point at /etc/apache2/ssl.crt/server.crt and /etc/apache2/ssl.key/server.key, and uncomment the SSLCertificateChainFile and SSLCACertificatePath lines (SSLCertificateChainFile should point at the /etc/apache2/ssl.crt/ca.crt built in step 6).

$ vi /etc/sysconfig/apache2
APACHE_SERVER_FLAGS="-DSSL"

Restart apache2:
$ rcapache2 restart

8. Test access from a browser (Konqueror)

- Open Konqueror, which supports the webdavs protocol

Type webdavs://IP Address/webdav

Or open Mozilla Firefox
and type https://IP Address/webdav

Expect a certificate warning unless the CAcert root has been imported into the browser's trust store (it is not shipped by default) and the name you typed matches the certificate's Common Name; an IP address will not match.

Example certificate: (screenshot)





9. Configure Apache LDAP Authentication

Enable the ssl and authnz_ldap modules:
$ a2enmod ssl
$ a2enmod authnz_ldap

Or edit the file "/etc/sysconfig/apache2"
- add ssl and authnz_ldap to the APACHE_MODULES variable.

Edit the DAV config file:
$ vi /etc/apache2/conf.d/dav.conf

##Start##
<IfModule mod_dav_fs.c>
# Location of the WebDAV lock database.
DavLockDB /var/lib/apache2/dav/lockdb
</IfModule>

<IfModule mod_dav.c>
# XML request bodies are loaded into memory;
# limit to 128K by default
LimitXMLRequestBody 131072

# Location of the WebDAV repository.
Alias /webdav "/srv/www/webdav"
<Directory /srv/www/webdav>
# Enable WebDAV for this directory
Dav On
# Require an SSL connection: Basic auth sends the password base64-encoded,
# not encrypted, so it must never be accepted over plain HTTP.
SSLRequireSSL
AuthBasicProvider ldap
AuthType Basic
# The name of the protected area or "realm"
AuthName "WebDAV LDAP Authorization"
# The LDAP query URL
# Format: scheme://host:port/basedn?attribute?scope?filter
# This URL searches recursively below dc=company and matches the login
# name against the uid attribute (for Active Directory use sAMAccountName).
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)

# LDAP authentication and authorization are final; do not check other databases
AuthzLDAPAuthoritative on
# DN used to bind to the directory before searching for the user.
# Use a read-only service account here rather than the directory administrator.
AuthLDAPBindDN cn=Administrator,dc=company
# Password for the AuthLDAPBindDN account
AuthLDAPBindPassword ********
# Authorize only members of the group. In Apache 2.2 several Require lines
# are OR'ed, so a "Require valid-user" next to this line would admit every
# authenticated directory user regardless of group membership.
Require ldap-group cn=grp_branches,ou=group,dc=company
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
Allow from all
</Directory>
</IfModule>
##End##

Two points to check before going live: dav.conf now contains the bind password, so restrict it ($ chmod 600 /etc/apache2/conf.d/dav.conf, owned by root; Apache reads its configuration as root), and the ldap:// URL sends the bind password and every user's password to the directory unencrypted, so use ldaps:// (or an STARTTLS-capable URL) unless the LDAP server shares a trusted network segment with the web server.



Test:
$ cadaver https://IP Address/webdav
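A scripted version of this test, added here as an example and not part of the original page or of cadaver: it sends the same PROPFIND that a WebDAV client issues, over HTTPS with the server certificate verified against the CAcert chain from step 6, and parses the 207 Multi-Status reply. The host name, user, password and CA bundle path are assumptions; the sample reply at the bottom is constructed so the parser can be exercised offline.

```python
"""PROPFIND against the WebDAV share over HTTPS with Basic auth (added example).

Assumptions (not from the page): host webdav.company.example, a copy of
/etc/apache2/ssl.crt/ca.crt on the client, and a throw-away password.
"""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET

DAV = "{DAV:}"  # Clark notation for the DAV: namespace used by ElementTree

PROPFIND_BODY = (
    '<D:propfind xmlns:D="DAV:"><D:prop>'
    "<D:resourcetype/><D:getcontentlength/><D:getlastmodified/>"
    "</D:prop></D:propfind>"
)


def basic_auth_header(user, password):
    """Build the Authorization header. This is base64, not encryption, which
    is why the page enforces SSLRequireSSL before accepting it."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_multistatus(xml_text):
    """Turn a 207 Multi-Status body into a list of dicts, one per resource."""
    root = ET.fromstring(xml_text)
    entries = []
    for resp in root.iter(DAV + "response"):
        size = resp.findtext(".//" + DAV + "getcontentlength")
        entries.append({
            "href": resp.findtext(DAV + "href"),
            "collection": resp.find(".//" + DAV + "resourcetype/" + DAV + "collection") is not None,
            "size": int(size) if size else None,
            "status": resp.findtext(".//" + DAV + "status"),
        })
    return entries


def propfind(host, path, user, password, ca_file, port=443, depth=1):
    """List `path` on the server. The default SSL context verifies the chain
    against ca_file and checks that `host` matches the certificate, so `host`
    must be the DNS name in the certificate, not the IP address."""
    ctx = ssl.create_default_context(cafile=ca_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    conn.request("PROPFIND", path, body=PROPFIND_BODY, headers={
        "Depth": str(depth),
        "Content-Type": 'application/xml; charset="utf-8"',
        "Authorization": basic_auth_header(user, password),
    })
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    if resp.status == 401:
        raise PermissionError("rejected by realm: %s" % resp.getheader("WWW-Authenticate"))
    if resp.status != 207:
        raise RuntimeError("expected 207 Multi-Status, got %d" % resp.status)
    return parse_multistatus(body)


# Constructed reply, shaped like what mod_dav returns for Depth: 1 on /webdav/.
SAMPLE_MULTISTATUS = """<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/webdav/</D:href><D:propstat><D:prop>
  <D:resourcetype><D:collection/></D:resourcetype>
  <D:getlastmodified>Fri, 13 Nov 2009 02:32:00 GMT</D:getlastmodified>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/webdav/branches/</D:href><D:propstat><D:prop>
  <D:resourcetype><D:collection/></D:resourcetype>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/webdav/readme.txt</D:href><D:propstat><D:prop>
  <D:resourcetype/><D:getcontentlength>1234</D:getcontentlength>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""


if __name__ == "__main__":
    # Offline demonstration on the constructed reply; call propfind(...) with
    # real host/user/ca_file values to query the server built in steps 1 to 9.
    for entry in parse_multistatus(SAMPLE_MULTISTATUS):
        kind = "dir " if entry["collection"] else "file"
        print(kind, entry["href"], entry["size"] or "")
```

Because the context created by ssl.create_default_context verifies the host name, this client fails closed when pointed at the IP address the page uses in its browser tests; that is the behaviour you want in a script, and a reminder that the certificate must carry the name clients actually use.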


10. Setting up a shared directory

- Create a group named grp_branches in LDAP and add the users to grp_branches.

Create the directories:
$ mkdir /srv/www/webdav/branches
$ mkdir /srv/www/webdav/branches/pattaya

Set permissions
$ chmod 770 /srv/www/webdav
$ chmod 755 /srv/www/webdav/branches -R

Create .htaccess
$ vi /srv/www/webdav/branches/pattaya/.htaccess
Satisfy all
Order deny,allow
Allow from all
AuthType Basic
AuthName "WebDAV LDAP Authorization"
AuthBasicProvider ldap
AuthLDAPURL ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)
AuthzLDAPAuthoritative on
AuthLDAPBindDN cn=Administrator,dc=company
AuthLDAPBindPassword ********
Require ldap-user sontaya.photibut

Explanation: only the user sontaya.photibut is allowed into the pattaya folder.
Other users cannot get into pattaya and can only use the branches folder.

The AllowOverride All in the parent <Directory> block is what lets this .htaccess carry authentication directives. Since the file holds the bind password and WebDAV clients can write into the tree, keep the default <Files ~ "^\.ht"> Deny block in the main Apache config so clients can neither download nor replace .htaccess files.
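To make the AuthLDAPURL and Require lines in steps 9 and 10 concrete, the following is an added example of my own (not code from the page or from Apache) that models what mod_authnz_ldap does with them: it parses the URL with the module's defaults, builds the user-search filter with the login name escaped so a crafted name cannot widen the search, and evaluates Apache 2.2 Require lines, which are OR'ed. The mini directory is constructed; only the URL, the group DN and the user name come from the page.

```python
"""Model of mod_authnz_ldap's handling of AuthLDAPURL and Require (added example).

The directory below is constructed for the demonstration; the URL, group DN and
user name are the ones used on this page.
"""
from urllib.parse import urlsplit, unquote


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def parse_auth_ldap_url(url):
    """Split scheme://host:port/basedn?attribute?scope?filter into its parts,
    applying the module defaults: attribute uid, scope sub, filter (objectclass=*).
    Only the first attribute of a comma-separated list is used, as in Apache."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL scheme must be ldap or ldaps: %r" % url)
    fields = (parts.query.split("?") + ["", "", ""])[:3]
    ldap_filter = fields[2] or "(objectclass=*)"
    if not ldap_filter.startswith("("):
        ldap_filter = "(%s)" % ldap_filter
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "basedn": unquote(parts.path.lstrip("/")),
        "attribute": fields[0].split(",")[0] or "uid",
        "scope": fields[1] if fields[1] in ("one", "sub") else "sub",
        "filter": ldap_filter,
    }


def user_search_filter(cfg, username):
    """Filter sent to find the user: (&(filter)(attribute=username)). The
    client-supplied name is escaped so it cannot add clauses of its own."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], ldap_filter_escape(username))


# Constructed mini directory: DN -> attributes. Uses the page's group DN.
DIRECTORY = {
    "uid=sontaya.photibut,ou=people,dc=company": {"uid": ["sontaya.photibut"]},
    "uid=somchai,ou=people,dc=company": {"uid": ["somchai"]},
    "cn=grp_branches,ou=group,dc=company": {
        "member": ["uid=sontaya.photibut,ou=people,dc=company"]},
}


def find_user_dn(directory, cfg, username):
    """Emulate the search below basedn; Apache accepts exactly one hit."""
    hits = [dn for dn, attrs in directory.items()
            if dn.endswith(cfg["basedn"]) and username in attrs.get(cfg["attribute"], [])]
    return hits[0] if len(hits) == 1 else None


def authorize(require_lines, user_dn, username, directory):
    """Apache 2.2 semantics: Require lines are OR'ed, so the first one that
    matches grants access. `require_lines` hold the text after 'Require'."""
    if user_dn is None:
        return False  # authentication failed, authorization never runs
    for line in require_lines:
        kind, _, arg = line.partition(" ")
        if kind == "valid-user":
            return True
        if kind == "ldap-user" and username in arg.split():
            return True
        if kind == "ldap-group":
            group = directory.get(arg, {})
            if user_dn in group.get("member", []) + group.get("uniquemember", []):
                return True
    return False


if __name__ == "__main__":
    cfg = parse_auth_ldap_url("ldap://192.168.1.11:389/dc=company?uid??(objectclass=*)")
    print(cfg)
    print(user_search_filter(cfg, "sontaya.photibut"))
    print(user_search_filter(cfg, "*)(uid=*"))  # injection attempt, neutralised
    group_only = ["ldap-group cn=grp_branches,ou=group,dc=company"]
    with_valid_user = ["valid-user"] + group_only  # valid-user next to the group line
    for name in ("sontaya.photibut", "somchai"):
        dn = find_user_dn(DIRECTORY, cfg, name)
        print(name, "group only:", authorize(group_only, dn, name, DIRECTORY),
              "valid-user + group:", authorize(with_valid_user, dn, name, DIRECTORY))
```

Running it shows somchai, who is not in grp_branches, being refused by the group rule alone and admitted as soon as valid-user sits beside it, which is the trap to avoid in the dav.conf above; it also shows the escaped filter for a login name containing ")(uid=*", which is what keeps the search pinned to one uid.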


11. Test

Test a connection from GNOME:
open the File Browser > File > Connect to Server

(screenshot)

As shown in the figure, you are asked to authenticate three times in total:
1. to reach WebDAV
2. to reach WebDAV/branches
3. to reach WebDAV/branches/pattaya

Note: a web browser asks for credentials only once.
When connecting with the davs:// protocol the user can edit files;
when connecting with http or https in a browser the user cannot edit files, because of the permissions we set.

Tips:
- Clients that connect to the WebDAV server must set the web browser's proxy configuration to "No proxy for: <WebDAV server IP address>".
If your Squid proxy does not require authentication, this setting is unnecessary. It matters because WebDAV runs on ports 80 and 443, which pass through the proxy; without the exception the user is prompted to authenticate to Squid and then again to WebDAV.


Troubleshooting:

- Log file
$ tail -f /var/log/apache2/error_log

1. Error: Could not access /webdav/ (not WebDAV-enabled?):
Solution: Apache could not serve the DAV location. Check that dav and dav_fs are in APACHE_MODULES, and that the password file is readable by the Apache user without being world-readable:
$ chown root:www /etc/apache2/dav_users
$ chmod 640 /etc/apache2/dav_users

2. Error: Client denied by server configuration:
Solution: The default <Directory /> block denies everything that is not explicitly allowed. Rather than loosening it for the whole filesystem like this:
<Directory />
AllowOverride None
Order Deny,Allow
</Directory>
give the <Directory /srv/www/webdav> block its own "Order deny,allow" and "Allow from all", which opens only the WebDAV tree.

3. Error: Directory index forbidden by Options directive:
Solution: Enable the autoindex module and allow indexes for the directory:
Options Indexes FollowSymLinks MultiViews

4. Error: Permission denied: .htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable
Solution: Check the permissions on the directory and on the .htaccess file; the Apache user (wwwrun) must be able to traverse the directory and read the file.

5. Error: [error] Failed to change_hat to 'HANDLING_UNTRUSTED_INPUT'
Solution: This message comes from mod_apparmor. Rather than disabling AppArmor for the whole machine from YaST, either remove apparmor from APACHE_MODULES in /etc/sysconfig/apache2, or switch the apache2 profile to complain mode with aa-complain while you debug and put it back into enforce mode afterwards.



Links of Reference:
http://www.tldp.org/HOWTO/Apache-WebDAV-LDAP-HOWTO/ssl.html
http://www.rolfs.no/2009/08/02/mount-webdav-in-ubuntulinux-from-firefox/
http://en.opensuse.org/Webdav
http://www.dhillonblog.com/2009/07/subversion-with-websvn-webdav-and-active-directory-or-ldap-authentication/
http://blog.micfo.com/cpanel-hosting/permission-denied-htaccess-pcfg_openfile-unable-to-check-htaccess-file-ensure-it-is-readable/
http://www.stern.nyu.edu/it/guides/passwordprotect.html
http://forums.opensuse.org/archives/sf-archives/archives-network-internet/338290-apache-problem.html


