saqib@seagate.com
Revision History

| Revision | Date | Revised by | Description |
|---|---|---|---|
| v2.0 | 2002-03-22 | sa | Added the SSL section |
| v1.1 | 2001-11-29 | sa | Initial public release. |
| v1.0 | 2001-11-01 | sa | Initial public release. |
The objective of this document is to set up an Apache-based WebDAV server that can authenticate against an LDAP server. You will learn how to install, configure, run, maintain and fine-tune an Apache-based WebDAV server. This document will provide the basic groundwork for setting up a WebDAV server. It will also provide information on fine-tuning and maintaining the server.
Note: If you encounter any problems installing Apache or any of the modules please feel free to contact me.
WebDAV Support and Discussion Forum
This document is not a HOWTO on setting up an LDAP server. For setting up an LDAP server please visit http://www.linuxdoc.org/HOWTO/LDAP-HOWTO-1.html
This document is Copyright 2001 by Saqib Ali. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover Texts, and with no Back-Cover Texts. A copy of the license is available at http://www.gnu.org/copyleft/fdl.html
WebDAV stands for Web enabled Distributed Authoring and Versioning. It provides a collaborative environment for users to edit and manage files on web servers. Essentially, DAV is an extension to the HTTP protocol.
The tools needed to achieve this objective are:
Apache Web Server
LDAP Module for Apache
WebDAV Module for Apache
LDAP lib file
NOTE: All of these packages are free and are available for download on the net.
We will compile all the above mentioned packages to produce binaries for the Web Server. The WebDAV and LDAP module will be compiled statically into Apache. Static compilation results in faster execution times. Apache was chosen, because it is the most versatile web server ever to exist. Market Shares for Top Web Servers shows that Apache has the largest web server market share.
Apache is also being used by:
This document assumes that you have the following already installed on your system.
gzip or gunzip - available from http://www.gnu.org
gcc and GNU make - available from http://www.gnu.org
The document also assumes there is an LDAP server installed elsewhere which will be used for the authentication.
If you have any questions about the information available on this document, please contact me on the following email address: saqib@seagate.com
If you have commentaries and/or suggestions, please let me know as well!
Our game plan is to first install the OpenLDAP package. OpenLDAP is not required for Apache_LDAP_DAV to work, but we will need the installed OpenLDAP lib files to compile mod_ldap. Then we will compile Apache with mod_ldap and mod_dav.
Please download the following packages.
OpenLDAP (for LDAP lib files)
mod_dav (Apache module for WebDAV)
mod_ldap (LDAP module for Apache)
OpenSSL (SSL for encryption)
To compile the WebDAV service with LDAP authentication capability, we will need to have the LDAP library files installed on the machine. The LDAP library files will be used to compile the LDAP module for Apache. The best way to get the LDAP library files is to download the OpenLDAP source code from http://www.openldap.org and compile it to produce the required library files. You may use any other LDAP like IPlanet as well, but I recommend an OpenSource solution.
Become root by using the su command:
$ su
Now change to the directory where you placed the OpenLDAP (tar) source file. (I use a temp directory, /tmp/download):
# cd /tmp/download
Extract the files using the gzip and tar utility:
# gzip -d openldap-stable-xxxxxxx.tar.gz
# tar -xvf openldap-stable-xxxxxxx.tar
Change to the NEW directory which was created during the extract.
# cd openldap-x.x.xx
Now you can run "configure" for the openldap package. "configure" has many command line options. Type "configure --help" to see all options.
For this web server we don't really need the LDAP daemon, assuming there is an LDAP server running elsewhere. We just need the LDAP lib files. Since we will not be compiling the LDAP daemon, we will have to specify '--disable-slapd' as a command line option to 'configure':
# ./configure --disable-slapd
After you are done with configuring, you can make the dependencies for the openldap package:
# make depend
After making the dependencies the openldap package needs to be compiled. Use the make command:
# make
If everything goes OK, you will end up with compiled version of openldap in the current directory. Then you will need to install the compiled binaries into appropriate places:
# make install
Now you should have the compiled LDAP lib files required for the mod_ldap in the correct directory structure.
OpenSSL is required to create and manage SSL certificates on the web server. The installation is also necessary for the lib files that will be used by the SSL module for Apache.
Now change to the directory where you placed the OpenSSL source code files
# cd /tmp/download
Unzip the OpenSSL source code gzip file, then build and install it:
# gzip -d openssl.x.x.gz
# tar -xvf openssl.x.x
# cd openssl.x.x
# make
# make test
# make install
mod_dav requires that you have Apache pre-configured so that it knows where everything is. Change back to the directory where you have the source files:
# cd /tmp/download
# gzip -d apache_1.x.x.tar.gz
# tar -xvf apache_1.x.x.tar
# cd apache_1.x.x
# ./configure --prefix=/usr/local/apache
As mentioned above mod_dav will be statically linked with the Apache installation. Start by changing to the temp download directory:
# cd /tmp/download
Extract the files using the gzip and tar utilities:
# gzip -d mod_dav-1.x.x.tar.gz
# tar -xvf mod_dav-1.x.x.tar
Change to the NEW directory which was created during the extract:
# cd mod_dav-1.x.x
Now configure the mod_dav package for static linking to Apache:
# ./configure --with-apache=/tmp/download/apache_1.x.x
Compile and install the files:
# make
# make install
mod_dav will have been partially compiled and placed into the Apache tree during the make install step.
Change back to the temp download directory:
# cd /tmp/download
Extract the mod_auth_ldap files:
# gzip -d mod_auth_ldap.tar.gz
# tar -xvf mod_auth_ldap.tar
Now install the modauthldap files to the Apache source tree:
# cd apache_x.x.x
# mv ../modauthldap ./src/modules/ldap
# cd /tmp/download
# gzip -d mod_ssl-2.x.x.tar.gz
# tar -xvf mod_ssl-2.x.x.tar
# cd mod_ssl-2.x.x
# ./configure --with-apache=../apache_1.3.x.x
Finally we have reached the destination. But not yet... "The Journey is the Destination" (Jerry Garcia of Grateful Dead)
Now we are ready to compile and install Apache with WebDAV and LDAP authentication for DAV.
Change back to the temp download directory:
# cd /tmp/download
Change to the Apache tree directory:
# cd apache_1.x.x
and configure apache for the compilation with mod_dav and mod_auth_ldap:
# ./configure --prefix=/usr/local/apache \
--activate-module=src/modules/ldap/mod_auth_ldap.c \
--activate-module=src/modules/dav/libdav.a
[...you can add more options here...]
Now compile the Apache and install it into the appropriate place:
# make
# make install
Now for the easy part. In this section we will WebDAV enable a directory under Apache root.
Please verify that the following Apache directive appears in the /usr/local/apache/conf/httpd.conf :
AddModule mod_dav.c
If it does not please add it. This directive informs Apache about DAV capability. The directive must be placed outside any container.
Next we must specify where Apache should store the DAVLockDB file. DAVLockDB is a lock database for the WebDAV. This directory should be writable by the httpd process.
I store the DAVLock file under /usr/local/apache/var. I use this directory for other purposes as well. Please add the following line to your /usr/local/apache/conf/httpd.conf to specify that the DAVLockDB file will be under /usr/local/apache/var :
DAVLockDB /usr/local/apache/var/DAVLock
The directive must be placed outside any container.
As mentioned above a directory must be created for DAVLockDB that can be written by the web server process. Usually web server process runs under the user 'nobody' . Please verify this for your system using the command 'ps -ef | grep httpd'. Under /usr/local/apache create the directory and set the permissions on it using the following commands:
# cd /usr/local/apache
# mkdir var
# chmod -R 755 var/
# chown -R nobody var/
# chgrp -R nobody var/
Enabling DAV is a trivial task. To enable DAV for a directory under Apache root, just add the following directive in the container for that particular directory:
DAV On
This directive will enable DAV for the directory and its sub-directories.
The following is a sample configuration that will enable WebDAV and LDAP authentication on /usr/local/apache/htdocs/DAVtest. Place this in the /usr/local/apache/conf/httpd.conf file.
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
#Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "username_and_passwd_required"
AuthType Basic
<Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
</Limit>
LDAP_Server your.ldap.server.com
LDAP_Port 007
Base_DN "o=ROOT"
UID_Attr uid
</Directory>
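The check below is an added example, not part of the original HOWTO. It reads an httpd.conf and, for every directory with `Dav On`, lists the methods from the sample `<Limit>` line above that no `Require` covers. The names `audit_dav_conf`, `sample_weak_conf` and `METHODS` are this example's own, and the weak block is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the HOWTO): for each <Directory> with "Dav On",
# list the methods that no Require covers. METHODS is the method list from
# the HOWTO's sample <Limit> line; all other names are this example's own.
METHODS="PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

audit_dav_conf() {   # usage: audit_dav_conf /path/to/httpd.conf
  awk -v methods="$METHODS" '
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    low ~ /^#/ || low == "" { next }              # skip comments and blanks
    low ~ /^<directory[ \t]/ {                    # new block: reset state
      dir = line; sub(/^<[^ \t]+[ \t]+/, "", dir); sub(/>[ \t]*$/, "", dir)
      dav = 0; all = 0; inlimit = 0; covered = " "; next
    }
    low ~ /^<limit[ \t]/ {                        # methods named by this <Limit>
      inlimit = 1; cur = toupper(line); sub(/^<LIMIT[ \t]+/, "", cur)
      sub(/>[ \t]*$/, "", cur); gsub(/[ \t]+/, " ", cur); next
    }
    low ~ /^<\/limit>/ { inlimit = 0; next }
    low ~ /^dav[ \t]+on/ { dav = 1; next }
    low ~ /^require[ \t]/ {                       # outside <Limit> = all methods
      if (inlimit) covered = covered cur " "; else all = 1
      next
    }
    low ~ /^<\/directory>/ && dav && !all {       # report uncovered methods
      n = split(methods, m, " ")
      for (i = 1; i <= n; i++)
        if (index(covered, " " m[i] " ") == 0) print dir ": " m[i] " has no Require"
    }
  ' "$1"
}

# Constructed sample: a weak block that only protects PUT and DELETE.
sample_weak_conf() {
  cat <<'EOF'
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
AuthName "username_and_passwd_required"
AuthType Basic
<Limit PUT DELETE>
Require valid-user
</Limit>
</Directory>
EOF
}

tmp=$(mktemp) && sample_weak_conf > "$tmp" && audit_dav_conf "$tmp"; rm -f "$tmp"
```

The function only interprets `<Directory>` and `<Limit>` blocks; it does not evaluate `<LimitExcept>`, `<Location>` or .htaccess files.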
As mentioned in an earlier section, all DAV directories have to be writable by the web server process. In this example we assume the web server is running under username 'nobody'. This is usually the case. To check which user httpd is running as, use 'ps -ef | grep httpd'.
Create a test directory called 'DAVtest' under /usr/local/apache/htdocs :
# mkdir /usr/local/apache/htdocs/DAVtest
Change the permissions on the directory to make it readable and writable by the httpd process. Assuming httpd is running under username 'nobody', use the following commands:
# cd /usr/local/apache/htdocs
# chmod -R 755 DAVtest/
# chown -R nobody DAVtest/
# chgrp -R nobody DAVtest/
Finally you must run the configuration test routine that comes with Apache to verify the syntax in httpd.conf :
# /usr/local/apache/bin/apachectl configtest
If you get error messages please verify that you followed all of the above mentioned steps correctly. If you can not figure out the error message feel free to email me with the error message (saqib@seagate.com).
If the configtest is successful start the apache web-server:
# /usr/local/apache/bin/apachectl restart
Now you have WebDAV enabled Apache Server with LDAP authentication.
If you have any questions, suggestions, recommendations, kudos, comments, or complaints, please email them to me (saqib@seagate.com).
Note: Please feel free to contact me if you encounter any problems installing Apache or any of the modules, or if you would like to upgrade your existing Apache server to support WebDAV.