LDP/LDP/howto/docbook/Apache-WebDAV-LDAP-HOWTO.sgml

<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook V3.1//EN">
<article>
<artheader>
<title>Apache based WebDAV Server with LDAP and SSL</title>
<author>
<firstname>Saqib</firstname>
<surname>Ali</surname>
<affiliation>
<address>
<email>saqib@seagate.com</email>
</address>
</affiliation>
</author>
<revhistory>
<revision>
<revnumber>v3.4</revnumber>
<date>2002-06-29</date>
<authorinitials>sa</authorinitials>
<revremark>
Added the section "How to generate a CSR"
</revremark>
</revision>
<revision>
<revnumber>v3.3</revnumber>
<date>2002-04-14</date>
<authorinitials>sa</authorinitials>
<revremark>
Add the section of DAV server management.
</revremark>
</revision>
<revision>
<revnumber>v3.2</revnumber>
<date>2002-04-13</date>
<authorinitials>sa</authorinitials>
<revremark>
Added the Litmus (WebDAV compatibility tester) sub-section.
</revremark>
</revision>
<revision>
<revnumber>v3.1</revnumber>
<date>2002-04-11</date>
<authorinitials>sa</authorinitials>
<revremark>
Updated the introduction section
</revremark>
</revision>
<revision>
<revnumber>v3.0</revnumber>
<date>2002-04-09</date>
<authorinitials>sa</authorinitials>
<revremark>
Added "Implementing and using SSL to secure WebDAV traffic" section
</revremark>
</revision>
<revision>
<revnumber>v2.1</revnumber>
<date>2002-03-24</date>
<authorinitials>sa</authorinitials>
<revremark>
Refined the WebDAV Introduction and SSL section.
</revremark>
</revision>
<revision>
<revnumber>v2.0</revnumber>
<date>2002-03-20</date>
<authorinitials>sa</authorinitials>
<revremark>
Added the SSL section
</revremark>
</revision>
<revision>
<revnumber>v1.1</revnumber>
<date>2001-11-29</date>
<authorinitials>sa</authorinitials>
<revremark>
Initial public release.
</revremark>
</revision>
<revision>
<revnumber>v1.0</revnumber>
<date>2001-11-01</date>
<authorinitials>sa</authorinitials>
<revremark>
Initial public release.
</revremark>
</revision>
</revhistory>
<abstract>
<para>This document is a HOWTO on installing an Apache based WebDAV server with LDAP for authentication and SSL
encryption.</para>
</abstract>
</artheader>
<sect1 id="intro"><title>Introduction</title>
<para> The objective of this document is to set up an Apache based
WebDAV server that can authenticate against an LDAP server. This document will provide
the basic groundwork for setting up a WebDAV server. It will also provide information on fine tuning and maintaining
the server. </para>
<para><emphasis role="strong">Note: If you encounter any problems
installing Apache or any of the modules please feel free to contact
me @ saqib@seagate.com</emphasis> </para>
<sect2 id="copyright"><title>Copyright and License</title>
<para>
This document is Copyright 2001 by Saqib Ali. Permission is granted
to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.1 or any later version
published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover Texts, and with no Back-Cover Texts.
A copy of the license is available at
<ulink url="http://www.gnu.org/copyleft/fdl.html">http://www.gnu.org/copyleft/fdl.html</ulink>
</para>
</sect2>
<sect2><title>What is WebDAV?</title>
<para> WebDAV stands for Web enabled Distributed Authoring and
Versioning. It provides a collaborative environment for users to
edit/manage files on web-servers. Technically DAV is an extension
to the http protocol. </para>
<para>Here is a brief description of the extensions provided by DAV:</para>
<para><emphasis role="strong">Overwrite Protection:</emphasis> Lock and Unlock mechanism to prevent the "lost update problem". The DAV protocol supports both shared and exclusive locks.
</para>
<para><emphasis role="strong">Properties:</emphasis> Metadata (title, subject, creator, etc.)
</para>
<para><emphasis role="strong">Name-space management:</emphasis> Copy, Rename, Move and Deletion of files
</para>
<para><emphasis role="strong">Access Control:</emphasis> Limit access to various resources. Currently DAV assumes access control is already in place, and does not provide a strong authentication mechanism.</para>
<para><emphasis role="strong">Versioning:</emphasis> Revision control for the documents. Versioning is not implemented yet.</para>
</sect2>
<sect2><title>What do we need?</title>
<para>The tools needed to achieve this objective are: </para>
<itemizedlist>
<listitem><para>C Compiler e.g. GCC</para></listitem>
<listitem><para>Apache Web Server</para></listitem>
<listitem><para>LDAP Module for Apache</para></listitem>
<listitem><para>WebDAV Module for Apache</para></listitem>
<listitem><para>LDAP lib file</para></listitem>
<listitem><para>SSL engine</para></listitem>
<listitem><para>Mod SSL Libraries</para></listitem>
</itemizedlist>
<para><emphasis role="strong">NOTE:</emphasis> All of these packages are
free and are available for download on the net.</para>
<para>We will compile all the above mentioned packages to produce
binaries for the Web Server. The WebDAV and LDAP modules will be
compiled statically into Apache. Static compilation results in
faster execution times. Apache was chosen because it is the most
versatile web server ever to exist.
<ulink url="http://www.netcraft.com/survey/"> Market Shares for Top Web
Servers </ulink> shows that Apache has the largest web server market
share. </para>
<para>Apache is also being used by:</para>
<itemizedlist>
<listitem><para><ulink url="http://www.rackspace.com">RackSpace</ulink>
- WebHosting provider</para></listitem>
<listitem><para><ulink url="http://www.cihost.com">CIHost</ulink>
- WebHosting provider</para></listitem>
<listitem><para><ulink url="http://www.slashdot.org">SlashDot</ulink>
</para></listitem>
</itemizedlist>
</sect2>
<sect2><title>Assumptions</title>
<para> This document assumes that you have the following already
installed on your system. </para>
<orderedlist>
<listitem><para>gzip or gunzip - available from <ulink url="http://www.gnu.org">http://www.gnu.org</ulink></para></listitem>
<listitem><para>gcc and GNU make - available from <ulink url="http://www.gnu.org">http://www.gnu.org</ulink></para></listitem>
</orderedlist>
<para> The document also assumes there is an LDAP server installed
elsewhere which will be used for the authentication. </para>
</sect2>
<sect2><title>Opinions and Suggestions</title>
<para>
If you have any questions about the information available on this document,
please contact me on the following email address:
<ulink url="mailto:saqib@seagate.com">saqib@seagate.com</ulink>
</para>
<para>
If you have comments and/or suggestions, please let me know as well!
</para>
</sect2>
</sect1>
<sect1 id="requirements"><title>Requirements</title>
<para>You'll have to download and compile several packages. This HOWTO will explain the compilation process, but you should be
familiar with installing from source code.
</para>
<sect2><title>Basics</title>
<para>
You will need a machine running Solaris and the GNU CC compiler. This compiler is available from <ulink url="http://www.sunfreeware.com">http://www.sunfreeware.com</ulink>. If
you need any help installing the compiler please email me. If your OS doesn't already have gzip, you will need that as well.
You can download gzip from <ulink url="http://www.sunfreeware.com">http://www.sunfreeware.com</ulink> as well.
</para>
<para>
Also create a directory /tmp/downloads . We will use this directory to store the downloaded source code.
</para>
</sect2>
<sect2><title>Apache 1.3.x</title>
<para>Apache is the HTTP server; it will be used to provide the WebDAV services. Please download the Apache 1.3.x source code from
<ulink url="http://www.apache.org/dist/httpd/">http://www.apache.org/dist/httpd/</ulink>.
</para>
</sect2>
<sect2><title>OpenSSL</title>
<para>
You will need to download OpenSSL from <ulink url="http://www.openssl.org/source/">http://www.openssl.org/source/</ulink>. Please download the latest version. The OpenSSL
installation will provide the SSL libraries for compiling mod_ssl with Apache, and will be used for managing SSL certificates on the web server.
Please download the OpenSSL source code gzipped file into /tmp/downloads .
</para>
</sect2>
<sect2><title>OpenLDAP</title>
<para>
Download the OpenLDAP source code from <ulink url="http://www.openldap.org/software/download/">http://www.openldap.org/software/download/</ulink>. We will use
OpenLDAP for the LDAP lib files. You may also use the IPlanet LDAP lib files. However GNU packages are recommended.
</para>
</sect2>
<sect2><title>mod_dav</title>
<para>mod_dav will be used to enable DAV support in Apache. Download the source code for mod_dav from <ulink url="http://www.webdav.org/mod_dav/#how">http://www.webdav.org/mod_dav/#how</ulink>.
</para>
<para>
To find out more about mod_dav please visit <ulink url="http://www.webdav.org/mod_dav/faq/#00-00">http://www.webdav.org/mod_dav/faq/#00-00</ulink>
</para>
</sect2>
<sect2><title>mod_auth_ldap</title>
<para>mod_auth_ldap will be used for compiling LDAP support into Apache. Please download mod_auth_ldap from <ulink url="http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html">http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html</ulink>
</para>
</sect2>
<sect2><title>mod_ssl</title>
<para>mod_ssl will be used to enable SSL support in Apache, please download the mod_ssl source code from <ulink url="http://www.modssl.com/source/">http://www.modssl.com/source/</ulink></para>
</sect2>
</sect1>
<sect1 id="inst-webdav"> <title>Installing WebDAV services</title>
<para>The next step is to install the prerequisites (OpenSSL and OpenLDAP), and then configure Apache with all the modules.</para>
<sect2><title>Ground Work</title>
<para> To compile the WebDAV service with LDAP authentication
capability, we will need to have the LDAP library files installed on
the machine. The LDAP library files will be used to compile the LDAP
module for Apache. The best way to get the LDAP library files is to
download the OpenLDAP source code from
<ulink url="http://www.openldap.org">http://www.openldap.org</ulink> and
compile it to produce the required library files. You may use any
other LDAP like IPlanet as well, but I recommend an OpenSource
solution. </para>
<sect3><title>OpenLDAP lib files installation</title>
<para> Become root by using the su command: </para>
<screen><command>$ su</command></screen>
<para> Now change to the directory (<filename>/tmp/downloads</filename>) where you placed the OpenLDAP
(tar) source file, and extract the content: </para>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d openldap-stable-xxxxxxx.tar.gz</command>
<command># tar -xvf openldap-stable-xxxxxxx.tar</command>
<command># cd openldap-x.x.xx</command>
</screen>
</para>
<para> Now you can run "<command>configure</command>" for the
openldap package. "<command>configure</command>" has many command
line options. Type "<command>configure --help</command>" to see all
options. </para>
<para> For this WebServer we don't really need the LDAP daemon,
assuming there is an LDAP server running elsewhere. We just need the
LDAP lib files. Since we will not be compiling the LDAP daemon, we
will have to specify '<option>--disable-slapd</option>' as a
command line option to '<command>configure</command>':</para>
<screen><command># ./configure --disable-slapd</command></screen>
<para><option>--disable-slapd</option> will tell configure not to install the daemon. After you are done with configuring, you can make the
dependencies for the openldap package: </para>
<screen><command># make depend</command></screen>
<para> After making the dependencies the openldap package needs to
be compiled. Use the <command>make</command> command: </para>
<screen><command># make</command></screen>
<para>If everything goes OK, you will end up with compiled version of
openldap in the current directory. Then you will need to install the
compiled binaries and LDAP lib file into appropriate places: </para>
<screen><command># make install</command></screen>
<para>Now you should have the compiled LDAP lib files required for
mod_auth_ldap in the correct directory structure. </para>
</sect3>
<sect3><title>OpenSSL Engine</title>
<para>OpenSSL is required to create and manage SSL certificates on the webserver. The installation is also necessary
for the lib files that will be used by the SSL module for Apache.</para>
<para>Now change to the directory where you placed the OpenSSL source code files</para>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d openssl-0.9.x.tar.gz</command>
<command># tar -xvf openssl-0.9.x.tar</command>
<command># cd openssl-0.9.x</command>
<command># ./config</command>
<command># make</command>
<command># make test</command>
<command># make install</command>
</screen></para>
</sect3>
</sect2>
<sect2><title>Pre-configuring Apache</title>
<para> mod_dav requires that you have Apache pre-configured so that
it knows where everything is. Change back to the directory
where you have the source files: </para>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d apache_1.x.x.tar.gz</command>
<command># tar -xvf apache_1.x.x.tar</command>
<command># cd apache_1.x.x</command>
<command># ./configure --prefix=/usr/local/apache</command>
</screen></para>
</sect2>
<sect2><title>Configuring and Installing mod_dav</title>
<para>As mentioned above mod_dav will be statically linked with the
Apache installation. Start by extracting mod_dav files: </para>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d mod_dav-1.x.x.tar.gz</command>
<command># tar -xvf mod_dav-1.x.x.tar</command>
</screen>
</para>
<para> Change to the NEW directory which was created during the
extract: </para>
<para><command># cd mod_dav-1.x.x</command></para>
<para>Now configure the mod_dav package for static linking to Apache:</para>
<para><command># ./configure --with-apache=/tmp/downloads/apache_1.x.x</command></para>
<para>Compile and install the files:</para>
<para><command># make </command></para>
<para><command># make install</command></para>
<para>mod_dav will have been partially compiled and placed into the
Apache tree during the make install step.</para>
</sect2>
<sect2><title>Installing and configuring mod_auth_ldap</title>
<para>Change back to the temp download directory, and extract the mod_auth_ldap files:</para>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d mod_auth_ldap.tar.gz</command>
<command># tar -xvf mod_auth_ldap.tar</command>
</screen>
</para>
<para>Now move the extracted mod_auth_ldap files into the Apache source tree: </para>
<para><screen>
<command># cd apache_1.x.x</command>
<command># mv ../modauthldap ./src/modules/ldap</command>
</screen></para>
</sect2>
<sect2><title>Installing and configuring mod_ssl</title>
<para><screen>
<command># cd /tmp/downloads</command>
<command># gzip -d mod_ssl-2.x.x.tar.gz</command>
<command># tar -xvf mod_ssl-2.x.x.tar</command>
<command># cd mod_ssl-2.x.x</command>
<command># ./configure --with-apache=../apache_1.x.x</command>
</screen>
</para>
</sect2>
<sect2><title>Configuring and Installing Apache</title>
<para> Finally we have reached the destination. But not yet....... <screen>"The Journey is the Destination" (Jerry Garcia of the Grateful Dead)</screen> </para>
<para> Now we are ready to compile and install Apache with WebDAV and
LDAP authentication for DAV. </para>
<para>Change back to the temp download directory:</para>
<para><command># cd /tmp/downloads</command></para>
<para>Change to the Apache tree directory:</para>
<para><command># cd apache_1.x.x</command></para>
<para>Now set the variable SSL_BASE to the OpenSSL lib files. On tcsh it will be as follows:</para>
<para><screen>
<command># setenv SSL_BASE /tmp/downloads/openssl-0.9.x</command>
</screen></para>
<para>This will tell the compiler where to find the SSL lib files.</para>
<para>And now configure apache for the compilation with mod_dav, mod_auth_ldap, and mod_ssl: </para>
<para><screen>
<command> # ./configure --prefix=/usr/local/apache \
--enable-module=ssl \
--activate-module=src/modules/ldap/mod_auth_ldap.c \
--activate-module=src/modules/dav/libdav.a \
--enable-shared=ssl
[...you can add more options here...] </command>
</screen></para>
<para>--enable-shared is optional; it tells configure to compile SSL as a dynamic module. Depending on the
services that you will be providing, you may or may not need dynamic compilation.</para>
<para>Now compile the Apache and install it into the appropriate
place: </para>
<para><command># make </command></para>
<para>Now create the SSL certification on the web server</para>
<para><command># make certificate TYPE=custom</command></para>
<para>Follow through the instructions, and you will have a certificate in no time. Remember CommonName is your
FQDN (Fully Qualified Domain Name) e.g. dav.yourcompany.com</para>
<para>For details on creating and managing the SSL certificates, please read the section titled "Creating and Managing SSL certificates".</para>
<para>Now install Apache into its own directory</para>
<para><command># make install</command></para>
</sect2>
</sect1>
<sect1 id="config-webdav"><title>Configuring and Setting up the
WebDAV services</title>
<para> Now for the easy part. In this section we will WebDAV-enable a
directory under the Apache root. </para>
<sect2><title>Modifications to the
<filename>/usr/local/apache/conf/httpd.conf</filename></title>
<para>
Please verify that the following Apache directive appears in the
<filename>/usr/local/apache/conf/httpd.conf</filename> :</para>
<para><screen>
AddModule mod_dav.c
</screen></para>
<para> If it does not, please add it. This directive informs Apache
about DAV capability. The directive must be placed outside any
container. </para>
<para>
Next we must specify where Apache should store
the DAVLockDB file. DAVLockDB is a lock database for the WebDAV.
This directory should be writable by the httpd process.
</para>
<para>
I store the DAVLock file under <filename>/usr/local/apache/var</filename>.
I use this directory for other purposes as well. Please add the
following line to your
<filename>/usr/local/apache/conf/httpd.conf</filename> to specify
that the DAVLockDB file will be under
<filename>/usr/local/apache/var</filename> : </para>
<para><screen>
DAVLockDB /usr/local/apache/var/DAVLock
</screen></para>
<para>The directive must be placed outside any container.</para>
</sect2>
<sect2><title>Creating a directory for DAVLockDB</title>
<para> As mentioned above a directory must be created for DAVLockDB
that can be written to by the web server process. Usually the web server
process runs under the user '<emphasis>nobody</emphasis>'. Please
verify this for your system using the command:
<screen><command>ps -ef | grep httpd</command></screen>
Under <filename>/usr/local/apache</filename> create
the directory and set the permissions on it using the following
commands: </para>
<para><screen>
<command># cd /usr/local/apache</command>
<command># mkdir var</command>
<command># chmod -R 755 var/</command>
<command># chown -R nobody var/</command>
<command># chgrp -R nobody var/</command>
</screen></para>
</sect2>
<sect2><title>Enabling DAV</title>
<para> Enabling DAV is a trivial task. To enable DAV for a directory
under Apache root, just add the following directive in the container
for that particular directory: </para>
<para><screen>
DAV On
</screen></para>
<para> This directive will enable DAV for the directory and its
sub-directories. </para>
<para>The following is a sample configuration that will enable WebDAV
and LDAP authentication on
<filename>/usr/local/apache/htdocs/DAVtest</filename>. Place this in
the <filename>/usr/local/apache/conf/httpd.conf</filename> file.
</para>
<para><screen>
&lt;Directory /usr/local/apache/htdocs/DAVtest&gt;
Dav On
#Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "LDAP_userid_password_required"
AuthType Basic
&lt;Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK&gt;
Require valid-user
&lt;/Limit&gt;
LDAP_Server ldap.server.com
LDAP_Port 389
Base_DN "o=ROOT"
UID_Attr uid
&lt;/Directory&gt;
</screen></para>
</sect2>
<sect2><title>Create a Directory called DAVtest</title>
<para>As mentioned in an earlier section, all DAV directories have to
be writable by the WebServer process. In this example we assume the
WebServer is running under username '<emphasis>nobody</emphasis>'.
This is usually the case. To check which user httpd is running under,
please use:
<screen><command># ps -ef | grep httpd</command></screen>
</para>
<para>Create a test directory called '<filename>DAVtest</filename>'
under <filename>/usr/local/apache/htdocs</filename> :</para>
<para><command># mkdir /usr/local/apache/htdocs/DAVtest</command></para>
<para>Change the permissions on the directory to make it
read-writable by the httpd process. Assuming httpd is running
under username '<emphasis>nobody</emphasis>', use the following
commands:</para>
<para><screen>
# cd /usr/local/apache/htdocs
# chmod -R 755 DAVtest/
# chown -R nobody DAVtest/
# chgrp -R nobody DAVtest/
</screen></para>
</sect2>
<sect2><title>Restart Apache</title>
<para> Finally you must run the configuration test routine that comes
with Apache to verify the syntax in <filename>httpd.conf</filename> :
</para>
<para><command># /usr/local/apache/bin/apachectl configtest</command></para>
<para>
If you get error messages please verify that you followed all of
the above mentioned steps correctly. If you can not figure out the
error message feel free to email me with the error message
(<ulink url="mailto:saqib@seagate.com">saqib@seagate.com</ulink>).
</para>
<para>If the configtest is successful start the apache web-server: </para>
<para><command># /usr/local/apache/bin/apachectl restart</command></para>
<para>Now you have a WebDAV enabled Apache server with LDAP
authentication and SSL encryption. </para>
</sect2>
<sect2><title>WebDAV server protocol compliance testing</title>
<para>It is very important that the WebDAV server we just implemented be fully compliant with the WebDAV-2 protocol. If it is not
fully compliant, the client side WebDAV applications will not function properly.</para>
<para>To test the compliance we will use a tool called Litmus. Litmus is a WebDAV server protocol compliance test suite,
which aims to test whether a server is compliant with the WebDAV protocol as specified in RFC2518. </para>
<para>Please download the Litmus source code from http://www.webdav.org/neon/litmus/ and place it in the /tmp/downloads directory.</para>
<para>Then use gzip and tar to extract the files:</para>
<screen>
<command># cd /tmp/downloads</command>
<command># gzip -d litmus-0.6.x.tar.gz</command>
<command># tar -xvf litmus-0.6.x.tar</command>
<command># cd litmus-0.6.x</command>
</screen>
<para>Compiling and installing Litmus is easy:</para>
<screen>
<command># ./configure</command>
<command># make</command>
<command># make install</command>
</screen>
<para><command>make install</command> will install the Litmus binary files under <filename>/usr/local/bin</filename> and the help files under <filename>/usr/local/man</filename>.</para>
<para>To test the compliance of the WebDAV server that you just installed, use the following command:</para>
<screen>
<command># /usr/local/bin/litmus http://your.dav.server/DAVtest userid passwd</command>
</screen>
</sect2>
</sect1>
<sect1><title>WebDAV server management</title>
<para>In this section we will discuss the various management tasks, e.g. using LDAP for access control, and working with DAV methods on Apache.</para>
<para>Most of the configuration changes for DAV will have to be done using the <filename>httpd.conf</filename> file. This file is located at <filename>/usr/local/apache/conf/httpd.conf</filename> </para>
<para><filename>httpd.conf</filename> is a text based configuration file that Apache uses. It can be edited using any text editor - I prefer using vi. Please make a backup copy of this file before changing it.</para>
<para>After making changes to the <filename>httpd.conf</filename> the Apache server has to be restarted using the <command>/usr/local/apache/bin/apachectl restart</command> command.
However, before restarting you should test the validity of the <filename>httpd.conf</filename> by using the <command>/usr/local/apache/bin/apachectl configtest</command> command. </para>
<sect2><title>Restricting access to DAV shares</title>
<para>In the previous section when we created the DAVtest share, we used LDAP for authentication purposes. However anyone
who can authenticate using their LDAP userid/passwd will be able to access that folder. </para>
<para>Using the <command>require</command> directive in the httpd.conf file, we can limit access to certain individuals or groups of individuals.</para>
<para>If we look at the DAVtest configuration from the previous section:
<screen>
&lt;Directory /usr/local/apache/htdocs/DAVtest&gt;
Dav On
#Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "LDAP_userid_password_required"
AuthType Basic
&lt;Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK&gt;
Require valid-user
&lt;/Limit&gt;
LDAP_Server ldap.server.com
LDAP_Port 389
Base_DN "o=ROOT"
UID_Attr uid
&lt;/Directory&gt;
</screen>
We see that the <command>require</command> is set to <command>valid-user</command>, which means any valid authenticated user
has access to this folder.
</para>
<sect3><title>Restricting access based on Individual UID(s)</title>
<para>The LDAP UID can be used to restrict access to a DAV folder.</para>
<para>The <command>require valid-user</command> directive can be changed to <command>require user 334455 445566</command></para>
<para>This will restrict access to the individuals with UID 334455 and 445566. Anyone else will not be able to access this folder.</para>
</sect3>
<sect3><title>Restricting access based on groups of individuals.</title>
<para><command>require</command> can also be used to restrict access to groups of individuals. This can be either done using LDAP groups or LDAP filters. The filter must be valid LDAP filter syntax.</para>
</sect3>
</sect2>
<sect2><title>Restricting write access to DAV shares</title>
<para>It may be required that editing of the resources on the DAV shares be restricted to certain individuals, while anyone can view the resources. This can be easily done using the <command>&lt;Limit&gt;</command> tags in the httpd.conf file.</para>
<para>
<screen>
&lt;Directory /usr/local/apache/htdocs/DAVtest&gt;
Dav On
#Options Indexes FollowSymLinks
AllowOverride None
order allow,deny
allow from all
AuthName "LDAP_userid_password_required"
AuthType Basic
&lt;Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK&gt;
Require valid-user
&lt;/Limit&gt;
LDAP_Server ldap.server.com
LDAP_Port 389
Base_DN "o=ROOT"
UID_Attr uid
&lt;/Directory&gt;
</screen>
</para>
<para>You can restrict write access to certain individuals by changing the <command>&lt;Limit&gt;</command> to
<screen>
&lt;Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK&gt;
Require user 334455
&lt;/Limit&gt;
</screen>
</para>
<para>Basically we are limiting PUT, POST, DELETE, PROPPATCH, MKCOL, COPY, MOVE, LOCK and UNLOCK to the individual who has the UID 334455. Everyone else will be able to use the methods GET and PROPFIND on the resources, but not any other method.</para>
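<para>To see exactly which methods a given <command>&lt;Limit&gt;</command> list leaves open, here is an added Python model of the access decision. It is not code from this HOWTO or from Apache; it covers only the directives used on this page (Limit, Require valid-user, Require user) and treats one Directory block at a time.</para>

```python
"""Model of how the <Limit> and Require lines on this page decide access
to the DAVtest share, so the effect of narrowing a <Limit> list can be
checked before the server is restarted.

Added example: this is not code from the HOWTO or from Apache. It models
only what the page uses (Limit, Require valid-user, Require user ...),
plus two Apache rules: a Require outside any <Limit> applies to every
method, and limiting GET also limits HEAD.
"""
import re

# Constructed copies of the page's two <Directory> fragments; the LDAP_*
# and Options lines are dropped because they do not affect the decision.
ALL_DAV_METHODS_VALID_USER = """
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
AuthName "LDAP_userid_password_required"
AuthType Basic
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
</Limit>
</Directory>
"""

WRITE_RESTRICTED_TO_ONE_UID = """
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
AuthName "LDAP_userid_password_required"
AuthType Basic
<Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require user 334455
</Limit>
</Directory>
"""

# Methods a WebDAV client commonly sends. OPTIONS and HEAD do not appear in
# the page's <Limit> lists, which is exactly what the model makes visible.
DAV_METHODS = ["OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE", "PROPFIND",
               "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"]


def parse_rules(config):
    """Return [(methods, require_words)]; methods is None for a Require
    that sits outside any <Limit> block (it then covers every method)."""
    rules = []
    inside = None                       # method set of the open <Limit>
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"<limit\s+([^>]+)>", line, re.I)
        if m:
            inside = {w.upper() for w in m.group(1).split()}
            if "GET" in inside:
                inside.add("HEAD")      # Apache: limiting GET limits HEAD
            continue
        if line.lower() == "</limit>":
            inside = None
            continue
        if line.lower().startswith("require "):
            rules.append((inside, line.split()[1:]))
    return rules


def allowed(config, method, user):
    """user is the authenticated LDAP uid, or None for an anonymous request."""
    applicable = [req for methods, req in parse_rules(config)
                  if methods is None or method.upper() in methods]
    if not applicable:
        return True          # no Require covers this method: open to anyone
    if user is None:
        return False         # authentication demanded, none supplied
    # Several Require lines in one context are alternatives (any may match).
    return any(req[0] == "valid-user" or (req[0] == "user" and user in req[1:])
               for req in applicable)


def unauthenticated_methods(config, methods=DAV_METHODS):
    """Methods an anonymous client may use against the share."""
    return [m for m in methods if allowed(config, m, None)]
```

Run over the page's first configuration the model reports OPTIONS as uncovered, and over the write-restricted one OPTIONS, GET, HEAD and PROPFIND: a method missing from the <command>&lt;Limit&gt;</command> list is left unauthenticated, not denied.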
</sect2>
</sect1>
<sect1 id="ssl"><title>Implementing and using SSL to secure WebDAV traffic</title>
<para>
Security of the data stored on a file server is very important these days. Compromised data can cost a company thousands of dollars.
In the last section, we compiled the LDAP authentication module into the Apache build to provide an authentication
mechanism. However HTTP traffic is very insecure, and all data is transferred in clear text - meaning the LDAP authentication
(userid/passwd) will be transmitted as clear text as well. This creates a problem: anyone can sniff these userid/passwd and gain
access to the DAV store. To prevent this we have to encrypt the HTTP traffic, essentially HTTP + SSL or HTTPS. Anything transferred over
HTTPS is encrypted, so the LDAP userid/passwd can not be sniffed. HTTPS runs on port 443. The resulting build from the last
section's compilation process will have Apache listen on both port 80 (normal HTTP) and 443 (HTTPS). If you are just going
to use this server for DAV, then I highly suggest that you close port 80. In this section of the HOWTO I will provide some
information regarding SSL and maintaining SSL on a WebDAV server. However this is not limited to a DAV server; it can be
used on any web server.
</para>
<sect2><title>Introduction to SSL</title>
<para>
SSL (Secure Socket Layer) is a protocol layer that exists between the Network Layer and the Application layer. As the name suggests,
SSL provides a mechanism for encrypting all kinds of traffic - LDAP, POP, IMAP and most importantly HTTP.
</para>
<para>
The following is an over-simplified structure of the layers involved in SSL.
<screen>
+-------------------------------------------+
|   LDAP   |   HTTP   |   POP    |   IMAP   |
+-------------------------------------------+
|                    SSL                    |
+-------------------------------------------+
|               Network Layer               |
+-------------------------------------------+
</screen>
</para>
<sect3><title>Encryption algorithms used in SSL</title>
<para>
There are 2 kinds of encryption algorithms used in SSL.
</para>
<para>
<emphasis role="strong">Public-Private Key Cryptography - Initiating the SSL connection: </emphasis> This algorithm is used for initiating the SSL session. In this algorithm, the encryption must
be performed using the Public Key, and the decryption can only be performed using the Private Key. The Web-server holds the
Private Key, and sends the Public Key to the client. The public key is sent to the client in a certificate.
</para>
<orderedlist>
<listitem>
<para>The client requests content from the Web Server using HTTPS.</para>
</listitem>
<listitem>
<para>The web server responds with a Certificate which includes the server's public key.</para>
</listitem>
<listitem>
<para>The client checks to see if the certificate has expired.</para>
</listitem>
<listitem>
<para>Then the client checks if the Certificate Authority that signed the certificate is a trusted authority listed in the browser. This explains why we need to get a certificate from a trusted CA.</para>
</listitem>
<listitem>
<para>The client then checks to see if the Domain Name of the web server matches the Common Name (CN) on the certificate.</para>
</listitem>
<listitem>
<para>If everything is successful the SSL connection is initiated.</para>
</listitem>
</orderedlist>
<para>
<emphasis role="strong">Symmetric Cryptography - Actual transmission of data</emphasis>: After the SSL connection has been established, symmetric cryptography
is used to encrypt the data. Public-Private Key cryptography is CPU cycle intensive, so symmetric cryptography is used instead. In
symmetric cryptography the data can be encrypted and decrypted using the same key. The key for symmetric cryptography was
exchanged in the initiation process.
</para>
</sect3>
</sect2>
<sect2><title>Test Certificates</title>
<para>While compiling Apache we created a test certificate. We used the makefile provided by
mod_ssl to create this custom Certificate. We used the command:
<screen># make certificate TYPE=custom</screen>
</para>
<para>This certificate can be used for testing purposes.</para>
</sect2>
<sect2><title>Certificates for Production use</title>
<para>
For production use you will need a certificate from a CA.
CAs, or Certificate Authorities, are certificate vendors who are listed as a Trusted CA in the user's browser client. As mentioned in
the Encryption Algorithms section, if the CA is not listed as a trusted authority, your user will get a warning message when
trying to connect to a secure location.
</para>
<para>
Similarly the test certificates will also cause a warning message to appear on the user's browser.
</para>
</sect2>
<sect2><title>How to generate a CSR</title>
<para>
A CSR or Certificate Signing Request must be sent to the trusted CA for signing. This section discusses how to create a CSR,
and send it to the CA of your choice.
</para>
<screen>
<command>cd /usr/local/apache/conf/</command>
<command>/usr/local/ssl/bin/openssl req -new -nodes -keyout private.key -out public.csr</command>
</screen>
<para>
At this point you will be asked several questions about your server location, to generate the Certificate Signing Request.</para>
<para>
Note: Your Common Name is the DNS name of your webserver e.g. dav.server.com . If you put in anything else, it will NOT work. Remember the passwd that you use, for future reference.
</para>
<para>Once the process is complete, you will have private.key and public.csr . At this point private.key is not encrypted. To encrypt it:
</para>
<screen>
<command>mv private.key private.key.unencrypted</command>
<command>/usr/local/ssl/bin/openssl rsa -in private.key.unencrypted -des3 -out private.key</command>
</screen>
</sect2>
<sect2><title>Removing passphrase from the RSA Private Key</title>
<para>The RSA Private Key stored on the webserver is usually encrypted, and you need a passphrase to parse the file. That is why you
are prompted for a passphrase when you start Apache with mod_ssl:</para>
<para>
<screen>
<command># apachectl startssl</command>
<computeroutput>Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server your.server.dom:443 (RSA)
Enter pass phrase:</computeroutput>
</screen>
</para>
<para>Encrypting the RSA Private Key is very important. If somebody gets hold of your "Unencrypted RSA Private Key" he/she can easily
impersonate your webserver. If the Key is encrypted, the hacker can not do anything without the passphrase. </para>
<para>However encrypting the Key can sometimes be a nuisance, since you will be prompted for a passphrase every time you start the web-server.
Especially if you are using rc scripts to start the webserver at boot time, the prompt for the passphrase creates problems.</para>
<para>You can get rid of the passphrase prompt easily by decrypting the Key. However make sure that no one can get hold of this Key. I would
recommend that hardening and securing guidelines be followed before decrypting the Key on the webserver.</para>
<para>To decrypt the Key:</para>
<para>First make a copy of the encrypted key</para>
<para><screen><command># cp server.key server.key.cryp</command></screen></para>
<para>Then re-write the key without encryption. You will be prompted for the original encrypted Key passphrase</para>
<para><screen><command># /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key</command>
read RSA key
Enter PEM pass phrase:
writing RSA key
</screen>
</para>
<para>
One way to secure the decrypted Private Key is to make it readable only by root:
<screen>
<command># chmod 400 server.key</command>
</screen>
</para>
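<para>The following Python audit is an added example (not code from this HOWTO, mod_ssl or OpenSSL) that checks a key file the way this section recommends: it reports a key that is no longer passphrase-protected and a file mode that lets anyone but the owner read it. The PEM bodies it writes are constructed placeholders, not real key material.</para>

```python
"""Audit of an Apache/mod_ssl private key file, following the advice in
this section: report a key that is no longer passphrase-protected and a
file mode that lets anyone but the owner read it.

Added example: not code from the HOWTO, mod_ssl or OpenSSL. The PEM
bodies are constructed placeholders, not real key material.
"""
import os
import stat
import tempfile

# Constructed sample of what `openssl rsa -des3` writes: legacy PEM with
# Proc-Type / DEK-Info headers. The base64 body is a placeholder.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

PLACEHOLDERKEYBODYPLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----
"""

# Constructed sample of the key after `openssl rsa -in server.key.cryp
# -out server.key`: same block type, but no Proc-Type header.
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODYPLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----
"""


def pem_is_encrypted(text):
    """True if the key is passphrase-protected, in either PEM form OpenSSL
    can produce: legacy 'Proc-Type: 4,ENCRYPTED' or a PKCS#8
    'BEGIN ENCRYPTED PRIVATE KEY' block."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return True
    return any(line.startswith("Proc-Type:") and "ENCRYPTED" in line
               for line in text.splitlines())


def audit_key_file(path, expected_uid=0):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    with open(path) as f:
        text = f.read()
    st = os.stat(path)
    if not pem_is_encrypted(text):
        findings.append("key is not passphrase-protected")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                      # any group/other permission bit
        findings.append("mode %04o is readable beyond the owner; use chmod 400" % mode)
    if st.st_uid != expected_uid:
        findings.append("owner uid %d is not uid %d" % (st.st_uid, expected_uid))
    return findings


def demo():
    """Write the two constructed keys to a temp dir and audit them, once
    with the permissions the section recommends and once with the common
    mistake of leaving the decrypted key at 0644."""
    results = {}
    me = os.getuid()                      # the files are ours, not root's
    with tempfile.TemporaryDirectory() as d:
        enc = os.path.join(d, "server.key.cryp")
        plain = os.path.join(d, "server.key")
        for path, body in ((enc, ENCRYPTED_PEM), (plain, PLAIN_PEM)):
            with open(path, "w") as f:
                f.write(body)
        os.chmod(enc, 0o400)
        os.chmod(plain, 0o644)
        results["encrypted_0400"] = audit_key_file(enc, expected_uid=me)
        results["plain_0644"] = audit_key_file(plain, expected_uid=me)
        os.chmod(plain, 0o400)            # the fix from this section
        results["plain_0400"] = audit_key_file(plain, expected_uid=me)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

On a real server run <command>audit_key_file</command> against the key named by SSLCertificateKeyFile with the default expected uid of 0, since the key should be owned by root.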
</sect2>
<sect2><title>Trusted Certificate Authorities</title>
<para>The following is a list of Certificate Authorities that are trusted by the various browsers:</para>
<orderedlist>
<listitem>
<para><ulink url="http://www.verisign.com">Verisign</ulink></para>
</listitem>
<listitem>
<para><ulink url="http://www.thawte.com">Thawte</ulink></para>
</listitem>
</orderedlist>
</sect2>
</sect1>
</article>