Apache based WebDAV with LDAP and SSL HOWTO

Saqib Ali

saqib@seagate.com

Revision History                                                             
Revision v2.1            2002-03-24            Revised by: sa                
Refined the WebDAV Introduction and SSL section.                             
Revision v2.0            2002-03-20            Revised by: sa                
Added the SSL section                                                        
Revision v1.1            2001-11-29            Revised by: sa                
Initial public release.                                                      
Revision v1.0            2001-11-01            Revised by: sa                
Initial public release.                                                      


This document is a HOWTO on installing an Apache-based WebDAV server with
LDAP for authentication and SSL for encryption.

-----------------------------------------------------------------------------
Table of Contents
1. Introduction
    1.1. Copyright and License
    1.2. What is WebDAV?
    1.3. Why use WebDAV?
    1.4. How does WebDAV work?
    1.5. What do we need?
    1.6. Assumptions
    1.7. Opinions and Suggestions
   
   
2. Installing WebDAV services
    2.1. Pre-Requirements
    2.2. Pre-configuring Apache
    2.3. Configuring and Installing mod_dav
    2.4. Installing and configuring mod_auth_ldap
    2.5. Installing and configuring mod_ssl
    2.6. Configuring and Installing Apache
   
   
3. Configuring and Setting up the WebDAV services
    3.1. Modifications to the /usr/local/apache/conf/httpd.conf
    3.2. Creating a directory for DAVLockDB
    3.3. Enabling DAV
    3.4. Create a Directory called DAVtest
    3.5. Restart Apache
   
   

1. Introduction

The objective of this document is to set up an Apache-based WebDAV server that
can authenticate against an LDAP server. You will learn how to install,
configure, run, maintain and fine-tune an Apache-based WebDAV server. This
document provides the basic groundwork for setting up a WebDAV server, as
well as information on fine-tuning and maintaining it.

Note: If you encounter any problems installing Apache or any of the modules
please feel free to contact me.

[http://www.stonebeat.org] WebDAV Support and Discussion Forum

This document is not a HOWTO on setting up an LDAP server. For setting up an
LDAP server please visit [http://www.linuxdoc.org/HOWTO/LDAP-HOWTO-1.html]
http://www.linuxdoc.org/HOWTO/LDAP-HOWTO-1.html
-----------------------------------------------------------------------------

1.1. Copyright and License

This document is Copyright 2001 by Saqib Ali. Permission is granted to copy,
distribute and/or modify this document under the terms of the GNU Free
Documentation License, Version 1.1 or any later version published by the Free
Software Foundation; with no Invariant Sections, with no Front-Cover Texts,
and with no Back-Cover Texts. A copy of the license is available at [http://
www.gnu.org/copyleft/fdl.html] http://www.gnu.org/copyleft/fdl.html
-----------------------------------------------------------------------------

1.2. What is WebDAV?

WebDAV stands for Web enabled Distributed Authoring and Versioning. It
provides a collaborative environment for users to edit and manage files on
web servers. Technically, DAV is an extension of the HTTP protocol.

WebDAV introduces several new properties in addition to the existing HTTP
ones. A property in HTTP terminology refers to the descriptive information
about a file on the web server. The properties that DAV introduces are
PROPFIND, PROPPATCH, MKCOL, PUT, COPY, MOVE, DELETE, LOCK, and obviously
UNLOCK. The following is a brief description of each:

PROPFIND - Retrieves the properties of a file or resource on the web server.

PROPPATCH - Sets the properties of a file or resource on the web server.

MKCOL - Makes a collection of resources (the DAV equivalent of a directory).

PUT - Puts a resource/collection on the server.

COPY - Copies a resource/collection.

MOVE - Moves a resource/collection.

DELETE - Deletes a resource/collection.

LOCK - Locks a resource for PROPPATCH, MKCOL, PUT, MOVE, and DELETE.

UNLOCK - Unlocks a resource.

Remember these properties, as we will need them later in this tutorial.
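One of these in use, as an added example that is not part of the original
HOWTO: a Python script that builds a PROPFIND request and parses a constructed
207 Multi-Status response (the host name dav.example.com, the dates, the lock
owner 'alice' and the lock token are all made up for the example). It reads
back the resourcetype, getlastmodified and lockdiscovery properties, so a
client can tell a collection from a plain resource and see an exclusive write
lock of the kind LOCK creates before it attempts PUT, PROPPATCH or DELETE.

```python
"""Added example, not from the HOWTO: one PROPFIND exchange with a WebDAV server.

build_propfind() produces the client request; SAMPLE_RESPONSE is a constructed
207 Multi-Status reply (host, dates, owner and lock token are made up), and
parse_multistatus() extracts what a DAV client needs from it.
"""
import xml.etree.ElementTree as ET

D = "{DAV:}"   # WebDAV's XML namespace is literally the string "DAV:"


def build_propfind(path: str, depth: int = 1) -> bytes:
    """Raw HTTP/1.1 PROPFIND asking for resource type, modification time and locks.

    Depth: 0 = the resource itself, 1 = the resource plus its immediate members."""
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<D:propfind xmlns:D="DAV:"><D:prop>'
        "<D:resourcetype/><D:getlastmodified/><D:lockdiscovery/>"
        "</D:prop></D:propfind>"
    ).encode()
    head = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        "Host: dav.example.com\r\n"            # hypothetical server name
        f"Depth: {depth}\r\n"
        'Content-Type: application/xml; charset="utf-8"\r\n'
        f"Content-Length: {len(body)}\r\n\r\n"
    ).encode()
    return head + body


# Constructed server reply: a collection and one locked member resource.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/DAVtest/</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype><D:collection/></D:resourcetype>
        <D:getlastmodified>Sun, 24 Mar 2002 10:00:00 GMT</D:getlastmodified>
        <D:lockdiscovery/>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/DAVtest/report.txt</D:href>
    <D:propstat>
      <D:prop>
        <D:resourcetype/>
        <D:getlastmodified>Sun, 24 Mar 2002 11:30:00 GMT</D:getlastmodified>
        <D:lockdiscovery><D:activelock>
          <D:locktype><D:write/></D:locktype>
          <D:lockscope><D:exclusive/></D:lockscope>
          <D:owner>alice</D:owner>
          <D:locktoken><D:href>opaquelocktoken:constructed-example-token</D:href></D:locktoken>
        </D:activelock></D:lockdiscovery>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>
"""


def parse_multistatus(xml_bytes: bytes) -> list:
    """Turn a 207 Multi-Status body into one dict per resource."""
    resources = []
    for resp in ET.fromstring(xml_bytes).iter(D + "response"):
        prop = resp.find(D + "propstat/" + D + "prop")
        lock = prop.find(D + "lockdiscovery/" + D + "activelock")
        resources.append({
            "href": resp.findtext(D + "href"),
            "collection": prop.find(D + "resourcetype/" + D + "collection") is not None,
            "modified": prop.findtext(D + "getlastmodified"),
            # A write lock held by someone else means PUT/PROPPATCH/DELETE get 423 Locked.
            "locked_by": lock.findtext(D + "owner") if lock is not None else None,
            "lock_scope": (None if lock is None else "exclusive"
                           if lock.find(D + "lockscope/" + D + "exclusive") is not None
                           else "shared"),
        })
    return resources


if __name__ == "__main__":
    print(build_propfind("/DAVtest/").decode())
    for entry in parse_multistatus(SAMPLE_RESPONSE):
        print(entry)
```

Run it as-is to see the request bytes and the two parsed entries; to talk to a
real server, send the output of build_propfind() over a socket (or TLS socket)
and feed the response body to parse_multistatus().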
-----------------------------------------------------------------------------

1.3. Why use WebDAV?

I ask, why not? Who doesn't like distributed authoring of documents? Using
WebDAV technology, people throughout the world can work on the same document.
With the locking mechanism that DAV provides, the person who is editing a
resource locks it for editing; others can read it but not modify it. When the
person editing the document is done, he or she releases the lock, and then
others can modify the document as well.

Authentication to gain access to resources is available in HTTP. This HOWTO
discusses using LDAP for authentication. Permissions using groups and users
in the LDAP directory can be set up to control read/write access to the
various resources (documents) on the WebDAV server, so that you don't need to
share passwords to work on the same documents.

If you are worried about people trying to sniff your traffic and gain access
to confidential data, then worry not: you can always use HTTP with SSL
version 3. This is the best encryption available. This document details how
to implement a WebDAV server that uses SSL encryption for transferring data.
-----------------------------------------------------------------------------

1.4. How does WebDAV work?

text goes here...
-----------------------------------------------------------------------------

1.5. What do we need?

The tools needed to achieve this objective are:

*Apache Web Server
   
*LDAP Module for Apache
   
*WebDAV Module for Apache
   
*LDAP lib file
   

NOTE: All of these packages are free and are available for download on the
net.

We will compile all the above-mentioned packages to produce binaries for the
web server. The WebDAV and LDAP modules will be compiled statically into
Apache; static compilation results in faster execution times. Apache was
chosen because it is the most versatile web server ever to exist. The Market
Share for Top Web Servers survey shows that Apache has the largest web server
market share.

Apache is also being used by:

*[http://www.rackspace.com] RackSpace - WebHosting provider
   
*[http://www.cihost.com] CIHost - WebHosting provider
   
*[http://www.slashdot.org] SlashDot
   

-----------------------------------------------------------------------------
1.6. Assumptions

This document assumes that you have the following already installed on your
system:

 1. gzip or gunzip - available from [http://www.gnu.org] http://www.gnu.org
   
 2. gcc and GNU make - available from [http://www.gnu.org] http://www.gnu.org
   

The document also assumes there is an LDAP server installed elsewhere which
will be used for authentication.
-----------------------------------------------------------------------------

1.7. Opinions and Suggestions

If you have any questions about the information available on this document,
please contact me on the following email address: [mailto:saqib@seagate.com]
saqib@seagate.com

If you have comments and/or suggestions, please let me know as well!
-----------------------------------------------------------------------------

2. Installing WebDAV services

Our game plan is to first install the OpenLDAP package. OpenLDAP is not
required for Apache_LDAP_DAV to work, but we need the installed OpenLDAP
library files to compile mod_auth_ldap. Then we will compile Apache with
mod_auth_ldap and mod_dav.

Please download the following packages.

*[http://www.apache.org] Apache Web Server
   
*[http://www.openldap.org/] OpenLDAP (for LDAP lib files)
   
*[http://www.webdav.org/mod_dav/] mod_dav (Apache module for WebDAV)
   
*[http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap.html]
    mod_auth_ldap (LDAP authentication module for Apache)
   
*[http://www.openssl.org] OpenSSL (SSL engine for creating/managing
    certificates)
   
*[http://www.modssl.org/] mod_SSL (SSL Module for Apache)
   

-----------------------------------------------------------------------------
2.1. Pre-Requirements

To compile the WebDAV service with LDAP authentication capability, we need to
have the LDAP library files installed on the machine. The LDAP library files
are used to compile the LDAP module for Apache. The best way to get the LDAP
library files is to download the OpenLDAP source code from [http://
www.openldap.org] http://www.openldap.org and compile it to produce the
required library files. You may use any other LDAP implementation, such as
iPlanet, as well, but I recommend an open-source solution.
-----------------------------------------------------------------------------

2.1.1. OpenLDAP lib files installation

Become root by using the su command:

$ su

Now change to the directory where you placed the OpenLDAP (tar) source file,
and extract the content. (I use a temp directory, /tmp/download):

+---------------------------------------------------------------------------+
|# cd /tmp/download                                                         |
|# gzip -d openldap-stable-xxxxxxx.tar.gz                                   |
|# tar -xvf openldap-stable-xxxxxxx.tar                                     |
|# cd openldap-x.x.xx                                                       |
+---------------------------------------------------------------------------+

Now you can run "configure" for the openldap package. "configure" has many
command line options. Type "./configure --help" to see all options.

For this web server we don't really need the LDAP daemon, assuming there is
an LDAP server running elsewhere. We just need the LDAP library files. Since
we will not be compiling the LDAP daemon, we have to specify '--disable-slapd'
as a command line option to 'configure':

# ./configure --disable-slapd

After you are done with configuring, you can make the dependencies for the
openldap package:

# make depend

After making the dependencies the openldap package needs to be compiled. Use
the make command:

# make

If everything goes OK, you will end up with a compiled version of openldap in
the current directory. Then you will need to install the compiled binaries
and libraries into the appropriate places:

# make install

Now you should have the compiled LDAP library files required for mod_auth_ldap
in the correct directory structure.
-----------------------------------------------------------------------------

2.1.2. OpenSSL Engine

OpenSSL is required to create and manage SSL certificates on the web server.
The installation is also necessary for the library files that will be used by
the SSL module for Apache.

Now change to the directory where you placed the OpenSSL source code files,
extract them, and run OpenSSL's config script before building (the tree name
openssl-0.9.x is referenced again later when SSL_BASE is set):

+---------------------------------------------------------------------------+
|# cd /tmp/download                                                         |
|# gzip -d openssl-0.9.x.tar.gz                                             |
|# tar -xvf openssl-0.9.x.tar                                               |
|# cd openssl-0.9.x                                                         |
|# ./config                                                                 |
|# make                                                                     |
|# make test                                                                |
|# make install                                                             |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

2.2. Pre-configuring Apache

mod_dav requires that you have Apache pre-configured so that it knows where
everything is. Change back to the directory where you have the source files:

+---------------------------------------------------------------------------+
|  # cd /tmp/download                                                       |
|  # gzip -d apache_1.x.x.tar.gz                                            |
|  # tar -xvf apache_1.x.x.tar                                              |
|  # cd apache_1.x.x                                                        |
|  # ./configure --prefix=/usr/local/apache                                 |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

2.3. Configuring and Installing mod_dav

As mentioned above mod_dav will be statically linked with the Apache
installation. Start by extracting mod_dav files:

+---------------------------------------------------------------------------+
|# cd /tmp/download                                                         |
|# gzip -d mod_dav-1.x.x.tar.gz                                             |
|# tar -xvf mod_dav-1.x.x.tar                                               |
+---------------------------------------------------------------------------+

Change to the NEW directory which was created during the extract:

# cd mod_dav-1.x.x

Now configure the mod_dav package for static linking to Apache:

# ./configure --with-apache=/tmp/download/apache_1.x.x

Compile and install the files:

# make

# make install

mod_dav will have been partially compiled and placed into the Apache tree
during the make install step.
-----------------------------------------------------------------------------

2.4. Installing and configuring mod_auth_ldap

Change back to the temp download directory, and extract the mod_auth_ldap
files:

+---------------------------------------------------------------------------+
|# cd /tmp/download                                                         |
|# gzip -d mod_auth_ldap.tar.gz                                             |
|# tar -xvf mod_auth_ldap.tar                                               |
+---------------------------------------------------------------------------+

Now move the extracted modauthldap directory into the Apache source tree,
where the Apache configure step will pick it up as src/modules/ldap:

+---------------------------------------------------------------------------+
|# cd apache_1.x.x                                                          |
|# mv ../modauthldap ./src/modules/ldap                                     |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

2.5. Installing and configuring mod_ssl

Now we will need to configure the SSL module for Apache against the Apache
source tree:

+---------------------------------------------------------------------------+
|# cd /tmp/download                                                         |
|# gzip -d mod_ssl-2.x.x.tar.gz                                             |
|# tar -xvf mod_ssl-2.x.x.tar                                               |
|# cd mod_ssl-2.x.x                                                         |
|# ./configure --with-apache=../apache_1.x.x                                |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

2.6. Configuring and Installing Apache

Finally we have reached the destination. But not yet.......
+---------------------------------------------------------------------------+
|"The Journey is the Destination" (Jerry Garcia of the Grateful Dead)       |
+---------------------------------------------------------------------------+

Now we are ready to compile and install Apache with WebDAV and LDAP
authentication for DAV.

Change back to the temp download directory:

# cd /tmp/download

Change to the Apache tree directory:

# cd apache_1.x.x

Now set the variable SSL_BASE to the OpenSSL source tree that holds the
compiled SSL library files. On tcsh it is set as follows:

+---------------------------------------------------------------------------+
|# setenv SSL_BASE /tmp/download/openssl-0.9.x                              |
+---------------------------------------------------------------------------+

This tells the compiler where to find the SSL library files.

And now configure apache for the compilation with mod_dav, mod_auth_ldap, and
mod_ssl:

+---------------------------------------------------------------------------+
|  # ./configure --prefix=/usr/local/apache \                               |
|     --enable-module=ssl \                                                 |
|     --activate-module=src/modules/ldap/mod_auth_ldap.c \                  |
|     --activate-module=src/modules/dav/libdav.a \                          |
|     --enable-shared=ssl                                                   |
|                                                                           |
|     [...you can add more options here...]                                 |
+---------------------------------------------------------------------------+

--enable-shared=ssl is optional; it tells configure to build mod_ssl as a
dynamic (shared) module rather than linking it statically. Depending on the
services that you will be providing, you may or may not need dynamic
compilation.
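Before running the long configure line above, a quick check that everything
it refers to is actually in place saves a failed build. This is an added
example, not part of the HOWTO: the Apache tree paths are the ones the
--activate-module arguments name; the SSL_BASE layout it expects (libssl.a,
libcrypto.a and include/openssl/ssl.h at the top of the built OpenSSL source
tree) is an assumption about what mod_ssl looks for there; and the demo tree
it builds when run without arguments is constructed for the example.

```python
"""Added example, not from the HOWTO: a pre-flight check run just before the
Apache ./configure step.

The file names come from the HOWTO's own --activate-module arguments; the
SSL_BASE layout (libssl.a, libcrypto.a and include/openssl/ssl.h at the top of
a built OpenSSL source tree) is an assumption about what mod_ssl expects there.
"""
import os
import sys
import tempfile

# Relative to the Apache source tree (what --activate-module points at).
APACHE_TREE_FILES = (
    "configure",
    "src/modules/dav/libdav.a",          # left behind by mod_dav's make install
    "src/modules/ldap/mod_auth_ldap.c",  # moved in from the mod_auth_ldap tarball
)
# Relative to $SSL_BASE (the OpenSSL source tree after make); assumed layout.
SSL_BASE_FILES = ("libssl.a", "libcrypto.a", "include/openssl/ssl.h")


def preflight(apache_dir: str, ssl_base: str) -> list:
    """Return the full paths that are missing; an empty list means go ahead."""
    missing = []
    for base, rels in ((apache_dir, APACHE_TREE_FILES), (ssl_base, SSL_BASE_FILES)):
        for rel in rels:
            full = os.path.join(base, rel)
            if not os.path.isfile(full):
                missing.append(full)
    return missing


def make_demo_trees() -> tuple:
    """Constructed stand-in for a prepared build tree: empty files with the
    expected names under a temporary directory, so the check can be exercised
    without downloading anything. Returns (apache_dir, ssl_base)."""
    root = tempfile.mkdtemp(prefix="dav-preflight-")
    apache_dir = os.path.join(root, "apache_1.x.x")
    ssl_base = os.path.join(root, "openssl-0.9.x")
    for base, rels in ((apache_dir, APACHE_TREE_FILES), (ssl_base, SSL_BASE_FILES)):
        for rel in rels:
            full = os.path.join(base, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
    return apache_dir, ssl_base


if __name__ == "__main__":
    # Usage: preflight.py /tmp/download/apache_1.x.x $SSL_BASE
    # With no arguments the constructed demo tree is checked instead.
    apache_dir, ssl_base = sys.argv[1:3] if len(sys.argv) == 3 else make_demo_trees()
    problems = preflight(apache_dir, ssl_base)
    for path in problems:
        print("missing:", path)
    print("ok, run ./configure" if not problems else "fix the above before ./configure")
    sys.exit(1 if problems else 0)
```

The exit status lets the check sit in front of the configure command in a
shell script, so a tree where mod_dav's make install or the modauthldap move
was skipped stops the build before configure reports a confusing error.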

Now compile Apache:

# make

Now create the SSL certificate on the web server:

# make certificate TYPE=custom

Follow the instructions and you will have a certificate in no time. Remember
that the CommonName must be your FQDN (Fully Qualified Domain Name), e.g.
dav.yourcompany.com, or clients will warn that the certificate does not match
the server name.

For details on creating and managing the SSL certificates, please read the
section titled "Creating and Managing SSL certificates".

Now install Apache into its own directory:

# make install
-----------------------------------------------------------------------------

3. Configuring and Setting up the WebDAV services

Now for the easy part. In this section we will enable WebDAV on a directory
under the Apache document root.
-----------------------------------------------------------------------------

3.1. Modifications to the /usr/local/apache/conf/httpd.conf

Please verify that the following Apache directive appears in the /usr/local/
apache/conf/httpd.conf :

+---------------------------------------------------------------------------+
|  AddModule mod_dav.c                                                      |
+---------------------------------------------------------------------------+

If it does not please add it. This directive informs Apache about DAV
capability. The directive must be placed outside any container.

Next we must specify where Apache should store the DAVLockDB file. DAVLockDB
is the lock database for WebDAV. Its directory must be writable by the httpd
process.

I store the DAVLock file under /usr/local/apache/var. I use this directory
for other purposes as well. Please add the following line to your /usr/local/
apache/conf/httpd.conf to specify that the DAVLockDB file will be under /usr/
local/apache/var :

+---------------------------------------------------------------------------+
|  DAVLockDB      /usr/local/apache/var/DAVLock                             |
+---------------------------------------------------------------------------+

The directive must be placed outside any container.
-----------------------------------------------------------------------------

3.2. Creating a directory for DAVLockDB

As mentioned above, a directory must be created for DAVLockDB that can be
written by the web server process. Usually the web server process runs under
the user 'nobody'. Please verify this for your system using the command 'ps
-ef | grep httpd'. Under /usr/local/apache create the directory and set the
permissions on it using the following commands:

+---------------------------------------------------------------------------+
|  # cd /usr/local/apache                                                   |
|  # mkdir var                                                              |
|  # chmod -R 755 var/                                                      |
|  # chown -R nobody var/                                                   |
|  # chgrp -R nobody var/                                                   |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.3. Enabling DAV

Enabling DAV is a trivial task. To enable DAV for a directory under Apache
root, just add the following directive in the container for that particular
directory:

+---------------------------------------------------------------------------+
|  DAV On                                                                   |
+---------------------------------------------------------------------------+

This directive will enable DAV for the directory and its sub-directories.

The following is a sample configuration that will enable WebDAV and LDAP
authentication on /usr/local/apache/htdocs/DAVtest. Place this in the /usr/
local/apache/conf/httpd.conf file.

+---------------------------------------------------------------------------+
|  <Directory /usr/local/apache/htdocs/DAVtest>                             |
|  DAV On                                                                   |
|  #Options Indexes FollowSymLinks                                          |
|                                                                           |
|  AllowOverride None                                                       |
|  order allow,deny                                                         |
|  allow from all                                                           |
|  AuthName "username_and_passwd_required"                                  |
|  AuthType Basic                                                           |
|  <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>   |
|  Require valid-user                                                       |
|  </Limit>                                                                 |
|  LDAP_Server your.ldap.server.com                                         |
|  # 389 is the standard LDAP port                                          |
|  LDAP_Port 389                                                            |
|  Base_DN "o=ROOT"                                                         |
|                                                                           |
|  UID_Attr uid                                                             |
|  </Directory>                                                             |
+---------------------------------------------------------------------------+
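A check worth running on a block like this, as an added example that is not
part of the HOWTO: the Require above sits inside <Limit>, and a Require inside
<Limit> applies only to the HTTP request methods listed there, so any DAV
write method left off the list is served without authentication (Apache's
<LimitExcept GET> is the usual way to avoid that). The Python script below
parses the DAV <Directory> sections of an httpd.conf (a small subset of
Apache's syntax, enough for this sample) and reports such gaps, along with a
missing AuthType, a missing user source, and a missing SSLRequireSSL (the
mod_ssl directive that refuses plain-HTTP requests, which matters because
Basic authentication sends the password base64-encoded rather than
encrypted). The sample configurations inside it are constructed: the block
above with LDAP_Port 389, a weakened copy, and a hardened copy.

```python
"""Added example, not from the HOWTO: audit the DAV-enabled <Directory> blocks
of an httpd.conf for authentication gaps.

A Require inside <Limit> protects only the methods listed in that <Limit>;
any DAV write method left off the list is served without authentication.
SSLRequireSSL is mod_ssl's real directive. The parser covers only the subset
of Apache syntax used in the HOWTO's sample; the configs below are constructed.
"""
import re

# DAV methods that change resources or locks; GET and PROPFIND are reads.
DAV_WRITE_METHODS = frozenset(
    ["PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"])


def parse_directories(conf: str) -> dict:
    """{path: {"directives": [(name, args)], "limits": [(methods, [(name, args)])]}}
    Names are lower-cased and methods upper-cased, as Apache compares them."""
    dirs, current, limit = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments (simplification)
        if not line:
            continue
        m = re.match(r'<Directory\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = {"directives": [], "limits": []}
            dirs[m.group(1)] = current
            continue
        if re.match(r"</Directory\s*>$", line, re.I):
            current, limit = None, None
            continue
        if current is None:
            continue                                # outside any <Directory>
        m = re.match(r"<Limit\s+([^>]+)>$", line, re.I)
        if m:
            limit = (frozenset(m.group(1).upper().split()), [])
            current["limits"].append(limit)
            continue
        if re.match(r"</Limit\s*>$", line, re.I):
            limit = None
            continue
        parts = line.split(None, 1)
        target = limit[1] if limit is not None else current["directives"]
        target.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return dirs


def audit_dav_directory(path: str, section: dict) -> list:
    """Findings for one <Directory>; empty if not DAV-enabled or nothing stands out."""
    directives = dict(section["directives"])       # last occurrence wins, as in Apache
    if directives.get("dav", "").lower() != "on":
        return []
    findings = []
    if "authtype" not in directives:
        findings.append(f"{path}: DAV On without AuthType, clients are never challenged")
    # A Require outside <Limit> covers every method; inside, only the listed ones.
    protected = set(DAV_WRITE_METHODS) if "require" in directives else set()
    for methods, inner in section["limits"]:
        if any(name == "require" for name, _ in inner):
            protected |= methods
    gap = sorted(DAV_WRITE_METHODS - protected)
    if gap:
        findings.append(f"{path}: write methods accepted without Require: {', '.join(gap)}")
    if "ldap_server" not in directives and "authuserfile" not in directives:
        findings.append(f"{path}: Require has no user source (no LDAP_Server or AuthUserFile)")
    if "sslrequiressl" not in directives:
        findings.append(f"{path}: no SSLRequireSSL, Basic credentials may cross plain HTTP")
    return findings


def audit_config(conf: str) -> list:
    return [f for path, sec in parse_directories(conf).items()
            for f in audit_dav_directory(path, sec)]


# The HOWTO's sample block (LDAP_Port at the standard 389) plus two variants.
HOWTO_SAMPLE = """
<Directory /usr/local/apache/htdocs/DAVtest>
  DAV On
  AllowOverride None
  order allow,deny
  allow from all
  AuthName "username_and_passwd_required"
  AuthType Basic
  <Limit PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
    Require valid-user
  </Limit>
  LDAP_Server your.ldap.server.com
  LDAP_Port 389
  Base_DN "o=ROOT"
  UID_Attr uid
</Directory>
"""
WEAK_SAMPLE = HOWTO_SAMPLE.replace(" LOCK UNLOCK>", ">").replace("  AuthType Basic\n", "")
HARDENED_SAMPLE = HOWTO_SAMPLE.replace("  DAV On\n", "  DAV On\n  SSLRequireSSL\n")

if __name__ == "__main__":
    for label, conf in (("HOWTO sample", HOWTO_SAMPLE), ("weakened", WEAK_SAMPLE),
                        ("hardened", HARDENED_SAMPLE)):
        print(f"[{label}]")
        for line in audit_config(conf) or ["no findings"]:
            print("  " + line)
```

Against the HOWTO block the only finding is the absent SSLRequireSSL; the
weakened copy additionally reports the missing AuthType and the LOCK and
UNLOCK methods that the shortened <Limit> leaves unauthenticated. To run it on
a live server, read /usr/local/apache/conf/httpd.conf into audit_config().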
-----------------------------------------------------------------------------

3.4. Create a Directory called DAVtest

As mentioned in an earlier section, all DAV directories have to be writable by
the web server process. In this example we assume the web server is running
under the username 'nobody', which is usually the case. To check which user
httpd is running as, use:

+---------------------------------------------------------------------------+
|# ps -ef | grep httpd                                                      |
+---------------------------------------------------------------------------+

Create a test directory called 'DAVtest' under /usr/local/apache/htdocs :

# mkdir /usr/local/apache/htdocs/DAVtest

Change the permissions on the directory to make it readable and writable by
the httpd process. Assuming httpd is running under username 'nobody', use the
following commands:

+---------------------------------------------------------------------------+
|  # cd /usr/local/apache/htdocs                                            |
|  # chmod -R 755 DAVtest/                                                  |
|  # chown -R nobody DAVtest/                                               |
|  # chgrp -R nobody DAVtest/                                               |
+---------------------------------------------------------------------------+
-----------------------------------------------------------------------------

3.5. Restart Apache

Finally you must run the configuration test routine that comes with Apache to
verify the syntax in httpd.conf :

# /usr/local/apache/bin/apachectl configtest

If you get error messages please verify that you followed all of the above
mentioned steps correctly. If you can not figure out the error message feel
free to email me with the error message ([mailto:saqib@seagate.com]
saqib@seagate.com).

If the configtest is successful, (re)start the Apache web server:

# /usr/local/apache/bin/apachectl restart

Now you have a WebDAV-enabled Apache server with LDAP authentication.

If you have any questions, suggestions, recommendations, kudos, comments, or
complaints, please email them to me ([mailto:saqib@seagate.com]
saqib@seagate.com).

Note: Please feel free to contact me if you encounter any problems installing
Apache or any of the modules, or if you would like to upgrade your existing
Apache server to support WebDAV.

[http://www.stonebeat.org] WebDAV Support and Discussion Forum
