Difference between revisions of "Talk:Mod dav"

From SME Server
Jump to navigationJump to search
Line 1: Line 1:
== 30 May 2009 ==
+
== 1 Jun 2009 ==
=== Windows Web Folders Client ===
+
A patch has been created for 95Addmod_dav2ibays that modifies DAV-enabled ibay behavior.
* After modifying 95Addmod_dav2ibays to require auth only for write functions, Windows XP Web Folders (My Network Places) started randomly popping up a message asking for a client certificate.  I could find no server setting to get this to stop, but did find several mentions online about this issue.  I finally downloaded the "web folders update 12" from http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en (even though my workstation is running XP Professional SP3)
 
 
 
* Followup: the "web folders" update did *not* solve the problem - WebDAV works from Windows XP using "My Network Places", but users will get random requests to select a client certificate.  When asked, the user can click either "OK" or "Cancel", and will then be allowed to open the selected item.
 
 
 
 
 
 
 
== Older Notes ==
 
I was about to add the following to the article, but there seem to be some problems w/ the ibay support.  (I'm putting this here so I don't lose my work).
 
  
Problems:  
+
=== Installation ===
# the current ibay script does not set any "AuthName", so the ibays fail if you enable WebDav
+
* Install smeserver-mod_dav as described in http://wiki.contribs.org/DAV#Installation
# The group auth logic doesn't seem to work - it is based on the groups listed in 'db accounts' as groups - so there doesn't seem to be an ''easy'' way to authenticate using the ibay username and password (you have to create an empty group, then assign the ibay to that group using server-manager, which doesn't feel very intuitive to me...)
+
* Download and install the modified version of 95Addmod_dav2ibays as follows (Note: review [[Buzgillz:4564]] to make sure you are getting the latest version):
 +
<nowiki>mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 +
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
 +
wget -O 95Addmod_dav2ibays http://bugs.contribs.org/attachment.cgi?id=2467
 +
signal-event ibay-modify</nowiki>
 +
* Enable DAV and Optionally set a value for "FileETag" using the instructions in http://wiki.contribs.org/DAV#Configuration
  
=== DAV Enabled Ibays ===
+
=== Reference Information ===
smeserver-mod_dav now provides dav-enabled i-bays (at least as of smeserver-mod_dav-0.1-15.el4.sme).
 
 
 
You can enable
 
  
 +
==== command line settings ====
 +
The following settings are only available on the command line
 
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 
!Command
 
!Command
Line 35: Line 31:
 
|Read more at http://httpd.apache.org/docs/2.2/mod/core.html#fileetag
 
|Read more at http://httpd.apache.org/docs/2.2/mod/core.html#fileetag
 
|-
 
|-
|db accounts setprop ''ibayname'' Group ''groupname''
+
|}
|[[http://httpd.apache.org/docs/2.2/mod/core.html#require Require-user]]
+
 
|Authentication
+
=== server-manager settings ===
|If ''groupname'' exists (in the accounts database) and has members, add all current members of the specified group as authorized users.<br>If ''groupname'' has no members (which is the case if you select the ibayname as the group name), set ''ibayname'' as the only authorized user.<br>If this keyword does not exist, then any local SME user can access ''ibayname'' using their own username and password.
+
The following ibay settings selected in server-manager will have the indicated effect on the specified ibay:
 +
 
 +
==== Description ====
 +
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 +
!Setting
 +
!Apache Directive
 +
!Effect
 +
!notes
 +
|-
 +
|My WebDav Ibay
 +
|AuthName "My WebDav Ibay"
 +
|Specify the name that will be used by the ibay when requesting authentication.
 +
|The specified name is included in the password prompt provided to the client.
 +
|-
 +
|}
 +
 
 +
 
 +
==== Group ====
 +
The ''Group'' setting determines the list of authorized users for your DAV-enabled ibay, according to the following rules.
 +
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 +
!Setting
 +
!Apache Directive
 +
!Authorized Users
 +
!notes
 +
|-
 +
|My Group (mygroup)
 +
|Require user
 +
|<groupmember1> <groupmember2> <groupmember3> etc.
 +
|Due to problems with Apache 2.0 handling of "Require group" we expand the group to the list of members specified in the accounts db (that is, the list of members added to the selected group via server-manager).
 +
|-
 +
|null (null)
 +
|Require user
 +
|<ibayname>
 +
|
 +
|-
 +
|Admin or Everyone
 +
|Require user
 +
|<ibayname>
 +
|The built-in SME groups 'Admin' and 'Everyone' do not exist in the accounts database, and so don't have any "Members".  Both of these groups if selected will behave the same as the "null (null)" group - that is, the
 +
|-
 +
|}
 +
 
 +
 
 +
==== User access via file sharing or user ftp ====
 +
The server-manager setting ''User access via file sharing or user ftp'' is used to separately control read and write access to the DAV-enabled ibay.
 +
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 +
!Setting
 +
!Write Access
 +
!Read Access
 +
!notes
 +
|-
 +
|Write = admin, Read = group
 +
|Admin
 +
|Authorized Users plus "admin"
 +
|"admin" is added to the list of users with "Read Access" to avoid odd authentication issues.
 +
|-
 +
|Write = group, Read = everyone
 +
|Authorized Users
 +
|No authentication required
 +
|Local Only vs. Internet Access can be set using [[#Public access via web or anonymous ftp]]
 +
|-
 +
|Write = group, Read = group
 +
|Authorized Users
 +
|Authorized Users
 +
|
 +
|-
 +
|}
 +
 
 +
 
 +
==== Public access via web or anonymous ftp  ====
 +
The server-manager setting ''Public access via web or anonymous ftp'' is used to control whether or not the DAV-enabled ibay is available to outside users.
 +
 
 +
Password requirements are controlled by the setting of ''User access via file sharing or user ftp''.
 +
 
 +
{| width="100%" border="1" cellpadding="5" cellspacing="0"
 +
!Setting
 +
!Ibay Accessibility
 +
!notes
 +
|-
 +
|Local network (no password required)
 +
|Local network only
 +
|Password requirements specified with [[#User access via file sharing or user ftp]]
 +
|-
 +
|Local network (password required)
 +
|Local network only
 +
|Password requirements specified with [[#User access via file sharing or user ftp]]
 +
|-
 +
|Entire Internet (no password required)
 +
|Entire Internet
 +
|Password requirements specified with [[#User access via file sharing or user ftp]]
 +
|-
 +
|Entire Internet (password required)
 +
|Entire Internet
 +
|Password requirements specified with [[#User access via file sharing or user ftp]]
 +
|-
 +
|Entire Internet (password required outside local network)
 +
|Entire Internet
 +
|Password requirements specified with [[#User access via file sharing or user ftp]]
 
|-
 
|-
 
|}
 
|}
 +
=== Security ===
 +
It is possible that this add-in will allow unencrypted ''HTTP'' login to your website using valid SME usernames and passwords.  If true, this would be a serious security weakness, as it would expose your SME usernames and passwords to any entity providing connectivity between your clients and your SME server such as hotspot operators and ISPs.
 +
 +
=== Problems ===
 +
As currently written, this contrib creates a static list of authorized users for each DAV-enabled ibay when the ibay is created or modified.
 +
 +
The userlist is *not* updated automatically when you add or remove users from the selected group.
 +
 +
To work around this issue, be sure to 'modify', then 'save' ''any'' ibay after modifying any of your Groups, in order to force the update of the web server configuration.
 +
 +
 +
== 30 May 2009 ==
 +
=== Windows Web Folders Client ===
 +
* After modifying 95Addmod_dav2ibays to require auth only for write functions, Windows XP Web Folders (My Network Places) started randomly popping up a message asking for a client certificate.  I could find no server setting to get this to stop, but did find several mentions online about this issue.  I finally downloaded the "web folders update 12" from http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en (even though my workstation is running XP Professional SP3)
 +
 +
* Followup: the "web folders" update did *not* solve the problem - WebDAV works from Windows XP using "My Network Places", but users will get random requests to select a client certificate.  When asked, the user can click either "OK" or "Cancel", and will then be allowed to open the selected item.
  
[[User:Mmccarn|Mmccarn]] 13:40, 16 September 2008 (UTC)
+
 
 +
 
 +
== Older Notes ==
 +
I was about to add the following to the article, but there seem to be some problems w/ the ibay support.  (I'm putting this here so I don't lose my work).
 +
 
 +
Problems:  
 +
# the current ibay script does not set any "AuthName", so the ibays fail if you enable WebDav
 +
# The group auth logic doesn't seem to work - it is based on the groups listed in 'db accounts' as groups - so there doesn't seem to be an ''easy'' way to authenticate using the ibay username and password (you have to create an empty group, then assign the ibay to that group using server-manager, which doesn't feel very intuitive to me...)
  
  

Revision as of 14:38, 1 June 2009

1 Jun 2009

A patch has been created for 95Addmod_dav2ibays that modifies DAV-enabled ibay behavior.

Installation

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
wget -O 95Addmod_dav2ibays http://bugs.contribs.org/attachment.cgi?id=2467
signal-event ibay-modify

Reference Information

command line settings

The following settings are only available on the command line

Command Apache Directive Effect notes
db accounts setprop ibayname ModDav enabled [DAV On] Enable DAV for ibayname. If the ModDav property does not exist, or if it has any value other than "enabled", DAV is not enabled for this ibay.
db accounts setprop ibayname ModDav-FileETag "some values" [FileETag] Controls the FileEtag directive for ibayname. Read more at http://httpd.apache.org/docs/2.2/mod/core.html#fileetag

server-manager settings

The following ibay settings selected in server-manager will have the indicated effect on the specified ibay:

Description

Setting Apache Directive Effect notes
My WebDav Ibay AuthName "My WebDav Ibay" Specify the name that will be used by the ibay when requesting authentication. The specified name is included in the password prompt provided to the client.


Group

The Group setting determines the list of authorized users for your DAV-enabled ibay, according to the following rules.

Setting Apache Directive Authorized Users notes
My Group (mygroup) Require user <groupmember1> <groupmember2> <groupmember3> etc. Due to problems with Apache 2.0 handling of "Require group" we expand the group to the list of members specified in the accounts db (that is, the list of members added to the selected group via server-manager).
null (null) Require user <ibayname>
Admin or Everyone Require user <ibayname> The built-in SME groups 'Admin' and 'Everyone' do not exist in the accounts database, and so don't have any "Members". Both of these groups if selected will behave the same as the "null (null)" group - that is, the


User access via file sharing or user ftp

The server-manager setting User access via file sharing or user ftp is used to separately control read and write access to the DAV-enabled ibay.

Setting Write Access Read Access notes
Write = admin, Read = group Admin Authorized Users plus "admin" "admin" is added to the list of users with "Read Access" to avoid odd authentication issues.
Write = group, Read = everyone Authorized Users No authentication required Local Only vs. Internet Access can be set using #Public access via web or anonymous ftp
Write = group, Read = group Authorized Users Authorized Users


Public access via web or anonymous ftp

The server-manager setting Public access via web or anonymous ftp is used to control whether or not the DAV-enabled ibay is available to outside users.

Password requirements are controlled by the setting of User access via file sharing or user ftp.

Setting Ibay Accessibility notes
Local network (no password required) Local network only Password requirements specified with #User access via file sharing or user ftp
Local network (password required) Local network only Password requirements specified with #User access via file sharing or user ftp
Entire Internet (no password required) Entire Internet Password requirements specified with #User access via file sharing or user ftp
Entire Internet (password required) Entire Internet Password requirements specified with #User access via file sharing or user ftp
Entire Internet (password required outside local network) Entire Internet Password requirements specified with #User access via file sharing or user ftp

Security

It is possible that this add-in will allow unencrypted HTTP login to your website using valid SME usernames and passwords. If true, this would be a serious security weakness, as it would expose your SME usernames and passwords to any entity providing connectivity between your clients and your SME server such as hotspot operators and ISPs.

Problems

As currently written, this contrib creates a static list of authorized users for each DAV-enabled ibay when the ibay is created or modified.

The userlist is *not* updated automatically when you add or remove users from the selected group.

To work around this issue, be sure to 'modify', then 'save' any ibay after modifying any of your Groups, in order to force the update of the web server configuration.


30 May 2009

Windows Web Folders Client

  • Followup: the "web folders" update did *not* solve the problem - WebDAV works from Windows XP using "My Network Places", but users will get random requests to select a client certificate. When asked, the user can click either "OK" or "Cancel", and will then be allowed to open the selected item.


Older Notes

I was about to add the following to the article, but there seem to be some problems w/ the ibay support. (I'm putting this here so I don't lose my work).

Problems:

  1. the current ibay script does not set any "AuthName", so the ibays fail if you enable WebDav
  2. The group auth logic doesn't seem to work - it is based on the groups listed in 'db accounts' as groups - so there doesn't seem to be an easy way to authenticate using the ibay username and password (you have to create an empty group, then assign the ibay to that group using server-manager, which doesn't feel very intuitive to me...)


Text removed from the article:

This contrib can be found in the SME Dev repository. To install this contrib get shell access as root user and issue the following command:

yum install smeserver-mod_dav --enablerepo=smedev

Mmccarn 08:05, 20 November 2007 (MST)