Talk:Mod dav

From SME Server
Jump to navigation Jump to search

1 Jun 2009

A patch has been created for 95Addmod_dav2ibays that modifies DAV-enabled ibay behavior.

Installation

The default authentication behavior of smeserver-mod_dav contrib does not behave as expected.

To make DAV-enabled ibays authenticate according to the rules specified on this page (see below):

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
wget -O 95Addmod_dav2ibays http://bugs.contribs.org/attachment.cgi?id=2467
signal-event ibay-modify

Reference Information

command line settings

The following settings are only available on the command line

Command Apache Directive Effect notes
db accounts setprop ibayname ModDav enabled [DAV On] Enable DAV for ibayname. If the ModDav property does not exist, or if it has any value other than "enabled", DAV is not enabled for this ibay.
db accounts setprop ibayname ModDav-FileETag "some values" [FileETag] Controls the FileEtag directive for ibayname. Read more at http://httpd.apache.org/docs/2.2/mod/core.html#fileetag

server-manager settings

The following ibay settings selected in server-manager will have the indicated effect on the specified ibay:

Description

Setting Apache Directive Effect notes
My WebDav Ibay AuthName "My WebDav Ibay" Specify the name that will be used by the ibay when requesting authentication. The specified name is included in the password prompt provided to the client.


Group

The Group setting determines the list of authorized users for your DAV-enabled ibay, according to the following rules.

Setting Apache Directive Authorized Users notes
My Group (mygroup) Require user <groupmember1> <groupmember2> <groupmember3> etc. Due to problems with Apache 2.0 handling of "Require group" we expand the group to the list of members specified in the accounts db (that is, the list of members added to the selected group via server-manager).
null (null) Require user <ibayname>
Admin or Everyone Require user <ibayname> The built-in SME groups 'Admin' and 'Everyone' do not exist in the accounts database, and so don't have any "Members". Both of these groups if selected will behave the same as the "null (null)" group - that is, the


User access via file sharing or user ftp

The server-manager setting User access via file sharing or user ftp is used to separately control read and write access to the DAV-enabled ibay.

Setting Write Access Read Access notes
Write = admin, Read = group Admin Authorized Users plus "admin" "admin" is added to the list of users with "Read Access" to avoid odd authentication issues.
Write = group, Read = everyone Authorized Users No authentication required Local Only vs. Internet Access can be set using #Public access via web or anonymous ftp
Write = group, Read = group Authorized Users Authorized Users


Public access via web or anonymous ftp

The server-manager setting Public access via web or anonymous ftp is used to control whether or not the DAV-enabled ibay is available to outside users.

Password requirements are controlled by the setting of User access via file sharing or user ftp.

Setting Ibay Accessibility notes
Local network (no password required) Local network only Password requirements specified with #User access via file sharing or user ftp
Local network (password required) Local network only Password requirements specified with #User access via file sharing or user ftp
Entire Internet (no password required) Entire Internet Password requirements specified with #User access via file sharing or user ftp
Entire Internet (password required) Entire Internet Password requirements specified with #User access via file sharing or user ftp
Entire Internet (password required outside local network) Entire Internet Password requirements specified with #User access via file sharing or user ftp

Security

It is possible that this add-in will allow unencrypted HTTP login to your website using valid SME usernames and passwords. If true, this would be a serious security weakness, as it would expose your SME usernames and passwords to any entity providing connectivity between your clients and your SME server such as hotspot operators and ISPs.

Problems

As currently written, this contrib creates a static list of authorized users for each DAV-enabled ibay when the ibay is created or modified.

The userlist is *not* updated automatically when you add or remove users from the selected group.

To work around this issue, be sure to 'modify', then 'save' any ibay after modifying any of your Groups, in order to force the update of the web server configuration.


30 May 2009

Windows Web Folders Client

  • Followup: the "web folders" update did *not* solve the problem - WebDAV works from Windows XP using "My Network Places", but users will get random requests to select a client certificate. When asked, the user can click either "OK" or "Cancel", and will then be allowed to open the selected item.


Older Notes

I was about to add the following to the article, but there seem to be some problems w/ the ibay support. (I'm putting this here so I don't lose my work).

Problems:

  1. the current ibay script does not set any "AuthName", so the ibays fail if you enable WebDav
  2. The group auth logic doesn't seem to work - it is based on the groups listed in 'db accounts' as groups - so there doesn't seem to be an easy way to authenticate using the ibay username and password (you have to create an empty group, then assign the ibay to that group using server-manager, which doesn't feel very intuitive to me...)


Text removed from the article:

This contrib can be found in the SME Dev repository. To install this contrib get shell access as root user and issue the following command:

yum install smeserver-mod_dav --enablerepo=smedev

Mmccarn 08:05, 20 November 2007 (MST)