Talk:Mod dav
1 Jun 2009
A patch has been created for 95Addmod_dav2ibays that modifies DAV-enabled ibay behavior.
Installation
The default authentication behavior of the smeserver-mod_dav contrib does not behave as expected.
To make DAV-enabled ibays authenticate according to the rules specified on this page (see below):
- Install smeserver-mod_dav as described in http://wiki.contribs.org/DAV#Installation
- Download and install the modified version of 95Addmod_dav2ibays as follows (Note: review Bugzilla:4564 to make sure you are getting the latest version of 95Addmod_dav2ibays):
  mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
  wget -O 95Addmod_dav2ibays http://bugs.contribs.org/attachment.cgi?id=2467
  signal-event ibay-modify
- Enable DAV and optionally set a value for "FileETag" using the instructions in http://wiki.contribs.org/DAV#Configuration
Reference Information
command line settings
The following settings are only available on the command line:
Command | Apache Directive | Effect | notes |
---|---|---|---|
db accounts setprop ibayname ModDav enabled | [DAV On] | Enable DAV for ibayname. | If the ModDav property does not exist, or if it has any value other than "enabled", DAV is not enabled for this ibay. |
db accounts setprop ibayname ModDav-FileETag "some values" | [FileETag] | Controls the FileETag directive for ibayname. | Read more at http://httpd.apache.org/docs/2.2/mod/core.html#fileetag |
server-manager settings
The following ibay settings selected in server-manager will have the indicated effect on the specified ibay:
Description
Setting | Apache Directive | Effect | notes |
---|---|---|---|
My WebDav Ibay | AuthName "My WebDav Ibay" | Specify the name that will be used by the ibay when requesting authentication. | The specified name is included in the password prompt provided to the client. |
Group
The Group setting determines the list of authorized users for your DAV-enabled ibay, according to the following rules.
Setting | Apache Directive | Authorized Users | notes |
---|---|---|---|
My Group (mygroup) | Require user | <groupmember1> <groupmember2> <groupmember3> etc. | Due to problems with Apache 2.0 handling of "Require group" we expand the group to the list of members specified in the accounts db (that is, the list of members added to the selected group via server-manager). See #Problems for more on this issue. |
null (null) | Require user | <ibayname> | |
Admin or Everyone | Require user | <ibayname> | The built-in SME groups 'Admin' and 'Everyone' do not exist in the accounts database, and so don't have any "Members". Both of these groups if selected will behave the same as the "null (null)" group - that is, the |
User access via file sharing or user ftp
The server-manager setting User access via file sharing or user ftp is used to separately control read and write access to the DAV-enabled ibay.
Setting | Write Access | Read Access | notes |
---|---|---|---|
Write = admin, Read = group | Admin | Authorized Users plus "admin" | "admin" is added to the list of users with "Read Access" to avoid odd authentication issues. |
Write = group, Read = everyone | Authorized Users | No authentication required | Local Only vs. Internet Access can be set using #Public access via web or anonymous ftp |
Write = group, Read = group | Authorized Users | Authorized Users | |
Public access via web or anonymous ftp
The server-manager setting Public access via web or anonymous ftp is used to control whether or not the DAV-enabled ibay is available to outside users.
Password requirements are controlled by the setting of User access via file sharing or user ftp.
Setting | Ibay Accessibility | notes |
---|---|---|
Local network (no password required) | Local network only | Password requirements specified with #User access via file sharing or user ftp |
Local network (password required) | Local network only | Password requirements specified with #User access via file sharing or user ftp |
Entire Internet (no password required) | Entire Internet | Password requirements specified with #User access via file sharing or user ftp |
Entire Internet (password required) | Entire Internet | Password requirements specified with #User access via file sharing or user ftp |
Entire Internet (password required outside local network) | Entire Internet | Password requirements specified with #User access via file sharing or user ftp |
Security
It is possible that this add-in will allow unencrypted HTTP login to your website using valid SME usernames and passwords. If true, this would be a serious security weakness, as it would expose your SME usernames and passwords to any entity providing connectivity between your clients and your SME server such as hotspot operators and ISPs.
Problems
As currently written, this contrib creates a static list of authorized users for each DAV-enabled ibay when the ibay is created or modified.
The userlist is *not* updated automatically when you add or remove users from the selected group.
To work around this issue, be sure to 'modify', then 'save' any ibay after modifying any of your Groups, in order to force the update of the web server configuration.
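A drift check for the static-list problem described above, as an added example that is not part of the contrib or the original page: it compares the users on `Require user` lines in a generated configuration with the current group membership, applying the Group rules from the table above. The configuration fragment, directory path, and user and group names are constructed for illustration.

```python
import re

# Constructed sample of generated httpd.conf output for a DAV-enabled ibay
# ("Write = group, Read = group"). Path, names and layout are assumptions.
SAMPLE_CONF = """\
<Directory /example/ibays/docs>
    DAV On
    AuthName "My WebDav Ibay"
    Require user alice bob carol
</Directory>
"""
# Constructed current group membership, as the accounts db would list it now:
# carol was removed and dave added after the ibay was last saved.
GROUPS = {"staff": ["alice", "bob", "dave"]}

def authorized_users(ibay, group, groups):
    """Group rules from the page: a group in the accounts db expands to its
    members; null, Admin and Everyone have no members, so use the ibay name."""
    return list(groups[group]) if group in groups else [ibay]

def configured_users(conf, directory):
    """Users on 'Require user' lines inside one <Directory> block, or None."""
    pattern = r'<Directory\s+"?%s"?\s*>(.*?)</Directory>' % re.escape(directory)
    block = re.search(pattern, conf, re.S | re.I)
    if block is None:
        return None
    users = set()
    for line in block.group(1).splitlines():
        m = re.match(r"\s*Require\s+user\s+(.+)", line, re.I)
        if m:
            users.update(m.group(1).split())
    return users

def drift(conf, directory, ibay, group, groups):
    """Compare the static list in the config with current membership."""
    actual = configured_users(conf, directory)
    if actual is None:
        raise LookupError("no <Directory> block for %s" % directory)
    expected = set(authorized_users(ibay, group, groups))
    return {"stale": sorted(actual - expected),      # still authorized, no longer members
            "missing": sorted(expected - actual)}    # members not yet authorized

if __name__ == "__main__":
    print(drift(SAMPLE_CONF, "/example/ibays/docs", "docs", "staff", GROUPS))
```

A non-empty `stale` list identifies users who were removed from the group but remain authorized for the ibay until it is modified and saved again.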
30 May 2009
Windows Web Folders Client
- After modifying 95Addmod_dav2ibays to require auth only for write functions, Windows XP Web Folders (My Network Places) started randomly popping up a message asking for a client certificate. I could find no server setting to get this to stop, but did find several mentions online about this issue. I finally downloaded the "web folders update 12" from http://www.microsoft.com/downloads/details.aspx?FamilyID=17c36612-632e-4c04-9382-987622ed1d64&DisplayLang=en (even though my workstation is running XP Professional SP3)
- Followup: the "web folders" update did *not* solve the problem - WebDAV works from Windows XP using "My Network Places", but users will get random requests to select a client certificate. When asked, the user can click either "OK" or "Cancel", and will then be allowed to open the selected item.
Older Notes
I was about to add the following to the article, but there seem to be some problems w/ the ibay support. (I'm putting this here so I don't lose my work).
Problems:
- the current ibay script does not set any "AuthName", so the ibays fail if you enable WebDav
- The group auth logic doesn't seem to work - it is based on the groups listed in 'db accounts' as groups - so there doesn't seem to be an easy way to authenticate using the ibay username and password (you have to create an empty group, then assign the ibay to that group using server-manager, which doesn't feel very intuitive to me...)
Text removed from the article:
This contrib can be found in the SME Dev repository. To install this contrib get shell access as root user and issue the following command:
yum install smeserver-mod_dav --enablerepo=smedev
Mmccarn 08:05, 20 November 2007 (MST)