WebDAV support

Good ideas? Share with us!
gb119
Posts: 18
Joined: 30 Sep 2008, 16:45

WebDAV support

Post by gb119 » 13 Oct 2008, 09:56

In the quest for new ways to get at my files, I've set my Bubba2 up to run as a webdav server on the https virtual host with authentication via PAM. It's very handy for getting at my files when behind a firewall that blocks outgoing except to well known ports....

It would be great if something like this could be turned on and off with the admin UI. In fact it would be really nice if the bubba2 and its admin UI could provide webdav, nfsd and smb servers that could be turned on and off to suit the user's needs (with smb on by default and the others off).

tojacob
Posts: 4
Joined: 09 Nov 2008, 13:04

Post by tojacob » 09 Nov 2008, 13:43

Can you please give a step procedure how to set up B2 as webdav server? I need this to sync omnifocus todo lists...

Thanks, Jacob

gb119
Posts: 18
Joined: 30 Sep 2008, 16:45

Post by gb119 » 09 Nov 2008, 14:54

Ok, it took a certain amount of fiddling on my part because I was trying to get it to authenticate with PAM and had also broken my virtual host config at the same time but basically here's what I did:

I'll assume that you're able to connect to the bubba via ssh and are happy editing text files and navigating your way around a linux system and that you've enabled the main debian package repositories. If you are not then you might want to rethink your plan...

1) The apache webdav module is already installed as part of apache2, so just need to enable the relevant modules - as root do:

Code: Select all

a2enmod dav_fs
a2enmod dav
2) Install the apache2 PAM module:

Code: Select all

apt-get update && apt-get install libapache2-mod-auth-pam 
Edit: I forgot (see next post) to enable the AuthPAM module:

Code: Select all

a2enmod auth_pam
Add the www-data user to the shadow group so that the apache server can read the shadow file to authenticate users (NB this does have a security implication in that if you misconfigure your apache2 it might be possible for remote users to download your shadow passwords file).

You want to edit /etc/group/ so that the lentry for the shadow group reads:

Code: Select all

shadow:x:42:www-data,root
3) I decided to enable webdav on the default https web-server as I don't use the bubba for its PIM functionality outside of my local network so can live withut needing the SSL web server for anything else. It's probably a good idea to use an SSL enabled server for WebDAV if you are connecting to it remotely as otherwise you'll be sending user credentials unencrypted over an untrusted network.

I edited /etc/apache2/sites-enabled/bubba to change the https virtual host:

Code: Select all

<VirtualHost *:443>
Change the document root to be /home to enable access to all home directories

Code: Select all

	DocumentRoot /home/
Edit the root directory config section:

Code: Select all

	<Directory />
		DAV on
	  	AuthPAM_Enabled on
  		AuthType Basic
                AuthBasicAuthoritative Off
  		AuthName "PAM"
  		require valid-user
		AuthUserFile /dev/null 
4) With any luck, if I've not missed some important step out (!), then when you restart the web-server:

Code: Select all

/etc/init.d/apache2 restart
You should have a webdav server running on port 443 that you can use to access the home and storage directory using your normal login and password. Probably a sensible thing to do would be to restrict the user accounts a bit more in the apache confoiguration to stop a root login via webdave.[/code][/b]
Last edited by gb119 on 22 Nov 2008, 12:44, edited 1 time in total.

tojacob
Posts: 4
Joined: 09 Nov 2008, 13:04

Post by tojacob » 22 Nov 2008, 09:32

Thanks a million for the great tutorial!

When restarting apache2 after following your instructions I received an error message.
Forcing reload of web server (apache2)... waiting Syntax error on line 17 of /etc/apache2/sites-enabled/bubba:
Invalid command 'AuthPAM_Enabled', perhaps misspelled or defined by a module not included in the server configuration
failed!
It seemed to be one thing missing in your procedure. I had to enable the auth_pam.load by typing the following as su:

Code: Select all

a2enmod auth_pam
Links that helped me:

How to enable modules:
http://www.debuntu.org/book/export/html/72

Omnifucus info:
http://forums.omnigroup.com/showthread.php?t=9306

Works great, thanks again!

gb119
Posts: 18
Joined: 30 Sep 2008, 16:45

Post by gb119 » 22 Nov 2008, 12:47

tojacob wrote: It seemed to be one thing missing in your procedure. I had to enable the auth_pam.load by typing the following as su:

Code: Select all

a2enmod auth_pam
Oops, sorry about that - as I said I'd fiddled a lot before I worked out what I was doing. I've edited the instructions above in case anyone else want to set up WebDAV.

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Re: WebDAV support

Post by jonte » 24 Aug 2009, 10:19

gb119 wrote:In the quest for new ways to get at my files, I've set my Bubba2 up to run as a webdav server on the https virtual host with authentication via PAM. It's very handy for getting at my files when behind a firewall that blocks outgoing except to well known ports....

It would be great if something like this could be turned on and off with the admin UI.

Bringing up an old thread. Is webdav for the Admin UI something planned for future updates of B2?

//Jonte

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Re:

Post by jonte » 27 Aug 2009, 09:57

gb119 wrote: I'll assume that you're able to connect to the bubba via ssh and are happy editing text files and navigating your way around a linux system and that you've enabled the main debian package repositories. If you are not then you might want to rethink your plan...
What if I'm familiar with all the steps excluding enabling main debian package repositories? ;)
What should the sources.list entry look like?

Is it possible to enable the main debian package repository, apt-get the libapache2-mod-auth-pam and then disable main deebian package repository in the sources.list, i.e. returning to the normal B2 sources.list setup?

Thanks!
//Jonte

gb119
Posts: 18
Joined: 30 Sep 2008, 16:45

Re: Re:

Post by gb119 » 27 Aug 2009, 10:12

jonte wrote: What if I'm familiar with all the steps excluding enabling main debian package repositories? ;)
What should the sources.list entry look like?
All you have to do is have a line like:

deb http://ftp.uk.debian.org/debian/ etch main

(replacing the "uk" with an appropriately close debian mirror)
jonte wrote: Is it possible to enable the main debian package repository, apt-get the libapache2-mod-auth-pam and then disable main deebian package repository in the sources.list, i.e. returning to the normal B2 sources.list setup?
That will work ok.

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Re: WebDAV support

Post by jonte » 27 Aug 2009, 10:30

@gb119
Great!

I'll give it a go (after backing up) ;)

Thanks //Jonte

UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?

//J

gb119
Posts: 18
Joined: 30 Sep 2008, 16:45

Re: WebDAV support

Post by gb119 » 27 Aug 2009, 11:50

jonte wrote:@gb119
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
I tend to work on the "if it ain't broke..." principle

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Re: WebDAV support

Post by jonte » 27 Aug 2009, 12:17

gb119 wrote:
jonte wrote:@gb119
UPDATE: Odd or not, I checked my sources.list and it already has an uncommented debian etch main line (last edited november 2008). Still a good idea to comment the line after apt-geting Apache 2 PAM-module?
I tend to work on the "if it ain't broke..." principle
Haha, I like the way you're thinking :lol:
Thanks helping out!

//J

tor
Posts: 703
Joined: 06 Dec 2006, 12:24
Contact:

Re: WebDAV support

Post by tor » 28 Aug 2009, 06:25

Hi,

Regarding WebDAV support. This is of course a feature we have thought of. Unfortunately it proved to be a bit of a problem to integrate with the rest of the system features.

The main problem is that webdav is run by Apache and thus only can access things that Apache can. Ie it cant handle multiple users in a practical way.

The other big problem is that Apache, and WebDav run by it, assumes exclusive access to the file system that it exposes. This can be a big problem if files are simultaneously accessed in another way, fx via samba or ftp.

That said it should of course be possible to export a dedicated Dav area from Bubba. But i'm not sure that this has any good use case.

I'm as always interested in thoughts and feedback regarding these things ;) But here you have the main reasons why we don't provide this feature atm.

/Tor
Co-founder OpenProducts and Ex Excito Developer

jonte
Posts: 65
Joined: 05 Nov 2008, 11:52

Re: WebDAV support

Post by jonte » 28 Aug 2009, 06:34

tor wrote: That said it should of course be possible to export a dedicated Dav area from Bubba. But i'm not sure that this has any good use case.
I was planning on using WebDAV in that way. Create a dedicated area, in this case for a work-project involving 3 people. Sharing/using documents. We now use an Apple Mobileme webDAV account for this task, and it's painstakingly slow.

//Jonte

tiddler
Posts: 32
Joined: 07 Apr 2009, 03:23

Re:

Post by tiddler » 16 Sep 2009, 11:18

gb119 wrote:Ok, it took a certain amount of fiddling on my part because I was trying to get it to authenticate with PAM and had also broken my virtual host config at the same time but basically here's what I did:
...
Ok, I followed your steps, and now my virtual host config is broken too.

Can you tell me what you did to fix yours?

Code: Select all

bubba:/etc/apache2# apache2 -t
[Wed Sep 16 15:13:32 2009] [warn] NameVirtualHost *:443 has no VirtualHosts
[Wed Sep 16 15:13:32 2009] [warn] NameVirtualHost *:80 has no VirtualHosts
Syntax OK
Many thanks.

Jonci
Posts: 1
Joined: 11 Feb 2011, 16:20

Re: WebDAV support

Post by Jonci » 11 Feb 2011, 16:26

Is there another viable solution than adding www-data to the shadow group?

see: http://pam.sourceforge.net/mod_auth_pam/shadow.html

Easy WebDAV-Support would come in really handy as I'm trying to set up syncing for Zotero (which supports only WebDAV).

Post Reply