DAV Enabled Ibays

From SME Server

HOWTO Configure mod_DAV and DAV Enable an iBay with SSL

This is based on an alpha release of a HowTo I found, written by Peter Walter (pwalter@itlsys.com). I have modified it for our purposes. It is ALL manually configured. Currently there is no Web Administration interface.

Bug 3470 has been opened to request that DAV enabled iBay support be included in the SME base.

History

Wiki

Based on http://correa.namsys.com.au/misc/files/sme/doco/WebDavWithHTTPS.pdf posted by StephenHodgeman, with other information from http://forums.contribs.org/index.php?topic=38214.0

PDF

2007-04-30 Ver 1.0 Released

BACKGROUND

We wanted to be able to publish directories that would be accessible as “webshare” folders. This requires the folder to be DAV enabled. We wanted to use a standard iBay for this and just be able to set properties to make it work. We also wanted these to be accessed with HTTPS for security. This meant that we needed to use username/passwords for access. Our other requirement was to allow individuals to validate as themselves. This will allow file locking to work properly on the shared folder.

What we have now is the following:

a) If we just want a WebDAV folder with general validation and are not worried about locking, then we create an iBay with read and write access by the group. Then, WebDAV access validates with the iBay name.

b) If we want file locking, then we do the same as above but we then add smeserver users to the controlling group. In this case, when there are members of the group, validation MUST be done as one of the SME group members using their individual username and password.

Note: The group here is the SMEServer Group, not the contents of the /etc/group file.

Prerequisites

  • SME 7.1 or higher
  • mod_dav (SME installation instructions can be found here)

Installation

Setup Apache 2.x

Create a custom-template fragments directory
mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf
Load mod_dav module
  • Open a template fragment
pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/20LoadModule80mod_dav
  • Type the content:
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
  • Save the file
Dav lockfile
  • Open a template fragment
pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/35DavLock
  • Type the content:
DAVLockDB /var/run/davLocks/DAVLock
  • Save the file (ctrl+X)
  • Create the lock directory and give it the right ownership (updated 11/6/07 per Bugzilla:3524 courtesy of Sterling Chavis):
mkdir /var/run/davLocks
touch /var/run/davLocks/DAVLock
chown -R www:www /var/run/davLocks
Add BrowserMatch directives
  • Open a template fragment
pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/75BrowserMatchMod_Dav
  • Type the content:
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
  • Save the file.
Add mod_dav to ibays
  • Open a template fragment
pico -w /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/95AddModDav2ibays
  • Type the content:
{
 use esmith::AccountsDB;
 my $adb = esmith::AccountsDB->open_ro();
 $OUT = "";
 foreach my $ibay ($adb->ibays)
 {
  my %properties = $ibay->props;
  my $key = $ibay->key;
  if ($properties{'ModDav'})
  {
   if ($properties{'ModDav'} eq 'enabled')
   {
    $OUT .= "\n<Directory /home/e-smith/files/ibays/$key/html>\n";
    $OUT .= " # Turn DAV on for this directory tree\n";
    $OUT .= " DAV On\n";
    $OUT .= " AllowOverride None\n";
    $OUT .= " Options +Indexes \n";
    $OUT .= " # Allow fancy indexing by columns and download by clicking icon\n";
    $OUT .= " IndexOptions FancyIndexing IconsAreLinks\n";
    if ($properties{'Group'})
    {
     $OUT .= " AuthType Basic\n";
     $OUT .= " AuthExternal pwauth\n";
     # Save groupname and find it in the group list
     my $iBayGroup = $properties{'Group'};
     foreach my $group ($adb->groups)
     {
      my %groupprops = $group->props;
      my $grpkey = $group->key;
      if ($grpkey eq $iBayGroup)
      {
       # we have the group that owns the DAV iBay
       # If there are members of the group validate on them,
       # otherwise on the ibayname
       if ($groupprops{'Members'})
       {
        # need to break user list on commas then output each one...
        my @values = split(',',$groupprops{'Members'});
        $OUT .= " # Replace ibay name with any valid group member to validate\n";
        $OUT .= " Require user ";
        foreach my $val (@values) {
         $OUT .= $val . " ";
        }
        $OUT .= "\n";
       }
       else
       {
        # No group members so use ibay name for validation
        $OUT .= " # use ibay name to validate\n";
        $OUT .= " Require user " . $key . "\n";
       }
      }
     }
    }
    # Ensure only valid users get to do stuff...
    $OUT .= " <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>\n";
    $OUT .= " allow from all\n";
    $OUT .= " Require valid-user\n";
    $OUT .= " </Limit>\n";
    $OUT .= "</Directory>\n";
   }
  }
 }
}
  • Save the file.
Expand the template and restart Apache
/sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
/etc/rc7.d/S86httpd-e-smith restart
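
A quick audit of the expanded configuration, as an added example that is not part of the original HOWTO: it lists each DAV-enabled `<Directory>` block and reports whether it carries `AuthType`, `SSLRequireSSL` and a `Require valid-user` line. The function names, the sample config and the users alice and bob are constructed for illustration.

```sh
# Added example, not part of the original HOWTO.
# audit_dav [FILE]: for each <Directory> block containing "DAV On", print
#   <path> auth=<yes|no> ssl=<yes|no> anyuser=<yes|no>
# (AuthType present / SSLRequireSSL present / "Require valid-user" present)
audit_dav() {
  awk '
    function yn(v) { return v ? "yes" : "no" }
    { l = tolower($0) }
    l ~ /^[ \t]*<directory[ \t]/ {
      path = $2; sub(/>$/, "", path); inblk = 1; dav = auth = ssl = any = 0; next
    }
    inblk && l ~ /^[ \t]*dav[ \t]+on/             { dav = 1 }
    inblk && l ~ /^[ \t]*authtype[ \t]/           { auth = 1 }
    inblk && l ~ /^[ \t]*sslrequiressl/           { ssl = 1 }
    inblk && l ~ /^[ \t]*require[ \t]+valid-user/ { any = 1 }
    inblk && l ~ /^[ \t]*<\/directory>/ {
      if (dav) printf "%s auth=%s ssl=%s anyuser=%s\n", path, yn(auth), yn(ssl), yn(any)
      inblk = 0
    }
  ' "$@"
}

# Constructed sample: "data" mirrors the 95AddModDav2ibays output for group
# members alice and bob (hypothetical); "docs" is tightened; "www" has no DAV.
sample_conf() {
  cat <<'EOF'
<Directory /home/e-smith/files/ibays/data/html>
 DAV On
 AuthType Basic
 AuthExternal pwauth
 Require user alice bob
 <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
 Require valid-user
 </Limit>
</Directory>
<Directory /home/e-smith/files/ibays/docs/html>
 DAV On
 SSLRequireSSL
 AuthType Basic
 AuthExternal pwauth
 Require user alice bob
</Directory>
<Directory /home/e-smith/files/ibays/www/html>
 Options +Indexes
</Directory>
EOF
}

sample_conf | audit_dav
```

On the server, `audit_dav /etc/httpd/conf/httpd.conf` reads the expanded file. `ssl=no` means nothing inside that block forces HTTPS for the Basic credentials, and `anyuser=yes` marks a `Require valid-user` line, which any account that authenticates satisfies.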

Create or Configure an Ibay

For an iBay for general access.
  • Create a group for this webDav folder
  • Create an ibay that is controlled by this group

    User access via file sharing or user ftp: Read = group, Write = group
    Public access via web or anonymous ftp: Local network (Password Required)
    Execution of dynamic content: Disabled

  • Configure password for the iBay.

When accessing, use the iBay name and the configured password.

For an iBay with individual file locking
  • Create or configure an Ibay as described above.
  • Create users or add users to the controlling group
  • When accessing the ibay, use the individual user name and password for validation

Enable / Disable MOD_DAV for any ibay

N.B. This is the bit that needs to become a Web admin interface panel.

  • mod_dav is disabled by default for all ibays
  • Enabling MOD_DAV
/sbin/e-smith/db accounts setprop IbayName ModDav enabled
/sbin/e-smith/signal-event ibay-modify IbayName
  • Disabling MOD_DAV
/sbin/e-smith/db accounts setprop IbayName ModDav disabled
/sbin/e-smith/signal-event ibay-modify IbayName

Accessing Your DAV-Enabled Ibay

DAV-enabled Ibays can be accessed in any of several ways:

Windows 'My Network Places'

  • "My Network Places"
  • select "Add a network place"
  • "Next"
  • "Choose another network location"

- "http://server/data" or "https://server/data"

Internet Explorer

According to this post: http://forums.contribs.org/index.php?topic=33157.msg142168#msg142168 you can allow Windows/Internet Explorer users to open your DAV-enabled Ibays in Explorer for read-write access directly from your website by using code similar to:

<html>
 
 <head>
 <title>Web Folder Sample Site</title>
  <STYLE>
  a {behavior: url(#default#AnchorClick);}
  </STYLE>
 </head>
 
 <body>
 <a href="http://www.google.com/">Link to Google</a> (Normal Link)
 <br />
 <a href="" folder="http://localhost/data/">Data Folder</a> (Web Folder Link)
 </body>
 
 </html>

Problems

Windows does not provide a true DavFS implementation

(Quoted from Mophilly in [this post])
I did learn some things in the past week. First, the implementation of webDAV in Windows, aka Web Folders, is incomplete in my estimation. It appears that the volume is not mounted in the typical sense. Rather, Windows "shortcuts" are created for each action. That is, when you log on to the volume a "shortcut" file is written to disk. When the volume is "opened" by the user, the "shortcut" is used to get the list of content. When the user double clicks on an item in the list, another "shortcut" is written to the local drive and used for file operations.

The volume and file "shortcuts" are not readily available to the applications using standard operating system file utilities. That they appear on the user's desktop is merely GUI make-believe. Application developers are required to implement the webDAV protocol themselves. IMO, this is a lame design compared to other implementations where the webDAV volume is mounted in the typical sense and the file operations are handled in the o.s.

To create a link to the webDAV shared volume on Windows, one must use the Network Neighborhood "Add a Network Place". However, you must also ensure that the applications in use are webDAV compliant or the end users will have problems. In my solution, the applications have been modified to ignore the Windows file system entirely when webDAV is involved.
