Apache based WebDAV Server with LDAP and SSL

Saqib Ali


Revision History
Revision v3.42002-06-29Revised by: sa
Added the section "How to generate a CSR"
Revision v3.32002-04-14Revised by: sa
Add the section of DAV server management.
Revision v3.22002-04-13Revised by: sa
Added the Litmus (WebDAV compatility tester) sub-section.
Revision v3.12002-04-11Revised by: sa
Updated the introduction section
Revision v3.02002-04-09Revised by: sa
Added "Implementing and using SSL to secure WebDAV traffic" section
Revision v2.12002-03-24Revised by: sa
Refined the WebDAV Introduction and SSL section.
Revision v2.02002-03-20Revised by: sa
Added the SSL section
Revision v1.12001-11-29Revised by: sa
Initial public release.
Revision v1.02001-11-01Revised by: sa
Initial public release.

Table of Contents
1. Introduction
1.1. Copyright and License
1.2. What is WebDAV?
1.3. What do we need?
1.4. Assumptions
1.5. Opinions and Suggestions
2. Requirements
2.1. Basics
2.2. Apache 1.3.x
2.3. OpenSSL
2.4. OpenLDAP
2.5. mod_dav
2.6. mod_auth_ldap
2.7. mod_ssl
3. Installing WebDAV services
3.1. Ground Work
3.2. Pre-configuring Apache
3.3. Configuring and Installing mod_dav
3.4. Installing and configuring mod_auth_ldap
3.5. Installing and configuring mod_ssl
3.6. Configuring and Installing Apache
4. Configuring and Setting up the WebDAV services
4.1. Modifications to the /usr/local/apache/conf/httpd.conf
4.2. Creating a directory for DAVLockDB
4.3. Enabling DAV
4.4. Create a Directory called DAVtest
4.5. Restart Apache
4.6. WebDAV server protocol compliance testing
5. WebDAV server management
5.1. Restricting access to DAV shares
5.2. Restricting write access to DAV shares
6. Implementing and using SSL to secure WebDAV traffic
6.1. Introduction to SSL
6.2. Test Certificates
6.3. Certificates for Production use
6.4. How to generate a CSR
6.5. Removing passphrase from the RSA Private Key
6.6. Trusted Certificate Authorities

1. Introduction

The Objective of this document is to setup a Apache based WebDAV server that can authenticate against a LDAP server. This document will provide the basic groundwork for setting up a WebDAV server. It will also provide information on fine tuning and maintaining the server.

Note: If you encounter any problems installing Apache or any of the modules please feel free to contact me @ saqib@seagate.com

1.4. Assumptions

This document assumes that you have the following already installed on your system.

  1. gzip or gunzip - available from http://www.gnu.org

  2. gcc and GNU make - available from http://www.gnu.org

The document also assumes there is a LDAP server installed elsewhere which will be used for the authentication.

2. Requirements

You'll have to download and compile several packages. This HOWTO will explain the compilation process, but you should be fimiliar with installing from source code.

2.1. Basics

You will need a machine running Solaris and GNU CC compiler. This compiler is available from http://www.sunfreeware.com. If you need any help installing the compiler please email me. If your OS doesnt already have gzip, you will need that as well. You can d/l gzip from http://www.sunfreeware.com as well.

Also create a directory /tmp/downloads . We will use this directory to store the downloaded source code.

2.4. OpenLDAP

Download the OpenLDAP source code from http://www.openldap.org/software/download/. We will OpenLDAP for the LDAP lib files. You may also use IPlanet LDAP lib files. However GNU packages are recommended.

3. Installing WebDAV services

Next is to first install pre-requisites (OpenSSL and OpenLDAP), and then Configure Apache with all the modules

3.1. Ground Work

To compile the WebDAV service with LDAP authencation capability, we will need to have the LDAP library files installed on the machine. The LDAP library files will be used to compile the LDAP module for Apache. Best way to get the LDAP library files is to download the OpenLDAP sourcecode from http://www.openldap.org and compile it to produce the required library files. You may use any other LDAP like IPlanet as well, but I recommend an OpenSource solution.

3.2. Pre-configuring Apache

mod_dav requires that you have Apache pre-configured so that it knows where where everything is. Change back to the directory where you have the source files:

  # cd /tmp/download 
  # gzip -d apache_1.x.x.tar.gz 
  # tar -xvf apache_1.x.x.tar 
  # cd apache_1.x.x 
  # ./configure --prefix=/usr/local/apache  

3.4. Installing and configuring mod_auth_ldap

Change back to the temp download directory, and extract the mod_auth_ldap files:

# cd /tmp/download
# gzip -d mod _auth_ldap.tar.gz
# tar -xvf mod_auth_ldap.tar

Now install the modauthldap files to the Apache source tree:

# cd apache_x.x.x
# mv ../modauthldap ./src/modules/ldap 

3.5. Installing and configuring mod_ssl

# cd /tmp/download 
# gzip -d mod_ssl-2.x.x.tar.gz
# tar -xvf  mod_ssl-2.x.tar
# ./configure --with-apache=../apache_1.3.x.x

3.6. Configuring and Installing Apache

Finally we have reached the destination. But not yet.......
"The Journey is the Destination" (Jerry Garica of Grateful Dead)

Now we are ready to compile and install Apache with WebDAV and LDAP authentication for DAV.

Change back to the temp download directory:

# cd /tmp/download

Change to the Apache tree directory:

# cd apache-x.x.x

Now set the variable SSL_BASE to the OpenSSL lib files. On tcsh it will be as following:

# setenv SSL_BASE /tmp/download/openssl-0.9.x

This will the compiler where to find the SSL LIB files.

And now configure apache for the compilation with mod_dav, mod_auth_ldap, and mod_ssl:

  # ./configure --prefix=/usr/local/apache \
     --enable-module=ssl \
     --activate-module=src/modules/ldap/mod_auth_ldap.c \
     --activate-module=src/modules/dav/libdav.a \
     [...you can add more options here...] 

--enable-shared is an optional, it tells the configure to compile SSL as dynamic module. Depending on the services that you will be providing, you may or may not need dynamic compilation.

Now compile the Apache and install it into the appropriate place:

# make

Now create the SSL certification on the web server

# make certificate TYPE=custom

Follow through the instructions, and you will have a certificate in no time. Remember CommonName is your FQDN (Fully Qualified Domain Name) e.g. dav.yourcompany.com

For details on creating and managing the SSL certificates, please read the section titled "Creating and Managing SSL certificates".

Now install Apache into its own directory

# make install

4. Configuring and Setting up the WebDAV services

Now for the easy part. In this section we will WebDAV enable a directory under Apache root.

4.3. Enabling DAV

Enabling DAV is a trivial task. To enable DAV for a directory under Apache root, just add the following directive in the container for that particular directory:

  DAV On

This directive will enable DAV for the directory and its sub-directories.

The following is a sample configuration that will enable WebDAV and LDAP authentication on /usr/local/apache/htdocs/DAVtest. Place this in the /usr/local/apache/conf/httpd.conf file.

  <Directory /usr/local/apache/htdocs/DAVtest>
  Dav On
  #Options Indexes FollowSymLinks

  AllowOverride None
  order allow,deny
  allow from all
  AuthName "LDAP_userid_password_required"
  AuthType Basic
  Require valid-user
  LDAP_Server ldap.server.com
  LDAP_Port 389
  Base_DN "o=ROOT"

  UID_Attr uid

5. WebDAV server management

In this section we will discuss about the various management task - e.g. using LDAP for access control, and working with DAV method on Apache

Most of the configuration changes for the DAV will have to done using the httpd.conf file. This file is located at /usr/local/apache/conf/httpd.conf

httpd.conf is a text based configuration file that Apache uses. It can b editted using any text editor - I preffer using vi. Please make backup copy of this file, before changing it.

After making changes to the httpd.conf the Apache server has to be restarted using the /usr/local/apache/bin/apachectl restart command. However before restarting you test for the validity of the httpd.conf by using the /usr/local/apache/bin/apachectl configtest comand.

6. Implementing and using SSL to secure WebDAV traffic

Security of the data stored on a file server is very important these days. Compromised data can cost thousands of dollars to company. In the last section, we compiled LDAP authentication module into the Apache build to provide a Authentication mechanism. However HTTP traffic is very insecure, and all data is transferred in clear text - meaning, the LDAP authentication (userid/passwd) will be transmitted as clear text as well. This create a problem. Anyone can sniff these userid/passwd and gain access to DAV store. To prevent this we have to encrypt HTTP traffic, essentially HTTP + SSL or HTTPS. Anything transferred over HTTPS is encrypted, so the LDAP userid/passwd can not be sniffed. HTTPS runs on port 443. The resulting build from the last section's compilation process will have Apache to listen to both port 80 (normal HTTP) and 443 (HTTPS). If you are just going to use this server for DAV, then I will highly suggest that you close port 80. In this section of the HOWTO I will provide some information regarding SSL and maintaining SSL on a WebDAV server. However this is a not limited to a DAV server, it can be used on any web server.

6.1. Introduction to SSL

SSL (Secure Socket Layer) is a protocol layer that exists between the Network Layer and Application layer. As the name suggest SSL provides a mechanism for encrypting all kinds of traffic - LDAP, POP, IMAP and most importantly HTTP.

The following is a over-simplified structure of the layers involved in SSL.

	|   LDAP   |    HTTP    |   POP   |   IMAP  |
	|                   SSL                     |
	|               Network Layer               |

6.5. Removing passphrase from the RSA Private Key

RSA Private Key stored on the webserver is usually encrypted, and you need a passphrase to parse the file. That is why you are prompted for a passphrase when start Apache with modssl:

# apachectl startssl
Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server your.server.dom:443 (RSA)
Enter pass phrase:

Encrypting the RSA Private Key is very important. If somebody gets hold of the you "Unencrypted RSA Private Key" he/she can easily impersonate your webserver. If the Key is encrypted, the hacker can not do anything without the passphrase.

However encrypting the Key can sometimes be nuisance, since you will be prompted for a passphrase everytime you start the web-server. Specially if you are using rc scripts to start the webserver at boot time, the prompt for passphrase creates problems.

You can get rid of the passphrase prompt easily by decrypting the Key. However make sure that no one can hold of this Key. I would recommend Hardening and Securing guidelines be followed before decrypting the Key on the webserver.

To decrypt the Key:

First make a copy of the encrypted key

# cp server.key server.key.cryp

Then re-write the key with encryption. You will be prompted for the original encrypted Key passphrase

# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

One way to secure the decrypted Private Key is to make readable only by the root:
# chmod 400 server.key