How To Set Up WebDAV With MySQL Authentication On Apache2 (Debian Lenny)

This guide explains how to set up WebDAV with MySQL authentication (using mod_auth_mysql) on Apache2 on a Debian Lenny server. WebDAV stands for Web-based Distributed Authoring and Versioning and is a set of extensions to the HTTP protocol that allow users to directly edit files on the Apache server so that they do not need to be downloaded/uploaded via FTP. Of course, WebDAV can also be used to upload and download files.

I do not issue any guarantee that this will work for you!

1 Preliminary Note

I'm using a Debian Lenny server with the hostname server1.example.com and the IP address 192.168.0.100 here.

2 Installing Apache2, WebDAV, MySQL, mod_auth_mysql

To install Apache2, WebDAV, MySQL, and mod_auth_mysql, we run:

aptitude install apache2 mysql-server mysql-client libapache2-mod-auth-mysql

You will be asked to provide a password for the MySQL root user - this password is valid for the user root@localhost as well as root@server1.example.com, so we don't have to specify a MySQL root password manually later on:

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

Afterwards, enable the WebDAV and mod_auth_mysql modules:

a2enmod dav_fs
a2enmod dav
a2enmod auth_mysql

Restart Apache:

/etc/init.d/apache2 restart

3 Creating A Virtual Host

I will now create a default Apache vhost in the directory /var/www/web1/web. For this purpose, I will modify the default Apache vhost configuration in /etc/apache2/sites-available/default. If you already have a vhost for which you'd like to enable WebDAV, you must adjust this tutorial to your situation.

First, we create the directory /var/www/web1/web and make the Apache user (www-data) the owner of that directory:

mkdir -p /var/www/web1/web
chown www-data /var/www/web1/web

Then we back up the default Apache vhost configuration (/etc/apache2/sites-available/default) and create our own one:

mv /etc/apache2/sites-available/default /etc/apache2/sites-available/default_orig
vi /etc/apache2/sites-available/default

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/web1/web/
        <Directory /var/www/web1/web/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

</VirtualHost>

Then reload Apache:

/etc/init.d/apache2 reload

4 Configure The Virtual Host For WebDAV

You can find the documentation for mod_auth_mysql in the /usr/share/doc/libapache2-mod-auth-mysql directory. To read it, you have to gunzip the DIRECTIVES.gz and USAGE.gz files:

cd /usr/share/doc/libapache2-mod-auth-mysql
gunzip DIRECTIVES.gz
vi DIRECTIVES

gunzip USAGE.gz
vi USAGE

Having read these two files, we create a MySQL database called webdav in which we will create the table mysql_auth which will contain our users and passwords. In addition to that we create the MySQL user webdav_admin - this user will be used by mod_auth_mysql to connect to MySQL later on:

mysqladmin -u root -p create webdav

mysql -u root -p

GRANT SELECT, INSERT, UPDATE, DELETE ON webdav.* TO 'webdav_admin'@'localhost' IDENTIFIED BY 'webdav_admin_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON webdav.* TO 'webdav_admin'@'localhost.localdomain' IDENTIFIED BY 'webdav_admin_password';
FLUSH PRIVILEGES;

(Replace webdav_admin_password with a password of your choice.)

USE webdav;

create table mysql_auth (
username char(25) not null,
passwd char(32),
groups char(25),
primary key (username)
);

(Of course, you can as well use existing tables holding your user credentials, and you can as well have additional fields in the table, such as a field that defines if a user is active or not, for example.)

Now we insert the user test into our mysql_auth table with the password test (stored as an MD5 hash); this user belongs to the group testgroup:

INSERT INTO `mysql_auth` (`username`, `passwd`, `groups`) VALUES('test', MD5('test'), 'testgroup');

You can later on use the URL http://192.168.0.100/webdav to connect to WebDAV. If you do this on a Windows XP client and type in the user name test, Windows translates this to 192.168.0.100\test. Therefore we create a second user account now:

INSERT INTO `mysql_auth` (`username`, `passwd`, `groups`) VALUES('192.168.0.100\\test', MD5('test'), 'testgroup');

(We must use a second backslash here in the user name to escape the first one!)

You don't have to do this if you specify the port in the WebDAV URL, e.g. http://192.168.0.100:80/webdav - in this case Windows will simply look for the user test, not 192.168.0.100\test.
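The two INSERT statements above can also be generated with the hash computed on the client, so the statement typed into the MySQL shell carries only the 32-character hash and the backslash escaping is done for you. This is an added example, not part of the original tutorial; the function names are hypothetical and md5sum (coreutils) is assumed to be installed:

```shell
#!/bin/sh
# Added example (not from the tutorial): build the INSERT statements for the
# mysql_auth table with the MD5 hash computed locally. Function names are
# hypothetical; md5sum (coreutils) is assumed to be installed.

# 32-character hex MD5, the same value MySQL's MD5() returns.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# Escape a value for a single-quoted MySQL string literal:
# each backslash is doubled (as the tutorial does by hand), each ' becomes ''.
sql_quote() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print one INSERT row; refuse names that do not fit username char(25),
# which MySQL would otherwise truncate or reject depending on sql_mode.
emit_row() {
    if [ "${#1}" -gt 25 ]; then
        echo "username '$1' is longer than 25 characters" >&2
        return 1
    fi
    printf "INSERT INTO \`mysql_auth\` (\`username\`, \`passwd\`, \`groups\`) VALUES('%s', '%s', '%s');\n" \
        "$(sql_quote "$1")" "$2" "$(sql_quote "$3")"
}

# webdav_user_sql USER PASSWORD GROUP [HOST]
# With HOST, a second row HOST\USER is emitted for Windows XP clients
# that connect without the port in the URL.
webdav_user_sql() {
    user=$1; pass=$2; group=$3; host=${4:-}
    hash=$(md5_hex "$pass")
    emit_row "$user" "$hash" "$group" || return 1
    if [ -n "$host" ]; then
        emit_row "$host\\$user" "$hash" "$group" || return 1
    fi
}

# Constructed sample: the tutorial's user test / password test.
webdav_user_sql test test testgroup 192.168.0.100
```

Paste the printed statements into the MySQL shell after USE webdav;. In a real script, read the password with read -r instead of passing it on the script's command line.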

Then we leave the MySQL shell:

quit;

Now we modify our vhost in /etc/apache2/sites-available/default and add the following lines to it:

vi /etc/apache2/sites-available/default

[...]
        Alias /webdav /var/www/web1/web

        <Location /webdav>
           DAV On
           AuthBasicAuthoritative Off
           AuthUserFile /dev/null
           AuthMySQL On
           AuthName "webdav"
           AuthType Basic
           Auth_MySQL_Host localhost
           Auth_MySQL_User webdav_admin
           Auth_MySQL_Password webdav_admin_password
           AuthMySQL_DB webdav
           AuthMySQL_Password_Table mysql_auth
           Auth_MySQL_Username_Field username
           Auth_MySQL_Password_Field passwd
           Auth_MySQL_Empty_Passwords Off
           Auth_MySQL_Encryption_Types PHP_MD5
           Auth_MySQL_Authoritative On
           require valid-user
        </Location>
[...]

The Alias directive (together with <Location>) makes sure that WebDAV is invoked when you call /webdav, while you can still access the whole document root of the vhost. All other URLs of that vhost are still "normal" HTTP.

The AuthBasicAuthoritative Off and AuthUserFile /dev/null directives are there to prevent errors like these in your Apache error log (/var/log/apache2/error.log):

[Wed Jun 11 17:02:45 2008] [error] Internal error: pcfg_openfile() called with NULL filename
[Wed Jun 11 17:02:45 2008] [error] [client 127.0.0.1] (9)Bad file descriptor: Could not open password file: (null)

If you have additional fields in your MySQL table that define if a user is allowed to log in or not (e.g. a field called active), you can add the Auth_MySQL_Password_Clause directive, e.g.:

[...]
Auth_MySQL_Password_Clause " AND active=1"
[...]

(It is important that the string within the quotation marks begins with a space!)

The require valid-user directive means that every user listed in the mysql_auth table can log in as long as he/she provides the correct password. If you only want certain users to be allowed to log in, you'd use something like

[...]
require user jane joe
[...]

instead. And if you only want members of certain groups to be allowed to log in, you'd use something like this:

[...]
require group testgroup
[...]

The final vhost should look like this:

NameVirtualHost *
<VirtualHost *>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/web1/web/
        <Directory /var/www/web1/web/>
                Options Indexes MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        Alias /webdav /var/www/web1/web

        <Location /webdav>
           DAV On
           AuthBasicAuthoritative Off
           AuthUserFile /dev/null
           AuthMySQL On
           AuthName "webdav"
           AuthType Basic
           Auth_MySQL_Host localhost
           Auth_MySQL_User webdav_admin
           Auth_MySQL_Password webdav_admin_password
           AuthMySQL_DB webdav
           AuthMySQL_Password_Table mysql_auth
           Auth_MySQL_Username_Field username
           Auth_MySQL_Password_Field passwd
           Auth_MySQL_Empty_Passwords Off
           Auth_MySQL_Encryption_Types PHP_MD5
           Auth_MySQL_Authoritative On
           require valid-user
        </Location>
</VirtualHost>

Reload Apache afterwards:

/etc/init.d/apache2 reload

5 Testing WebDAV

We will now install cadaver, a command-line WebDAV client:

aptitude install cadaver

To test if WebDAV works, type:

cadaver http://localhost/webdav/

You should be prompted for a user name. Type in test and then the password for the user test. If all goes well, you should be granted access which means WebDAV is working ok. Type quit to leave the WebDAV shell:

server1:~# cadaver http://localhost/webdav/
Authentication required for webdav on server `localhost':
Username: test
Password:
dav:/webdav/> quit
Connection to `localhost' closed.
server1:~#

Now test again with the username 192.168.0.100\test (this is the format that Windows XP needs if you don't use :80 in the WebDAV URL):

cadaver http://localhost/webdav/

server1:~# cadaver http://localhost/webdav/
Authentication required for webdav on server `localhost':
Username: 192.168.0.100\test
Password:
dav:/webdav/> quit
Connection to `localhost' closed.
server1:~#

6 Configure A Windows XP Client To Connect To The WebDAV Share

This is described on http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-debian-lenny-p2.

If you don't use :80 in the WebDAV URL (http://192.168.0.100:80/webdav), you must log in with the username 192.168.0.100\test; if you do use :80, then you can simply log in with the username test.

7 Configure A Linux Client (GNOME) To Connect To The WebDAV Share

This is described on http://www.howtoforge.com/how-to-set-up-webdav-with-apache2-on-debian-lenny-p3.

8 Troubleshooting

It's a good idea to watch the Apache error log (/var/log/apache2/error.log) while you're trying to connect to WebDAV, e.g. with this command:

tail -f /var/log/apache2/error.log

If you get an error like this:

[Wed Jun 11 15:39:04 2008] [error] [client 192.168.0.46] (13)Permission denied: Could not open property database. [500, #1]

this means that /var/lock/apache2 is not owned by the Apache user (www-data on Debian). You can fix this problem by running:

chown www-data /var/lock/apache2

If Windows keeps asking for the username and password, you should specify the port in the WebDAV URL, e.g. http://192.168.0.100:80/webdav (see chapter four).
