Apache Software

Implementing True WebDAV Homedirs?

Posted by Cliff
from the my-$HOME-is-on-the-d.a.v dept.
Vito asks: "I'd like to use WebDAV over SSL (with [preferably digest] authentication against Unix accounts) to provide a few hundred Windows users with secure, easy, and free access to their Linux home directories. WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X, and Linux users can install davfs. But this setup doesn't seem to be possible (safely) using Apache. Do I have alternatives?"

"Apache has mod_dav, which seems to be primarily designed to provide a single shared space to files, where the Apache process user has read/write access. mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow. It would appear that the only way to 'properly' do what I want to do would be to run Apache as root(!), have vhosts for every user (webdav.username.domain.com), have Apache change to that user's uid and gid before enabling webdav for their home directory, and then use basic authentication instead of digest authentication.

Is anyone out there trying this? Has anyone used Jigsaw, kirra-httpd or even the no-longer-available MoulDAVia in a production environment? What are you using to provide non-trivial, safe WebDAV services?

I know I can use something like a restricted SCP- and SFTP-only shell, like scponly and rssh, but again, I'd prefer WebDAV as it wouldn't require the end user to install a client application."
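The detail behind "mod_auth_digest doesn't seem to be usable at the same time as mod_auth_shadow" is worth spelling out, because it is a property of the protocol rather than of the modules. In HTTP Digest (RFC 2617) the server validates the client's response by recomputing it from HA1 = MD5(user:realm:password), so it must hold HA1 (which is what htdigest writes to disk) or the cleartext password; a crypt(3) hash from /etc/shadow gives it neither. HA1 is therefore a password equivalent and the digest file needs the same protection as shadow. The block below is an added example of both sides of that exchange; it is not code from the original post or from Apache, and the realm name, the constructed htdigest line and the user "vito" are assumptions.

```python
import hashlib
import hmac
import os

# Assumed realm name for the home-directory share (not from the original post).
REALM = "homedirs"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password): the value htdigest stores on disk.
    It can only be produced from the cleartext password, never from a
    one-way crypt(3) hash, which is why digest auth cannot sit on shadow."""
    return md5_hex(f"{user}:{realm}:{password}")


# Constructed htdigest-format file (user:realm:HA1); a password equivalent.
HTDIGEST_TEXT = f"vito:{REALM}:{ha1('vito', REALM, 'correct horse')}\n"


def parse_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1 from htdigest-format lines."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, realm, h1 = line.split(":", 2)
        table[(user, realm)] = h1
    return table


def server_challenge(realm: str) -> dict:
    """WWW-Authenticate parameters the server sends with its 401."""
    return {"realm": realm, "nonce": os.urandom(16).hex(),
            "qop": "auth", "algorithm": "MD5"}


def client_response(user, password, method, uri, challenge,
                    nc="00000001", cnonce=None) -> dict:
    """Authorization parameters the client builds (RFC 2617, qop=auth)."""
    if cnonce is None:
        cnonce = os.urandom(8).hex()
    h1 = ha1(user, challenge["realm"], password)
    h2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(
        f"{h1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{h2}")
    return {"username": user, "realm": challenge["realm"],
            "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
            "nc": nc, "cnonce": cnonce, "response": response}


def server_verify(auth: dict, method: str, table: dict, issued_nonce: str) -> bool:
    """Server check: recompute the response from the STORED HA1 and the
    nonce the server actually issued, then compare in constant time."""
    if not hmac.compare_digest(auth["nonce"], issued_nonce):
        return False  # stale or forged nonce: reject (defeats simple replay)
    h1 = table.get((auth["username"], auth["realm"]))
    if h1 is None:
        return False
    h2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(
        f"{h1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{h2}")
    return hmac.compare_digest(expected, auth["response"])


def demo() -> tuple:
    """Three PROPFIND exchanges: right password, wrong password, and a
    captured good header replayed after the server issued a fresh nonce."""
    table = parse_htdigest(HTDIGEST_TEXT)
    ch = server_challenge(REALM)
    uri = "/home/vito/"
    ok = server_verify(client_response("vito", "correct horse", "PROPFIND", uri, ch),
                       "PROPFIND", table, ch["nonce"])
    bad = server_verify(client_response("vito", "wrong", "PROPFIND", uri, ch),
                        "PROPFIND", table, ch["nonce"])
    captured = client_response("vito", "correct horse", "PROPFIND", uri, ch)
    fresh = server_challenge(REALM)
    replayed = server_verify(captured, "PROPFIND", table, fresh["nonce"])
    return ok, bad, replayed


if __name__ == "__main__":
    print(demo())
```

A real server also has to track nonce counts and expire nonces; the example only rejects a response whose nonce is not the one currently issued. Note too that digest only protects the password, not the request or response bodies, so for home directories it still belongs under SSL as the question proposes.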

  • mod_waklog (Score:4, Informative)

    by More Trouble (211162) on Thursday July 24, 2003 @10:57PM (#6528774)
    We do something very similar to this for AFS access, using a module called "web aklog". aklog is an AFS tool for giving a process group "tokens" to talk to AFS servers on behalf of the user. The concept of "root" is meaningless in AFS, so this is a pretty secure methodology. Doesn't really help if you're trying to serve the local filesystem, tho.

    :w
  • by h3 (27424) on Friday July 25, 2003 @12:10AM (#6529226) Homepage Journal
    WebDAV is supported as Web Folders in Windows, meaning there is no need to download and install SFTP, SCP, FTPS, and other clients. It's also supported natively in Mac OS X

    Some things to watch for: Windows 2000 SP2 had some issues with the mod_dav/mod_ssl combination we're running (uploads failed). Upgrading to SP3 fixed that problem.

    Windows makes it a royal pain in the ass if you are planning on using self-signed certificates. I just couldn't figure out how to make IE accept self-signed CA certs. After literally years of seeking this information, I've finally found a solution this past week. This is something you have to consider for your users if you're going to use SSL with self-signed certs: how much can they take the constant popup cert warnings and how happy will they be about going through an 8-step process to get rid of it. Either way: poor user experience, which makes it hard for me to convince my users that DAV is a good thing (they're used to FTP).

    OSX natively supports DAV but unless something has changed recently, it does NOT natively support DAV over SSL. You need Goliath [webdav.org] for that. At least Goliath has a single "Accept this certificate permanently?" button that actually does what it advertises :p.

    I have to say I feel your pain. I'm not trying to do something as ambitious as you (I just wanted something to replace FTP for users that wanted to share files with other users outside of our network), but I've still been frustrated with trying to get the authentication business worked out with different directories having different sets of users that can access them, some with read/write and some with read-only.

    To be honest, I've recently started to re-evaluate using DAV for our needs. It just hasn't been as flexible as I had hoped.

    -h3
  • by h3 (27424) on Friday July 25, 2003 @03:09AM (#6529933) Homepage Journal
    Sorry, I was too busy ranting and forgot to elaborate. Here's a page where I was tipped off: http://www.drh-consultancy.demon.co.uk/pkcs12faq.html [demon.co.uk]

    I'll be the first to admit that I don't know much about Windows and I'm no expert on cryptography, so maybe I'm an idiot for not having found a solution sooner. The big hurdle for me was that if I navigated to a site that used one of my own certs, IE would *offer* to add it permanently, walk me through the process, then congratulate me on successfully adding it. But it was all lies. It wasn't added.

    As the document above describes (see the 12 step usage section near the middle) the solution I found to work is to convert my openssl CA cert to "DER" format, make that a downloadable file for IE users, and have them *download and open it*. With the proper mime type, this will trigger IE to walk you through exactly the same process as above, but this time it works, suggesting IE really only likes certs in a particular format. No excuse for making up lies, though.

    Also, the way I set it up may not work for IE5, but I've had enough for one week :p. MacIE - hopeless. No way to import certs as far as I know.

    From a personal standpoint, I couldn't care less how IE handles these certs since I don't use it, but I needed to find a solution that our users could handle.

    -h3
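The conversion h3 describes is small: PEM is the DER bytes base64-encoded between BEGIN/END lines, so stripping the armour and decoding is all `openssl x509 -in ca.pem -outform DER -out ca.der` really does. What is worth adding before publishing the file is a check that the result is a well-formed outer DER SEQUENCE with no trailing bytes, since a mangled download is exactly the sort of thing that makes a browser's import wizard fail silently. The block below is an added example, not code from the comment, from the linked FAQ or from OpenSSL; the sample PEM wraps a constructed toy SEQUENCE rather than a real certificate, and the `application/x-x509-ca-cert` MIME type and the `ca.der` filename are assumptions.

```python
import base64
import re

# Constructed sample (not a real certificate): PEM armour around a tiny DER
# SEQUENCE { INTEGER 1, INTEGER 2 } so the round trip can be checked offline.
SAMPLE_DER = bytes.fromhex("3006020101020102")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Take the first CERTIFICATE block and base64-decode its body."""
    m = _PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def der_outer_length(der: bytes) -> tuple:
    """Decode the outermost TLV length (X.690 short or long form).
    Returns (content_length, header_length)."""
    if len(der) < 2:
        raise ValueError("truncated")
    first = der[1]
    if first < 0x80:
        return first, 2
    n = first & 0x7F
    # 0x80 is the indefinite form and >4 length bytes is absurd for a cert.
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad length encoding")
    length = int.from_bytes(der[2:2 + n], "big")
    # DER demands the minimal encoding: no leading zero byte, and the long
    # form only for lengths that do not fit the short form.
    if length < 0x80 or (n > 1 and der[2] == 0):
        raise ValueError("non-minimal length encoding")
    return length, 2 + n


def check_der_certificate(der: bytes) -> bool:
    """Publish-time sanity check: outer tag is SEQUENCE (0x30) and the
    encoded length covers exactly the rest of the file (no trailing junk)."""
    if not der or der[0] != 0x30:
        return False
    try:
        length, hdr = der_outer_length(der)
    except ValueError:
        return False
    return hdr + length == len(der)


def download_headers(der: bytes, filename: str = "ca.der") -> dict:
    """Response headers for the downloadable CA file.  The MIME type is the
    assumed one that triggers IE's import wizard; in Apache the equivalent
    would be `AddType application/x-x509-ca-cert .der` (also an assumption)."""
    return {"Content-Type": "application/x-x509-ca-cert",
            "Content-Length": str(len(der)),
            "Content-Disposition": f'attachment; filename="{filename}"'}


def convert_and_check(pem_text: str) -> bytes:
    """The whole pipeline: PEM in, validated DER out (raises on a bad file)."""
    der = pem_to_der(pem_text)
    if not check_der_certificate(der):
        raise ValueError("decoded bytes are not a single well-formed DER SEQUENCE")
    return der


if __name__ == "__main__":
    out = convert_and_check(SAMPLE_PEM)
    print(out.hex(), download_headers(out))
```

The check is deliberately shallow: it proves the file is one complete DER object, not that the object is a certificate with a sane subject or validity period. For that, run the converted file through `openssl x509 -inform DER -noout -text` before handing it to users.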
  • by radek (46921) * <radek@@@alter...pl> on Friday July 25, 2003 @06:24AM (#6530409) Homepage
    Apache 2 supports the perchild MPM: "Multi-Processing Module allowing for daemon processes serving requests to be assigned a variety of different userids". Here is a link: perchild [apache.org]. It solves the uid permission part of your problem.
  • perchild MPM (Score:4, Informative)

    by Hard_Code (49548) on Friday July 25, 2003 @11:32AM (#6532352)
    You could try Apache 2.0 with perchild MPM which allows requests to be served under arbitrary user ids... (no suid,suexec crap)
  • davenport (Score:3, Informative)

    by Dark Fire (14267) <<clasmc> <at> <yahoo.com>> on Friday July 25, 2003 @12:15PM (#6532752)
    If you are using Samba, you might want to try using Davenport. Davenport offers a read-only listing of files in your browser and permits read/write via WebDAV. Davenport converts WebDAV requests to SMB requests via the jCIFS project. Davenport is a Java servlet.

    davenport.sourceforge.net
