WebDAV over SSL using LDAP with Apache2 on Debian

Some time ago I published a short summary of how to set up WebDAV over SSL using Apache2 with PAM authentication. Unfortunately, that solution had one ugly part: the user www-data had to be added to the group shadow so that it could read /etc/shadow, which is needed for authentication. So I thought, let's just migrate it to LDAP. :-)

~# aptitude install slapd libpam-ldap libnss-ldap ldap-utils migrationtools nscd

Enter your rootbinddn and a secret, and select LDAP protocol version 3. Then open /etc/ldap/ldap.conf and configure it as needed; use ldap://127.0.0.1 as the URI. At this point we do not use SSL/TLS, since slapd will only listen on the local host and no data will be sent over the network. (This only holds as long as slapd is bound to 127.0.0.1; as soon as it listens on a network interface, switch to ldaps:// or StartTLS, because a simple bind otherwise sends the password in clear.) Next, /etc/pam_ldap.conf:

host 127.0.0.1
base [your basedn]
ldap_version 3
rootbinddn [your rootbinddn, usually cn=admin,[base]]
pam_password crypt
nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,ntp,nx,proxy,root,sshd,statd,sync,sys,syslog,uucp,www-data

/etc/nsswitch.conf (with ldap listed before files, every lookup, including those for local accounts such as root, is sent to slapd first; if slapd is down, each lookup waits for the LDAP timeout before falling back to files, which nscd only partly hides, so files ldap is the safer order if local accounts must keep resolving quickly):

passwd: ldap files
group: ldap files
shadow: ldap files

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

By the way: don't forget to put your secret into /etc/pam_ldap.secret, and make sure that file is owned by root and readable by root only (chmod 600), since it holds the rootbinddn password in clear. Anyway, let's go on…
/etc/pam.d/common-account:

account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

/etc/pam.d/common-auth

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

/etc/pam.d/common-password (both modules are told to use md5 here, matching the rest of this setup; on a current Debian, sha512 is the default and the better choice):

password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

The common-session file doesn't need to be changed for this setup. Now edit /usr/share/migrationtools/migrate_common.ph and change the domain to yours. With the tools contained in that directory (migrate_base.pl, migrate_passwd.pl, migrate_group.pl) you can convert your existing /etc/passwd and /etc/group into LDIF and load it into your LDAP with ldapadd; note that migrate_passwd.pl copies the existing password hashes out of /etc/shadow, so run it as root. Or you just create these entries manually. Now let's load the Apache modules:

a2enmod ldap
a2enmod authnz_ldap

… and reconfigure our WebDAV VirtualHost:

...
DAV On
AuthType Basic
AuthName "WebDAV"
AuthBasicProvider ldap
AuthLDAPURL "ldap://127.0.0.1/ou=people,[your base here]"
AuthLDAPRemoteUserIsDN off
ForceType text/plain
Require valid-user
Require ldap-filter &(uid=*)
...
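Two of the steps above are easy to get subtly wrong: creating the posixAccount entries by hand instead of with migrationtools, and understanding what Apache actually does with the Basic credentials it receives for the AuthLDAPURL above. The following Python script is an added example, not code from the original post: it emits LDIF for a user with a salted {SSHA} userPassword (a hash format slapd verifies on a simple bind), and it models the search-then-bind that mod_authnz_ldap performs (decode the Basic header, search ou=people for the uid with the value escaped per RFC 4515, then check the password the way a bind as the found DN would) against a small in-memory directory standing in for slapd. The base DN dc=example,dc=com, the user alice and her password are assumptions; in the real setup slapd and Apache do this work, not this script.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Constructed values: the page leaves the base DN as a placeholder, so
# dc=example,dc=com and the user alice below are assumptions for this example.
BASE_DN = "dc=example,dc=com"
PEOPLE_DN = "ou=people," + BASE_DN


def ssha_hash(password, salt=None):
    """OpenLDAP {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against an {SSHA} value, as slapd does on a simple bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes, the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def posix_account_ldif(uid, uid_number, gid_number, password, salt=None):
    """LDIF for one posixAccount under ou=people (same object classes as
    migrate_passwd.pl emits); feed it to ldapadd -x -D cn=admin,<base> -W."""
    lines = [
        "dn: uid=%s,%s" % (uid, PEOPLE_DN),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "uid: " + uid,
        "cn: " + uid,
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + uid,
        "loginShell: /bin/bash",
        "userPassword: " + ssha_hash(password, salt),
    ]
    return "\n".join(lines) + "\n"


# RFC 4515: characters that would change the meaning of a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a user-supplied value before it goes into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(uid):
    """The user search behind AuthLDAPURL ldap://127.0.0.1/ou=people,...: the
    attribute uid and the filter (objectclass=*) are the defaults when the URL names none."""
    return "(&(objectclass=*)(uid=%s))" % ldap_filter_escape(uid)


def parse_basic_auth(header):
    """Split an HTTP Basic Authorization header into (user, password)."""
    scheme, _, encoded = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("malformed Basic credential")
    return user, password


def basic_header(user, password):
    """Build the header a WebDAV client sends (what curl -u does)."""
    raw = ("%s:%s" % (user, password)).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def authenticate(directory, auth_header):
    """Search-then-bind against an in-memory stand-in for slapd.
    directory maps DN -> attributes. Returns the DN on success, None otherwise.
    Exactly one entry must match the uid, as mod_authnz_ldap also requires."""
    try:
        user, password = parse_basic_auth(auth_header)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return None
    matches = [dn for dn, attrs in directory.items() if attrs.get("uid") == user]
    if len(matches) != 1:
        return None
    dn = matches[0]
    return dn if ssha_verify(password, directory[dn].get("userPassword", "")) else None


def sample_directory():
    """Constructed directory with one user, alice, password 'correct horse'."""
    return {"uid=alice," + PEOPLE_DN: {
        "uid": "alice",
        "userPassword": ssha_hash("correct horse", salt=b"\x01\x02\x03\x04"),
    }}


if __name__ == "__main__":
    print(posix_account_ldif("alice", 10001, 10001, "correct horse"))
    print(search_filter("bob)(uid=*"))  # shows why the uid is escaped first
    print(authenticate(sample_directory(), basic_header("alice", "correct horse")))
```

Pipe the LDIF into ldapadd -x -D cn=admin,[your base here] -W to create the entry; the printed filter for a uid containing ) or * shows why the value has to be escaped before it is searched for, and the authenticate() calls show the three outcomes that matter (right password, wrong password, unknown user).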

A few remarks on this VirtualHost: mod_authnz_ldap first searches ou=people for the user (attribute uid, the default when the AuthLDAPURL names none) and then binds as the DN it found with the supplied password. No AuthLDAPBindDN is set, so that search uses an anonymous bind; this works with Debian's default slapd ACLs, which allow anonymous read of everything except userPassword while still permitting userPassword to be used for authentication (by anonymous auth). The Require ldap-filter line is redundant next to Require valid-user, since in Apache 2.2 any one satisfied Require grants access and every authenticated user has a uid anyway. And keep this in the SSL VirtualHost: AuthType Basic sends the password in clear to Apache, which is the whole reason this is WebDAV over SSL. And last but not least, let's restart all services:

/etc/init.d/slapd restart
/etc/init.d/nscd restart
/etc/init.d/apache2 restart

Voila! Authentication of your WebDAV against LDAP should be working now. The only thing left to do is to remove the user www-data from the shadow group again (check with id www-data that it is gone). And maybe you'd like to change your LDAP users' passwords:

ldappasswd -x -D cn=admin,[your base here] -W uid=[username],ou=people,[your base here] -S

And the next time, I’ll show you how you can build yourself an automatic back-scratcher using a wall, glue and a cat.

