Introduction
Parts of the ops project require a webdav environment to serve resources, namely the timesheet .ics files for time tracking and reporting. You can also use this webdav environment to securely serve calendars (also .ics files) and project-related documents.
There are multiple ways to set up a webdav environment. Here we describe two options; you'll need to choose only one of these:
- OPS WebDav Filter
- apache with mod_dav (no per-file authorization, all users have read/write access to all files)
Choose option 2 only if you have a very good reason to do so.
Ops WebDav servlet with authentication filter
We have developed a filter for the tomcat webdav servlet to enable a very fine-grained authorization scheme. With this filter it is possible to specify, per resource, which users have read or write rights.
Installing the servlet
You can find all ops downloads, including the ldap schema and the OpsAuthenticationFilter.war, on the ops Source Forge homepage:
https://sourceforge.net/projects/ops/
- To use this authentication filter you will need a running ldap with the ops schema. Pick the schema version that goes with the OPS version you intend to use; webdav will run from version 0.1.1.
- First download OpsAuthenticationFilter.war and place it somewhere on your server.
- Follow the instructions in deploy.txt (this file is inside the war)
Start using timesheet and calendar files
If you followed the instructions in the deploy.txt file you now have a running servlet (filter) with two directories, calendars and timesheets, for storing .ics files. For each user of ops project time tracking (each user whose logged hours you want to include in the reporting) you will need a timesheet file. If you are using calendars, you will also need a calendar file for each user.
N.B. Tomcat needs to have read and write access to the files in the calendars and timesheets directories!
For your users to start using timesheets and calendars, you will need to do the following:
- create a file in the timesheets directory called <username>.ics
- create a ldap entry for this timesheet (see below)
- create a file in the calendars directory called <username>.ics
- create a ldap entry for this calendar (see below)
The assumption is that you will be creating a new ldap user entry for each new employee. When you do this you can also create a timesheet and calendar file (the ldap entry as well as the actual file) for this user.
Create ldap entry for ics file
There are several GUI tools you can use to manually create ldap entries, for example phpldapadmin and eclipse.
The calendar and timesheet entries in ldap are identical, except that calendars are created in ou=Calendars and timesheets in ou=Timesheets. Set the values for each timesheet entry as follows:
- name - <username>s-timesheet (this is just the name of the ldap entry)
- ics - <server_that_runs_webdav>/opswebdav/timesheets/<username>.ics (actual file location)
- ownerRef - set this to the user's uid.
- type - current
Repeat the above for each calendar entry, replacing 'timesheet' with calendar.
You may also specify the following additional attributes:
- reader - This is a list of people authorized to read the timesheet/calendar.
- writer - This is a list of people authorized to read/write to the timesheet/calendar.
Bear in mind that users from the OPS administrators group have access to everyone's timesheets and calendars and to project documents.
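A check for the entries described above, as an added example (not part of the OPS project): it parses a plain LDIF export and reports entries that deviate from the prescribed values, such as an ics path naming a different user's file than ownerRef. The DN layout, dc=example,dc=org and the function names are assumptions, and the sample export is constructed.

```python
import re

# Constructed LDIF export; the DN layout and dc=example,dc=org are assumptions.
SAMPLE_LDIF = """\
dn: name=alices-timesheet,ou=Timesheets,dc=example,dc=org
name: alices-timesheet
ics: webdav.example.org/opswebdav/timesheets/alice.ics
ownerRef: alice
type: current

dn: name=bobs-calendar,ou=Calendars,dc=example,dc=org
name: bobs-calendar
ics: webdav.example.org/opswebdav/calendars/alice.ics
ownerRef: bob
"""

KINDS = {"timesheets": "timesheet", "calendars": "calendar"}

def parse_ldif(text):
    """Parse plain 'attr: value' records separated by blank lines (no base64, no folding)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            rec.setdefault(attr.strip(), []).append(value.strip())
        records.append(rec)
    return records

def check_entry(rec):
    """Return the deviations from the attribute values this page prescribes."""
    problems = []
    m = re.search(r"ou=(Timesheets|Calendars)", rec.get("dn", [""])[0])
    if not m:
        return ["entry is not under ou=Timesheets or ou=Calendars"]
    directory = m.group(1).lower()
    owner = rec.get("ownerRef", [""])[0]
    if not owner:
        problems.append("ownerRef missing")
    if rec.get("name", [""])[0] != f"{owner}s-{KINDS[directory]}":
        problems.append("name is not <username>s-" + KINDS[directory])
    if not rec.get("ics", [""])[0].endswith(f"/opswebdav/{directory}/{owner}.ics"):
        problems.append("ics does not point at the owner's own file")
    if rec.get("type", [""])[0] != "current":
        problems.append("type is not 'current'")
    return problems

def audit(text):
    return {r.get("dn", ["?"])[0]: check_entry(r) for r in parse_ldif(text)}
```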
How it works
Every time someone requests a resource the filter checks ldap to see if this person is logged in as either:
- the administrator
- the owner of the resource
- a project member or the project manager if the resource is a project resource.
If the user is authorised for the requested resource, the resource is returned. If there is no ldap entry for the resource the filter will return a 401 (unauthorised) response.
--
IvanaCace - 24 Dec 2008
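The decision described under "How it works", together with the reader and writer attributes, modelled as an added example; this is not the OpsAuthenticationFilter source. Assumptions: the split of webdav methods into read and write, checking for a missing entry before the administrator rule, project members being allowed for every method, and all class, function and user names.

```python
from dataclasses import dataclass, field

# Assumption: which webdav methods count as "read"; everything else needs write rights.
READ_METHODS = {"GET", "HEAD", "OPTIONS", "PROPFIND"}

@dataclass
class Entry:
    """One resource entry, using the attribute names this page lists."""
    owner_ref: str
    reader: set = field(default_factory=set)
    writer: set = field(default_factory=set)
    project_members: set = field(default_factory=set)  # hypothetical: members plus manager

def decide(user, method, path, entries, admins):
    """Return (allowed, reason). A denial stands for the filter's 401 response."""
    if user is None:
        return False, "not logged in"
    entry = entries.get(path)
    if entry is None:
        # Default deny: a file without an ldap entry is served to nobody.
        # Assumption: this is checked before the administrator rule.
        return False, "no ldap entry"
    if user in admins:
        return True, "administrator"
    if user == entry.owner_ref:
        return True, "owner"
    if user in entry.project_members:
        return True, "project member"
    if user in entry.writer:
        return True, "writer"
    if user in entry.reader and method.upper() in READ_METHODS:
        return True, "reader"
    return False, "no matching rule"

# Constructed sample data, not taken from a real directory.
ENTRIES = {
    "/opswebdav/timesheets/alice.ics": Entry("alice", reader={"bob"}, writer={"carol"}),
    "/opswebdav/calendars/alice.ics": Entry("alice"),
}
ADMINS = {"root-admin"}

if __name__ == "__main__":
    for user, method, path in [
        ("alice", "PUT", "/opswebdav/timesheets/alice.ics"),
        ("bob", "GET", "/opswebdav/timesheets/alice.ics"),
        ("bob", "PUT", "/opswebdav/timesheets/alice.ics"),
        ("root-admin", "GET", "/opswebdav/timesheets/mallory.ics"),
    ]:
        print(user, method, path, decide(user, method, path, ENTRIES, ADMINS))
```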
More on the OpsAuthenticationFilter configuration options
The location of the config file can be changed by editing the web.xml and changing the value of the configFile param:
...
<filter>
<filter-name>OpsAuthenticationFilter</filter-name>
<filter-class>org.openprojectservices.filters.OpsAuthenticationFilter</filter-class>
<init-param>
<param-name>configFile</param-name>
<param-value>WEB-INF/opsprops.properties</param-value>
</init-param>
</filter>
...
More on directory layout
By default all content ends up in CATALINA_HOME/webapps/opswebdav/. This is where the calendar and timesheet directories reside. We haven't found a way to configure the servlet to take another root (if you do, please let us know), but you can create symbolic links to another location.
Easy configuration for apache2 / mod_auth_ldap(openldap) / mod_dav
You can configure your apache server to serve calendars and timesheets (ics files). This way you can use a directory in your www-root to serve calendars and timesheets. The only drawback is that everybody who has access can read/write every timesheet/calendar. If you discover a way to enhance the authentication, please let us know.
Another way is to use the built-in webdav servlet provided by apache tomcat.
Add this to your apache configuration:
LDAPTrustedCAType BASE64_FILE
LDAPTrustedCA /etc/ldap/cert/your_certificate_file.pem
<Directory /var/www/webdav/>
Dav on
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
#ldap authentication
AuthName "LDAP uid and password required"
AuthType Basic
AuthLDAPEnabled on
AuthLDAPURL "ldaps://your.server:636/<your_base_dn>?uid?sub?"
AuthLDAPAuthoritative on
AuthLDAPBindDN uid=auth,ou=Users,dc=linops01,dc=func,dc=nl
AuthLDAPBindPassword <password of your auth user>
#AuthLDAPGroupAttribute memberUid
#AuthLDAPGroupAttributeIsDN off
#require group cn=OpsProject,ou=Groups,<your_base_dn>
require valid-user
</Directory>
To allow only your ops users to access the webdav resources, uncomment the three lines before the last one and comment out the last one. This instructs apache to check whether the user is a member of the OpsProject group.
When you create the directory for the calendars, don't forget to make apache the owner, e.g. for debian:
chown www-data:www-data -R /var/www/webdav
Don't forget to load the needed modules. Add the following lines to apache2.conf (or enable the modules by linking them in debian):
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule auth_ldap_module /usr/lib/apache2/modules/mod_auth_ldap.so
LoadModule dav_module /usr/lib/apache2/modules/mod_dav.so
That's it.
--
IvoVanDongen - 24 Oct 2005