Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!


Click here to return to the 'Use DigestAuthentication' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
Use DigestAuthentication
Authored by: professor on Sep 12, '02 11:29:09PM

>In the Shared Library section, where modules are loaded, add these two lines in
>the same ordering in their repective sections:
>
>LoadModule dav_module libexec/httpd/libdav.so
>AddModule mod_dav.c

I\'m using Apache 2.0.40, so the mod_dav module is automatically built
and installed. If you configure with \"--enable-mods-shared=all\" it\'s automatically loaded from httpd.conf. In 1.3.x, mod_dav is considered
a \"3rd party\" module and not included in the standard distribution.


>Then somewhere in the global section add:
>
>DAVLockDB /Library/WebServer/davlocks/DAVLockDB

You mention mention this later, but it's important that this directory must owned by the www user:

chown www.www /Library/WebServer/davlocks/
chmod 755 /Library/WebServer/davlocks/

>I used this section to have a webdav folder managed by Apache:
>
><Directory \"/Library/WebServer/Documents/dav\">
> DAV On
> AuthName \'WebDAV\'
> AuthType Basic
> AuthUserFile /etc/httpd/.htpasswd
> AuthGroupFile /dev/null
> <LimitExcept GET HEAD OPTIONS>
> require valid-user
> </LimitExcept>
></Directory>

Basic Authentication? Yuck! That sends your password in cleartext.
Let\'s use Digest Authentication instead:

<Directory /Library/WebServer/Documents/dav/billy>
DAV On
AuthType Digest
AuthDigestFile /usr/local/apache2/var/davusers
AuthDigestGroupFile /usr/local/apache2/var/davgroups
AuthDigestDomain /dav/
AuthName \"dav\"
AllowOverride None
Options FollowSymLinks Indexes
<LimitExcept GET HEAD OPTIONS>
require user billy
</LimitExcept>
require group family
</Directory>
</blockquote>

Several things are going on here.

1)to create the password file (\"davusers\"), we need to use the \"htdigest\" command instead of \"htpasswd\".

2) the groups file (\"davgroups\") contains lines of the form

family: billy jane sarah
friends: tom dick harry

where the users (billy, ... ,harry) all have entries in the password file.

In the above example, members of the \"family\" group can read (but not write to) the files in this directory. While the others can subscribe to his calendars,
only \"billy\" (who has write-permission) can publish changes.

Obviously, there are a greate many variations . . .

>Then set up the folder with permissions.
>
> % cd /Library/WebServer/
> % mkdir davlocks
> % chown www:www davlocks
> % cd Documents
> % mkdir dav
> % chown www:www dav
>
>In iCal, choose Publish Calendar and specify http://localhost/dav/iCal.

Presumably, that\'s a typo unless you also created the subdirectory \"iCal\" and made it owned by the www user.



[ Reply to This | # ]
Use DigestAuthentication
Authored by: froz on Sep 13, '02 03:55:35AM

This will only work if you have Apache2 installed. Unfortunately, digest authentication is still not well supported, so you may not get this to work. It does work with Opera, Mozilla and cadaver. The AuthDigestGroupFile and AuthDigestDomain directives aren't needed for simple installations and, in fact this forum seems to have eaten some required text in the AuthDigestDomain. Create your davusers file like this (if you are following the above instructions):

htdigest davusers "dav" username



[ Reply to This | # ]
Use DigestAuthentication
Authored by: froz on Sep 13, '02 03:58:08AM

Uhm, I left out an arg:

htdigest -c davusers "dav" username



[ Reply to This | # ]
Use DigestAuthentication
Authored by: professor on Sep 13, '02 10:20:44AM

Uhm, I left out an arg:


htdigest -c davusers "dav" username


Use the "-c" (for "create the password file") argument for the first user you add.

Omit it for subsequent users, or you will wipe out the previously-created password file.


My hhtpd.conf entry got munged, so let me repeat it:

\<Directory /Library/WebServer/Documents/dav/billy\>
DAV On
AuthType Digest
AuthDigestFile /usr/local/apache2/var/davusers
AuthDigestGroupFile /usr/local/apache2/var/davgroups
AuthDigestDomain /dav/
AuthName "dav"
AllowOverride None
Options FollowSymLinks Indexes
\<LimitExcept GET HEAD OPTIONS\>
require user billy
\</LimitExcept\>
require group family
\</Directory\>


As was mentioned,

  • The "groups" file is only necessary if you want to restrict access by group of users.
  • With Apache 1.3.x, you need to get the revised mod_auth_digest module. This comes automatically with Apache 2.0.x.
  • iCal and most current wweb browsers (Mozilla, IE, Opera,...) support Digest Authentication. Some older browsers and the webDAV client, Goliath 0.9.1, do not.


[ Reply to This | # ]
Use DigestAuthentication
Authored by: mithras on Sep 13, '02 06:11:25AM
iCal uses an updated Digest spec, which is incompatible with the mod_digest module that comes with Apache 1.3.26 (in 10.2). Instead, you need to use mod_auth_digest. I compiled it for use with 10.2; you can download it from me. Untar the module, put it somewhere handy (/usr/libexec/httpd, or /Library/Application Support) then add the appropriate lines to httpd.conf: LoadModule digest_auth_module /path/to/mod_auth_digest.so and AddModule mod_auth_digest.c Then you can be on your way with secure Digest authentication!

[ Reply to This | # ]
Use DigestAuthentication
Authored by: rumorcontrol on Sep 16, '02 04:05:24PM

here's what I get..

Syntax error on line 47 of /etc/httpd/httpd.conf:
Invalid command 'DAVLockDB', perhaps mis-spelled or defined by a module not included in the server configuration
/usr/sbin/apachectl start: httpd could not be started

47 DAVLockDB /Library/WebServer/davlocks/DAVLockDB$



[ Reply to This | # ]
Use DigestAuthentication
Authored by: professor on Sep 17, '02 10:28:28AM

Is mod_dav really being loaded?
I.e., did you do the AddModule/LoadModule stuff?

N.B. mod_dav is NOT part of the standard Apache 1.3.x distribution. Apple
distributes it, but if you build Apache yourself (eg, using Fink), then you
need to build/install mod_dav too.

With Apache 2.0.x, mod_dav is part of the standard distribution. If you build
it with the standard

./configure --enable-mods-shared=all

mod_dav will be built and installed along with everything else. The standard
httpd.conf file (with this option), IIRC, includes the necessary

LoadModule dav_module modules/mod_dav.so

line (Apache 2.0.x doesn't have a separate AddModule directive).



[ Reply to This | # ]