Sunday, 6 September 2009

WebDAV read and write access for different groups

For certain tasks I need to allow read-only access to a WebDAV resource for one LDAP group of users and full access for another group. I tried a bit and found that the configuration directives below do the job. Members of davdata-rw have full access to the resource, and members of the davdata-ro LDAP group can only read DAV files and folders.
NOTE: Allowing the PROPFIND method is necessary for the GET operation, because any operation begins with it. Not sure about REPORT and OPTIONS. I have to check more carefully.

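Alias /davdata /mnt/webdav/davdata

# Assumption: the container lines are missing from the page as shown; the
# <Directory> path is taken from the Alias above and the <Limit> method list
# from the note above.
<Directory /mnt/webdav/davdata>
    DAV On
    AllowOverride None
    Options Indexes

    # Deny by host, then let "Satisfy any" admit requests that pass LDAP authorization
    Order deny,allow
    Deny from All
    AuthName "DAV File Share"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPUrl ldap://ldap.company.com:389/dc=company,dc=com?mail
    AuthLDAPBindDN cn=ldapuser,dc=company,dc=com
    AuthLDAPBindPassword PASSWORD

    # Group entries list members by uid (memberUid), not by full DN
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Full access: these lines sit outside any <Limit>, so they cover every method
    Require ldap-group cn=davdata-rw,ou=groups,dc=company,dc=com
    Require ldap-attribute gidNumber=1300

    # Read-only access: these lines cover only the listed methods
    <Limit GET PROPFIND OPTIONS REPORT>
        Require ldap-group cn=davdata-ro,ou=groups,dc=company,dc=com
        Require ldap-attribute gidNumber=1400
    </Limit>

    Satisfy any
</Directory>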
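
An added example, not part of the original post: a small Python check that reads the Require ldap-group lines and their <Limit>/<LimitExcept> scopes from a config of this kind and reports which methods each group can reach. It assumes Apache 2.2 semantics (every Require line that covers a method is an alternative), a constructed sample config with a deliberately misspelled group DN, and an assumed list of write methods.

```python
import re

# Read set named in the post's note; the write set is an assumed list of common WebDAV methods.
READ = {"GET", "PROPFIND", "OPTIONS", "REPORT"}
WRITE = {"PUT", "DELETE", "MKCOL", "PROPPATCH", "COPY", "MOVE", "LOCK"}
ALL = READ | WRITE

# Constructed sample: rw group unrestricted, ro group limited to reads, ro DN misspelled.
SAMPLE = """\
Require ldap-group cn=davdata-rw,ou=groups,dc=company,dc=com
<Limit GET PROPFIND OPTIONS REPORT>
Require ldap-group cn=davdara-ro,ou=groups,dc=company,dc=com
</Limit>
"""

def method_matrix(conf):
    """Return {method: set of group CNs whose Require line covers that method}."""
    matrix = {m: set() for m in ALL}
    scope = ALL                                   # outside <Limit>: every method
    for line in map(str.strip, conf.splitlines()):
        opened = re.match(r"<(Limit|LimitExcept)\s+([^>]+)>", line, re.I)
        group = re.match(r"Require\s+ldap-group\s+cn=([^,\s]+)", line, re.I)
        if opened:
            listed = set(opened.group(2).upper().split())
            scope = listed & ALL if opened.group(1).lower() == "limit" else ALL - listed
        elif re.match(r"</Limit(Except)?>", line, re.I):
            scope = ALL                           # container closed: back to every method
        elif group:
            for method in scope:
                matrix[method].add(group.group(1))
    return matrix

def audit(conf, rw_group, ro_group):
    """List findings: unknown groups, writes open to ro, reads closed to ro."""
    findings = []
    for method, groups in sorted(method_matrix(conf).items()):
        for name in sorted(groups - {rw_group, ro_group}):
            findings.append(f"{method}: unknown group {name}")
        if method in WRITE and ro_group in groups:
            findings.append(f"{method}: write method open to {ro_group}")
        if method in READ and ro_group not in groups:
            findings.append(f"{method}: {ro_group} cannot read")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "davdata-rw", "davdata-ro"):
        print(finding)
```

A misspelled group DN fails closed (the read-only group simply cannot read), while putting the read-only group inside a <LimitExcept> with the same method list fails open, which is the case worth checking before deployment.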
