Monday, 10 August 2009

Allow access to WebDAV resources based on LDAP group membership

I need to provide different access levels to my WebDAV server based on LDAP group membership (in the example below, members of the davdata-rw group can read, write, make collections, move and so on, while members of the davdata LDAP group can only read resources, GET them and read their properties). I found little information about this, and after some testing the configuration below works for me:

Alias /davdata "/home/davdata"

<Directory "/home/davdata">
    Options Indexes
    AllowOverride None
    AddDefaultCharset utf-8

    Order deny,allow
    Deny from All
    AuthName "Data File Share"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # Users are authenticated with the e-mail address and password stored in the LDAP server
    # (the host and base DN of this URL are missing from the post as published)
    AuthLDAPUrl ldap://,dc=com?mail
    AuthLDAPBindDN cn=user,ou=systems,dc=example,dc=com

    # posixGroup entries list members by uid in memberUid, not by DN
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Allow maximum access to the WebDAV resource: every method other than the
    # read-only ones is reserved for the davdata-rw group.
    # (The <LimitExcept>/<Limit> container tags were lost when the post was
    # extracted; the method list is assumed from the description above.)
    <LimitExcept GET PROPFIND OPTIONS>
        Require ldap-group cn=davdata-rw,ou=groups,dc=example,dc=com
        # I have to add the line below as I have no attribute in the LDAP user entry
        # to search for group membership. An LDAP user can have only one group and
        # I need some more...
        Require ldap-attribute gidNumber=1043
    </LimitExcept>

    # Allow ONLY limited (read) access to the resource
    <Limit GET PROPFIND OPTIONS>
        Require ldap-group cn=davdata,ou=groups,dc=example,dc=com
        Require ldap-attribute gidNumber=1030
    </Limit>

    Satisfy any
</Directory>
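The configuration above uses Apache 2.2 syntax, where several Require lines in one scope are combined with OR and AuthzLDAPAuthoritative, Order/Deny and Satisfy control the rest. Below is the same policy written for Apache 2.4 (mod_authz_core), as an added example that is not part of the original post. It assumes a hypothetical LDAP host and people base DN (the post does not show them), a placeholder bind password, and that DAV itself is switched on in this block with a DavLockDB at server level. Two points a practitioner should check: the write side is expressed with LimitExcept so that any WebDAV method not in the read set (PROPPATCH, LOCK, UNLOCK, COPY and so on) falls under the strict rule instead of being left unprotected; and the read block lists the read-write group as well, since otherwise a davdata-rw member who is not also in davdata could write but never list or read. With AuthLDAPGroupAttributeIsDN off, mod_authnz_ldap compares the username the client logged in with against memberUid, so the login name (here the mail attribute) must match what the group entries store.

```apache
# Lock database for mod_dav; must sit outside any <Directory> (path is a placeholder)
DavLockDB /var/lock/apache2/DavLock

Alias /davdata "/home/davdata"

<Directory "/home/davdata">
    Dav On
    Options Indexes
    AllowOverride None
    AddDefaultCharset utf-8

    AuthName "Data File Share"
    AuthType Basic
    AuthBasicProvider ldap
    # Hypothetical host and base DN; users log in with their mail attribute
    AuthLDAPUrl "ldap://ldap.example.com/ou=people,dc=example,dc=com?mail"
    AuthLDAPBindDN "cn=user,ou=systems,dc=example,dc=com"
    # Placeholder: keep the real value out of version control
    AuthLDAPBindPassword "<bind-password>"

    # posixGroup membership: memberUid holds login names, not DNs
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Every method except the read set needs the read-write group or its primary gid.
    # LimitExcept means a method we forgot to list is restricted, not exposed.
    <LimitExcept GET HEAD OPTIONS PROPFIND>
        <RequireAny>
            Require ldap-group cn=davdata-rw,ou=groups,dc=example,dc=com
            Require ldap-attribute gidNumber=1043
        </RequireAny>
    </LimitExcept>

    # Read set: the read-only group, plus the read-write group so its members can
    # still browse (assumes rw users are not necessarily also members of davdata).
    <Limit GET HEAD OPTIONS PROPFIND>
        <RequireAny>
            Require ldap-group cn=davdata,ou=groups,dc=example,dc=com
            Require ldap-attribute gidNumber=1030
            Require ldap-group cn=davdata-rw,ou=groups,dc=example,dc=com
            Require ldap-attribute gidNumber=1043
        </RequireAny>
    </Limit>
</Directory>
```

In 2.4 there is no Satisfy, Order or Deny here: with no Require granted, access is denied, and an anonymous request is refused before any LDAP lookup. A quick check after reload is to PROPFIND the collection as a davdata member (expect 207) and then attempt a PUT with the same account (expect 403); the reverse pair for a davdata-rw member confirms the write side.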