Sunday, 6 September 2009

WebDAV read and write access for different groups

For certain tasks I need to allow read-only access to a WebDAV resource for one LDAP group of users and full access for another group. I tried a bit and found that the configuration directives below do the job. Members of the davdata-rw LDAP group have full access to the resource, and members of the davdata-ro LDAP group can only read DAV files and folders.
NOTE: Allowing the PROPFIND method is necessary for GET to work, because every DAV operation begins with a PROPFIND. Not sure about REPORT and OPTIONS. I have to check more carefully.

Alias /davdata /mnt/webdav/davdata

# The angle-bracket container directives did not survive publication of this
# page; the <Directory> container for the aliased path is restored here.
<Directory /mnt/webdav/davdata>
AllowOverride None
Options Indexes

Order deny,allow
Deny from All
AuthName "DAV File Share"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
# host and base DN are missing from the URL as published
AuthLDAPUrl ldap://,dc=com?mail
AuthLDAPBindDN cn=ldapuser,dc=company,dc=com

AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

# read-write group
Require ldap-group cn=davdata-rw,ou=groups,dc=company,dc=com
Require ldap-attribute gidNumber=1300

# read-only group (spelled davdata-ro, matching the text above)
Require ldap-group cn=davdata-ro,ou=groups,dc=company,dc=com
Require ldap-attribute gidNumber=1400

# With Satisfy any and Deny from All, access is granted only to a client
# that passes one of the Require lines. Note that as written every Require
# line applies to every HTTP method; the read-only restriction for
# davdata-ro needs method-scoped <Limit>/<LimitExcept> containers, which
# are not shown here.
Satisfy any
</Directory>
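The configuration below is an added example, not the post's own directives: it is my reconstruction of how the two-group split is normally expressed in Apache 2.2 syntax, with read-only methods opened to both groups in a <Limit> container and every other method restricted to the read-write group in a <LimitExcept> container. Assumed and not on the original page: the <Limit>/<LimitExcept> split itself, the Dav On directive (mod_dav and mod_dav_fs are assumed loaded), the LDAP host name ldap.company.example, the ou=people search base, the HEAD method in the read-only list, and the AuthLDAPBindPassword placeholder.

```apache
# Added example: read-only vs. read-write WebDAV access for two LDAP groups.
# Apache 2.2 syntax (Order/Deny/Satisfy), matching the original post.
# ASSUMED values: ldap.company.example, ou=people, the bind password
# placeholder, Dav On, and the <Limit>/<LimitExcept> structure.
Alias /davdata /mnt/webdav/davdata

<Directory /mnt/webdav/davdata>
    Dav On
    AllowOverride None
    Options Indexes

    # Authentication settings shared by both method containers below.
    AuthName "DAV File Share"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    # host and base DN assumed; ?mail means users log in with their mail attribute
    AuthLDAPUrl ldap://ldap.company.example/ou=people,dc=company,dc=com?mail
    AuthLDAPBindDN cn=ldapuser,dc=company,dc=com
    AuthLDAPBindPassword CHANGEME_BIND_PASSWORD
    # posixGroup style membership: memberUid holds plain user names, not DNs
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Read-only methods. PROPFIND is required because DAV clients begin
    # every operation with it; OPTIONS is used for capability discovery
    # and REPORT for DeltaV-style queries. Both groups may use these.
    <Limit GET HEAD OPTIONS PROPFIND REPORT>
        Order deny,allow
        Deny from all
        Require ldap-group cn=davdata-rw,ou=groups,dc=company,dc=com
        Require ldap-attribute gidNumber=1300
        Require ldap-group cn=davdata-ro,ou=groups,dc=company,dc=com
        Require ldap-attribute gidNumber=1400
        Satisfy any
    </Limit>

    # Every other method (PUT, DELETE, MKCOL, PROPPATCH, COPY, MOVE, LOCK,
    # UNLOCK, and anything a future client invents) is write access and is
    # limited to the read-write group. <LimitExcept> is used rather than a
    # second <Limit> listing write methods so that an unlisted method falls
    # on the restricted side by default.
    <LimitExcept GET HEAD OPTIONS PROPFIND REPORT>
        Order deny,allow
        Deny from all
        Require ldap-group cn=davdata-rw,ou=groups,dc=company,dc=com
        Require ldap-attribute gidNumber=1300
        Satisfy any
    </LimitExcept>
</Directory>
```

Two points worth checking in a real deployment. First, with AuthLDAPGroupAttributeIsDN off, mod_authnz_ldap compares the user name typed by the client against the memberUid values, so if users authenticate with their mail address (as the ?mail attribute in the URL implies) but memberUid holds POSIX uids, the ldap-group lines never match and the gidNumber lines alone decide access; in that case any account whose primary group is 1300 or 1400 is admitted whether or not it is listed in the group. Second, Deny from all together with Satisfy any means the host-based rule always fails and only the Require lines can admit a request, which is the intended behaviour, but it also means a typo in a group DN silently locks that group out rather than opening access, so a quick check with a member of each group after every change is worthwhile.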

