Question

I want to give users access to WebDav using Apache, but I want to authenticate them first and give each user access to a specific folder. All authentication must be done against a Django-based database. I can get the Django-authentication working myself, but I need help with the part where I authenticate each user and provide them with a dedicated webdav user-specific area.

Any hints?


Solution

You might find that the apache mod_authn_dbd module gives you what you want. This module lets apache check an SQL database for authentication and authorization. You would use this directive in the <Location>, <Directory> (etc) area that you are trying to protect:

<Directory /usr/www/myhost/private>
    # other config here
    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery \
        "SELECT password FROM authn WHERE user = %s"
</Directory>

Strictly speaking, this means you're authenticating against Django's database, not against the Django app itself. Note that you have full control over the query, so you CAN combine it with other parameters in any tables to make sure the user is in good standing, or in certain groups, or whatever, before allowing the authentication.

You may need to fuss around a bit to make sure the hashing mechanisms used are the same in both apache and django.

If this doesn't suit, consider moving your authentication out of the django database into, say, an LDAP server. With a custom authentication backend (there are existing LDAP implementations for django out there), django will happily use LDAP... and LDAP auth/auth support in Apache is quite robust.

OTHER TIPS

First, for you other readers, my authentication was done against Django using a WSGI authentication script.

Then, there's the meat of the question, giving each Django user, in this case, their own WebDav dir separated from other users. Assuming the following WebDAV setup in the Apache virtual sites configuration (customarily in /etc/apache2/sites-enabled/):

<Directory /webdav/root/on/server>
    DAV On

    # No .htaccess allowed
    AllowOverride None

    Options Indexes

    AuthType Basic
    AuthName "Login to your webdav area"
    Require valid-user
    AuthBasicProvider wsgi
    WSGIAuthUserScript /where/is/the/authentication-script.wsgi
</Directory>

Note how there's no public address for WebDav set up yet. This, and the user area thing, is fixed in two lines in the same config file (put these after the ending clause):

RewriteEngine On
RewriteRule ^/webdav-url/(.*?)$ /webdav/root/on/server/%{LA-U:REMOTE_USER}/$1

Now, webdav is accessed on http://my-server.com/webdav-url/. The user gets a login prompt and will then land in a subdirectory of the webdav root, having the same name as their username. LA-U: makes Apache "look ahead" and let the user sign in before determining the mounting path, which is crucial since that path depends on the user name. Without some rewrite-rule there will be no URL, and the user won't get a login prompt. In other words, LA-U avoids a catch-22 for this type of login handling.

Precautions: requires mod_rewrite to be enabled, and user names must be valid as dir names without any modification. Also, the user dirs won't be created automatically by these commands, so their existence must be assured in some other way.
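One way to meet both precautions above, as an added example that is not part of the original answer: a Python provisioning helper that creates a user's directory only when the user name is safe as a single path component under the WebDAV root. The allow-list pattern and the names `user_dir`, `provision` and `demo` are assumptions made for this example.

```python
import os
import re
import tempfile

# Assumption: a conservative allow-list for names used as one path component.
# It must start with a letter, digit or underscore, so ".", ".." and dotfiles fail.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.@+-]{0,149}")


def user_dir(dav_root, username):
    """Return the per-user directory under dav_root, or raise ValueError."""
    if not SAFE_NAME.fullmatch(username):
        raise ValueError("unsafe user name: %r" % username)
    root = os.path.realpath(dav_root)
    path = os.path.realpath(os.path.join(root, username))
    # After resolving symlinks the result must be a direct child of the root.
    if os.path.dirname(path) != root:
        raise ValueError("path leaves the WebDAV root: %r" % username)
    return path


def provision(dav_root, usernames):
    """Ensure user directories exist; return (accepted, rejected) name lists."""
    accepted, rejected = [], []
    for name in usernames:
        try:
            path = user_dir(dav_root, name)
        except ValueError:
            rejected.append(name)
            continue
        os.makedirs(path, mode=0o750, exist_ok=True)
        accepted.append(name)
    return accepted, rejected


def demo():
    # Constructed sample names; in practice they would come from Django's user table.
    names = ["alice", "bob.smith", "../alice", "carol/..", "", ".hidden",
             "dave@example.com"]
    with tempfile.TemporaryDirectory() as root:
        accepted, rejected = provision(root, names)
        return accepted, rejected, sorted(os.listdir(root))


if __name__ == "__main__":
    print(demo())
```

Rejected names are the ones to rename or block at account creation, since the rewrite rule inserts the authenticated user name into the path unchanged.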

I know this question is old, but just as an addition... If you are using mod_python, you may also be interested in the "Authenticating against Django’s user database from Apache" section of the Django documentation.

Licensed under: CC-BY-SA with attribution