Apache based WebDAV Server with LDAP and SSL

Saqib Ali

 saqib@seagate.com
         

yomoyomo - Japanese translation

ymgrtq@ma.neweb.ne.jp

Revision History
Revision v4.1.0             2003-09-02        Revised by: sa
Updated the SSL section based on reader feedback.
Revision v4.0.2             2003-08-01        Revised by: sa
Minor updates to the Apache configuration and command lines. Added a note
about /dev/random to the SSL section.
Revision v4.0.1             2003-07-27        Revised by: sa
Added details to the SSL section.
Revision v4.0               2003-06-29        Revised by: sa
Updated the HOWTO for Apache 2.0. The source is now XML.

  This document is a HOWTO on installing an Apache-based WebDAV server
that uses LDAP for authentication and SSL for encryption.

 

Table of Contents
1. Introduction
   
    1.1. About this document
    1.2. Contributing to this document
    1.3. What is Apache?
    1.4. What is WebDAV?
    1.5. What is PHP?
    1.6. What is MySQL?
    1.7. What do I need?
    1.8. Assumptions
   
2. Requirements
   
    2.1. Basics
    2.2. Apache 2.0.46
    2.3. OpenSSL
    2.4. iPlanet LDAP libraries
    2.5. mod_auth_ldap
    2.6. MySQL DB engine
    2.7. PHP
   
3. Installation
   
    3.1. Prerequisites
    3.2. MySQL
    3.3. Apache 2.0
    3.4. mod_auth_ldap
    3.5. CERT DB for LDAPS://
    3.6. PHP
   
4. Configuring and starting the WebDAV service
   
    4.1. Modifying /usr/local/apache/conf/httpd.conf
    4.2. Creating the directory for DAVLockDB
    4.3. Enabling DAV
    4.4. Creating the DAVtest directory
    4.5. Restarting Apache
    4.6. Checking that the WebDAV server is protocol compliant
   
5. Administering the WebDAV server
   
    5.1. Restricting access to the DAV share
    5.2. Restricting write access to the DAV share
   
6. Protecting WebDAV traffic with SSL
   
    6.1. Introduction to SSL
    6.2. Test certificate
    6.3. Certificate for production use
    6.4. How to create a CSR
    6.5. Installing the server private key and server certificate
    6.6. Pass phrase for the RSA private key
    6.7. Trusted certificate authorities
   
7. About this translation
PKI Glossary

1. Introduction

 The goal of this document is to build an Apache + MySQL + PHP + WebDAV
based web application server that uses LDAP for authentication. The
document also describes in detail how to encrypt LDAP transactions.

    Note: If you run into problems installing Apache or any of its
    modules, please contact <saqib@seagate.com>.
   
 

1.1. About this document

 This document was originally written in 2001. Since then it has received
many updates and additions. Thanks to everyone who contributed updates.

 The XML source of this document is available at
http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml

 The latest version of this document is available at
http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.html

 

1.2. Contributing to this document

 If you would like to contribute to this HOWTO, download the XML source
from http://www.xml-dev.com:8080/cocoon/mount/docbook/Apache-WebDAV-LDAP-HOWTO.xml,
add your name to the author list, and send the updated source to
saqib@seagate.com :) That way, whenever the document is updated, it is
easy to get in touch with each contributor. Thank you.

 

1.3. What is Apache?

 The Apache HTTP server is an open source HTTP server for modern
operating systems, including UNIX and Windows NT. Apache provides HTTP
services in line with the current HTTP standards.

 The Apache web server can be downloaded freely from
http://httpd.apache.org/.

 

1.4. What is WebDAV?

 WebDAV stands for Web enabled Distributed Authoring and Versioning. It
allows users to edit and manage files on a web server. Technically, DAV
is an extension of the HTTP protocol.

 The extensions DAV provides are summarised below.

 Overwrite protection: a locking and unlocking mechanism that prevents
the "lost update" problem. The DAV protocol supports both shared and
exclusive locks.

 Properties: metadata (title, subject, creator and so on).

 Namespace management: copying, renaming, moving and deleting files.

 Access control: limiting access to various resources. DAV assumes that
access control is handled appropriately elsewhere and does not itself
provide a strong authentication mechanism.

 Versioning: revision control of documents. Versioning is not yet
implemented.

 

1.5. What is PHP?

 PHP (a recursive acronym for "PHP: Hypertext Preprocessor") is a widely
used, open source, general-purpose scripting language that is especially
suited for web development and can be embedded in HTML.

 PHP is available from http://www.php.net.

 

1.6. What is MySQL?

 MySQL, the most popular open source SQL database in the world, is
developed, distributed and supported by MySQL AB.

 The MySQL DB engine can be downloaded from http://www.mysql.com/.

 

1.7. What do I need?

  The following tools are needed to reach our goal.

 i. A C compiler such as GCC
   
ii. The Apache 2 web server
   
iii. The LDAP module for Apache
   
iv. The iPlanet LDAP library files
   
 v. An SSL engine
   
vi. PHP
   
vii. The MySQL DB engine
   
    Note: All of these packages are free and can be downloaded from the
    net.
   
 

1.8. Assumptions

 This document assumes that the following are already installed on your
system.

 i.  gzip or gunzip - http://www.gnu.org
   
ii.  gcc and GNU make - http://www.gnu.org
   
 

2. Requirements

 The following packages must be downloaded and compiled. This document
walks through the compile steps, but you should be familiar with
installing software from source code.

 

2.1. Basics

 You need a Solaris or Linux machine with the GNU CC compiler installed.
GNU gunzip and GNU tar are also required.

 

2.2. Apache 2.0.46

 Apache is the HTTP server on which the WebDAV application server runs.
Download the Apache 2.0.46 source code from
http://www.apache.org/dist/httpd/.

 

2.3. OpenSSL

 You need to download OpenSSL from http://www.openssl.org/source/. Get
the latest version. After OpenSSL is installed, Apache is built with
mod_ssl, and the web server uses the SSL libraries to manage its SSL
certificates. Download the gzipped OpenSSL source code to
/tmp/downloads.

 

2.4. iPlanet LDAP libraries

  Download the iPlanet LDAP SDK from
http://wwws.sun.com/software/download/products/3ec28dbd.html. We use
the iPlanet LDAP SDK because it is the library that can be used for
ldaps:// (LDAP over SSL).

 

2.5. mod_auth_ldap

 We use mod_auth_ldap to add LDAP support to Apache. Download
mod_auth_ldap from
http://www.muquit.com/muquit/software/mod_auth_ldap/mod_auth_ldap_apache2.html.

 

2.6. MySQL DB engine

 Download the MySQL build for your platform from
http://www.mysql.com/downloads/index.html.

 

2.7. PHP

 Download the PHP source code from http://www.php.net/downloads.php.

 

3. Installation

 First we install the prerequisites listed above, then the main
components.

 

3.1. Prerequisites

 The application server we are about to install needs the SSL library
and the LDAP library. An SSL engine is also required for Apache 2.x to
operate with SSL certificates.

 

3.1.1. iPlanet LDAP SDK

 Become root with the su command.

$ su -

 Create the directory /usr/local/iplanet-ldap-sdk.5 and copy
ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar.gz from /tmp/downloads
into it.

# mkdir /usr/local/iplanet-ldap-sdk.5
# cp /tmp/downloads/ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar /usr/local/iplanet-ldap-sdk.5
# cd /usr/local/iplanet-ldap-sdk.5
# tar -xvf ldapcsdk5.08-Linux2.2_x86_glibc_PTH_OPT.OBJ.tar

 This directory now contains all the iPlanet LDAP library files we need.

 

3.1.2. OpenSSL engine

  Next, the OpenSSL engine must be installed.

 OpenSSL is an open source implementation of the SSL/TLS protocols. It is
needed to create and manage the SSL certificates for the web server, and
it also provides the library used by the Apache SSL module.

 Change to the directory holding the OpenSSL source files, unpack them,
then configure, build, test and install.

# cd /tmp/download
# gzip -d openssl.x.x.tar.gz
# tar -xvf openssl.x.x.tar
# cd openssl.x.x
# ./config
# make
# make test
# make install

 Once make install completes, the OpenSSL binaries should be under
/usr/local/ssl.

 

3.2. MySQL

 Installing MySQL is very simple. Just place the downloaded binaries in
the appropriate directory.

 First create a user and a group for the MySQL daemon and copy the files
into place.

# groupadd mysql
# useradd -g mysql mysql
# cd /usr/local
# gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf -
# ln -s full-path-to-mysql-VERSION-OS mysql

  Run the install_db script and change the file permissions.

# cd mysql
# scripts/mysql_install_db
# chown -R mysql .

 

3.2.1. Starting MySQL

 Now start MySQL and check that the installation went correctly.

# bin/mysqld_safe --user=mysql &

 Use the ps -ef command to confirm that the MySQL daemon is running. You
should see output like the following.

# ps -ef | grep mysql
root      3237     1  0 May29 ?        00:00:00 /bin/sh bin/safe_mysqld
mysql     3256  3237  0 May29 ?        00:06:58 /usr/local/mysql/bin/mysqld --defaults-extra-file=/usr/local/mysql/data/my.cnf --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --user=mysql --pid-file=/usr/local/mysql/data/downloa

 

3.2.2. Stopping MySQL

 To stop the MySQL server, follow these steps.

# cd /usr/local/mysql
# ./bin/mysqladmin -u root -p shutdown

 

3.2.3. Locating the data directory

 The MySQL daemon stores everything in a directory called the "data
directory". If you followed the installation steps above, the data
directory should be /usr/local/mysql/data.

 To find the location of the data directory, use the mysqladmin utility
as follows.

# /usr/local/mysql/bin/mysqladmin variables -u root --password={your_password} | grep datadir

 

3.3. Apache 2.0

 First set the flags used for compilation.

# export LDFLAGS="-L/usr/local/iplanet-ldap-sdk.5/lib/ -R/usr/local/iplanet-ldap-sdk.5/lib/:/usr/local/lib"
# export CPPFLAGS="-I/usr/local/iplanet-ldap-sdk.5/include"

  Unpack the Apache 2.0 source files and run the configure script.

# cd /tmp/download
# gzip -d httpd-2.0.46.tar.gz
# tar -xvf httpd-2.0.46.tar
# cd httpd-2.0.46
# ./configure --enable-so --with-ssl --enable-ssl --enable-rewrite --enable-dav

  Then run the make command.

# make
# make install

 

3.3.1. Starting Apache

# /usr/local/apache2/bin/apachectl start

 

3.3.2. Stopping Apache

# /usr/local/apache2/bin/apachectl stop

 

3.4. mod_auth_ldap

 Unpack modauthldap_apache2.tar.gz.

# cd /tmp/download
# gzip -d modauthldap_apache2.tar.gz
# tar -xvf modauthldap_apache2.tar
# cd modauthldap_apache2

 Then configure and install mod_auth_ldap.

# ./configure --with-apxs=/usr/local/apache2/bin/apxs --with-ldap-dir=/usr/local/iplanet-ldap-sdk.5/
# make
# make install

 

3.5. CERT DB for LDAPS://

 Obtain cert7.db and key7.db (from http://www.xml-dev.com/xml/cert7.db
and http://www.xml-dev.com/xml/key3.db) and place them in the
/usr/local/apache2/sslcert/ directory.

 

3.6. PHP

 Unpack the PHP source files.

# gzip -d php-xxx.tar.gz
# tar -xvf php-xxx.tar

 Run configure, then make.

# cd php-xxx
# ./configure --with-mysql --with-apxs=/usr/local/apache2/bin/apxs

 Compile the source code.

# make
# make install

 Copy the php.ini file to the appropriate directory.

# cp php.ini-dist /usr/local/lib/php.ini

 

4. Configuring and starting the WebDAV service

 This is the easy part. In this section we enable WebDAV for a directory
under the Apache document root.

 

4.1. Modifying /usr/local/apache/conf/httpd.conf

  Check that /usr/local/apache/conf/httpd.conf contains the following
Apache directive.

  Addmodule mod_dav.c

 If it is not there, add it. This directive tells Apache about the DAV
capability. It must be placed outside any container.

  Next, you need to tell Apache where to store the DAVLockDB file. The
DAVLockDB is the lock database for WebDAV. The directory holding it must
be writable by the httpd process.

  I keep the DAVLock file under /usr/local/apache/var. That directory is
also used for other purposes. So add the following line to
/usr/local/apache/conf/httpd.conf to tell Apache to keep the DAVLockDB
file under /usr/local/apache/var.

  DAVLockDB      /usr/local/apache/var/DAVLock

 This directive, too, must be placed outside any container.

 

4.2. Creating the directory for DAVLockDB

 As mentioned above, a directory writable by the web server process must
be created for the DAVLockDB. The web server process usually runs as
the user 'nobody'. Confirm this with the following command.

# ps -ef | grep httpd

 Create the directory under /usr/local/apache and set its permissions
with the following commands.

  # cd /usr/local/apache
  # mkdir var
  # chmod -R 755 var/
  # chown -R nobody var/
  # chgrp -R nobody var/

 

4.3. Enabling DAV

 Enabling DAV is very easy. To enable DAV for a directory under the
Apache document root, add the following directive to the container that
configures that directory.

  DAV On

 This directive enables DAV for the specified directory and all of its
subdirectories.

 Below is a sample configuration that enables WebDAV and LDAP
authentication for /usr/local/apache/htdocs/DAVtest. Put it in the
/usr/local/apache/conf/httpd.conf file.

 DavLockDB /tmp/DavLock                                                
<Directory "/usr/local/apache2/htdocs/DAVtest">                        
Options Indexes FollowSymLinks                                         
AllowOverride None                                                     
order allow,deny                                                       
allow from all                                                         
AuthName "SMA Development server"                                      
AuthType Basic                                                         
LDAP_Debug On                                                          
#LDAP_Protocol_Version 3                                               
#LDAP_Deref NEVER                                                      
#LDAP_StartTLS On                                                      
LDAP_Server you.ldap.server.com                                        
#LDAP_Port 389                                                         
# If SSL is on, must specify the LDAP SSL port, usually 636            
LDAP_Port 636                                                          
LDAP_CertDbDir /usr/local/apache2/sslcert                              
Base_DN "o=SDS"                                                        
UID_Attr uid                                                           
DAV On                                                                 
#require valid-user                                                    
require valid-user                                                     
#require roomnumber "123 Center Building"                              
#require filter "(&(telephonenumber=1234)(roomnumber=123))"            
#require group cn=rcs,ou=Groups                                        
</Directory>                                                           

 

4.4. Creating the DAVtest directory

 As stated in the previous section, every DAV directory must be writable
by the web server process. In this example we assume the web server runs
as the user 'nobody', which is usually the case. To check which user
httpd runs as, use the following command.

# ps -ef | grep httpd

 Create a test directory called 'DAVtest' under /usr/local/apache/htdocs.

# mkdir /usr/local/apache/htdocs/DAVtest

 Change the permissions so that the httpd process can write to the
directory. If httpd runs as the user 'nobody', use the following
commands.

  # cd /usr/local/apache/htdocs
  # chmod -R 755 DAVtest/
  # chown -R nobody DAVtest/
  # chgrp -R nobody DAVtest/
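 The ownership and permission requirements of sections 4.2 and 4.4 (the
DAVLockDB directory and every DAV directory must be writable by the httpd
user, and by nobody else) can be checked programmatically. The following
Python script is an added example and not part of this HOWTO:
dav_dir_findings() reports a directory that is not owned by the expected
httpd user, that its owner cannot write to, or that is world-writable (a
mode such as 777 would let any local user plant or replace files in the
DAV tree or the lock database). The user name 'nobody' is the HOWTO's
assumption about the httpd process; demo() uses the current user instead so
that it runs anywhere, and the function names are my own.

```python
"""Check that a DAV directory is writable by the httpd user and nobody else.

Added example, not part of the HOWTO. The user name 'nobody' is the HOWTO's
assumption about the httpd process; demo() uses the current user instead.
"""
import os
import pwd
import stat
import tempfile


def user_name(uid):
    """Resolve a uid to a name, falling back to the number if it has no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def dav_dir_findings(path, httpd_user):
    """Return the problems found; an empty list means the directory matches the chown/chmod above."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    mode = stat.S_IMODE(st.st_mode)
    owner = user_name(st.st_uid)
    findings = []
    if owner != httpd_user:
        findings.append("owner is %s, expected %s" % (owner, httpd_user))
    if not mode & stat.S_IWUSR:
        findings.append("owner cannot write (mode %o)" % mode)
    # 755 lets others read the tree; 777 would let any local user write to it.
    if mode & stat.S_IWOTH:
        findings.append("directory is world-writable (mode %o)" % mode)
    return findings


def demo():
    """Run the check on a temporary directory in three states: as configured, too open, wrong owner."""
    me = user_name(os.getuid())
    path = tempfile.mkdtemp(prefix="DAVtest-")
    try:
        os.chmod(path, 0o755)
        as_configured = dav_dir_findings(path, me)
        os.chmod(path, 0o777)
        too_open = dav_dir_findings(path, me)
        wrong_owner = dav_dir_findings(path, "nobody" if me != "nobody" else "root")
    finally:
        os.rmdir(path)
    return as_configured, too_open, wrong_owner


if __name__ == "__main__":
    for label, result in zip(("as configured", "too open", "wrong owner"), demo()):
        print(label + ":", result or "ok")
```

 To check a real installation, call dav_dir_findings() with the directory
from the commands above and the user shown by ps -ef | grep httpd, for
example dav_dir_findings("/usr/local/apache/htdocs/DAVtest", "nobody").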

 

4.5. Restarting Apache

 Finally, run the configuration test routine built into Apache to check
the syntax of httpd.conf.

# /usr/local/apache/bin/apachectl configtest

  If you get an error message, check that every step above was carried
out correctly. If you cannot make sense of the error message, feel free
to send it to me by e-mail (saqib@seagate.com <mailto:saqib@seagate.com>).

 If the configuration test passes, start the Apache web server.

# /usr/local/apache/bin/apachectl restart

 You now have an Apache server with LDAP authentication, SSL encryption
and WebDAV enabled.

 

4.6. Checking that the WebDAV server is protocol compliant

 It is very important that the WebDAV functionality you have just
installed is fully compliant with version 2 of the WebDAV protocol. If it
is not fully compatible, client WebDAV applications will not work
properly.

 To check protocol compliance, we use a tool called Litmus. Litmus is a
WebDAV server protocol compliance test suite; its purpose is to check
whether a server complies with the WebDAV protocol as specified in
RFC2518.

 Download the Litmus source code from http://www.webdav.org/neon/litmus/
and put it in the /tmp/downloads directory.

 Then unpack the files with gzip and tar.

# cd /tmp/downloads
# gzip -d litmus-0.6.x.tar.gz
# tar -xvf litmus-0.6.x.tar
# cd litmus-0.6.x

 Compiling and installing Litmus is simple.

# ./configure
# make
# make install

 make install puts the Litmus binary under /usr/local/bin and its help
file under /usr/local/man.

 To check that the installed WebDAV server is protocol compliant, use
the following command.

# /usr/local/bin/litmus http://you.dav.server/DAVtest userid passwd

 

5. Administering the WebDAV server

 This section describes various administrative tasks, such as
configuring LDAP for access control and configuring the DAV methods in
Apache.

 Most changes to the DAV configuration are made in the httpd.conf file,
which lives at /usr/local/apache/conf/httpd.conf.

 httpd.conf is Apache's plain-text configuration file. It can be edited
with any text editor; I prefer vi. Make a backup copy of the file before
making any changes.

 After changing httpd.conf you must restart the Apache server with the
/usr/local/apache/bin/apachectl restart command. Before restarting,
however, test whether httpd.conf is configured correctly with the
/usr/local/apache/bin/apachectl configtest command.

 

5.1. Restricting access to the DAV share

 When we created the DAVtest share in the previous section, we used LDAP
for authentication. In that example, anyone who can authenticate with an
LDAP user ID and password can access the folder.

 By changing the require directive in httpd.conf, you can restrict
access to particular users or groups.

 Let us look at the DAVtest configuration from the previous section
again.

  <Directory /usr/local/apache/htdocs/DAVtest>                               
  Dav On                                                                     
  #Options Indexes FollowSymLinks                                            
                                                                             
  AllowOverride None                                                         
  order allow,deny                                                           
  allow from all                                                             
  AuthName "LDAP_userid_password_required"                                   
  AuthType Basic                                                             
  <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> 
  Require valid-user                                                         
  </Limit>                                                                   
  LDAP_Server ldap.server.com                                                
  LDAP_Port 389                                                              
  Base_DN "o=ROOT"                                                           
                                                                             
  UID_Attr uid                                                               
  </Directory>                                                               

 With the require directive set to valid-user, any authenticated user can
access the folder.

 

5.1.1. Restricting access by user UID

 You can restrict access to a DAV folder by LDAP UID.

 Replace the require valid-user directive with require user 334455 445566.

 This restricts access to the users whose UIDs are 334455 and 445566.
Nobody else can access the folder.

 

5.1.2. Restricting access by user group

 The require directive can also be used to restrict access by user
group. This is done with either LDAP groups or LDAP filters. If you use
filters, you need to be familiar with LDAP filter syntax.

 

5.2. Restricting write access to the DAV share

 Even where anyone may read a DAV shared resource, you may need to limit
editing of that resource to particular users. This is easily done with
the <Limit> tag in the httpd.conf file.

  <Directory /usr/local/apache/htdocs/DAVtest>                               
  Dav On                                                                     
  #Options Indexes FollowSymLinks                                            
                                                                             
  AllowOverride None                                                         
  order allow,deny                                                           
  allow from all                                                             
  AuthName "LDAP_userid_password_required"                                   
  AuthType Basic                                                             
  <Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK> 
  Require valid-user                                                         
  </Limit>                                                                   
  LDAP_Server ldap.server.com                                                
  LDAP_Port 389                                                              
  Base_DN "o=ROOT"                                                           
                                                                             
  UID_Attr uid                                                               
  </Directory>                                                               

 By changing <Limit> as follows, write access is restricted to a
particular user.

  <Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
  Require user 334455
  </Limit>

 In short, the PUT, POST, DELETE, PROPPATCH, MKCOL, COPY, MOVE, LOCK and
UNLOCK methods can only be used by the user whose UID is 334455. Anyone
can use GET and PROPFIND on the resource, because no restriction applies
to those methods.
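 The effect of a <Limit> block is easy to misjudge: it restricts only the
methods it lists, and every other method stays open, which is exactly why
GET and PROPFIND become anonymous above. The following Python auditor is
an added example and not part of this HOWTO. It parses the two
<Directory> configurations from this section (embedded as constructed
sample text) and reports which methods are guarded by which Require rule
and which are left unauthenticated. It deliberately includes OPTIONS and
HEAD, which WebDAV clients send as well and which neither configuration
above mentions; the function names and the method list are my own.

```python
"""Audit which methods a <Directory> block leaves unauthenticated.

Added example, not part of the HOWTO. Only <Limit> containers and bare
Require lines are interpreted; comment lines (#require ...) are ignored.
"""
import re

# Methods the HOWTO's <Limit> lines enumerate, plus OPTIONS and HEAD, which
# WebDAV clients also send and which stay open unless a <Limit> names them.
DAV_METHODS = ("OPTIONS", "HEAD", "GET", "PUT", "POST", "DELETE", "PROPFIND",
               "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK")

LIMIT_RE = re.compile(r"<Limit\s+([^>]+)>(.*?)</Limit>", re.IGNORECASE | re.DOTALL)
REQUIRE_RE = re.compile(r"^[ \t]*Require[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

# Constructed sample: the 5.2 configuration with every method listed ...
FULL_LIMIT_CONF = """\
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
AuthName "LDAP_userid_password_required"
AuthType Basic
<Limit GET PUT POST DELETE PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require valid-user
</Limit>
LDAP_Server ldap.server.com
</Directory>
"""

# ... and the narrowed <Limit> that guards only the writing methods.
WRITE_ONLY_CONF = """\
<Directory /usr/local/apache/htdocs/DAVtest>
Dav On
AuthName "LDAP_userid_password_required"
AuthType Basic
<Limit PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
Require user 334455
</Limit>
#require valid-user
</Directory>
"""


def method_policy(directory_block):
    """Map each method to the Require rule guarding it (None = no authentication needed)."""
    policy = {m: None for m in DAV_METHODS}
    for limit in LIMIT_RE.finditer(directory_block):
        rules = [r.group(1) for r in REQUIRE_RE.finditer(limit.group(2))]
        for meth in limit.group(1).upper().split():
            policy[meth] = "; ".join(rules) if rules else None
    # A Require outside every <Limit> applies to all methods at once.
    outside = [r.group(1) for r in REQUIRE_RE.finditer(LIMIT_RE.sub("", directory_block))]
    if outside:
        for meth, rule in policy.items():
            if rule is None:
                policy[meth] = "; ".join(outside)
    return policy


def unauthenticated_methods(directory_block):
    """Methods an anonymous client may use against this directory."""
    return [m for m, rule in method_policy(directory_block).items() if rule is None]


if __name__ == "__main__":
    for name, conf in (("full <Limit>", FULL_LIMIT_CONF), ("write-only <Limit>", WRITE_ONLY_CONF)):
        print(name, "leaves open:", ", ".join(unauthenticated_methods(conf)))
```

 Apache's <LimitExcept> container applies its Require to every method not
listed, so "<LimitExcept GET PROPFIND OPTIONS HEAD>" expresses "everything
that writes needs UID 334455" without having to enumerate each write
method, and a method you forgot to list cannot slip through.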

 

6. Protecting WebDAV traffic with SSL

  The security of data stored on file servers is becoming more and more
important. If data is tampered with, the consequences for a business can
be serious. In the previous sections we built the LDAP authentication
module into Apache to provide an authentication mechanism. HTTP traffic,
however, is very insecure: everything is sent in clear text, including
the LDAP user ID and password used for authentication. That is the
problem. Anyone can sniff the user ID/password and gain access to the DAV
store. To prevent this, HTTP traffic has to be encrypted, essentially as
HTTP + SSL, that is, HTTPS. Everything carried over HTTPS is encrypted,
so the LDAP user ID/password cannot easily be sniffed. HTTPS runs on port
443. As compiled in the earlier sections, Apache listens on both port 80
(plain HTTP) and port 443 (HTTPS). If your server is used only for DAV, I
recommend closing port 80. This section gives an introduction to SSL and
information on managing SSL on the Apache HTTP server.

 

6.1. Introduction to SSL

  SSL (Secure Socket Layer) is a protocol layer that sits between the
network layer and the application layer. As its name implies, SSL
provides a mechanism for encrypting all kinds of traffic: LDAP, POP,
IMAP and, most importantly, HTTP.

  Below is a simplified view of the layers involved in SSL.

                                                                       
        +-------------------------------------------+                  
        |   LDAP   |    HTTP    |   POP   |   IMAP  |                  
        +-------------------------------------------+                  
        |                   SSL                     |                  
        +-------------------------------------------+                  
        |               Network Layer               |                  
        +-------------------------------------------+                  
                                                                       

 

6.1.1. Encryption algorithms used in SSL

  The encryption technologies used in SSL are of three kinds:
public/private key, symmetric key, and message digest.

  Public/private key encryption - starting the SSL connection: in this
algorithm, encryption and decryption are done with a pair of keys, a
public key and a private key. The web server keeps the private key and
puts the public key into a certificate, which it sends to the client.

 1.  The client requests content from the web server over HTTPS.
   
 2.  The web server answers with a digital certificate that contains the
     server's public key.
   
 3.  The client checks that the certificate has not expired.
   
 4.  The client then checks whether the certificate authority that
     signed the certificate is in the browser's list of trusted
     certificate authorities. This is why you need a certificate from a
     trusted CA.
   
 5.  Next, the client checks whether the web server's Fully Qualified
     Domain Name (FQDN) matches the Common Name (CN) in the certificate.
   
 6.  If all conditions are met, the SSL connection starts.
   
    Note: Whatever is encrypted with the private key can be decrypted
    with the public key. Likewise, whatever is encrypted with the public
    key can be decrypted with the private key. Normally the public key is
    used for encryption and the private key for decryption, but the other
    way round also works. The two keys form a pair: one encrypts, the
    other decrypts. Once something has been encrypted with one of the
    keys, only the other key can decrypt it. For example, a message
    encrypted with the public key cannot be decrypted with the public
    key.
   
     Using the private key for encryption and the public key for
    decryption assures the receiver of the sender's identity. Using the
    public key for encryption and the private key for decryption
    guarantees that only the intended receiver (the holder of the private
    key) can access the data. (In other words, only the holder of the
    private key can decrypt the message.)
   
  Symmetric key encryption - encrypting the data actually transferred:
once the SSL connection is established, symmetric key encryption is used
for the data, because public/private key encryption puts a heavy load on
the CPU. In symmetric encryption, data is encrypted and decrypted with the
same key. The symmetric key is exchanged at the start of the SSL session
using public/private key encryption.

 Message digest: the server uses message digest algorithms such as HMAC,
SHA and MD5 to verify the integrity of the transferred data.
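 Steps 3 to 5 above are the checks a client performs on the server's
certificate before any key exchange takes place. The following Python
function is an added example and not part of this HOWTO: it performs those
three checks on a certificate in the dict layout returned by Python's
ssl.SSLSocket.getpeercert(), and the sample certificate is constructed from
the fields shown in section 6.5.2 (it is not a real certificate). Comparing
the issuer's name against a trust list stands in for the real step 4, in
which the TLS library verifies the CA's signature against its trust store;
the hostname check also accepts DNS subjectAltName entries, which current
clients prefer over the CN. The function names and the trust list are my
own.

```python
"""Client-side certificate checks from the handshake description (steps 3-5).

Added example, not part of the HOWTO. Certificates use the dict layout of
ssl.SSLSocket.getpeercert(); the sample below is constructed from the
fields shown in section 6.5.2 and is not a real certificate.
"""
import ssl
import time

SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GTE Corporation"),),
               (("commonName", "GTE CyberTrust Root"),)),
    "subject": ((("countryName", "US"),),
                (("stateOrProvinceName", "New York"),),
                (("localityName", "Pelham"),),
                (("organizationName", "xml-dev"),),
                (("organizationalUnitName", "web"),),
                (("commonName", "www.xml-dev.com"),)),
    "notBefore": "Feb  8 03:25:50 2000 GMT",
    "notAfter": "Feb  8 03:25:50 2001 GMT",
    "subjectAltName": (("DNS", "www.xml-dev.com"),),
}


def rdn_to_dict(rdn_sequence):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {key: value for rdn in rdn_sequence for key, value in rdn}


def check_server_certificate(cert, fqdn, trusted_issuers, now=None):
    """Return the failed checks; an empty list means the client would proceed.

    `now` may be seconds since the epoch or a string in OpenSSL's
    "Feb  8 03:25:50 2000 GMT" format (what ssl.cert_time_to_seconds parses).
    """
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    failures = []

    # Step 3: the certificate must be inside its validity period.
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        failures.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        failures.append("expired")

    # Step 4: the issuing CA must be one the client trusts. A real TLS stack
    # verifies the CA's signature against its trust store; here the issuer
    # name is looked up in a trust list to show the decision being made.
    issuer_cn = rdn_to_dict(cert["issuer"]).get("commonName")
    if issuer_cn not in trusted_issuers:
        failures.append("issuer not trusted: %s" % issuer_cn)

    # Step 5: the server's FQDN must match the CN (or a DNS subjectAltName).
    names = {rdn_to_dict(cert["subject"]).get("commonName")}
    names.update(value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS")
    names = {n for n in names if n}
    if fqdn.lower() not in {n.lower() for n in names}:
        failures.append("hostname mismatch: certificate is for %s" % ", ".join(sorted(names)))
    return failures


if __name__ == "__main__":
    trusted = {"GTE CyberTrust Root"}
    print(check_server_certificate(SAMPLE_CERT, "www.xml-dev.com", trusted, "Jun  1 00:00:00 2000 GMT"))
    print(check_server_certificate(SAMPLE_CERT, "dav.server.com", trusted, "Jun  1 00:00:00 2003 GMT"))
```

 With the sample certificate, a client that trusts "GTE CyberTrust Root"
and connects to www.xml-dev.com in mid-2000 passes all three checks; the
same connection in 2003 fails on expiry, and a connection to any other
host name fails on the CN check of step 5.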

 

6.2. Test certificate

 While compiling Apache, we created a test certificate. We used the
makefile provided by mod_ssl to create our own certificate, with the
following command.

# make certificate TYPE=custom

 This certificate can be used for testing purposes.

 

6.3. Certificate for production use

  For production use, you need a certificate from a Certificate Authority
(CA). Certificate authorities are authentication vendors, and users'
browsers and clients are set up with a list of CAs they trust. As
described in the section on encryption algorithms, if the CA is not in
the list of trusted certificate authorities, users receive a warning
message when they try to connect to the protected site.

  Likewise, a test certificate makes the user's browser display a warning
message.

 

6.4. How to create a CSR

  A CSR, a Certificate Signing Request, must be sent to a trusted CA to
be signed. This section describes how to create a CSR and send it to the
CA of your choice. As shown below, the # openssl req command is used to
create the CSR.

# cd /usr/local/apache/conf/                                                     
# /usr/local/ssl/bin/openssl req -new -nodes -keyout private.key -out public.csr 
Generating a 1024 bit RSA private key                                            
............++++++                                                               
....++++++                                                                       
writing new private key to 'private.key'                                         
-----                                                                            
You are about to be asked to enter information that will be incorporated         
into your certificate request.                                                   
What you are about to enter is what is called a Distinguished Name or a DN.      
There are quite a few fields but you can leave some blank                        
For some fields there will be a default value,                                   
If you enter '.', the field will be left blank.                                  
-----                                                                            
Country Name (2 letter code) [AU]:US                                             
State or Province Name (full name) [Some-State]:California                       
Locality Name (eg, city) []:San Jose                                             
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Seagate               
Organizational Unit Name (eg, section) []:Global Client Server                   
Common Name (eg, YOUR name) []:xml.seagate.com                                   
Email Address []:saqib@seagate.com                                               
                                                                                 
Please enter the following 'extra' attributes                                    
to be sent with your certificate request                                         
A challenge password []:badpassword                                              
An optional company name []:

    "PRNG not seeded": if your system has no /dev/random, you will get
    the error message "PRNG not seeded". In that case, use the following
    command.
   
    # /usr/local/ssl/bin/openssl req -rand some_file.ext -new -nodes -keyout private.key -out public.csr
   
     some_file.ext can be any file on your system. OpenSSL uses it to
    seed the random number generator.
   
  At this point, you are asked several questions about the server's
location in order to generate the certificate request.

  Note: Your Common Name is the fully qualified DNS name (FQDN) of the
web server, for example dav.server.com. If you enter anything else, it
will not work properly. Remember the password you entered here; you will
need it later.

 At the end of this process you have private.key and public.csr. Submit
public.csr to the certificate authority. At this stage, private.key is
not yet encrypted. To encrypt it, run the following commands.

# mv private.key private.key.unencrypted
# /usr/local/ssl/bin/openssl rsa -in private.key.unencrypted -des3 -out private.key

 

6.5. Installing the server private key and server certificate

 The certificate authority signs your request and returns an encoded
certificate (a digital certificate) to you. The digital certificate is in
the format defined by X.509 version 3. The structure of a typical X.509
version 3 digital certificate is shown below.

 * Certificate
   
      Version
       
      Serial Number
       
      Algorithm ID
       
      Issuer
       
      Validity
       
      
          Not Before
           
          Not After
           
      Subject
       
      Subject Public Key Info
       
      
          Public Key Algorithm
           
          RSA Public Key
           
      Extensions
       
 * Certificate Signature Algorithm
   
 * Certificate Signature
 

6.5.1. Verifying the digital certificate

 To verify an X.509 certificate, use the following command.

# openssl verify server.crt
server.crt: OK

 server.crt is the file containing the digital certificate.

 

6.5.2. Contents of the digital certificate

 The contents of the digital certificate can be viewed with the
# openssl x509 command, as follows.

# openssl x509 -text -in server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 312312312 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=GTE Corporation, CN=GTE CyberTrust Root
        Validity
            Not Before: Feb  8 03:25:50 2000 GMT
            Not After : Feb  8 03:25:50 2001 GMT
            Subject: C=US, ST=New York, L=Pelham, O=xml-dev, OU=web, CN=www.xml-dev.com/Email=saqib@xml-dev.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                ............
                ............
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        ............
        ............

 You need to place the certificate on the server and tell Apache where it
is.

 In this document, the private key is placed in the
/usr/local/apache2/conf/ssl.key/ directory and the server certificate in
the /usr/local/apache2/conf/ssl.crt/ directory.

 Copy the signed file returned by the certificate authority to the
/usr/local/apache2/conf/ssl.crt/ directory under the name server.crt.

 Then place the private.key generated in the earlier steps in the
/usr/local/apache2/conf/ssl.key/ directory.

 After that, modify /usr/local/apache2/conf/ssl.conf so that it points at
the private key and server certificate files.

#   Server Certificate:                                                
#   Point SSLCertificateFile at a PEM encoded certificate.  If         
#   the certificate is encrypted, then you will be prompted for a      
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep       
#   in mind that if you have both an RSA and a DSA certificate you     
#   can configure both in parallel (to also allow the use of DSA       
#   ciphers, etc.)                                                     
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt          
#SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server-dsa.crt     
                                                                       
#   Server Private Key:                                                
#   If the key is not combined with the certificate, use this          
#   directive to point at the key file.  Keep in mind that if          
#   you've both a RSA and a DSA private key you can configure          
#   both in parallel (to also allow the use of DSA ciphers, etc.)      
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/private.key      
#SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server-dsa.key  

 

6.6. Pass phrase for the RSA private key

 The RSA private key stored on the web server is normally encrypted, and
a pass phrase is needed to read the file. That is why Apache with mod_ssl
asks for a pass phrase when it starts.

 

# apachectl startssl                                                   
Apache/1.3.23 mod_ssl/2.8.6 (Pass Phrase Dialog)                       
Some of your private key files are encrypted for security reasons.     
In order to read them you have to provide us with the pass phrases.    
Server your.server.dom:443 (RSA)                                       
Enter pass phrase:                                                     

 Encrypting the RSA private key is extremely important. If a cracker gets
hold of your "unencrypted RSA private key", he or she can easily
impersonate your web server. If the private key is encrypted, the cracker
has to break the pass phrase by brute force before anything can be done
with the key. Using a strong (that is, long) pass phrase is recommended.

 Being asked for a pass phrase every time the web server starts can be
annoying, though, and you may forget the pass phrase. If you use rc
scripts to start the web server at boot time, the pass phrase prompt
waits for input and the boot process stalls.

 The pass phrase prompt is easily stopped by decrypting the private key
(removing the pass phrase). Do this only if you really have to, however.
Before decrypting the web server's private key, I recommend reading your
organisation's security guidelines.

 To decrypt the key:

 First make a copy of the encrypted key.

# cp server.key server.key.cryp

 Then decrypt the key with the following command. You are asked for the
pass phrase of the encrypted key.

# /usr/local/ssl/bin/openssl rsa -in server.key.cryp -out server.key
read RSA key
Enter PEM pass phrase:
writing RSA key

  As a safety measure for the decrypted private key, make it readable
only by root.

# chmod 400 server.key
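 The two hygiene points of this section, a pass-phrase-protected key and a
key file readable only by root, can be checked before every restart. The
following Python audit is an added example and not part of this HOWTO:
key_findings() looks for the OpenSSL encryption headers ("Proc-Type:
4,ENCRYPTED" for the traditional format produced by the openssl rsa -des3
command in section 6.4, "ENCRYPTED PRIVATE KEY" for PKCS#8 keys) and for
group/other permission bits, and audit_key_file() applies it to a file on
disk. The PEM samples are constructed placeholders, not real keys, and the
function names are my own.

```python
"""Audit a server private key file: pass-phrase protection and permissions.

Added example, not part of the HOWTO. The PEM samples are constructed
placeholders, not real keys.
"""
import os
import stat

# Headers OpenSSL writes for an encrypted key (traditional format and PKCS#8).
ENCRYPTED_HEADERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")

# Constructed sample of a key as written by `openssl rsa -des3`; the body is a placeholder.
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

...placeholder base64 body (constructed sample, not a real key)...
-----END RSA PR IVATE KEY-----
""".replace("PR IVATE", "PRIVATE")

# Constructed sample of the same key after `openssl rsa -in server.key.cryp -out server.key`.
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
...placeholder base64 body (constructed sample, not a real key)...
-----END RSA PRIVATE KEY-----
"""


def key_findings(pem_text, mode, owner_uid):
    """Return the problems found; an empty list means the key is stored as this section recommends."""
    findings = []
    if not any(header in pem_text for header in ENCRYPTED_HEADERS):
        findings.append("private key is not pass-phrase protected")
    # Any group/other bit set means someone besides the owner can read or alter the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("key file is accessible to group or others (mode %o, want 400)" % mode)
    if owner_uid != 0:
        findings.append("key file is not owned by root")
    return findings


def audit_key_file(path):
    """Apply key_findings() to a file on disk, e.g. /usr/local/apache2/conf/ssl.key/private.key."""
    st = os.stat(path)
    with open(path) as f:
        return key_findings(f.read(), stat.S_IMODE(st.st_mode), st.st_uid)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, audit_key_file(path) or ["ok"])
```

 Run it against the key file named by SSLCertificateKeyFile in ssl.conf;
an empty result means the key is pass-phrase protected, mode 400 and owned
by root. The header check only tells you whether the file is encrypted;
whether the key itself is well-formed is what openssl rsa -check reports.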

 

6.7. Trusted certificate authorities

 Below is a list of certificate authorities trusted by various browsers.

 i. Baltimore <http://www.baltimore.com/>
   
ii. Entrust <http://www.entrust.com/>
   
iii. Thawte <http://www.thawte.com>
   
iv. Verisign <http://www.verisign.com>
   
 

7. About this translation

  This translation was produced by the Linux Japanese FAQ Project. For
questions about the translation, please contact the JF project
<JF@linux.or.jp>.

 

v4.1.0 edition

Translation:
   
      yomoyomo <ymgrtq@ma.neweb.ne.jp>
   
Proofreading:
   
        <nakano@apm.seikei.ac.jp>
       
        Seiji Kaneko <skaneko@a2.mbn.or.jp>
       
        <kgh12351@nifty.ne.jp>
       
        <matsuda@palnet.or.jp>
       
PKI Glossary

A

Asymmetric encryption
   
     This form of encryption uses a pair of keys, a private key and a
    public key. The private key is kept secret; the public key is
    distributed widely.
   
C

Certificate Authority (CA)
   
     The issuer of digital certificates. It confirms the identity of the
    end entity that holds a digital certificate.
   
Certificate Signing Request (CSR)
   
     A certificate signing request (CSR) is sent to a certificate
    authority (CA) when registering. The CSR contains the public key of
    the end entity requesting the digital certificate.
   
Common Name (CN)
   
     The Common Name is the name of an end entity, for example Saqib Ali.
    If the end entity is a web server, the CN is the web server's Fully
    Qualified Domain Name (FQDN).
   
D

Digital certificate
   
     Identification that binds an end entity's public key to that end
    entity (the owner of the key). It certifies the identity of the
    key's owner (the end entity) and is signed by the issuing CA.
   
Digital signature
   
     A digital signature is created by encrypting a message digest with
    a private key. It guarantees the identity of the signer and the
    integrity of the data.
   
E

End entity
   
     An entity participating in a PKI. Usually a server, a service, a
    router or a person. A CA is not an end entity. An RA is an end entity
    with respect to a CA.
   
P

Private key
   
     The private key is a key used in asymmetric encryption and is kept
    secret by its owner (the end entity). The private key is used for
    encryption, decryption and signing.
   
Public key
   
     The public key is a key used in asymmetric encryption and is
    distributed widely. The public key can be used for encryption and
    decryption.
   
Public Key Infrastructure (PKI)
   
     Public key infrastructure.
   
S

Secure Socket Layer (SSL)
   
     Secure Socket Layer (SSL) is a security protocol that provides
    authentication (digital certificates), confidentiality (encryption)
    and data integrity (message digests such as MD5 and SHA).
   
Symmetric encryption
   
     In this form of encryption, a message is encrypted and decrypted
    with the same key. If n people take part in a system that uses
    symmetric encryption, ((n^2-n))/2 keys are needed.
   
