At present, HTTP access to an ibay can only be restricted by a single password that must be shared among all users. With a few users that is workable, but in a company it is not conceivable.
I have done some coding for this purpose: allowing users and groups access to Apache shares and enabling mod_dav (file transfer via Apache). On my side it is workable, except that if I load a new Require (after the official Require for IBAYNAME) the former password protection of the ibay obviously no longer applies and my user/group Require is used instead. I believe few people use this type of authentication, but for compatibility I would like to keep this older option working.
So I have some questions for @giacomo, @davidep, @filippo_carletti, @alep, @stephdl, @Stll0, @alefattorini:
- Do I code it as a modification of an official rpm, or
- Do I code it as a separate module, in which case, for those who install it, the former authentication by a single shared password won't work anymore?
Some examples of what I'm modifying:
[root@nethserver-dev4 ~]# cat /etc/e-smith/templates/httpd/ibay-default/35pwauth
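{
    # Register the pwauth / unixgroup external authenticators
    # (mod_auth_external, mod_authz_unixgroup) when either WebDAV or
    # per-user HTTP access is enabled for this ibay.  The Auth*/Require
    # lines that use them are emitted by a later template fragment.
    # $Name and $OUT are provided by the template engine.
    use esmith::AccountsDB;
    use esmith::DB;

    # Read-only handle: this fragment never writes to the accounts DB.
    # Renamed from $a so the lexical cannot shadow sort's package
    # variable if a comparator block is ever added here.
    my $accounts = esmith::AccountsDB->open_ro;

    my $web_dav     = $accounts->get_prop($Name, 'HttpWebDav')     || 'disabled';
    my $user_access = $accounts->get_prop($Name, 'HttpUserAccess') || 'disabled';

    if ($web_dav eq 'enabled' || $user_access eq 'enabled') {
        $OUT .= qq(
#Set the path to pwauth/unixgroup for user/group authentication
AddExternalAuth pwauth /usr/bin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/bin/unixgroup
SetExternalGroupMethod unixgroup environment);
    }
}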
[root@nethserver-dev4 ~]# cat /etc/e-smith/templates/httpd/ibay-default/70UserModDav
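{
    # Emit the DAV / external-auth access block for this ibay when WebDAV
    # or per-user HTTP access is enabled.  Read access (the methods in
    # <Limit>) goes to AclRead plus AclWrite, write access (everything
    # else) to AclWrite only; 'admin' is always in both lists.
    # $Name, $Access, $PrivateAllow and $OUT are provided by the template
    # engine.
    use esmith::AccountsDB;

    # Renamed from $a so the lexical cannot shadow sort's package variable.
    my $accounts = esmith::AccountsDB->open_ro;

    # Properties of the ibay record.
    my @writers     = split /,/, ($accounts->get_prop($Name, 'AclWrite') || '');
    my @readers     = split /,/, ($accounts->get_prop($Name, 'AclRead')  || '');
    my $user_access = $accounts->get_prop($Name, 'HttpUserAccess')  || 'disabled';
    my $web_dav     = $accounts->get_prop($Name, 'HttpWebDav')      || 'disabled';
    my $dav_allow   = $accounts->get_prop($Name, 'HttpWebDavAllow') || '';

    # Exact-match lookup tables of known account keys.  The previous
    # `grep /$name/, @users` was an unanchored regex match: 'ann' matched
    # 'joann', and any regex metacharacter in an ACL entry was interpreted
    # as a pattern, so an entry could be classified as a user or group it
    # merely resembled.
    my %is_user  = map { $_->key => 1 } $accounts->users();
    my %is_group = map { $_->key => 1 } $accounts->groups();

    # admin always gets read and write access.  The '' seed of the group
    # lists is kept for byte-identical output (it only contributes a
    # leading space after interpolation).
    my @read_users   = ('admin');
    my @read_groups  = ('');
    my @write_users  = ('admin');
    my @write_groups = ('');

    # Split each ACL entry into the user or group list.
    for my $reader (@readers) {
        push @read_users,  $reader if $is_user{$reader};
        push @read_groups, $reader if $is_group{$reader};
    }
    for my $writer (@writers) {
        push @write_users,  $writer if $is_user{$writer};
        push @write_groups, $writer if $is_group{$writer};
    }

    # Deduplicate and sort; writers are implicitly readers.
    my $uniq_sorted = sub {
        my %seen;
        return sort { $a cmp $b } grep { !$seen{$_}++ } @_;
    };
    @read_users   = $uniq_sorted->(@read_users, @write_users);
    @write_users  = $uniq_sorted->(@write_users);
    @read_groups  = $uniq_sorted->(@read_groups, @write_groups);
    @write_groups = $uniq_sorted->(@write_groups);

    # Hosts allowed to reach the ibay over HTTP (one per continued line).
    my $web_access = $Access eq 'private'
        ? join(" \\\n ", split(' ', $PrivateAllow || ''))
        : 'all';

    # HttpWebDavAllow may narrow the hosts allowed to write; it is
    # formatted like PrivateAllow.  The previous
    # `my $davallow = $webaccess if ($DavAllow eq '')` left $davallow
    # undef whenever the property was set, producing an empty "allow from".
    my $dav_access = $dav_allow eq ''
        ? $web_access
        : join(" \\\n ", split(' ', $dav_allow));

    my $dav_on = $web_dav eq 'enabled' ? 'DAV On' : '';

    # With Apache's default "Satisfy all" both the host allow list and the
    # Require must pass.  AuthzUserAuthoritative off lets a user who is
    # not in "Require user" fall through to the group check.
    if ($web_dav eq 'enabled' || $user_access eq 'enabled') {
        $OUT .= qq(
# Enable DAV access
$dav_on
AuthName $Name
AuthBasicProvider external
AuthType Basic
AuthExternal pwauth
GroupExternal unixgroup
AuthzUserAuthoritative off
# Read only access
<Limit GET PROPFIND OPTIONS LOCK UNLOCK REPORT>
order deny,allow
deny from all
allow from $web_access
Require user @read_users
Require group @read_groups
</Limit>
# Write access
<LimitExcept GET PROPFIND OPTIONS LOCK UNLOCK REPORT>
order deny,allow
deny from all
allow from $dav_access
Require user @write_users
Require group @write_groups
</LimitExcept>);
    }
}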
[root@nethserver-dev4 ~]# cat /etc/e-smith/events/actions/nethserver-full-apache-write
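#!/usr/bin/perl
#
# nethserver-full-apache-write: event action that grants the apache user
# read/write ACLs (with matching default ACLs) on an ibay directory when
# HttpStatus and HttpWritable are both enabled for that ibay.
#
# Arguments: event name, ibay name (its AccountsDB key).
# Exits 0 without acting when AccountsDB is unavailable or HTTP access to
# the ibay is disabled; dies (non-zero exit) on a bad argument or a failed
# setfacl.
use strict;
use warnings;
use esmith::ConfigDB;

# Load AccountsDB at run time only.  The former compile-time
# `use esmith::AccountsDB` ran before this guard and aborted the script
# when the module was missing, so the guard was dead code.
eval { require esmith::AccountsDB };
if ($@) {
    exit(0);    # AccountsDB is not available, nothing to do
}

my $adb = esmith::AccountsDB->open_ro();

my $event = shift || die("Missing event argument");
my $ibay  = shift || die("Missing ibay argument");

# $ibay becomes part of a filesystem path, so refuse anything that is not
# an existing ibay record rather than letting an unknown or mistyped key
# reach setfacl.
my $record = $adb->get($ibay);
die("Unknown ibay $ibay\n")
    unless $record && ($record->prop('type') || '') eq 'ibay';

# The former bare `print` of the status was debug output and is gone.
my $http_status = $adb->get_prop($ibay, 'HttpStatus') || 'disabled';
exit 0 if $http_status eq 'disabled';

my $http_write = $adb->get_prop($ibay, 'HttpWritable') || 'disabled';
if ($http_write eq 'enabled') {
    my $ibaydir = '/var/lib/nethserver/ibay/' . $ibay;

    # List-form system(): no shell is involved, so $ibaydir is never
    # re-parsed.  -P keeps setfacl from following symlinks inside the tree.
    system('/usr/bin/setfacl', '-P', '-R', '-m',
        'u:apache:rwX,d:u:apache:rwX', $ibaydir) == 0
        or die "Failed to set apache acl on the ibay $ibay\n";
}

exit 0;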