Webdav + LDAP + CAS2_AUTH

Hello, I have a problem when I trying to get documents with a webdav drive by LDAP and CAS authentication. I always have this error message in my logs

Digest authentication failed. Stored HA1 is empty

In my cas-config.xml I add these following lines

<specificAuthenticationChain name="WebDAV">
    <headers>
      <header name="User-Agent">(Microsoft-WebDAV-MiniRedir|DavClnt|litmus|gvfs|davfs|WebDAV|cadaver|BitKinex).*</header>
    </headers>
    <urlPatterns>
        <url>(.*)/site/dav.*</url>
    </urlPatterns>
    <replacementChain>
        <plugin>DIGEST_AUTH</plugin>
        <plugin>WEBDAV_BASIC_AUTH</plugin>
    </replacementChain>

I don't understand where is my problem, I don't know if I forget a file or a configuration.

Thank you for your help

David

0 votes

3 answers

1020 views

ANSWER

Hello, I'm facing the same situation. Does creating a LDAP_AUTH for WebDAV in order to "shunt" the digest and authenticate on a LDAP could work ? Is that going to create futur issues ?

Thank you.

Sylvain

01/27/2014

No it won't work. The webdav connector does not communicate with basic auth.
01/27/2014



hello,

WebDAV uses an authentication based on digest.

This digest is computed when the user authenticates the first time with the Web UI, but if you're authenticating against CAS, no password is sent to Nuxeo, which can not compute the digest, and as a consequence won't be able to validate the credentials sent from WebDAV.

So that's the problem you're facing.

Thierry

1 votes



Merci pour les pistes de solutions (sorry don't know how to translate that).

Have a nice day.

Sylvain

0 votes



So, just to be sure, if CAS2_AUTH is enabled for Web UI, it's impossible to login in WebDAV because of the digest which is not computed due to CAS2_AUTH. And it's not possible to modify the WebDAV authentication to get it work while CAS2_AUTH is enabled for Web UI.

A way to use both (I mean while CAS2_AUTH is enabled), is first to use LDAP backend and BASIC_AUTH and login in Web UI, this way the digest is computed. Then re-enable CAS2_AUTH. WebDAV will work because a digest was computed. But if the user password is changed on LDAP there will be a problem with WebDAV authentication bescause the digest will be wrong. And every users have to login while CAS2_AUTH is disabled.

Perhaps : Is there a way to “force” nuxeo to automatically compute a digest for each user found in LDAP, without a user has to login ?

Thank you for explanations

Sylvain

0 votes



You have done a pretty good summary of the situation. I konw people who added a digest field in their LDAP schema to store the digest computed from the user password. Another solution would be to define a little feature using basic authentication to compute the digest and store it into Nuxeo, before using WebDAV : calling a simple URL like http://myserver:8080/nuxeo/site/automation/doc would do the trick, but it's not quite friendly for end-users
01/27/2014