Webdav + LDAP + CAS2_AUTH

Hello, I have a problem when I am trying to get documents with a WebDAV drive using LDAP and CAS authentication. I always have this error message in my logs:

Digest authentication failed. Stored HA1 is empty

In my cas-config.xml I added the following lines:

<specificAuthenticationChain name="WebDAV">
    <headers>
        <header name="User-Agent">(Microsoft-WebDAV-MiniRedir|DavClnt|litmus|gvfs|davfs|WebDAV|cadaver|BitKinex).*</header>
    </headers>
    <urlPatterns>
        <url>(.*)/site/dav.*</url>
    </urlPatterns>
    <replacementChain>
        <plugin>DIGEST_AUTH</plugin>
        <plugin>WEBDAV_BASIC_AUTH</plugin>
    </replacementChain>
</specificAuthenticationChain>

I don't understand where my problem is; I don't know if I forgot a file or a configuration.

Thank you for your help

David

0 votes

ANSWER

Hello, I'm facing the same situation. Would creating an LDAP_AUTH for WebDAV in order to "shunt" the digest and authenticate on an LDAP work? Is that going to create future issues?

Thank you.

Sylvain

01/27/2014

No, it won't work. The WebDAV connector does not communicate with basic auth.
01/27/2014



Hello,

WebDAV uses an authentication based on digest.

This digest is computed when the user authenticates the first time with the Web UI, but if you're authenticating against CAS, no password is sent to Nuxeo, which cannot compute the digest and, as a consequence, won't be able to validate the credentials sent from WebDAV.

So that's the problem you're facing.

Thierry

1 votes



Thank you for the pointers toward solutions (sorry, don't know how to translate that).

Have a nice day.

Sylvain

0 votes



So, just to be sure, if CAS2_AUTH is enabled for Web UI, it's impossible to log in to WebDAV because of the digest, which is not computed due to CAS2_AUTH. And it's not possible to modify the WebDAV authentication to get it to work while CAS2_AUTH is enabled for Web UI.

A way to use both (I mean while CAS2_AUTH is enabled) is first to use the LDAP backend and BASIC_AUTH and log in to the Web UI; this way the digest is computed. Then re-enable CAS2_AUTH. WebDAV will work because a digest was computed. But if the user password is changed on LDAP there will be a problem with WebDAV authentication because the digest will be wrong. And every user has to log in while CAS2_AUTH is disabled.

Perhaps: is there a way to "force" Nuxeo to automatically compute a digest for each user found in LDAP, without the user having to log in?

Thank you for the explanations.

Sylvain

0 votes



You have done a pretty good summary of the situation. I know people who added a digest field in their LDAP schema to store the digest computed from the user password. Another solution would be to define a little feature using basic authentication to compute the digest and store it into Nuxeo before using WebDAV: calling a simple URL like http://myserver:8080/nuxeo/site/automation/doc would do the trick, but it's not quite friendly for end-users.
01/27/2014
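The mechanism described in the answers above (the digest can only be computed while the server sees the cleartext password, and a stored digest goes stale when the LDAP password changes) can be reproduced with a minimal RFC 2617 digest check. This is an added example, not Nuxeo code and not part of the original thread; the realm, user names, passwords, nonce values, request URI and the in-memory `ha1_store` are constructed for illustration.

```python
import hashlib
import hmac

REALM = "example-realm"  # constructed; a real client uses the realm the server advertises


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_ha1(username, realm, password):
    """HA1 = MD5(username:realm:password). Requires the cleartext password."""
    return md5_hex(f"{username}:{realm}:{password}")


def client_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """Digest 'response' value as a WebDAV client computes it (qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server side: only the stored HA1 is available, never the password."""
    if not stored_ha1:
        return False, "stored HA1 is empty"
    expected = client_response(stored_ha1, method, uri, nonce, nc, cnonce)
    if hmac.compare_digest(expected, response):
        return True, "ok"
    return False, "response mismatch (stale HA1 or wrong password)"


def demo():
    ha1_store = {}  # hypothetical server-side store, one HA1 per user
    # bob once logged in with form/basic auth: the server saw his password.
    ha1_store["bob"] = compute_ha1("bob", REALM, "old-secret")
    # alice only ever logged in through CAS: the server saw a ticket, no password.
    ha1_store["alice"] = ""
    req = dict(method="PROPFIND", uri="/nuxeo/site/dav/",
               nonce="constructed-nonce", nc="00000001", cnonce="constructed-cnonce")
    results = {}
    # The third attempt models bob after his LDAP password was changed.
    for user, pw in [("bob", "old-secret"), ("alice", "alice-secret"), ("bob", "new-secret")]:
        resp = client_response(compute_ha1(user, REALM, pw), **req)
        results[(user, pw)] = verify_digest(ha1_store[user], response=resp, **req)
    return results


if __name__ == "__main__":
    for attempt, outcome in demo().items():
        print(attempt, outcome)
```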