Enabling integrated WebDAV digest authentication
To use digest authentication for an existing WebDAV realm, you need to enable mod_digest_apple and change your virtual host configuration directives to use digest authentication instead of basic authentication.
Prior to version 10.2.4 of Mac OS X Server, you also needed to maintain a separate digest file containing a list of authorized users, passwords, and realms. This separate file is no longer necessary.
The new mod_digest_apple module first checks for users in a specified digest file. If the file is absent or unspecified, or if the user name and password fail to authenticate successfully against that file, the module tries to use Open Directory for user authentication. Open Directory users must be set up for password validation using Open Directory Password Server.
This approach applies to WebDAV authentication (called "author" access in Server Settings); it does not apply to access to Web pages via a browser (called "browse" access in Server Settings).
The Apple digest module is included in the standard installation of Mac OS X Server 10.2.4, but is disabled by default.
Follow these steps to enable mod_digest_apple:
1. As the root user, open this file in a text editor:
/etc/httpd/httpd.conf
Note: If you need help with this step, see technical document 106619, "Mac OS X Server: How to Locate and Edit Configuration Files".
2. Enable the digest module by adding the following lines to the file:
LoadModule apple_digest_module /usr/libexec/httpd/mod_digest_apple.so
AddModule mod_digest_apple.c
3. Be sure the similar directives for the standard Apache mod_digest are deleted or commented out (they are commented out by default):
#LoadModule digest_module /usr/libexec/httpd/mod_digest.so
...
#AddModule mod_digest.c
4. If you have enabled the newer Apache mod_auth_digest, you must disable that as well. Also, remove any Apache directives specific to that module from your Apache configuration files.
5. Save changes and close the file.
6. As the root user, open this file in a text editor:
/etc/httpd/httpd_macosxserver.conf
7. Find the WebDAV directives for the virtual host that contains the desired realm. Here is an example of the directives for "realm1":
<Directory "/Library/WebServer/Documents/realm1">
AuthName "realm1"
AuthType Basic
8. Change the AuthType from "Basic" to "Digest." Here are the completed changes for "realm1":
<Directory "/Library/WebServer/Documents/realm1">
AuthName "realm1"
AuthType Digest
9. Save changes and close the file.
The changes take effect when you restart Web service.
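Before restarting, the two edited files can be checked against the steps above. The following shell script is an added example, not part of the original article; the function names and the file name mod_auth_digest.so (for the module named in step 4) are assumptions, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example: audit the two files edited in the steps above.
# File paths are arguments, so the check can be run against copies.

# Succeeds if FILE has an uncommented LoadModule line for NAME.so.
module_active() {  # usage: module_active NAME FILE
    grep -Eq "^[[:space:]]*LoadModule[[:space:]]+[^[:space:]]+[[:space:]]+([^[:space:]]*/)?$1\.so[[:space:]]*\$" "$2"
}

# Prints the path of every <Directory> block that still says AuthType Basic.
# Assumes directory paths without spaces, as in the realm1 example.
basic_realms() {  # usage: basic_realms FILE
    awk '
        $1 ~ /^#/            { next }
        $1 == "<Directory"   { dir = $2; sub(/>$/, "", dir); gsub(/"/, "", dir); next }
        $1 == "</Directory>" { dir = ""; next }
        dir != "" && tolower($1) == "authtype" && tolower($2) == "basic" { print dir }
    ' "$1"
}

# Returns 0 when both files match the procedure; otherwise prints findings.
audit_digest() {  # usage: audit_digest HTTPD_CONF SITE_CONF
    rc=0
    module_active mod_digest_apple "$1" || { echo "mod_digest_apple not loaded"; rc=1; }
    # mod_auth_digest.so is the assumed file name for the module named in step 4.
    for m in mod_digest mod_auth_digest; do
        if module_active "$m" "$1"; then echo "conflicting module active: $m"; rc=1; fi
    done
    realms=$(basic_realms "$2")
    if [ -n "$realms" ]; then echo "still Basic: $realms"; rc=1; fi
    return "$rc"
}

# Constructed sample files (not from a real server): the module is enabled,
# but realm1 has not yet been switched from Basic to Digest.
tmp=$(mktemp -d)
printf '%s\n' '#LoadModule digest_module /usr/libexec/httpd/mod_digest.so' \
    'LoadModule apple_digest_module /usr/libexec/httpd/mod_digest_apple.so' \
    'AddModule mod_digest_apple.c' > "$tmp/httpd.conf"
printf '%s\n' '<Directory "/Library/WebServer/Documents/realm1">' \
    'AuthName "realm1"' 'AuthType Basic' '</Directory>' > "$tmp/site.conf"
audit_digest "$tmp/httpd.conf" "$tmp/site.conf" || echo "audit: FAILED"
rm -rf "$tmp"
```

On a server, call audit_digest with /etc/httpd/httpd.conf and /etc/httpd/httpd_macosxserver.conf as its two arguments.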
Any new virtual hosts you create using Server Settings are configured to use basic authentication by default. You will need to make the changes described above if you want to use digest authentication.
Starting with Mac OS X 10.2, the Finder issues a warning about clear-text passwords when a user tries to connect to a WebDAV server with basic rather than digest authentication. This warning should no longer appear when the server is configured for digest authentication.
Note: Some WebDAV clients do not use digest authentication. For example, Goliath 1.0 requires basic authentication.