- Log into the Debian device
- Run the following commands in a terminal:
# update repositories and install any available software updates
sudo apt update
sudo apt upgrade
# install apache2
sudo apt install apache2
# download and extract KeeWeb
wget https://github.com/keeweb/keeweb/archive/gh-pages.zip
sudo unzip gh-pages.zip -d /var/www/html/
sudo mv /var/www/html/keeweb-gh-pages /var/www/html/keepass
# create webdav directory and set permissions
sudo mkdir /var/www/html/webdav
sudo chown -R www-data:www-data /var/www/html/webdav
# change permissions on the newly setup application folder
sudo chown -R www-data:www-data /var/www/html/keepass
# create a new keepass.conf file to configure the site
sudo nano /etc/apache2/sites-available/keepass.conf
- Paste the following directives into keepass.conf
DavLockDB "/var/www/html/webdav/DavLock"
<Location /keepass >
RewriteEngine on
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ blank.html [R=200,L,E=HTTP_ORIGIN:%{HTTP:ORIGIN}]
# Don't require LDAP authentication for a healthcheck
SetEnvIf Request_URI "^/healthcheck" accessgranted=1
Order deny,allow
Satisfy any
Deny from all
Allow from env=accessgranted
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://i12bretro.local:389/DC=i12bretro,DC=local?sAMAccountName?sub?(objectClass=user)" NONE
AuthLDAPBindDN "readonly_svc@i12bretro.local"
AuthLDAPBindPassword "Read0nly!!"
AuthName "Restricted Area [i12bretro.local]"
# to authenticate a domain group, specify the full DN
AuthLDAPGroupAttributeIsDN on
require ldap-group CN=WebAuthAccess,CN=Users,DC=i12bretro,DC=local
</Location>
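# note: this block sets AuthType and AuthName but no auth provider or Require directive, so it does not itself enforce a login
<Location "/webdav">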
DAV On
AuthType "Basic"
AuthName "webdav"
Options Indexes
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Headers "origin, content-type, cache-control, accept, authorization, if-match, destination, overwrite"
Header always set Access-Control-Expose-Headers "ETag"
Header always set Access-Control-Allow-Methods "GET, HEAD, POST, PUT, OPTIONS, MOVE, DELETE, COPY, LOCK, UNLOCK"
Header always set Access-Control-Allow-Credentials "true"
</Location>
- Edit the index.html file and modify the kw-config meta tag, setting the value to config.json
sudo nano /var/www/html/keepass/index.html
- Press CTRL+O, Enter, CTRL+X to write the changes to index.html
- Create and edit config.json by running the following command:
sudo nano /var/www/html/keepass/config.json
- Paste the following into config.json
{
  "settings": {
    "theme": "fb",
    "autoSave": true,
    "autoSaveInterval": 1,
    "canOpenDemo": false,
    "dropbox": false,
    "gdrive": false,
    "onedrive": false,
    "canExportXml": true
  },
  "files": [{
    "storage": "webdav",
    "name": "Database",
    "path": "/webdav/database.kdbx"
  }]
}
- Press CTRL+O, Enter, CTRL+X to write the changes to config.json
- Continue by executing the following commands in terminal:
# enable the keepass site and required Apache modules
sudo a2ensite keepass
sudo a2enmod dav dav_fs ldap authnz_ldap rewrite headers
# restart apache2 service for the changes to take effect
sudo systemctl restart apache2
- Open a web browser and navigate to http://DNSorIP/keepass
- Authenticate with a valid LDAP user account
- Click the New icon
- Click the New link in the lower left hand corner
- Enter a Master password and re-type it to confirm
- Enter a Name for the keepass database
- Click the Save to... button > File
- Save the database to ~/database.kdbx
- Close the browser
- Continue by executing the following commands in terminal:
# copy the keepass database to webdav directory
sudo mv ~/database.kdbx /var/www/html/webdav/
- Open a web browser and navigate to http://DNSorIP/keepass
- Enter the master password created earlier
- Enjoy your web-based keepass editor
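
As a check on the keepass.conf above, the following added example (not part of the original tutorial) lints an Apache site file for two conditions: a <Location> that sets AuthType but has no Require directive, which on its own never prompts for credentials, and an AuthLDAPURL that uses ldap:// with no TLS mode. The function names and the sample configuration with example.internal hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an Apache site file (read from stdin) for two conditions.
#   NOREQUIRE <path>      : a <Location> sets AuthType but has no Require line
#   CLEARTEXT_LDAP <path> : AuthLDAPURL uses ldap:// with no TLS mode (or NONE)
audit_conf() {
    awk '
        $1 ~ /^#/ { next }                         # ignore comment lines
        $1 == "<Location" {                        # opening tag: remember path
            loc = $2; gsub(/[">]/, "", loc)
            in_loc = 1; has_auth = 0; has_req = 0
            next
        }
        $1 ~ /^<\/Location>/ {                     # closing tag: report block
            if (has_auth && !has_req) print "NOREQUIRE " loc
            in_loc = 0
            next
        }
        in_loc && tolower($1) == "authtype" { has_auth = 1 }
        in_loc && tolower($1) == "require"  { has_req = 1 }
        tolower($1) == "authldapurl" && $2 ~ /^"?ldap:\/\// &&
            (NF < 3 || toupper($3) == "NONE") {
            print "CLEARTEXT_LDAP " (in_loc ? loc : "(server)")
        }
    '
}

# Constructed sample with the same shape as keepass.conf (hostnames are placeholders)
sample_conf() {
    cat <<'EOF'
<Location /keepass >
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap.example.internal:389/DC=example,DC=internal?sAMAccountName?sub?(objectClass=user)" NONE
require ldap-group CN=WebAuthAccess,CN=Users,DC=example,DC=internal
</Location>
<Location "/webdav">
DAV On
AuthType "Basic"
AuthName "webdav"
</Location>
EOF
}

sample_conf | audit_conf
```

To check the file created in this guide, run `audit_conf < /etc/apache2/sites-available/keepass.conf` after defining the function.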