Apache 2.4 replacement for mod_auth_shadow

Tags: apache-2.4, pam, saslauthd

My employer has been running RHEL 6.x and Apache httpd 2.2 for many years. We are currently in the process of migrating to new hardware running RHEL 7.1 and Apache httpd 2.4. Our current web site has various locations that contain downloadable material for different sets of clients. Clients all have system accounts on the server box. We currently control access to the locations based on client user's group membership.

For example:

    <Location /xyzzy/*>
        AuthName "xyzzy product support"
        AuthShadow on
        AuthType Basic
        require group xyzzy
        Options Includes ExecCGI Indexes FollowSymLinks MultiViews
    </Location>

We have been successfully using mod_auth_shadow to implement this access control under Apache 2.2. However, we've found that this module won't load under 2.4 because the module calls ap_requires(), which is not present under 2.4.

We've noticed that RHEL 7 by default runs

    /usr/sbin/saslauthd -m /run/saslauthd -a pam

so I've been looking at using PAM through mod_authn_sasl as a replacement for mod_auth_shadow. I've had partial success with this apache configuration:

    <Location /xyzzy/*>
        AuthType Basic
        AuthName "xyzzy product support"
        AuthBasicProvider sasl
        AuthBasicAuthoritative On
        AuthSaslPwcheckMethod saslauthd
        Require valid-user
    </Location>

combined with this /etc/pam.d/http file:

    #%PAM-1.0
    auth       include      password-auth
    auth       include      pam_group
    account    include      password-auth

With this combination any user with valid login credentials can access the xyzzy location. I believe this validates that the basic connection between Apache -> saslauthd -> PAM is working. But that's not the level of granularity we're looking for.

This alternative httpd configuration:

    <Location /xyzzy/*>
        AuthType Basic
        AuthName "xyzzy product support"
        AuthBasicProvider sasl
        AuthBasicAuthoritative On
        AuthSaslPwcheckMethod saslauthd
        Require group xyzzy
    </Location>

generates this error in the httpd log:

    AH01664: No group file was specified in the configuration

This suggests that httpd is not going through saslauthd in order to validate group membership. So far, I haven't found an httpd directive that would force group authentication through sasl in the way that user/password authentication does.

(Why am I using the system passwd, shadow and group files for authentication instead of a separate database for http? Some clients prefer to download their support files via ftp rather than http. So we use the system accounts in order to give our clients relatively easy switching between the two protocols.)

As a last resort I'm prepared to try updating mod_auth_shadow for 2.4. But I've never coded or debugged an apache module, so there's an unknown learning curve involved in that approach. So I'm completely open to suggestions!

Best Answer

It looks like you've already explored one option; here are a couple more possibilities, although it looks like both will require some work.

mod_auth_external: https://github.com/phokz/mod-auth-external
mod_auth_kerb: http://modauthkerb.sourceforge.net/
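The missing piece in the question is the authorization step that mod_auth_shadow used to do after saslauthd/PAM has verified the password: deciding whether the authenticated system user belongs to the group named in `Require group`. The following is an added example, not code from the question, the answer, or the mod-auth-external project. It implements that check over passwd(5)/group(5) formatted data, counting both the user's primary GID and the supplementary member list, and fails closed for unknown users or groups. The account data below is constructed for the example; the command-line interface (`USER GROUP [GROUP...]`, exit 0 when authorized) is an assumption and would need to be adapted to whatever calling convention the external-authorizer module you choose actually uses.

```python
"""Group-membership check of the kind mod_auth_shadow performed for
`Require group`, written as an external authorizer helper.

Added example, not the question's or mod-auth-external's code. It parses
passwd(5)/group(5) text so the constructed sample below runs offline; on a
real host main() reads /etc/passwd and /etc/group (the shadow file is only
needed for passwords, which saslauthd/PAM already verified).
"""
import sys

# Constructed sample data (not from the page) in passwd(5)/group(5) format.
# bob's primary group is xyzzy (GID 2000); alice is a supplementary member.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:2000:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/sbin/nologin
"""

SAMPLE_GROUP = """\
root:x:0:
alice:x:1001:
xyzzy:x:2000:alice
carol:x:1003:
support:x:2001:bob,carol
"""


def parse_passwd(text):
    """Map user name -> primary GID, skipping comments and malformed lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[3].isdigit():
            continue  # malformed line: skip rather than crash or guess
        users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (GID, set of supplementary member names)."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue
        name, _pw, gid, members = fields[:4]
        groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def user_in_group(user, group, passwd_text, group_text):
    """True if `user` is in `group`, via primary GID or supplementary list.
    Unknown users or groups are never members (fail closed)."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    if user not in users or group not in groups:
        return False
    gid, members = groups[group]
    return users[user] == gid or user in members


def user_in_any_group(user, wanted, passwd_text, group_text):
    """Authorize if the user is in at least one requested group, which is
    the meaning of `Require group a b c` in httpd."""
    return any(user_in_group(user, g, passwd_text, group_text) for g in wanted)


def main(argv):
    # Assumed interface: check_group.py USER GROUP [GROUP...]
    # Exit 0 = authorized, 1 = not authorized, 2 = error. Adapt this to the
    # calling convention of the authorizer module you actually deploy.
    if len(argv) < 3:
        sys.stderr.write("usage: check_group.py USER GROUP [GROUP...]\n")
        return 2
    try:
        with open("/etc/passwd") as pw, open("/etc/group") as gr:
            ok = user_in_any_group(argv[1], argv[2:], pw.read(), gr.read())
    except OSError as exc:
        sys.stderr.write("cannot read account database: %s\n" % exc)
        return 2
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the helper only reads /etc/passwd and /etc/group, it can run as an unprivileged user; the password check stays with saslauthd/PAM, so the web server never needs read access to /etc/shadow, which is the main operational advantage over the old mod_auth_shadow setup.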