I have been trying to tie Apache on a Windows server to our Active Directory server for authentication and authorization.
In order to test it, I have been trying the "ldap-status" handler, with the following parameters:
<Location "/ldap-status">
    SetHandler ldap-status
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Status"
    # do not chase AD referrals
    LDAPReferrals off
    AuthLDAPBindAuthoritative on
    # search base, attribute used as the login name, scope, filter; NONE = no TLS
    AuthLDAPURL "ldap://1.2.3.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
    # group membership is checked against the group's "member" attribute, which holds member DNs
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
    Require ldap-group "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com"
</Location>
Up to this point, if I remove `Require ldap-group` and replace it with `Require valid-user`, it works correctly, but not if I restore the group requirement.
From what I can see from the AD server using PowerShell, the group exists and it has a `member` attribute which lists the DN of all members; based on this I set `AuthLDAPGroupAttribute` to `member` and `AuthLDAPGroupAttributeIsDN` to `on`.
I am sure my user is in the group for which I am requiring the check; however, in the Apache error log there is only this record, which does not really help in understanding the cause:
[Mon Apr 27 14:52:08.023952 2020] [authz_core:error] [pid 13168:tid 2072] [client 10.0.1.45:59690] AH01631: user mtassinari: authorization failure for "/ldap-status":
What can I do to correct the configuration in order to understand why "require ldap-group" fails?
Best Answer
In the end I have been able to make it work by splitting authentication and authorization with alias, like this:
I think the key difference here is the `AuthLDAPURL`, which in the authorization provider is without any filter; it just doesn't feel right to have to repeat common configuration parameters to make it work.