Ldap – Apache authentication fails with require ldap-group

Tags: active-directory, apache-2.4, authentication, authorization, ldap

I have been trying to tie Apache on a Windows server to our Active Directory server for authentication and authorization.

In order to test it, I have been trying the "ldap-status" handler, with the following parameters

<Location "/ldap-status">
    SetHandler ldap-status

    AuthType Basic
    AuthBasicProvider ldap
    AuthName "LDAP Status"
    LDAPReferrals off
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldap://1.2.3.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
    Require ldap-group "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com"
</Location>

Up to this point, if I remove Require ldap-group and replace it with Require valid-user, it works correctly, but not if I restore the group requirement.

From what I can see from the AD server using PowerShell, the group exists and it has a member attribute which lists the DNs of all members; based on this I set AuthLDAPGroupAttribute to member and AuthLDAPGroupAttributeIsDN to on.

I am sure my user is in the group for which I am requiring the check; however, in the Apache error log there is only this record, which does not really help in understanding the cause:

[Mon Apr 27 14:52:08.023952 2020] [authz_core:error] [pid 13168:tid 2072] [client 10.0.1.45:59690] AH01631: user mtassinari: authorization failure for "/ldap-status":

What can I do to correct the configuration in order to understand why "require ldap-group" fails?

Best Answer

In the end I have been able to make it work by splitting authentication and authorization with aliases, like this:

<AuthnProviderAlias ldap my-ldap>
    AuthLDAPBindAuthoritative on
    AuthLDAPURL "ldap://1.2.1.4:389/cn=Users,dc=XXX,dc=example,dc=com?sAMAccountName?sub?(objectClass=person)" NONE
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-test "cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com">
    AuthLDAPURL "ldap://1.2.1.4:389/cn=Users,dc=XXX,dc=example,dc=com" NONE
    AuthLDAPBindDN xxx
    AuthLDAPBindPassword xxx
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthLDAPMaxSubGroupDepth 0
</AuthzProviderAlias>

<Location "/ldap-status">
    SetHandler ldap-status
    LDAPReferrals off

    AuthType Basic
    AuthName "LDAP Status"
    AuthBasicProvider my-ldap
    Require ldap-group-test
</Location>

I think the key difference here is the AuthLDAPURL, which in the authorization provider is without any filter. It just doesn't feel right to have to repeat common configuration parameters to make it work.
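As an added illustration (not part of the question or the answer, and not Apache's own code), the script below models the two lookups that sit behind "Require ldap-group" with AuthLDAPGroupAttributeIsDN on: first a subtree search under the AuthLDAPURL base that must return exactly one entry whose sAMAccountName equals the login and that satisfies the URL filter, then a check of whether the group's member attribute holds that entry's DN, optionally following nested groups up to AuthLDAPMaxSubGroupDepth. It is a simplified model written for reasoning about which step fails, not a reproduction of mod_authnz_ldap internals. The directory is constructed inline in LDIF style: the base, the user mtassinari and TEST GROUP mirror the question, while jdoe and NESTED GROUP are invented to show a direct member and a nested one.

```python
# Added example: offline model of the two lookups behind "Require ldap-group".
# Not Apache's code; the directory below is constructed (jdoe and NESTED GROUP
# are invented, the base DN, mtassinari and TEST GROUP follow the question).
import re

BASE_DN = "cn=Users,dc=XXX,dc=example,dc=com"
GROUP_DN = "cn=TEST GROUP," + BASE_DN

# Constructed directory: two people, one nested group, one target group.
SAMPLE_LDIF = """\
dn: cn=jdoe,cn=Users,dc=XXX,dc=example,dc=com
objectClass: person
sAMAccountName: jdoe

dn: cn=mtassinari,cn=Users,dc=XXX,dc=example,dc=com
objectClass: person
sAMAccountName: mtassinari

dn: cn=NESTED GROUP,cn=Users,dc=XXX,dc=example,dc=com
objectClass: group
member: cn=mtassinari,cn=Users,dc=XXX,dc=example,dc=com

dn: cn=TEST GROUP,cn=Users,dc=XXX,dc=example,dc=com
objectClass: group
member: cn=jdoe,cn=Users,dc=XXX,dc=example,dc=com
member: cn=NESTED GROUP,cn=Users,dc=XXX,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse single-line LDIF records into {dn_lowercase: (dn, {attr: [values]})}."""
    entries = {}
    for record in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in record.splitlines():
            key, _, value = line.partition(": ")
            if key.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(key.lower(), []).append(value)
        entries[dn.lower()] = (dn, attrs)
    return entries


def matches_filter(attrs, ldap_filter):
    """Evaluate a single equality filter such as (objectClass=person)."""
    m = re.fullmatch(r"\((\w+)=([^()]+)\)", ldap_filter)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled")
    attr, wanted = m.group(1).lower(), m.group(2).lower()
    return wanted in (v.lower() for v in attrs.get(attr, []))


def find_user_dn(directory, base, attribute, ldap_filter, login):
    """Step 1: subtree search under base for exactly one entry whose <attribute>
    equals the login and that satisfies the URL filter; None otherwise."""
    base_lc, hits = base.lower(), []
    for dn_lc, (dn, attrs) in directory.items():
        if dn_lc != base_lc and not dn_lc.endswith("," + base_lc):
            continue  # outside the search base
        values = [v.lower() for v in attrs.get(attribute.lower(), [])]
        if login.lower() in values and matches_filter(attrs, ldap_filter):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def is_group_member(directory, group_dn, user_dn, group_attr="member",
                    max_sub_depth=0, _seen=None):
    """Step 2: does <group_attr> of the group hold the user's DN? With
    max_sub_depth > 0, member DNs that are themselves groups are followed."""
    seen = _seen if _seen is not None else set()
    seen.add(group_dn.lower())
    entry = directory.get(group_dn.lower())
    if entry is None:
        return False  # group DN does not exist under the bind account's view
    members = [m.lower() for m in entry[1].get(group_attr.lower(), [])]
    if user_dn.lower() in members:
        return True
    if max_sub_depth <= 0:
        return False  # depth 0: nested membership is never followed
    for member_dn in members:
        sub = directory.get(member_dn)
        if member_dn in seen or sub is None:
            continue
        if "group" in (v.lower() for v in sub[1].get("objectclass", [])):
            if is_group_member(directory, sub[0], user_dn, group_attr,
                               max_sub_depth - 1, seen):
                return True
    return False


def authorize(directory, login, max_sub_depth=0):
    """Run both steps and return (allowed, reason), naming the failing step,
    which a bare AH01631 "authorization failure" line does not reveal."""
    user_dn = find_user_dn(directory, BASE_DN, "sAMAccountName",
                           "(objectClass=person)", login)
    if user_dn is None:
        return False, "step 1: no unique entry for login under base/filter"
    if not is_group_member(directory, GROUP_DN, user_dn, "member", max_sub_depth):
        return False, "step 2: %s not in member of %s (depth %d)" % (
            user_dn, GROUP_DN, max_sub_depth)
    return True, "member of %s" % GROUP_DN


if __name__ == "__main__":
    d = parse_ldif(SAMPLE_LDIF)
    for login in ("jdoe", "mtassinari", "nobody"):
        for depth in (0, 1):
            print(login, depth, authorize(d, login, depth))
```

Running it shows jdoe passing at either depth, mtassinari failing at depth 0 and passing at depth 1, and an unknown login failing at step 1. The point of the model is that the same "authorization failure" outcome can come from the user search (base, attribute or filter not matching the entry the bind account sees), from the group lookup, or from nesting that AuthLDAPMaxSubGroupDepth 0 does not follow; checking each step separately against the real directory, with the same bind account Apache uses, narrows the cause before touching the Apache configuration.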