Your 'Require' line reads
Require ldap-group cn=CHANGED, cn=CHANGED
That doesn't look write - I don't believe you can have have two cn's in a DN like that.
Assuming that I have 2 groups with following structure:
dn: ou=IT,dc=domain,dc=com
ou: IT
objectClass: top
objectClass: organizationalUnit
dn: cn=bob,ou=IT,dc=domain,dc=com
cn: bob
sn: Bob
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: xx
...
dn: ou=HR,dc=domain,dc=com
ou: HR
objectClass: top
objectClass: organizationalUnit
dn: cn=alice,ou=HR,dc=domain,dc=com
cn: alice
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword:: xx
...
You can list all users either in IT or in HR department by executing:
$ ldapsearch -W -x -D "cn=binder,dc=domain,dc=com" \
'(&(|(ou:dn:=IT)(ou:dn:=HR))(cn=*))'
So, you should try with ldapsearch from the command line first:
$ ldapsearch -W -x -D "cn=binder,ou=Users,ou=Directory,o=IC" \
'(&(|(ou:dn:=Managers)(ou:dn:=Employees)(ou:dn:=Misc))(cn=*))'
If it work, edit the mod_authz_ldap configuration file as belows:
Require ldap-filter &(|(ou:dn:=Managers)(ou:dn:=Employees)(ou:dn:=Misc))(cn=*)
Best Answer
With a valid AuthnzLDAP setup, it's possible to require ldap-group, like so:
See http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqgroup for reference.
It's worth noting that you can also require ldap-dn, ldap-attribute, or even ldap-filter. The latter could also be used to require an ldap-group, like this:
..which is most useful to generate complex attribute-based requirements:
Thanks, commenter @james-yale for the most relevant answer..