Ldap – Apache LDAP Authentication with AD Subgroup

Tags: active-directory, apache-2.4, authentication, ldap

I am trying to authenticate using an Active Directory user on a website running on Apache.

My Setup

Active Directory: User "steven" is a member of the group "staff". User "cindy" is a member of the group "finances" which is a member of "staff" (= cindy is a member of a subgroup of the "staff" group).

Apache: Apache 2.4 with mod_authnz_ldap

My Apache site config:

AuthName "Please enter your login data."

AuthType Basic
AuthBasicProvider ldap

AuthLDAPBindDN account@domain.local
AuthLDAPBindPassword "userpassword"

AuthLDAPURL "ldap://dc.domain.local/DC=domain,DC=local?sAMAccountName?sub?(objectClass=*)"

Require ldap-group CN=Staff,OU=Groups,OU=Accounts,DC=domain,DC=local

Problem

Steven (or any other user who is a direct member of the "staff" group) authenticates successfully; however, members of subgroups, such as cindy, will not authenticate.

I have already tried adding "AuthLDAPMaxSubGroupDepth 10" (10 should be the default value anyway) but that did not help either.

Anyone who might be able to help?

Best Answer

I haven't had occasion to use the AuthLDAPMaxSubGroupDepth directive. I've always used the LDAP_MATCHING_RULE_IN_CHAIN search control instead. You might have a look at that. It should perform better, in terms of network traffic between the DC and Apache, because the DC itself will resolve the nested groups.
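As an added illustration (editor's example, not part of the answer above), this is what the asker's configuration looks like when the nested-group check is moved into the LDAP filter using LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). The DNs, host name and bind account are the ones from the question; the `<Location>` wrapper is an assumption added for completeness. Because the filter already restricts the search to transitive members of the Staff group, `Require valid-user` replaces `Require ldap-group`, and `AuthLDAPMaxSubGroupDepth` is no longer involved.

```apache
<Location "/staff">
    AuthName "Please enter your login data."
    AuthType Basic
    AuthBasicProvider ldap

    # Service account used for the search bind (values from the question).
    AuthLDAPBindDN "account@domain.local"
    AuthLDAPBindPassword "userpassword"

    # The memberOf:1.2.840.113556.1.4.1941:= matching rule asks the DC to
    # expand nested group membership itself, so a user who is only a member
    # of a subgroup of Staff (cindy via "finances") still matches the filter.
    AuthLDAPURL "ldap://dc.domain.local/DC=domain,DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Staff,OU=Groups,OU=Accounts,DC=domain,DC=local))"

    # Group membership is enforced by the search filter above, so any user
    # the search finds (and who can bind with the supplied password) is allowed.
    Require valid-user
</Location>
```

Two practitioner notes on this example. First, if you stay with `Require ldap-group` and `AuthLDAPMaxSubGroupDepth`, be aware that mod_authnz_ldap's `AuthLDAPSubGroupClass` defaults to `groupOfNames groupOfUniqueNames`, while Active Directory groups carry the object class `group`; without `AuthLDAPSubGroupClass group` the module will not recognise nested AD groups as groups, which is consistent with the symptom in the question. Second, both the bind password and every user's Basic-auth password traverse this connection, so in production the URL should be `ldaps://` (or `LDAPTrustedMode TLS` with a trusted CA) and the site itself should be served over HTTPS.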
