Ldap – How to keep members of a LDAP group from accessing a folder with Apache .htaccess

ldap

Using Apache 2.2.14 on Ubuntu 10.04, I am trying to protect a folder with LDAP authentication. Our LDAP server is running Novell eDirectory.

All our users are in subgroups of ou=Users,ou=Directory,o=IC. Like this:

  • ou=Managers,ou=Users,ou=Directory,o=IC
  • ou=Employees,ou=Users,ou=Directory,o=IC
  • ou=Misc,ou=Users,ou=Directory,o=IC
  • ou=Outsiders,ou=Users,ou=Directory,o=IC

I want all of ou=Users,ou=Directory,o=IC to be able to access my folder, except those in ou=Outsiders,ou=Users,ou=Directory,o=IC.

I can get into my folder with my LDAP login information using the following settings, but it doesn't block users in the Outsiders group:

AuthName "Login Required: please enter your L-number and PIN"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldaps://ldap.example.com/ou=Users,ou=Directory,o=IC?cn?sub?(objectclass=Person)
Require ldap-filter (|(cn=*,ou=Managers,ou=Users,ou=Directory,o=IC)(cn=*,ou=Employees,ou=Users,ou=Directory,o=IC)(cn=*,ou=Misc,ou=Users,ou=Directory,o=IC))
AuthLDAPBindDN cn=binder,ou=Admin,ou=Directory,o=IC
AuthLDAPBindPassword password

I've tried:

  • Require valid-user
  • Various AuthLDAPURLs
  • Require ldap-group for only the groups I want.
  • Other searches for the Require ldap-filter, like not having "cn=*" in it.

Everything either doesn't let me in, throws a 500 error, or lets members of ou=Outsiders,ou=Users,ou=Directory,o=IC in.

So, how do I keep members of ou=Outsiders,ou=Users,ou=Directory,o=IC out of my folder?

Best Answer

Assuming that I have 2 groups with the following structure:

dn: ou=IT,dc=domain,dc=com
ou: IT
objectClass: top
objectClass: organizationalUnit

dn: cn=bob,ou=IT,dc=domain,dc=com
cn: bob
sn: Bob
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: xx
...

dn: ou=HR,dc=domain,dc=com
ou: HR
objectClass: top
objectClass: organizationalUnit

dn: cn=alice,ou=HR,dc=domain,dc=com
cn: alice
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
userPassword:: xx
...

You can list all users either in IT or in HR department by executing:

$ ldapsearch -W -x -D "cn=binder,dc=domain,dc=com" -b "dc=domain,dc=com" \
    '(&(|(ou:dn:=IT)(ou:dn:=HR))(cn=*))'

So, you should try with ldapsearch from the command line first:

$ ldapsearch -W -x -H ldaps://ldap.example.com \
    -D "cn=binder,ou=Admin,ou=Directory,o=IC" -b "ou=Users,ou=Directory,o=IC" \
    '(&(|(ou:dn:=Managers)(ou:dn:=Employees)(ou:dn:=Misc))(cn=*))'

If it works, edit the mod_authz_ldap configuration file as below:

Require ldap-filter &(|(ou:dn:=Managers)(ou:dn:=Employees)(ou:dn:=Misc))(cn=*)
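To see why the answer's filter admits the three wanted OUs and nothing else, here is an added example (not code from the question or the answer) that evaluates a small subset of RFC 4515 filters against constructed in-memory entries laid out like the question's directory. It assumes the usual server semantics: a plain `cn=` item compares the cn attribute value only, while the `ou:dn:=` extensible match also tests the RDN components of the entry's DN, and `Require ldap-filter` receives its argument without the outer parentheses because mod_authnz_ldap adds them. The entries, names and helper functions are all constructed for the example.

```python
"""Evaluate a subset of RFC 4515 LDAP filters against in-memory entries.

Added example, not from the original post. Supported syntax: &, |, !,
attr=value with * wildcards, and the attr:dn:=value extensible match,
which also tests the RDN components of the entry's DN (assumed semantics).
"""
import fnmatch


def parse_filter(text):
    """Parse a parenthesised filter string into a nested tuple tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        # Simple item: values in this subset contain no ')', so find the closer.
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def rdn_values(dn, attr):
    """Values of every RDN of type `attr` in a DN (escaped commas not handled)."""
    out = []
    for rdn in dn.split(","):
        rdn_type, _, value = rdn.strip().partition("=")
        if rdn_type.lower() == attr.lower():
            out.append(value)
    return out


def matches(tree, entry):
    """True if `entry` ('dn' plus lowercase attribute -> values) satisfies the tree."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, pattern = tree
    dn_match = attr.lower().endswith(":dn:")
    if dn_match:
        attr = attr[:-4]  # "ou:dn:" -> "ou"
    values = list(entry.get(attr.lower(), []))
    if dn_match:
        # The :dn: matching rule also compares against the entry's DN components.
        values += rdn_values(entry["dn"], attr)
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


BASE = "ou=Users,ou=Directory,o=IC"

# Constructed sample entries mirroring the question's OU layout (not real data).
ENTRIES = [
    {"dn": f"cn=bob,ou=Managers,{BASE}", "cn": ["bob"], "objectclass": ["Person"]},
    {"dn": f"cn=alice,ou=Employees,{BASE}", "cn": ["alice"], "objectclass": ["Person"]},
    {"dn": f"cn=carol,ou=Misc,{BASE}", "cn": ["carol"], "objectclass": ["Person"]},
    {"dn": f"cn=dave,ou=Outsiders,{BASE}", "cn": ["dave"], "objectclass": ["Person"]},
]


def apache_ldap_filter(require_arg):
    """mod_authnz_ldap wraps the `Require ldap-filter` argument in parentheses."""
    return f"({require_arg})"


def allowed_users(filter_text, entries=ENTRIES):
    """Sorted cn values of the entries the filter would admit."""
    tree = parse_filter(filter_text)
    return sorted(e["cn"][0] for e in entries if matches(tree, e))


# The answer's directive argument: DN-component match keeps the three wanted OUs.
ANSWER_REQUIRE = "&(|(ou:dn:=Managers)(ou:dn:=Employees)(ou:dn:=Misc))(cn=*)"

# The question's filter compares the cn attribute value (e.g. "bob") against a
# DN-shaped pattern, so in this model it matches no user at all.
QUESTION_FILTER = (
    f"(|(cn=*,ou=Managers,{BASE})(cn=*,ou=Employees,{BASE})(cn=*,ou=Misc,{BASE}))"
)

if __name__ == "__main__":
    print("answer's filter admits:", allowed_users(apache_ldap_filter(ANSWER_REQUIRE)))
    print("question's filter admits:", allowed_users(QUESTION_FILTER))
    print("deny-list variant admits:", allowed_users("(!(ou:dn:=Outsiders))"))
```

Running it shows the answer's allow-list and an explicit `(!(ou:dn:=Outsiders))` deny-list both admit alice, bob and carol and exclude dave, while the question's cn-based patterns admit nobody because they never look at the DN. Use the allow-list form from the answer in production: a deny-list silently admits any OU added later.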