Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Jun 2008
apache + AD and require ldap-group
First off, here's my conf:
<IfModule mod_authz_ldap.c> <VirtualHost *:80> ServerName svn.mydomain.com ServerAlias svn svn.hq subversion SetOutputFilter DEFLATE DocumentRoot /var/www/svn/ ErrorLog logs/error_log <Location "/svn"> #AuthBasicProvider ldap AuthType Basic AuthzLDAPAuthoritative off AuthName "Domain User Required:" AuthLDAPURL "ldap://dc.mydomain.com:389/OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)" AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com" AuthLDAPBindPassword gljaslkjasldkjasdlkj require valid-user <LimitExcept GET POST> require ldap-group CN=HW SVN,DC=dc,DC=mydomain,DC=com </LimitExcept> </Location> </VirtualHost> </IfModule>
I also have another OU named IT-Groups, which has another OU named Special Security Groups.
Under Special Security Groups, I have CN HW SVN. Under HW SVN I have the users listed.
The users are partof IT-Accounts, so CN=USER, etc. My goal is to provide HTTP access to only CN=FW SVN, CN=HW SVN, etc.
However, the problem is that when I setup ldap-group and enter CN=HW SVN, any user that isn't part of this group is still able to log-in. Despite the fact that that the user isn't part of that group.
what if you change the line in your config to this
AuthLDAPURL "ldap://dc.mydomain.com:389/OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"