Find the answer to your Linux question:
Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jun 2008

    apache + AD and require ldap-group

    Hi All,

    First off, here's my conf:

    <IfModule mod_authz_ldap.c>
    <VirtualHost *:80>
        ServerAlias svn svn.hq subversion
        SetOutputFilter DEFLATE
        DocumentRoot /var/www/svn/
        ErrorLog logs/error_log
        <Location "/svn">
            #AuthBasicProvider ldap
            AuthType Basic
            AuthzLDAPAuthoritative off
            AuthName "Domain User Required:"
            AuthLDAPURL "ldap://,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
            AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com"
            AuthLDAPBindPassword gljaslkjasldkjasdlkj
            require valid-user
    <LimitExcept GET POST>
             require ldap-group CN=HW SVN,DC=dc,DC=mydomain,DC=com
    As far as AD is concerned, I have a the user "ldap" located under IT-Accounts > Special Accounts.

    I also have another OU named IT-Groups, which has another OU named Special Security Groups.

    Under Special Security Groups, I have CN HW SVN. Under HW SVN I have the users listed.

    The users are partof IT-Accounts, so CN=USER, etc. My goal is to provide HTTP access to only CN=FW SVN, CN=HW SVN, etc.

    However, the problem is that when I setup ldap-group and enter CN=HW SVN, any user that isn't part of this group is still able to log-in. Despite the fact that that the user isn't part of that group.


  2. #2
    Linux Engineer jledhead's Avatar
    Join Date
    Oct 2004
    North Carolina
    what if you change the line in your config to this
    AuthLDAPURL "ldap:// Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
    that way the base starts with Special accounts, anything above that will be restricted.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts