- 07-15-2008 #1 (Just Joined! Join Date: Jun 2008, Location: 127.0.0.1, Posts: 7)
apache + AD and require ldap-group
Hi All,
First off, here's my conf:
Code:
<IfModule mod_authz_ldap.c>
<VirtualHost *:80>
    ServerName svn.mydomain.com
    ServerAlias svn svn.hq subversion
    SetOutputFilter DEFLATE
    DocumentRoot /var/www/svn/
    ErrorLog logs/error_log
    <Location "/svn">
        #AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "Domain User Required:"
        AuthLDAPURL "ldap://dc.mydomain.com:389/OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com"
        AuthLDAPBindPassword gljaslkjasldkjasdlkj
        require valid-user
        <LimitExcept GET POST>
            require ldap-group CN=HW SVN,DC=dc,DC=mydomain,DC=com
        </LimitExcept>
    </Location>
</VirtualHost>
</IfModule>

As far as AD is concerned, I have the user "ldap" located under IT-Accounts > Special Accounts.
I also have another OU named IT-Groups, which has another OU named Special Security Groups.
Under Special Security Groups, I have CN HW SVN. Under HW SVN I have the users listed.
The users are part of IT-Accounts, so CN=USER, etc. My goal is to provide HTTP access to only CN=FW SVN, CN=HW SVN, etc.
However, the problem is that when I set up ldap-group and enter CN=HW SVN, any user that isn't part of this group is still able to log in, despite the fact that the user isn't part of that group.
Suggestions?
- 07-16-2008 #2
What if you change the line in your config to this:
Code:
AuthLDAPURL "ldap://dc.mydomain.com:389/OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"

That way the base starts with Special accounts, anything above that will be restricted.


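An added example, not part of either post: a variant of the <Location> block from post #1 in which the group requirement applies to every HTTP method. It assumes Apache 2.2 with mod_authnz_ldap, assumes the group's full DN follows the OU layout described in post #1 (IT-Groups > Special Security Groups, directly under the domain), and uses a placeholder for the bind password.

```apache
<Location "/svn">
    AuthType Basic
    AuthName "Domain User Required:"
    AuthBasicProvider ldap

    # Let mod_authnz_ldap make the final authorization decision instead of
    # passing a failed group check on to other authorization modules.
    AuthzLDAPAuthoritative on

    # User search base and bind account, unchanged from post #1.
    AuthLDAPURL "ldap://dc.mydomain.com:389/OU=IT-Accounts,DC=dc,DC=mydomain,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap,OU=Special Accounts,OU=IT-Accounts,DC=dc,DC=mydomain,DC=com"
    # Placeholder value, not a real credential.
    AuthLDAPBindPassword REPLACE_WITH_BIND_PASSWORD

    # Active Directory lists group members as full DNs in "member".
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Differences from the posted config:
    #  - no "Require valid-user": that directive admits every account that
    #    authenticates, whatever groups it belongs to.
    #  - no <LimitExcept GET POST> wrapper: directives inside it apply only
    #    to methods other than GET and POST, so browsing and checkout were
    #    never subject to the group check.
    #  - the group is named by its full DN (assumed from the OU layout
    #    described in post #1), not by CN plus the domain components.
    Require ldap-group CN=HW SVN,OU=Special Security Groups,OU=IT-Groups,DC=dc,DC=mydomain,DC=com
</Location>
```

With LogLevel set to debug, the error log records the result of each group comparison, which shows whether the group DN and the member attribute match what the directory actually holds.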
