I have got authentication working on my Apache 2.4 webserver, if I require a specific
user. However, I would like to require one or more specific groups. I have tried the
example given in the documentation:
Require ldap-group
with no group name specified.
I get this result in my log files:
[Wed Jan 12 13:13:52.676003 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(899): [client 10.14.0.18:36914] AH01713: auth_ldap authorize: require group: testing for group membership in ""
[Wed Jan 12 13:13:52.841650 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(926): [client 10.14.0.18:36914] AH01719: auth_ldap authorize: require group "": didn't match with attr Comparison complete [memberOf][53 - Server is unwilling to perform]
[Wed Jan 12 13:13:52.841690 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(943): [client 10.14.0.18:36914] AH01716: auth_ldap authorise: require group "": failed [Comparison complete][53 - Server is unwilling to perform], checking sub-groups
[Wed Jan 12 13:13:52.842761 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(966): [client 10.14.0.18:36914] AH01718: auth_ldap authorise: require group (sub-group) "": didn't match with attr DN failed group verification. [memberOf][53 - Server is unwilling to perform]
I have tried the following in the configuration:
Require ldap-group cn=accounts
Require ldap-group accounts
with AuthLDAPGroupAttributeIsDN set to both "on" and "off". Neither works:
[Wed Jan 12 14:02:47.588735 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (cn=accounts)
[Wed Jan 12 14:02:47.753521 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "cn=accounts": didn't match with attr Comparison complete [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.753562 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "cn=accounts": failed [Comparison complete][32 - No such object], checking sub-groups
[Wed Jan 12 14:02:47.754391 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "cn=accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.754422 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(899): [client 10.14.0.18:38342] AH01713: auth_ldap authorize: require group: testing for group membership in "accounts"
[Wed Jan 12 14:02:47.754426 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (accounts)
[Wed Jan 12 14:02:47.764320 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "accounts": didn't match with attr Comparison complete [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.764358 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "accounts": failed [Comparison complete][32 - No such object], checking sub-groups
[Wed Jan 12 14:02:47.765169 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object]
I would appreciate any help to get this working. I am running on a fully updated CentOS 7 VM.
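For reference, an added example (not the poster's configuration) of how the mod_authnz_ldap directives fit together when the group is named by its complete DN, which is what Require ldap-group expects. The LDAP host and the group DN cn=accounts,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com are assumptions based on the FreeIPA default layout; the post only shows the user DN and base DN.

```apache
# Added example, not the poster's configuration. Assumptions: the LDAP host
# (placeholder) and the group DN. FreeIPA normally keeps groups under
# cn=groups,cn=accounts,<base DN>; confirm before relying on it, e.g.
#   ldapsearch -x -H ldap://LDAP-SERVER-PLACEHOLDER \
#     -b cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com '(cn=accounts)' dn member
<Location "/protected">
    AuthType Basic
    AuthName "LDAP protected area"
    AuthBasicProvider ldap

    # Base DN taken from the user DN shown in the debug log.
    AuthLDAPURL "ldap://LDAP-SERVER-PLACEHOLDER/dc=ipa,dc=bluepearlsoftware,dc=com?uid?sub?(objectClass=*)"
    # If the directory does not allow anonymous reads/compares, add
    # AuthLDAPBindDN / AuthLDAPBindPassword for a read-only service account.

    # mod_authnz_ldap checks membership by comparing an attribute of the
    # group ENTRY against the user's DN. FreeIPA groups store members in
    # "member" as full DNs, so the group attribute must be treated as a DN.
    # memberOf lives on user entries, not group entries, so comparing it on
    # the group object cannot succeed.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    # Only raise this if nested groups must be honoured; 0 avoids the extra
    # sub-group searches seen in the log.
    AuthLDAPMaxSubGroupDepth 0

    # The forms in the post fail because the value is not a complete DN:
    #   Require ldap-group               -> "" : result 53, unwilling to perform
    #   Require ldap-group cn=accounts   -> partial DN: result 32, no such object
    # Name each group by its full DN; RequireAny grants access to members of
    # any listed group.
    <RequireAny>
        Require ldap-group cn=accounts,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
        Require ldap-group cn=GROUP2-PLACEHOLDER,cn=groups,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com
    </RequireAny>
</Location>
```

The debug lines AH01713/AH01719 with result code 32 or 53 are the quickest check that the DN handed to Require ldap-group is wrong, so keep LogLevel authnz_ldap:debug on while testing and drop it afterwards.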